2
24.1 Production Series / Re: HAProxy - wrong ssl certificate after upgrade to 24.1
« on: February 02, 2024, 08:30:55 pm »
Thank you.
This looks like the issue I am facing.
3
24.1 Production Series / HAProxy - wrong ssl certificate after upgrade to 24.1
« on: January 31, 2024, 08:09:54 pm »
Hello,
For the issue with IDS not working after the update I could quickly find the solution here.
Now I have detected a second issue after the update to 14.1.
I use HAProxy in a mix of an SNI frontend (TCP type) and an https frontend (SSL offloading). For offloading I use two hostnames with two ssl certificates that use two different backend servers.
Since the update the wrong certificate of the two is being provided to the client. Backend selection is as expected. This setup has been running for years. It broke when I upgraded to 14.1 yesterday.
4
23.7 Legacy Series / HAproxy: Syncthing Discovery server with forwarded client certificate in header
« on: September 02, 2023, 06:49:27 pm »
Hello,
I want to use the Syncthing Discovery server behind HAProxy with ssl offloading by HAProxy. To do so I set the discovery server to http (option -http). The connection is running. But I must forward the client certificate in the header X-SSL-Cert. According to the manual the header is required in PEM format.
This would add the client cert in DER format, which is not recognized by the discovery server:
Code:
http-request set-header X-SSL-Cert %{+Q}[ssl_c_der,base64]
I modified the line to create a PEM file. Either nothing is in it or it is in the wrong format.
Code:
http-request set-header X-SSL-Cert -BEGIN\ CERTIFICATE-\ %[ssl_c_der,base64]\ -END\ CERTIFICATE-\ # don't forget last space
The connection is running. But discovery still cannot read the client cert:
Code:
no certificates: certificate decode result is empty
Any idea how to set up the forwarding of the client certificate by header correctly in OPNsense?
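As an added example (not part of the post above, and not HAProxy's or Syncthing's own code), the Python below shows what the two header values from the post actually look like on the wire and checks them the way a receiving application checks a forwarded X-SSL-Cert header: it looks for a PEM block as RFC 7468 defines it (five-dash BEGIN/END boundaries around a base64 body), decodes the base64, and requires the result to start with the DER SEQUENCE tag that every X.509 certificate starts with. The sample DER is a constructed five-byte ASN.1 blob, not a real certificate; the assumption that a proxy flattens the PEM's newlines into spaces is mine, since an HTTP header value cannot carry raw line breaks. Whatever form the backend accepts, it should only trust such a header when it is reachable solely through the proxy and the proxy overwrites the header on every request.

```python
import base64
import re
import textwrap
from typing import Optional

# Constructed sample DER: an ASN.1 SEQUENCE holding one INTEGER. It stands in
# for a real client certificate (assumption: a real cert is much longer, but it
# is likewise a top-level DER SEQUENCE, tag 0x30, which the checker relies on).
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")  # "MAMCAQU="


def header_from_der_base64(b64: str) -> str:
    """Value produced by the first line in the post: %{+Q}[ssl_c_der,base64],
    i.e. the base64 DER wrapped in double quotes, with no PEM envelope."""
    return f'"{b64}"'


def header_from_single_dash_attempt(b64: str) -> str:
    """Value produced by the second line in the post: single-dash markers and
    spaces instead of the five-dash PEM boundaries and line breaks."""
    return f"-BEGIN CERTIFICATE- {b64} -END CERTIFICATE- "


def pem_from_der_base64(b64: str) -> str:
    """Builds a PEM certificate block as RFC 7468 defines it: five-dash
    BEGIN/END boundaries and a base64 body folded at 64 columns."""
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Tolerates the body being split by newlines or by spaces: HTTP header values
# cannot carry raw line breaks, so a proxy has to flatten the PEM somehow
# (assumption: spaces in place of newlines, as a receiver might accept).
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def decode_cert_header(value: str) -> Optional[bytes]:
    """Returns the DER bytes if the header carries a well-formed PEM
    certificate block, otherwise None (what a backend must treat as
    'no certificate')."""
    match = _PEM_BLOCK.search(value)
    if match is None:
        return None                      # no PEM envelope at all
    b64 = re.sub(r"\s+", "", match.group(1))
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return None
    if not der or der[0] != 0x30:        # X.509 certs are a DER SEQUENCE
        return None
    return der


if __name__ == "__main__":
    for label, value in [
        ("quoted base64 DER", header_from_der_base64(SAMPLE_B64)),
        ("single-dash attempt", header_from_single_dash_attempt(SAMPLE_B64)),
        ("proper PEM", pem_from_der_base64(SAMPLE_B64)),
        ("PEM flattened to one line",
         pem_from_der_base64(SAMPLE_B64).replace("\n", " ")),
    ]:
        print(f"{label:28s} -> {decode_cert_header(value)}")
```

Running it shows the first two header forms decode to nothing at all, while the PEM built with five-dash boundaries decodes to the original DER whether its body is folded with newlines or flattened with spaces.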
5
German - Deutsch / Re: Vodafone Kabel 1000Mbit - Which hardware for a home office
« on: July 23, 2023, 08:42:18 am »
Quote
I have a Vodafone cable connection (formerly Unitymedia) with 1000Mbit.
[...]
Which OPNsense hardware should I choose for this connection?
You didn't ask about this, but when changing the firewall, also think about how it connects to the device that provides access to the cable network. If that is a "simple", pure cable modem, it always fits. If you currently have a combination device there that also provides firewall and telephony (e.g. FritzBox), then with the OPNsense device you have a second firewall, which leads to double NAT. That works too. You should just know what it means before you start tinkering.
6
General Discussion / Re: Client Cert Authentication sufficient for Exchange server
« on: September 08, 2022, 10:28:34 pm »
Quote
Still please read all of my last post. Using a dedicated OWA server is highly recommended.
Thanks a lot again. Yes, I already got your point from your first mail.
I will reconsider after looking into some more details. Basically the VPN way is fine for me. My small home lab is running out of resources and one Exchange is already using more RAM than I want to spend.
7
General Discussion / Re: Client Cert Authentication sufficient for Exchange server
« on: September 08, 2022, 08:09:54 pm »
Quote
Millions of Enterprises do that. Expose OWA to the Internet. That's what it was made for.
Thank you.
8
General Discussion / Re: Client Cert Authentication sufficient for Exchange server
« on: September 08, 2022, 06:30:39 pm »
Quote
What is your risk? If this is a lab setup, do you even process real data?
OK. I see that "lab setup" was misleading. Yes, it is processing real data. There are two private mail accounts on it. I know there are better ways than using an oversized Exchange for this. I called it a home lab set-up to avoid any link to corporate use or professional data with hundreds of mailboxes.
Therefore let me rephrase my question:
Are there common and recommended scenarios where the activesync site of IIS in Exchange is directly exposed to the internet without a reverse proxy or WAF in front?
Quote
Have you considered a VPN for instance?
Yes. I am even doing it like this. The most secure variant I guess, but also with disadvantages: it drains more battery from the mobile and the VPN does not always have a stable connection. Therefore I am looking for other ways.
9
General Discussion / Client Cert Authentication sufficient for Exchange server
« on: September 03, 2022, 05:21:15 pm »
Hello,
does enabling Client Certificate Authentication on an MS Exchange server bring sufficient security to expose 'activesync' and 'owa' directly to the internet?
We are talking about a home lab setup. My current configuration is that port 443 for activesync and owa is behind HAProxy on OPNsense doing SSL offloading. Access to smtp is via a mail gateway. To increase security I want to switch to Client Certificate Authentication for activesync.
Option 1: set up client auth on HAProxy.
Option 2: pass through 'activesync' (separate host/SNI) in HAProxy in TCP mode, do authentication on Exchange, and keep offloading SSL for 'owa' on HAProxy.
Option 1 seems to get too complicated for me as there are other services on port 443 where I want to keep offloading on HAProxy. This would require a complex set-up with two frontends on the same port, one with and one without client certificate authentication. Option 2 seems to be the less complex way.
But is a directly exposed Exchange protected by client certificate authentication as safe against attacks as behind HAProxy?
10
General Discussion / Re: HAProxy Client Certificate Authentication for specific backends
« on: September 02, 2022, 08:43:19 pm »
Quote
So, the client-certificate requirement is configured on the 'Public Service' as 'Optional'. This way you don't need a client-cert for the public website. For the secure services, I add the mentioned 'check' if a client-cert is used, otherwise deny access.
I try to achieve something similar and found your post.
What will happen if the client presents a cert that is not valid and you only check if the cert was presented?
Would it be the right way to combine 'ssl_c_used' with 'ssl_c_verify' in your check?
11
Web Proxy Filtering and Caching / Re: haproxy: mixed ssl passthrough and offloading
« on: August 28, 2022, 09:42:51 pm »
Quote
I only get it running either with offloading or with passthrough, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.
After reading a couple of times and trial-and-error, I finally got it running. The key information was written in the chapter:
Quote
6. How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't have (yet) the need to actually load balance any non SSL traffic.
However balancing non SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_map-file_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend" and that the backend that belongs to your "NOSSLservice_server" is running in TCP mode.
12
Web Proxy Filtering and Caching / Re: haproxy: mixed ssl passthrough and offloading
« on: August 27, 2022, 11:53:27 pm »
Could anybody get mixed modes passthrough and offloading running with HAProxy under OPNsense meanwhile?
I only get it running either with offloading or with passthrough, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.
I guess these instructions for pfSense are exactly what I am looking for. Unfortunately, I am not able to transfer this to OPNsense.
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends
Any idea?
13
Zenarmor (Sensei) / Re: Elasticsearch does not start after installing recent Log4j patches
« on: January 23, 2022, 09:51:00 pm »
Quote
However, performing a backup within Zenarmor, uninstalling and re-installing it and then restoring the backup resolved the issue.
Perfect, this solved my issue. It took me a while to find this help. I already thought I am the only one with this issue.
14
21.1 Legacy Series / Re: USB 3 to Ethernet adaptor recommendations
« on: March 20, 2021, 05:37:50 am »
Quote
I am currently using a Lenovo 03X6903 USB 3 but it only shows up as 100baseTX <half-duplex> in the Lobby, looking for one that will connect at 1000mbps.
Is it connected to a USB 3.0 port?
Some only establish a 100baseTX link when connected to USB 2.0.
15
General Discussion / Re: Looking to install OPNsense and Ad blocking.
« on: February 21, 2021, 04:24:41 am »
Quote
Adguard is only installed on some devices, not all.
OK, you are talking about AdGuard on client devices. I was talking about AdGuard Home on OPNsense.
Quote
but why not just do it if it's possible... An ad (or malware) which is not blocked by one is hopefully blocked by the other...
Resources on the OPNsense box. Performance.
I would like to avoid spending firewall resources two or three times on something that is already done.