- Dedicated public entrypoint for internal apps (separate from Fastpanel hosting island).
- Terminates TLS and routes traffic by hostname.
- HAProxy VM LAN: 10.4.175.20
- Public VIP on pfSense WAN2: 71.162.125.137
  - haproxy.mackdesigner.com → 71.162.125.137
  - wiki.mackdesigner.com → 71.162.125.137
- WAN2 VIP: 71.162.125.137/32 (IP Alias)
- Port forwards to the HAProxy VM:
  - 80 → 10.4.175.20:80
  - 443 → 10.4.175.20:443
  - TEMP SSH (until MeshCentral/VPN): 2222 → 10.4.175.20:22
    - Source restricted to Kris's home public IP (and/or a specific allowlist)
- UFW enabled:
  - Allow 80/tcp and 443/tcp
  - Allow SSH only from:
    - Mack LAN (10.4.175.0/24)
    - Kris's home public IP (/32)
- HAProxy package: Ubuntu 24.04 (2.8.x)
- Let’s Encrypt via certbot + Cloudflare DNS plugin
- Combined PEMs (fullchain + private key in one file) for HAProxy:
  - /etc/haproxy/certs/haproxy.mackdesigner.com.pem
  - /etc/haproxy/certs/wiki.mackdesigner.com.pem
- Renew hook rebuilds the PEM(s) and reloads HAProxy: /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh
- HAProxy config: /etc/haproxy/haproxy.cfg
- Validate: sudo haproxy -c -f /etc/haproxy/haproxy.cfg
- Reload: sudo systemctl reload haproxy
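The renew hook and the validate/reload steps above, worked through as an added example (this is not the haproxy.sh from these notes): a certbot deploy hook that rebuilds the combined PEM for whichever lineage just renewed, then checks haproxy.cfg before reloading. It assumes the certbot lineage directory names equal the hostnames (so /etc/letsencrypt/live/wiki.mackdesigner.com becomes /etc/haproxy/certs/wiki.mackdesigner.com.pem), relies on certbot setting RENEWED_LINEAGE for deploy hooks, and the HAPROXY_CERT_DIR / HAPROXY_CFG override variables are hypothetical.

```shell
#!/bin/sh
# Certbot deploy hook for HAProxy (added example, not the notes' own haproxy.sh).
# Assumption: lineage directory name == hostname, e.g.
#   /etc/letsencrypt/live/wiki.mackdesigner.com -> /etc/haproxy/certs/wiki.mackdesigner.com.pem
# certbot exports RENEWED_LINEAGE when it runs a deploy hook. HAPROXY_CERT_DIR and
# HAPROXY_CFG are hypothetical overrides so the functions can be exercised outside certbot.
set -eu

# build_pem <lineage_dir>: concatenate fullchain + privkey into the single-file layout
# HAProxy's "crt" expects, root-only readable (HAProxy loads certs before dropping
# privileges), written via temp file + rename so a reload never sees a half-written PEM.
# Prints the output path.
build_pem() {
  lineage="$1"
  cert_dir="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"
  name="$(basename "$lineage")"
  out="$cert_dir/$name.pem"
  if [ ! -r "$lineage/fullchain.pem" ] || [ ! -r "$lineage/privkey.pem" ]; then
    echo "build_pem: fullchain.pem or privkey.pem missing in $lineage" >&2
    return 1
  fi
  mkdir -p "$cert_dir"
  tmp="$(mktemp "$cert_dir/.$name.XXXXXX")"
  cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
  chmod 0600 "$tmp"
  mv -f "$tmp" "$out"
  echo "$out"
}

# reload_haproxy: the same validate + reload as the notes, but fail loudly on a bad
# config instead of asking systemd to reload something that will not parse.
reload_haproxy() {
  cfg="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
  if ! haproxy -c -q -f "$cfg"; then
    echo "reload_haproxy: $cfg failed validation, not reloading" >&2
    return 1
  fi
  systemctl reload haproxy
}

# Only run the hook body when certbot invoked us (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  build_pem "$RENEWED_LINEAGE"
  reload_haproxy
fi
```

Install as /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh (mode 0755) and dry-run with `sudo certbot renew --dry-run` to see it fire.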
- Timeout from home (SSH): usually UFW is missing the allow rule for the home IP.
- 404 / Not found: Host header routing is not matching; add a default backend while testing.