OPNsense Forum

International Forums => Dutch - Nederlands => Topic started by: ghmc on March 11, 2024, 03:58:33 pm

Title: Nginx reverse proxy
Post by: ghmc on March 11, 2024, 03:58:33 pm
Dear all,

I have recently started using a DEC850 as an NGFW router, running OPNsense 23.10.2-amd64. I have an internal network on which a NAS runs a few dozen Docker apps that are reachable on different ports.

To keep them easy to reach, with the correct TLS certificate (Let's Encrypt via ACME, which works), I want to use an internal reverse proxy with an internal domain, let's say "intern.domein". If the application is "app", the internal URL would then become app.intern.domain, on which it should be reachable.

Unbound DNS and moving the OPNsense web GUI port have already been set up so that this is possible. Until recently I had a working HAProxy installation running on the OPNsense router that took care of the correct forwarding of app.intern.domein to ipaddress:port. A few days ago it stopped working for no apparent reason; HAProxy itself is still running, but I can no longer reach any internal application that way via the URLs (I can via ipaddress:port). I also can't find in the logs what is going on, and with nslookup I see that the URLs are not found on the router. So it seems to be a problem with HAProxy on the OPNsense router.

The only change I made on the OPNsense router is that I configured IPv6 on the WAN and LAN interfaces, so that all devices in my network now also get an IPv6 address. I don't know whether that is what killed HAProxy.

I also find the setup via HAProxy for this rather cumbersome. And now that HAProxy is apparently unreliable, I want to look into doing this on the OPNsense router with an nginx reverse proxy. However, I don't know whether that is also very cumbersome to set up for dozens of internal services, and I can't find a good tutorial or similar anywhere that shows exactly what I need to configure and fill in via the OPNsense GUI of the Nginx proxy.

For reference: I previously did this with a standalone Docker container running Nginx Proxy Manager, which makes it fairly simple. I would find it a shame to have to dust that off again if this isn't possible on the DEC850. A bit of a waste of that device's capabilities if only routing and firewalling are possible.
Title: Re: Nginx reverse proxy
Post by: RamSense on March 11, 2024, 06:49:58 pm
https://forum.opnsense.org/index.php?topic=19305.0
Title: Re: Nginx reverse proxy
Post by: ghmc on March 11, 2024, 07:46:50 pm
I did indeed find and follow that one. It doesn't work, though.

It raises the question of what exactly I need to configure where. Unclear. Where do I specify which Docker service with which port? The upstream server?? Does that mean I have to create a separate upstream server for every app/service? For dozens of services? Very inefficient and an unnecessary amount of work. In that case I'm indeed better off running a separate NPM service.

And why has HAProxy suddenly stopped working?

Then the OPNsense router is only usable as a router and firewall. Pity.
Title: Re: Nginx reverse proxy
Post by: Monviech on March 11, 2024, 08:16:28 pm
https://github.com/opnsense/plugins/tree/master/www/caddy
Title: Re: Nginx reverse proxy
Post by: ghmc on March 11, 2024, 09:03:24 pm
Thanks! I don't know Caddy (yet) and will look at it first thing tomorrow.
Title: Re: Nginx reverse proxy
Post by: ghmc on March 12, 2024, 12:24:21 pm
When I try to install Caddy following the tutorial (SSH and then in the GUI), I get the following error:

Code:
***GOT REQUEST TO INSTALL***
Currently running OPNsense 23.10.2 at Tue Mar 12 12:15:43 CET 2024
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 872 packages processed.
Updating os-caddy-plugin repository catalogue...
os-caddy-plugin repository is up to date.
All repositories are up to date.
pkg: os-caddy has a missing dependency: caddy-custom
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

When I try this via the CLI I get:

Code:
root@opnsense:~ # pkg install caddy-custom
Updating OPNsense repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01   
Fetching packagesite.pkg: 100%  241 KiB 247.1kB/s    00:01   
Processing entries: 100%
OPNsense repository update completed. 872 packages processed.
Updating os-caddy-plugin repository catalogue...
os-caddy-plugin repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'caddy-custom' have been found in the repositories

So the question is: how can I install the pkg caddy-custom?
Title: Re: Nginx reverse proxy
Post by: Monviech on March 12, 2024, 01:04:03 pm
Sorry for answering in English. The caddy-custom package is not available yet in the OPNsense Business Repo. It's only in the community repo. You could install it manually though (no guarantees, I don't recommend it). https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/latest/All/caddy-custom-2.7.6.3.0.3.5.3_14.pkg

Though, why don't you use OPNWAF instead? You get it in the business Repo and it's tested for it.
Title: Re: Nginx reverse proxy
Post by: ghmc on March 12, 2024, 03:26:12 pm
OK, I didn't know that I had OPNWAF and that it could do reverse proxying with that.

I looked at the documentation of OPNWAF but could not clearly determine how I would configure this. Suppose I would like app.domain.org have reverse proxy to, for instance, 192.168.12.10:1234 and 192.168.12.11:1234. And app.domain.org would have to use the letsencrypt cert I already have via the ACME plugin.

What would I configure where in the gateway section as virtual server and as location?

At the moment I have app.domain.org defined as virtual server on port 443 with the certs. As location I have path /, remote destinations 192.168.12.10:1234 and 192.168.12.11:1234 on separate lines bound to virtual server app.domain.org.

That does not seem to resolve.
Title: Re: Nginx reverse proxy
Post by: Monviech on March 12, 2024, 03:41:28 pm
I have only used that plugin briefly to test it. It gets ACME Certificates automatically without having to use ACME Plugin.

I remembered I posted in a thread here, I also posted example outputs of my config, maybe that helps you.

https://forum.opnsense.org/index.php?topic=36796.msg179919
Title: Re: Nginx reverse proxy
Post by: ghmc on March 12, 2024, 04:16:24 pm
Thanks a lot. I could compare and check my config against yours and it matches OK, so it should work. Unfortunately it doesn't. The reverse proxy solutions on the OPNsense don't reverse to the services with IP and port numbers. Strange, because HAProxy has worked for a few weeks and then suddenly stopped reverse proxying.

All in all too unstable for us to use, so I'm uninstalling them all and going back to a simple and working NPM Docker somewhere on the LAN.
Title: Re: Nginx reverse proxy
Post by: Patrick M. Hausen on March 12, 2024, 04:39:44 pm
> The reverse proxy solutions on the opnsense don't reverse to the services with IP and port numbers.
Could you explain what you mean by that? Because I use HAproxy and Caddy with IP addresses and ports other than 80/443 in production. Has worked for years and still does.
Title: Re: Nginx reverse proxy
Post by: Monviech on March 12, 2024, 04:48:20 pm
If you want to try caddy (it won't break your firewall, Patrick uses it too) you can invoke these commands:

Code:
curl https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/latest/All/caddy-custom-2.7.6.3.0.3.5.3_14.pkg -o caddy-custom-2.7.6.3.0.3.5.3_14.pkg
Code:
pkg install ./caddy-custom-2.7.6.3.0.3.5.3_14.pkg
Code:
pkg install os-caddy
Because I suck at configuring all of the current Reverse Proxy solutions (except OPNWAF, which is great and easy to use. Really love to use it for customers.) I made the Caddy plugin with ease of configuration in mind. Because I made it for my needs, for me it's the best reverse proxy plugin (of course I'm biased).

Then it's best to follow this tutorial:

https://forum.opnsense.org/index.php?topic=38714.0
Title: Re: Nginx reverse proxy
Post by: ghmc on March 12, 2024, 04:51:14 pm
Until a week ago I had HAProxy running OK and reverting, for instance, app.domain.org on my LAN to a Docker instance with an IP address and port. I have almost 50 Docker services running that way. I have had the OPNsense router for a few weeks and want it to do more than just routing and NGFW. It's the main reason I bought this hardware solution.

Now it suddenly stopped reversing. The different app.domain.org aren't found. nslookup gives the right server and DNS address (192.168.1.1 and 192.168.1.1#53) and the error Non-authoritative answer: Can't find...

The thing is, I haven't changed anything in HAProxy or Unbound DNS since it was working. It just stopped doing its thing. So, for me this is an unreliable solution for a production network.

Before this I used a Nginx Proxy Manager Docker that ran for years without glitches, so I'll probably go back to that.
Title: Re: Nginx reverse proxy
Post by: Patrick M. Hausen on March 12, 2024, 04:56:18 pm
> Now it suddenly stopped reversing. The different app.domain.org aren't found. nslookup gives the right server and DNS address (192.168.1.1 and 192.168.1.1#53) and the the error Non-authoritative answer: Can't find...
But this is a DNS and not a reverse proxy failure. You need to investigate that. First I would start checking if the entries can be resolved "on the Internet" via a second, e.g. mobile, uplink.
Title: Re: Nginx reverse proxy
Post by: ghmc on March 12, 2024, 05:02:22 pm
DNS seems to work fine. Also the overrides I put in Unbound DNS are resolving fine.

Only the URLs I defined in HAProxy suddenly don't resolve.
Title: Re: Nginx reverse proxy
Post by: ghmc on March 12, 2024, 05:08:08 pm
But you are right, there has to be a DNS problem.

Checking the override list I find that all host overrides I put in there to point to the IP of the router, so HAProxy can pick them up, are gone!
Title: Re: Nginx reverse proxy
Post by: ghmc on March 14, 2024, 07:22:23 am
First of all I would like to thank everyone who responded to my initial question and offered help and suggestions. I have been able to determine and solve the problem I had.

It was a problem with DNS (isn't it always!). In Unbound DNS I had created an override to the OPNsense router and aliases for all the running services attached to that override. HAProxy was correctly configured and working for those services and reversing those URL requests.

Somewhere and somehow the override and all the aliases were deleted. I still don't know how, but that has to be my error. I can't think of a reason that Unbound would do that by itself. And therefore HAProxy couldn't do its job.

After reconfiguring the override and aliases everything worked again.

As suggested I also tried the OPNWAF plugin, because that is a lot easier to configure than HAProxy. But I found that a lot of services showed up garbled and missing a lot of visuals in the end users' browser. So I abandoned that path. HAProxy is working fine for now.

The next issue I want to solve with HAProxy is a load-balancing one. Now that the services are running fine from a single network port on the NAS where the Docker containers are running, I want to add the second network port and let HAProxy decide which one is going to be used. The first network port is a LAG with 4 times 1 Gb, the second network port is a LAG with 2 times 10 Gb.
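The root cause in this thread was missing Unbound host overrides, not the reverse proxy. The script below is an added example (not code from the thread or from OPNsense) that separates the two failure modes from pasted nslookup output: a name with no record is a DNS problem, a name that resolves to something other than the proxy bypasses it. The proxy address 192.168.1.1, the hostnames and the sample output are constructed assumptions.

```python
"""Classify nslookup answers: DNS failure vs. an answer that bypasses the proxy."""
import re

# Assumption: the OPNsense router running HAProxy/Caddy, where every
# Unbound host override for an internal service should point.
PROXY_IP = "192.168.1.1"

# Constructed sample: three lookups pasted one after another, modelled on
# the "Address: 192.168.1.1#53" / "Can't find" output quoted in the thread.
SAMPLE = """Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Name:\tapp.intern.domein
Address: 192.168.1.1

Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

** server can't find app2.intern.domein: NXDOMAIN

Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Non-authoritative answer:
Name:\tapp3.intern.domein
Address: 192.168.12.10
"""


def parse_nslookup(text):
    """Return {hostname: ip or None}; None means the resolver had no record."""
    # Drop the resolver's own Server/Address header so it is not read as an answer.
    body = re.sub(r"^Server:.*\nAddress:.*#53\n", "", text, flags=re.M)
    results = {}
    for name, ip in re.findall(r"^Name:\s*(\S+)\nAddress:\s*(\S+)", body, re.M):
        results[name] = ip
    for name in re.findall(r"can't find (\S+?):", body, re.I):
        results.setdefault(name, None)
    return results


def diagnose(results, proxy_ip=PROXY_IP):
    """'dns': no record, fix the Unbound override; 'bypasses-proxy': record
    points past the reverse proxy; 'ok': record points at the proxy."""
    return {host: "dns" if ip is None else "ok" if ip == proxy_ip else "bypasses-proxy"
            for host, ip in results.items()}


if __name__ == "__main__":
    for host, verdict in diagnose(parse_nslookup(SAMPLE)).items():
        print(f"{host:24} {verdict}")
```

In practice, feed it the concatenated output of `nslookup <host> 192.168.1.1` for each service name; only the "ok" hosts are worth debugging on the proxy side.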