Setup & Configure HAProxy Container with Cloudflare Origins

Posted Jun 14, 2022 Updated Apr 18, 2024

By Cipher Menial 5 min read

This is the second guide in the series on how I setup my homelab. In my setup I use Cloudflare Origin Server between the world and my home server. My instructions will include all of the necessary configuration besides the required port forwards on your router. In my setup I only foward connections on port 443 from Cloudflares IPv4 ranges.

Requirements

Cloudflare account
Public domain name
Port 443 forwarded on your router to your LXD server.

Create HAProxy Incus Container

To create the containers run the following.

incus launch images:debian/12 haproxy

This will create a new container with the name haproxy using a Ubuntu 22.04 image.

Incus configuration

For this to work port 443 needs to be forwarded to the haproxy container. To do this you need haproxy to have a static IP.

incus config device override haproxy eth0 ipv4.address 10.10.10.254
incus restart haproxy

You need to forward HTTPS traffic from the host to the container. This creates a rule in nftables to pass the traffic through. You need to use your Incus hosts IP address for the listen address. Make sure your server has a static IP, in my example the server’s IP is 10.0.2.15.

  
incus config device add haproxy https proxy listen=tcp:10.0.2.15:443 connect=tcp:10.10.10.254:443 nat=true

At this point all the configuration requirements for the container are complete. IF you want to view the configuration you can do the following.

incus config show haproxy

And the output will look similar to this.

  
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian bookworm amd64 (20240416_05:24)
  image.os: Debian
  image.release: bookworm
  image.serial: "20240416_05:24"
  image.type: squashfs
  image.variant: default
  volatile.base_image: e763cf30d37fa3a77d7c4ed0f74c084ad9480e0ec70ff515426e67a8225317c4
  volatile.cloud-init.instance-id: b4a2b8ba-0ccb-4cde-84a3-e11be74d00d5
  volatile.eth0.host_name: veth042b3414
  volatile.eth0.hwaddr: 00:16:3e:58:ab:47
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"I
sgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgi
d":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 2ca6366b-2884-4c46-9791-d28619678059
  volatile.uuid.generation: 2ca6366b-2884-4c46-9791-d28619678059
devices:
  eth0:
    ipv4.address: 10.10.10.254
    name: eth0
    network: lxdbr0
    type: nic
  https:
    connect: tcp:10.10.10.254:443
    listen: tcp:10.0.2.15:443
    nat: "true"
    type: proxy
ephemeral: false
profiles:
- default
stateful: false
description: ""

Install and Configure HAProxy

To change to the terminal of the HAProxy container you can do the following.

incus exec haproxy bash

Now I update apt repositories and install all updates. Then install haproxy.

apt update
apt full-upgrade
apt install haproxy

We need to configure the haproxy.cfg. For a write-up of my complete finalised HAProxy configuration click here.

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    user haproxy
    group haproxy
    daemon
    maxconn 40000
    ulimit-n 81000
    crt-base /etc/haproxy/certificates/

defaults
    mode http
    option httplog
    option dontlognull
    option forwardfor
    log global
    timeout client 30s
    timeout server 30s
    timeout connect 5s

# HTTP Frontend
frontend fe_http
    bind *:80
    http-request redirect scheme https code 301

# HTTPS Frontend
frontend fe_https
    bind *:443 ssl crt domain.com.pem

    acl service ssl_fc_sni service.domain.com

    use_backend be_service if service

    # This redirects to a failure page
    default_backend be_no-match

backend be_no-match
    http-request deny deny_status 403

backend be_service
    server service service.lxd:80 check

When we add other containers with services I will show how to configure this file for access to the services.

Configure Cloudflare

Edge Certificate

When you sign up to Cloudflare with your domain you receive a Universal SSL certificate which is enabled by default. I am not sure what the default settings are but mine is set as follows but you can decide how you want to manage it. If you need backwards compatibility for TLS, you can set those setting as you please.

Always Use HTTPS: True
Minimum TLS Version: TLS 1.3
Opportunistic Encryption: True
TLS 1.3: True
Automatic HTTPS Rewrites: True

Origin Certificate

This is the certificate you will install into your haproxy. For an explanation please read through the Cloudflare documentation for this here.

Here are the instuctions to create an Origin CA certificate from Cloudflare docs

After the Origin Certificate is created you will be taken to a page that shows the Origin Certificate and the Private Key.

We will paste both sections of those into a single PEM file on the HAProxy server.

You will need to make a directory called certificates under /etc/haproxy and create a file using your editor of choice

mkdir /etc/haproxy/certificates
vim /etc/haproxy/certificate/domain.com.pem

Paste in the Origin Certificate and Private Key. It will look something like this.

You are now ready to create your first web service container.

Guides, HAProxy

This post is licensed under CC BY 4.0 by the author.