Nextcloud Instance in DMZ and HAProxy - Firewall Rules

Sorry for bothering with another question. I had set a firewall rule RED > RED:443 so HAProxy is able to forward requests to DMZ server instances with SSL termination.

However, the Nextcloud self check failed until I defined a firewall rule like this: orange_dmzsrvr > RED:443. Then it worked; so it seems to me the LEMP server needs access to the RED:443 interface as well.

Is this okay to do that?

It appears that other application instances also cause firewall drops (e.g. Matomo Analytics) in the same way the Nextcloud instance does.

So, please allow the question whether it is safe/good/necessary to declare a firewall rule like this when HAProxy is involved:

dmz.int.ip.addr > RED (Input):HTTPS

in order to get the “loop” back done?

Any advice much appreciated :slight_smile:

For me, it would be easier to help if you included a screenshot of the firewall rule (from the EDIT page). Looks like this:

Or the entire command line if you entered an iptables command.

(edit 20241110: oh my god, I took the wrong snap, now corrected).

Without this rule a curl -I --http2 https://cloud.mydomain.tld on the instance (aka cloud.mydomain.tld) itself doesn’t work either.

The firewall rule I’ve used for the DMZ looks like this:

https://www.ipfire.org/docs/configuration/firewall/rules/dmz-setup#create-dmz-firewall-rule

I am not an expert but what you created in Post 1 does not look correct. Hopefully someone more skilled will stop by and respond…

Thank you :slight_smile: A DMZ rule would be fine when forwarding via NAT. In this scenario I understood HAProxy running on IPFire takes over forwarding, so I need to declare INPUT rules rather than NATted FORWARDs.

The idea is based on this post:

I understand the idea to open ports on IPFire for HAProxy is not preferred that much as it may decrease security on it. However, on the other hand, doing this has also got its upsides :slight_smile:
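The loop-back case the thread circles around (the DMZ host resolving its own public name to the RED address, so its self-check has to reach HAProxy on IPFire's RED:443) can be reasoned about mechanically. The following is an added example, not code from the thread or from IPFire; the addresses are constructed placeholders and the interface names `orange0`/`red0` are assumed IPFire names. It classifies why the self-check traffic hits the firewall and derives the narrowest INPUT rule (single DMZ host to RED:443) instead of a broad RED > RED or whole-DMZ rule, and shows that split DNS avoids the rule entirely.

```python
import ipaddress

# Constructed placeholder values, not addresses from the thread.
RED_IP = "203.0.113.10"        # IPFire RED address where HAProxy listens
DMZ_NET = "192.168.50.0/24"    # orange (DMZ) network
DMZ_HOST = "192.168.50.20"     # the LEMP/Nextcloud server in the DMZ
HAPROXY_PORT = 443

def classify_path(resolved_ip, red_ip=RED_IP, dmz_host=DMZ_HOST, dmz_net=DMZ_NET):
    """Why does the DMZ host's request to its own public name hit the firewall?

    "hairpin"  -> name resolves to RED, so the DMZ host must reach RED:443 on IPFire
    "local"    -> name resolves to the DMZ host itself (split DNS); no rule needed
    "external" -> name points elsewhere; not the loop-back case from the thread
    """
    if ipaddress.ip_address(dmz_host) not in ipaddress.ip_network(dmz_net):
        raise ValueError("DMZ host must lie inside the DMZ network")
    ip = ipaddress.ip_address(resolved_ip)
    if ip == ipaddress.ip_address(red_ip):
        return "hairpin"
    if ip == ipaddress.ip_address(dmz_host):
        return "local"
    return "external"

def minimal_rule(resolved_ip, red_ip=RED_IP, dmz_host=DMZ_HOST, dmz_net=DMZ_NET, port=HAPROXY_PORT):
    """Narrowest INPUT rule for the hairpin case, or None when no rule is needed.

    Source is the single DMZ host, not the whole DMZ network and not RED > RED.
    The packet enters IPFire on the orange interface with RED's address as its
    destination, so the rule matches orange0 (assumed name), not red0.
    """
    if classify_path(resolved_ip, red_ip, dmz_host, dmz_net) != "hairpin":
        return None
    return {"chain": "INPUT", "in_iface": "orange0", "src": dmz_host, "dst": red_ip,
            "proto": "tcp", "dport": port, "state": "NEW"}

def as_iptables(rule):
    """Render the rule as an equivalent iptables line, for reading and comparison
    only; on IPFire the web UI manages the rule set."""
    if rule is None:
        return None
    return (f"iptables -A {rule['chain']} -i {rule['in_iface']} -s {rule['src']} "
            f"-d {rule['dst']} -p {rule['proto']} --dport {rule['dport']} "
            f"-m conntrack --ctstate {rule['state']} -j ACCEPT")

if __name__ == "__main__":
    print(classify_path("203.0.113.10"))             # hairpin
    print(as_iptables(minimal_rule("203.0.113.10")))
    print(minimal_rule("192.168.50.20"))             # None: split DNS avoids the loop
```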