
Comments (5)

routerino commented on May 21, 2024

Never used HAProxy before, wouldn't even know where to begin. I'll leave this open for a while in case a third someone wants to come along and enlighten us. A quick google talks about enabling a Lua module, which doesn't sound friendly.

You would most likely be better off serving headscale ui on the same subdomain as headscale using the web path. Same domain means no CORS. HAProxy's documentation describes how to do that here.

from headscale-ui.

vampywiz17 commented on May 21, 2024

@routerino

Ahhh, that gave me an idea! I tried it before on the same subdomain, but I use more subdomains with the same frontend (not only headscale), and that makes it a bit difficult. But now I split them from each other (headscale and UI vs. everything else) and now it works well!

Thanks!

PS: it seems something is wrong, because I can't do some things in the UI. I cannot create a name, and cannot add a new machine with the normal auth method. If I add it via the CLI I see it in the UI (namespace and also devices). So a bit weird...

But I am able to delete devices, so I think I am able to write to my headscale.

from headscale-ui.

vampywiz17 commented on May 21, 2024

@routerino

Hmm, it seems to be a browser problem. My home Windows PC (Chrome) is affected by the above problems, but my Linux desktop (also Chrome) works well... Interesting...

from headscale-ui.

vampywiz17 commented on May 21, 2024

This config works well with HAProxy (same domain). I'm writing it here in case it helps someone:

# Frontend: general_https_frontend ()
frontend general_https_frontend 
    bind headscale.domain.org:443 name headscale.domain.org:443 ssl  crt-list /tmp/haproxy/ssl/5e6986bca1fdf9.68580069.certlist 
    mode http
    option http-keep-alive
    default_backend opnsense
    # tuning options
    timeout client 30s

    # logging options
    # ACL: headscale
    acl acl_62fa39a1c4f969.44775481 path_beg -i /web
    # ACL: headscale_domain_use
    acl acl_62f62cb5c7c7c9.95836142 hdr(host) -i headscale.domain.org
    # ACL: headscale-ui
    acl acl_62f90fb56e8189.73521649 path_beg -i /web

    # ACTION: headscale
    use_backend headscale if !acl_62fa39a1c4f969.44775481 acl_62f62cb5c7c7c9.95836142
    # ACTION: headscale-ui
    use_backend headscale-ui if acl_62f90fb56e8189.73521649 acl_62f62cb5c7c7c9.95836142

# Backend: headscale ()
backend headscale
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server headscale 192.168.31.105:16666 

# Backend: headscale-ui ()
backend headscale-ui
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    acl auth_ok http_auth(list_62f90f8e3b26e5.68322732)
    http-request auth if !auth_ok
    http-reuse safe
    server headscale-ui 192.168.31.105:16667 

I use 3 conditions and 2 rules.

  1. condition: the path starts with /web
  2. condition: the path does NOT start with /web (negation of the previous condition)
  3. condition: the domain name is headscale.domain.org (it is needed because I use more sub-domains)

Rule 1: conditions 1 + 3 with logical AND, attached to the headscale-ui IP+port backend
Rule 2: conditions 2 + 3 with logical AND, attached to the headscale IP+port backend

Both headscale and headscale-ui are plain HTTP, without encryption; HAProxy does the SSL part. It is no problem that they are available without encryption in the local network. The point is that they are only accessible via SSL from the web.

+1

Because (if I see it right) headscale-ui does not contain any authentication, I set up a basic one with HAProxy.

from headscale-ui.
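
An added example, not part of the original comment or of the headscale-ui project: a small Python model of the first-match routing in the configuration above, compared with a hypothetical tightened variant (`route_tight`, an assumption) that strips the port from the Host header and matches `/web` only as a whole path segment. The sample requests are constructed.

```python
# Added example: models the first-match routing of the posted frontend.
HOST = "headscale.domain.org"

def route_posted(host, path):
    """ACLs as posted: hdr(host) -i is an exact, case-insensitive string
    match; path_beg -i /web is a case-insensitive prefix match."""
    host_ok = host.lower() == HOST
    is_web = path.lower().startswith("/web")
    if host_ok and not is_web:
        return "headscale"
    if host_ok and is_web:
        return "headscale-ui"
    return "opnsense"  # nothing matched: default_backend

def route_tight(host, path):
    """Hypothetical variant (assumption, not from the post): port stripped
    from Host, and /web matched only as a whole path segment."""
    host_ok = host.lower().split(":", 1)[0] == HOST
    p = path.lower()
    is_web = p == "/web" or p.startswith("/web/")
    if host_ok and not is_web:
        return "headscale"
    if host_ok and is_web:
        return "headscale-ui"
    return "opnsense"

# Constructed sample requests: (Host header, path without query string).
SAMPLES = [
    ("headscale.domain.org", "/web/"),
    ("HEADSCALE.domain.org", "/WEB/index.html"),
    ("headscale.domain.org", "/api/v1/node"),
    ("headscale.domain.org", "/webhook"),          # shares the /web prefix
    ("headscale.domain.org:443", "/api/v1/node"),  # Host carries a port
    ("other.domain.org", "/web/"),
]

def divergences(samples=SAMPLES):
    """Requests that the posted rules and the tightened rules route differently."""
    out = []
    for host, path in samples:
        a, b = route_posted(host, path), route_tight(host, path)
        if a != b:
            out.append((host, path, a, b))
    return out

if __name__ == "__main__":
    for host, path in SAMPLES:
        print(f"{host:26} {path:18} posted={route_posted(host, path):13} tight={route_tight(host, path)}")
```

Only the last two constructed cases in the middle of the list diverge: a path that merely shares the `/web` prefix lands on the headscale-ui backend, and a Host header that includes the port misses the host ACL and falls through to `default_backend`.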

routerino commented on May 21, 2024

closing for now, I'll link this issue in the doco if we get any other HAproxy related questions.

Note that there is no auth (correct), but all secrets are saved locally to the browser. It's not like putting in the API key lets anyone manipulate the platform.

from headscale-ui.
