
Issues with HAproxy setup


Go to solution Solved by Luke,


Posted (edited)

I have just finished setting up HAproxy on pfsense with ssl offloading and all appears to be working there. I can remotely login and ssl is correctly working.

I have a problem with Android clients not being able to login from a remote connection, they can connect to the server but I get an invalid username or password error when trying to connect. They have no problem logging in when on the local network. Other devices and web clients can login fine remotely. If I log in on Android while on the local network and then disconnect they continue to play ok over the mobile connection although they no longer show up in the server dashboard.

I see others appear to have run into this, but nothing I've read so far has helped me get it going.

Can anyone suggest the likely problem here? Any log files or configuration details anyone needs to see?

 

Edit: solved.

The server address needs https:// as prefix on android, and the port blanked. Someone else posted the solution, I just hadn't picked up on the https prefix part seeing as it's not needed in the web clients.

Edited by SLMK
  • Solution
Posted

Hi, yes if you don't specifically enter https, then it will default to http. Thanks for following up.

Posted

Hi Luke,

Thanks, happy with it for now.

But out of curiosity haproxy has an https redirect in place, any connections in a browser are correctly changed to https regardless, is there any reason this doesn't work in the android app?

Posted

I'm not sure. Does haproxy have logging to help find out why?

 

Posted

Nope, not that I can see. Oh well.

pwhodges
Posted

It is common for programs which are not browsers not to handle redirection by the server.

Paul

Posted

Plus you don't want that anyway, because then every single request to the server would have to follow a redirect. That's why it's better to just use the original address.

Posted
17 hours ago, pwhodges said:

It is common for programs which are not browsers not to handle redirection by the server.

Paul

Ah, makes sense then.

 

Cheers guys.

Posted

@SLMK I think a number of people including myself would be grateful for a quick emby/haproxy/pfsense setup guide. I mean if you have nothing else to do...:)

Posted (edited)
On 3/16/2022 at 3:13 AM, C.S. said:

@SLMK I think a number of people including myself would be grateful for a quick emby/haproxy/pfsense setup guide. I mean if you have nothing else to do...:)

Well, I'm not super keen on writing up the instructions myself because I'm not 100% confident I completely understand everything I configured and don't want to give out poor info, it works, but I was following someone else's guide already. I found the frontend config in haproxy very unintuitive, I don't know why it works, but it works.

The good news is my haproxy configuration was copied almost exactly from an existing, well written, easy to follow setup guide.

https://www.danatec.org/2021/06/22/reverse-proxy-with-haproxy-acme-in-pfsense/

I followed that almost precisely, with the obvious port and address substitutions where required. I also used my existing SSL cert in place of the acme setup section of that guide, but most will want to follow the guide and save paying for an SSL cert. There is also a setting to pass the source IP on to the server that I enabled, my understanding is if you leave this off Emby sees all remote connections as local which could be a security issue and will require you have all accounts secured.

I skipped the final section "Bonus: Protect Backend with username and password" as it's redundant with Emby handling authentication.

There's another recommended configuration change: In Settings - Advanced - change default webGui port to something else. By default pfsense listens for the web interface on port 80, in setting up haproxy you create a rule to allow port 80. As long as haproxy is working this is fine, but if haproxy shuts down, crashes or is disabled you have now made your web interface visible on WAN.

Edited by SLMK
  • Thanks 1
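
The source-IP point in the post above, as an added illustration that is not from the thread, the linked guide, or Emby's own code: a backend that decides "local or remote" from the connection address sees the proxy's LAN address for every proxied request unless the proxy forwards the original address in X-Forwarded-For, and that header should be honoured only when it arrives from the proxy. The addresses, network range and function names are constructed for the example.

```python
import ipaddress

# Constructed values: the reverse proxy's LAN address and the LAN range.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.1")}
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def effective_client_ip(peer_ip, headers):
    """Return the address to treat as the client, or None if undecidable.

    peer_ip is the TCP source address the backend sees. X-Forwarded-For is
    honoured only when the peer is a trusted proxy; otherwise any client
    could claim a LAN address by sending the header itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    if peer not in TRUSTED_PROXIES or not xff.strip():
        return peer
    # The proxy appends the address it saw, so the last entry was written
    # by the trusted hop; anything before it is client-supplied.
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None  # malformed header from the proxy: do not guess


def is_local(peer_ip, headers):
    ip = effective_client_ip(peer_ip, headers)
    return ip is not None and any(ip in net for net in LOCAL_NETS)


def demo():
    proxy = "192.168.1.1"
    return {
        # Forwarding off: a WAN user arrives via the proxy with no header.
        "remote_no_forwarding": is_local(proxy, {}),
        # Forwarding on: the proxy added the real WAN address.
        "remote_with_forwarding": is_local(
            proxy, {"X-Forwarded-For": "203.0.113.7"}),
        # Client sent a LAN address; the proxy appended the real one.
        "client_supplied_then_appended": is_local(
            proxy, {"X-Forwarded-For": "192.168.1.50, 203.0.113.7"}),
        # Header on a connection that did not come from the proxy.
        "header_from_untrusted_peer": is_local(
            "198.51.100.9", {"X-Forwarded-For": "192.168.1.50"}),
        # Genuine LAN client connecting directly.
        "lan_direct": is_local("192.168.1.50", {}),
    }
```

Only the first case comes back as local for a WAN user, which is the situation the post describes when the forwarding setting is left off.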
