OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: senseivita on September 26, 2020, 01:22:30 am

Title: How to import HAProxy's config file from elsewhere
Post by: senseivita on September 26, 2020, 01:22:30 am
I'm moving (again…) from pfSense to OPNsense. I've tried this several times in the past, but HAProxy, which is crucial for me, is the part that never lets me complete the migration. I've never been particularly skilled at HAP in the past, but I've gotten a little better; I now know what stuff means and does, and thought about giving it one last shot.

It didn't quite work out like planned… It's not that it's hard--I understand it now--it's just that the OPNsense UI breaks it into so many steps for the sake of modularity (I assume) that it ends up more complicated than actually writing the config file uncommented from scratch. That was exactly the thought that brought me here, to ask you guys if you by chance know where it is and if it's editable by hand (pasted and adapted accordingly in my case). I noticed ordinary things like the aliases are exported in serialized config files now.

It would be super helpful because then I would be able to use the official docs that I will likely need. Using OPNsense's HAProxy, I'm not sure I'll be able to set a loopback backend to do it all with a single port like before. I've been dying for years to use the flexibility OPNsense offers with its bleeding edge (as firewalls go) plugin selection and unlocked pkg repos, contrary to pfSense, but it all becomes irrelevant if I need to keep the pf machine just for the proxy with an extra NAT layer in addition to OPN's VM. :( I just need to know where the files are. FreeBSD is weird in how it sort of follows the Linux dir structure but with something even weirder stacked on top, like /var/db/etc <-- what the f-- that makes no sense! I can never find any "standard" UNIXy location in FreeBSD or macOS. :/

I'm rambling now. If you know about this please share! :D
Title: Re: How to import HAProxy's config file from elsewhere
Post by: guest18661 on September 26, 2020, 04:48:51 am
I thought the same thing about haproxy when I first set up opnsense. Haproxy was one of the main reasons I moved from my MikroTik router. After fiddling with the config for a bit I thought it would be easier to just set up a config by hand. Well, looking at the files (don't remember where I found them now), I realized I would not be able to use the GUI if I edited them by hand, and I abandoned that idea. It took a little bit of time to figure out how to set things up, but once I went through it with a very simple web server proxy it was pretty easy to figure out the rest of what I needed and add my other servers in. I still think the GUI is a bit obtuse, but it's grown on me enough that I don't mind it, and most of the changes I've needed since setting it up initially have been pretty straightforward.

I'm not sure exactly what you are trying to set up, but all of my stuff is port 80 and port 443, and I have 5 websites all running on those ports. I suspect you can do what you want with the GUI, but I couldn't be sure without knowing the specifics.
Title: Re: How to import HAProxy's config file from elsewhere
Post by: mimugmail on September 26, 2020, 06:58:44 am
The config file is /usr/local/etc/haproxy.conf; this is the folder where all of the FreeBSD configs are.
As you don't post what you want to achieve, or any screenshots or errors, I can't really help here.

I ran a setup with 20 sites with LE and only listening on one IP. I think most of the usual stuff is easily doable when you invest some time in testing.
Title: Re: How to import HAProxy's config file from elsewhere
Post by: senseivita on September 27, 2020, 05:25:28 am
Hey guys, thanks for answering. My email is down; actually I've been offline for several hours because I thought that since I'm giving OPNsense a shot it should be a fair shot, so I moved the servers' network to a new VLAN--huge mistake, I had some hypervisor drama mixed with OSPF, but I think the worst is over. The network changed so much I can't go back to pfSense now; the snapshot I took has been effectively obsoleted, so let's learn some stuff… :)

In the other platform I have two [public] ports, like most setups would. Port 80 is for some servers that actually need to run on port 80, like OCSP from my CA, the non-HTTPS version of a privacy policy site, all that; whatever doesn't match goes to a backend (the default backend) that in turn redirects to 443. This is normally done right in the frontend, but doing it as a backend allows for more flexibility.

Then there's 443. Traffic comes in and first the SNI websites that are too painful to offload, or that have better performance only using their own termination, are filtered out; the rest goes to 1 of 4 backends that loop back to different frontends listening internally on the loopback address (127.0.0.1) according to the type of traffic: ADFS/private/strictCSP/relaxedCSP.

There's config in each frontend to redirect error traffic to specific static pages; for instance, if you hit a 503, instead of returning that, it'll return a 200 and instead show you a page that tells you you hit a 503. This was to prevent Cloudflare error pages taking over and fiddling with HAProxy error settings, but I'm not proxying through Cloudflare anymore, so it's only for the nicer presentation. The code is a simple one line per error in the adv section, nothing fancy either.

On the backends there's nothing complicated; the most complex scenario I think is for a SearX instance that limits requests, ADFS has some advanced code, and that's it.

It's ironic that now is the ideal time to set this up because things are "new", so to speak, but at the same time things are broken, on fire, the dog is barking nonstop, so there's no time to take a course on complicated UIs. ;D At least I should have the old proxy working again any minute now and it'll buy me some time. I didn't post pictures earlier since I was asking for a location; I didn't think they'd matter, sorry. I'm attaching them provided I can compress them enough; it's pretty tight in here and I can't host them right now! Irony! ;D
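An added sketch, in raw haproxy.conf syntax, of the two-port layout this post describes (port 80 with a redirect-only default backend, port 443 routed on SNI with passthrough for self-terminating sites and loopback backends to internal frontends, and a 503 answered as a 200 page). It is not the poster's configuration nor anything OPNsense generates; hostnames, addresses, ports and certificate/error-file paths are assumed, and the send-proxy-v2/accept-proxy pair is added so the internal frontends still log the real client address.

```haproxy
# Added sketch of the layout described above; not the poster's config.
# Hostnames, addresses, ports and file paths are assumed.
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80: hosts that must stay plain HTTP get a real backend; everything
# else hits a default backend whose only job is the redirect to HTTPS.
frontend http_in
    bind :80
    use_backend be_ocsp if { hdr(host) -i ocsp.example.com }
    default_backend be_redirect_https
backend be_ocsp
    server ocsp 10.0.0.5:80
backend be_redirect_https
    http-request redirect scheme https code 301

# Port 443 in TCP mode: route on SNI without terminating TLS. Sites that
# terminate TLS themselves pass straight through; the rest loop back to an
# internal frontend per traffic type, with the client address preserved.
frontend https_in
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend be_passthrough if { req.ssl_sni -i mail.example.com }
    use_backend be_loop_adfs if { req.ssl_sni -i adfs.example.com }
    default_backend be_loop_relaxed
backend be_passthrough
    mode tcp
    server mail 10.0.0.10:443
backend be_loop_adfs
    mode tcp
    server adfs 127.0.0.1:8443 send-proxy-v2
backend be_loop_relaxed
    mode tcp
    server relaxed 127.0.0.1:8444 send-proxy-v2

# Internal frontend: terminates TLS and replaces a 503 with a raw HTTP
# file whose status line reads "HTTP/1.0 200 OK" (a friendlier page).
frontend adfs_internal
    bind 127.0.0.1:8443 ssl crt /usr/local/etc/ssl/adfs.pem accept-proxy
    errorfile 503 /usr/local/etc/haproxy/errors/503-as-200.http
    default_backend be_adfs
backend be_adfs
    server adfs 10.0.0.20:443 ssl verify none
```

On OPNsense the plugin regenerates haproxy.conf from the GUI settings, so treat this as a map of what to reproduce as frontends, backends, rules and conditions rather than something to paste into the file.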
Title: Re: How to import HAProxy's config file from elsewhere
Post by: guest18661 on October 02, 2020, 05:54:38 am
I am not sure if that's all doable in the GUI or not. I know you can add custom directives using the advanced option in the GUI, but I don't need any for my setup.

I think I changed the web port of the opnsense GUI from its default so I wouldn't have to worry about conflicts, since I hit the websites I proxy from inside and outside the network, but other than that I was able to add my frontends and backends, rules and conditions all in the GUI with nothing needed in the pass-through option boxes you get in advanced mode.

What I did when I was learning it was to set up the most basic frontend, backend, rule and condition so one website was working and I could play around with it. After I got it figured out for one site it was pretty easy to add the rest of my sites and servers and the necessary conditions. I did end up getting some stuff confused when I went in later to add some additional config so Let's Encrypt could work with haproxy and some other servers I have behind the firewall, but I was able to logic my way through it eventually after rearranging some things.