Any reverse proxy gurus out there? pfsense and HAProxy

Hi all,

I am running an UnRaid server behind a pfsense firewall which runs HAProxy as a reverse proxy. I am struggling with the reverse proxy bit. I reverse proxy lots of services but this is the first one where I need to parse the url and send anything that has /api/v1 on it to a different place.

So I am assuming that I have the dockers set up correctly as I can create a user and log in if I use the local IP address. Would this be a correct assumption?

My firewall/reverse proxy knowledge is cobbled together when I need something and then not used for a long time, so my terminology might be complete garbage!

In HAProxy I have set up 2 backends and 2 frontends

Backends

todo.mydomain.com forwards traffic to 192.168.x.x:8079
todo-api.mydomain.com forwards traffic to 192.168.x.x:3456

Then in the frontends I have an ACL and Action for each
ACLs

todo - Host matches: - todo.mydomain.com
todo-api - Host Starts With: todo.mydomain.com/api/v1

Actions:

todo uses backend todo
todo-api uses backend todo-api

For the todo-api I have tried various ACL config

Host Starts With: todo.mydomain.com/api/v1
Host matches: todo.mydomain.com/api/v1
Path Starts With: todo.mydomain.com/api/v1
Path Starts With: ./api/v1

No matter what I do the error is always the same. In the UI it says

Request failed with status code 405

In the dev tools I get

index.6388306d.js:140 
POST https://todo.mydomain.com/api/v1/login 405 (Not Allowed)

Hope this makes some sense as I barely understand what I am trying to ask

Thanks

Hey!

Did you change the api address on the login page?

This looks like you didn’t configure the API URL in the vikunja frontend. Since you’re running in docker it’s as easy to make this permanent as setting the respective environment variable: Install Frontend | Vikunja

To check if everything works, can you reach the api at todo.mydomain.com/api/v1/info ?

Thanks @kolaente for the response
Sorry I must have left that out of my original post
I have VIKUNJA_API_URL set as https://todo.mydomain.com/api/v1
and if I go to https://todo.mydomain.com/api/v1/info it redirects me to https://todo.mydomain.com/login

Thanks for the response @vikunja.jf4wf. Do I still need to do that if I have set VIKUNJA_API_URL, and if so, which docker container is it in?

So we have a few things. Vikunja works with a backend and frontend, for every new frontend you might need to set the api_url.

Don’t touch your docker, the place that you will change the api url is in the login page of https://todo.mydomain.com . Click change just above the username and put the https://todo.mydomain.com/api/v1/ there.

You will need two subdomains, one for the Vikunja frontend and one for the Vikunja API, in your reverse proxy.

So the login page already has https://todo.mydomain.com/api/v1 though not with the trailing /
I tried it with the trailing / and I still get Request failed with status code 405

In my reverse proxy I have two subdomains setup
https://todo-api.mydomain.com points to 192.168.x.x:3456
https://todo.mydomain.com points to 192.168.x.x:8079

I then have in my api docker
VIKUNJA_SERVICE_FRONTENDURL set to https://todo.mydomain.com
And in my frontend docker I have
VIKUNJA_API_URL set to https://todo.mydomain.com/api/v1

Should the frontend be pointing to the todo-api instead?
If I try changing the login page to point to https://todo-api.mydomain.com/api/v1 I get a CORS error in the dev tools window even though in the config.yml CORS is enabled

I am unclear what should be set to what… I have 2 subdomains but I have not put the todo-api subdomain in any config anywhere… surely something needs to know about it?

Should I be able to hit https://todo-api.mydomain.com/api/v1/info without using the frontend?

Got it working… so in my reverse proxy I had the path on the end of the URL and was trying to do host starts with or path starts with.

What I needed to do was just have the 2 subdomains set up, ignoring any paths
Then in the frontend I set VIKUNJA_API_URL to be https://todo-api.mydomain.com/api/v1

thanks for all the help!
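
An added example (not any poster's configuration and not pfSense's generated file) showing the ACL from the question that could not match beside the two layouts discussed in this thread. The ACL and backend names, the certificate path and the backend address 192.0.2.10 are placeholders.

```haproxy
# Added example: names, certificate path and 192.0.2.10 are placeholders.
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/example.pem   # placeholder path

    # The Host header holds only the hostname (plus an optional port),
    # never a path, so the ACL tried in the question can never match:
    #   acl todo-api hdr_beg(host) -i todo.mydomain.com/api/v1
    # A path ACL is compared against the request path, which starts with "/",
    # so "todo.mydomain.com/api/v1" and "./api/v1" cannot match either.

    acl host_todo     hdr(host) -i todo.mydomain.com
    acl host_todo_api hdr(host) -i todo-api.mydomain.com
    acl path_api      path_beg /api/v1

    # Layout the thread settled on: one hostname per service, no path rules.
    use_backend todo_api if host_todo_api

    # Alternative single-hostname layout: the more specific host+path rule
    # must come before the host-only rule, because the first match wins.
    use_backend todo_api if host_todo path_api
    use_backend todo     if host_todo

    # No default_backend: requests for any other Host match nothing
    # and HAProxy answers them with a 503.

backend todo
    mode http
    server frontend 192.0.2.10:8079   # Vikunja frontend container

backend todo_api
    mode http
    server api 192.0.2.10:3456        # Vikunja API container
```

With two hostnames the browser treats the frontend and the API as different origins, so the API's CORS settings must allow the frontend origin. The single-hostname layout keeps both on one origin.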


Hi,
I just wanted to give you some good feedback about this topic.
I had the same problem with my config:

a firewall (ipfire) with a reverse proxy (nginx) that deals with letsencrypt
on a Proxmox container, I used the docker-compose as described
Full docker example | Vikunja

Following the ideas in this topic, this next config is working:

I added two subdomains td.xxx.xxx and td-api.xxx.xxx
in the nginx.conf, I already redirected all http to https
in the nginx.conf, in the https section, I added
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name td.xxx.xxx;
    # some of my private items about ssl
    location / {
        proxy_pass http://192.168.1.93:80; # LAN IP
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name td-api.xxx.xxx;
    # some of my private items about ssl
    location / {
        proxy_pass http://192.168.1.93:3456; # LAN IP
        client_max_body_size 20M;
    }
}
in the proposed docker-compose.yml file, I used:
VIKUNJA_SERVICE_FRONTENDURL: https://td.xxx.xxx/
VIKUNJA_API_URL: https://td-api.xxx.xxx/api/v1