OPNsense with HAProxy + Octoprint

What is the problem?

I'm trying to make Octoprint work via HAProxy hosted on an OPNsense router, I haven't been able to nail down the configuration for it and was hoping either someone has already or if someone might have an idea.

Just to be extra clear, I know that Octoprint itself has a native built in HAProxy but in my usecase my edge device (Opnsense box) also hosts HAProxy and thats how I handle incoming connections from the outside.

I am able to see a log in screen but not able to actually log in. Most everything loads but it looks like 'packed_client.js?b2d27cf5' gets a 404 and I think this is the problem or a symptom of the problem.

It would be hosted such as https://www.domain.com/octoprint

What did you already try to solve it?

These are the options I'm trying to 'pass through' into HA Proxy in a Backend Pool:

http-request replace-path ^([^\ :]*)\ /octoprint/(.*)  \1\ /\2
http-request add-header X-Script-Name /octoprint
option forwardfor
acl needs_scheme req.hdr_cnt(X-Scheme) eq 0
http-request set-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

Have you tried running in safe mode?

No, it does not apply in this scenario.

Did running in safe mode solve the problem?


Systeminfo Bundle

You can download this in OctoPrint's System Information dialog ... no bundle, no support!)

octoprint-systeminfo-20220401151347.zip (74.4 KB)

Additional information about your setup

Version 0.18.0, running on Raspberry Pi 4 Model B Rev 1.4 + Version 1.7.3

I have the same issue using HAProxy. I've followed the sample configurations from Reverse proxy configuration examples and also get a 404 on the packed_client.js?

Additionally, I tried this by setting the prefixHeader, schemeHeader, and hostHeader manually in config.yaml and running an empty HAproxy backend and had the exact same issue.

@ideal2545 - Does it work when you try and access OctoPrint not through your Haproxy setup?

Other things to test - does the path work if you try and enter it manually? /octoprint/static/webassets/packed_client.js would/should be the path to try and find it manually. Is that the path that gives you a 404? Can you see the full path it is trying to request in the browser devtools?

Usually the issue is with the X-Script-Name header, which means OP is generating the wrong links/urls to get the files. But some of them work, so it must be working....?

You could also enable logging at the DEBUG level for tornado.access to see if the requests are making it through to OctoPrint, and if so what the path looks like from it's perspective.

Just to clear up misunderstanding, OctoPrint doesn't have Haproxy built in/native. OctoPi, the RPi OS image comes with it preconfigured to run in front of OctoPrint.

Thanks Charlie, yeah it wont load even if I remove the cache buster id, but literally everything else I can access directly and octoprint works when i access it locally.

I will give that shot and see if I can get some more details. The most Ive been able to derive from the octoprint logs is that it see's me login, but then it says connection closed right after.

I had some trouble getting this working as well. The trick for me in the UI was going to Virtual Services > Backend Pools > . Toggle "advanced mode" on, then in "Option pass-through", include:

http-request add-header X-Scheme https if { ssl_fc }
option forwardfor