OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: brynjolm on February 09, 2023, 08:54:11 am
-
Hello! I wanted to post here since i could not managed to solve this on my own. i feel like im almost there but i cant get it to work. Everything else works just that i cannot seem to pass to traefik. It gives me either a 503 no service or 400 bad request.
I have followed the tutorial: https://forum.opnsense.org/index.php?topic=23339.0 for the base sni install
then i added rules to the sni frontend using the reply from alh: https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958
my config looks like this:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
default-server maxconn 5000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: sni_frontend (Listening on 80 and 443)
frontend sni_frontend
bind 0.0.0.0:80 name 0.0.0.0:80
bind 0.0.0.0:443 name 0.0.0.0:443
bind ::1:80 name ::1:80
bind ::1:443 name ::1:443
mode tcp
default_backend ssl_backend
# logging options
# ACL: traffic_ssl
acl acl_63e3d7d7d34b32.18126829 req_ssl_hello_type 1
# ACL: myservice_sni
acl acl_63e3d8dd452718.96347718 req.ssl_sni -i traefik.homelabbity.uk
# ACTION: request_inspect_delay
# NOTE: actions with no ACLs/conditions will always match
tcp-request inspect-delay 5
# ACTION: request_content_accept_ssl
tcp-request connection accept if acl_63e3d7d7d34b32.18126829
# ACTION: myservice_sni
use_backend traefik_backend if acl_63e3d8dd452718.96347718
# Frontend: HTTP_frontend (Listiening on Virtual IP)
frontend HTTP_frontend
bind 127.10.20.5:80 name 127.10.20.5:80 accept-proxy
bind ::1:80 name ::1:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: nossl_condition
acl acl_63d848da104d83.11157892 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_63d848da104d83.11157892
# Frontend: HTTPS_frontend (Listen on virtual ip 443)
frontend HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.10.20.5:443 name 127.10.20.5:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63d84eb22bdba2.49299791.certlist
bind ::1:443 name ::1:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63d84eb22bdba2.49299791.certlist
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: local_subdomains_condition
acl acl_63d8643cc31f29.38373794 src 192.168.50.0/24 192.168.200.0/24
# ACTION: local_subdomains_rule
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63d863c71a8079.31054171.txt)] if acl_63d8643cc31f29.38373794
# ACTION: PUBLIC_SUBDOMAINS_map-rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63d84917101ea0.76258733.txt)]
# Backend: ssl_backend (ssl_backend)
backend ssl_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server ssl_server 127.10.20.5 send-proxy-v2 check-send-proxy
# Backend: traefik_backend (traefik)
backend traefik_backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server traefik_server 192.168.200.5:8443 send-proxy-v2 check-send-proxy
# statistics are DISABLED
any help would be greatly appreciated.
-
You have set traefik_backend to use Proxy Protocol
Have to set traefik to accept proxy protocol?
If not, either you find a way setting traefik to accept proxy protocol.
Or, you remove the Proxy Protocol config in traefik_backend. (But traefik and all its backends won't get correct IP info)
-
Thank you for taking the time to reply to my thread. Will try this on the weekend and reply back.
I have another question in the meantime, on the reply by alh he states on number 4
4. HAProxy plugin: Create "condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)
I dont really understand how this one works. is the myservice.example.com supposed to be the traefik dashboard domain? or can i put a wildcard certificate for it, something like *.mydomain.example?
Thank you once again.
-
Thank you for taking the time to reply to my thread. Will try this on the weekend and reply back.
I have another question in the meantime, on the reply by alh he states on number 4
4. HAProxy plugin: Create "condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)
I dont really understand how this one works. is the myservice.example.com supposed to be the traefik dashboard domain? or can i put a wildcard certificate for it, something like *.mydomain.example?
Thank you once again.
No. There aren't any condition accept partial regex in haproxy. If you want to pass the whole wildcard domain to Traefik
Change the condition to "SNI TLS extension contains (TCP request content inspection)" or "SNI TLS extension ends with (TCP request content inspection)"
For example
SNI TLS extension contains (TCP request content inspection)
.example.com
The whole thing is the usual practice to get HAProxy working with SNI in TCP layer
Check "Restrict clients to SSH only" here (https://www.haproxy.com/blog/route-ssh-connections-with-haproxy/)
And the guide is how he managed to put those commands in specific order