OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: Lip90 on April 01, 2021, 10:28:00 pm
-
Hello,
After a long try I finally managed to configure HAProxy so that OpenVPN and my Seafile server run on port 443. But now I have the problem that the Certbot, which regularly renews the SSL certificate on my Seafile server, no longer gets access to the server via port 80.
As far as I understand I have to create a rewrite rule from http to https. Unfortunately I can't get any further here. Could someone help me?
My HAProxy Config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: https_passthrough ()
frontend https_passthrough
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend OpenVPNBackend

    # tuning options
    timeout client 30s

    # logging options

    # ACL: traffic_ssl
    acl acl_6065828520f318.80916105 req_ssl_hello_type 1
    # ACL: myservice_sni_seafile
    acl acl_606582cba59604.58079977 req.ssl_sni -i cloud.xyzdomain.com

    # ACTION: request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: request_content_accept_ssl
    tcp-request content accept if acl_6065828520f318.80916105
    # ACTION: myservice_sni_seafile
    use_backend seafile_backend if acl_606582cba59604.58079977

# Backend: seafile_backend ()
backend seafile_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server seafile 192.168.30.15:443

# Backend: OpenVPNBackend ()
backend OpenVPNBackend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30000
    timeout server 30000
    retries 3
    server opnvpnserver 127.0.0.1:1194
-
Since you are already reverse proxying, why don't you just let the OPNsense do the SSL offloading?
Just use the Let's Encrypt plugin and configure HAProxy with it.
Then you don't have to run certbots on every single server in your network.
-
That's a good idea, but until now I haven't dared to do it. Nginx does it all automatically. In HAProxy, I have to configure a lot for that.
-
So the thing is... (If I understood your setup correctly.)
To solve your issue you would have to create the relevant ACME condition, rule and a frontend listening on port 80 with the ACME rule on it. This rule redirects all ACME challenges to localhost:ACMEport of your OPNsense. The Let's Encrypt plugin is listening on the "ACMEport" of your OPNsense. All of that is created by the Let's Encrypt plugin automatically if you configure it to use HAProxy for SSL offloading.
But instead of the ACME rule forwarding ACME challenges to localhost, you would have to forward them to your Seafile server.
As soon as there is another server that also has a certbot running things get very complicated!
Also, I don't know whether the conditions for the le-plugin_acme_challenges are identical to those of the certbot!
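For reference, this is what the port-80 frontend described in the reply above looks like as raw HAProxy configuration, written here as an added example rather than anything posted in the thread or generated by the OPNsense plugin. It reuses the hostname and Seafile address from the OP's config; the frontend/backend/ACL names and the assumption that certbot (or the web server it uses) answers HTTP-01 challenges on port 80 of the Seafile host are mine. In the OPNsense GUI the same thing is a condition on the challenge path, a rule that selects the backend, and a frontend on port 80 that carries the rule.

```haproxy
# Added example (not from the thread): port-80 frontend that hands ACME HTTP-01
# challenges for the Seafile hostname to the Seafile host's own certbot and
# redirects every other plain-HTTP request to the existing TLS frontend on 443.
frontend http_acme
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option httplog
    timeout client 30s

    # HTTP-01 challenges are always fetched from this path prefix (RFC 8555).
    acl acl_acme_challenge path_beg -i /.well-known/acme-challenge/
    # Only the Seafile hostname is handled by the certbot on the Seafile host.
    acl acl_host_seafile   hdr(host) -i cloud.xyzdomain.com

    # http-request rules run before backend selection: anything that is not a
    # challenge is sent to HTTPS. The Host header is preserved, so the request
    # lands on the SNI-routed 443 frontend from the OP's config.
    http-request redirect scheme https code 301 unless acl_acme_challenge

    # Challenge for the Seafile certificate: forward it unencrypted, untouched.
    # A challenge for any other hostname has no backend and gets a 503, which
    # is the safe default until a second certbot host is added deliberately.
    use_backend seafile_acme_backend if acl_acme_challenge acl_host_seafile

# Backend name is an assumption; the address is the OP's Seafile server.
backend seafile_acme_backend
    mode http
    # health checking is DISABLED, matching the other backends in the thread
    timeout connect 30s
    timeout server 30s
    # certbot's HTTP-01 listener on the Seafile host must answer here on :80
    server seafile_http 192.168.30.15:80
```

Two things to check before relying on this: the OPNsense firewall must now allow TCP/80 to the HAProxy frontend (previously port 80 presumably went straight to the Seafile host), and the certbot on the Seafile host must still bind port 80 for the HTTP-01 challenge. As the reply notes, once a second server also runs its own certbot the `hdr(host)` branching has to be extended per hostname, which is exactly the complexity the Let's Encrypt plugin avoids by terminating TLS on OPNsense and answering the challenges itself.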