OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: magnust on November 22, 2017, 10:12:16 am

Title: Letsencrypt+HAproxy reverse proxy HTTPS to HTTP(S)
Post by: magnust on November 22, 2017, 10:12:16 am
I have an important question at the bottom of this post. But let's begin with the steps to get this running  :)

The letsencrypt ACME automatic integration with HAproxy is great inserting everything needed for validation, downloading and adding a certificate  :D  I have Letsencrypt running with Haproxy handling incoming HTTPS traffic converting it to HTTP between OPNsense and the internal server. So the internal server does not need a certificate, I only need the automatically updated one on OPNsense. Great!

My initial idea was to do as above with the only difference being that I'd also run HTTPS between OPNsense and the internal server (since I only have an unsigned certificate on it). But I can't get HTTPS to HTTPS to work. As soon as I change to HTTPS on the server tab in HAproxy I get 503 timeouts.

But maybe there are no downsides running HTTPS to HTTP instead of HTTPS to HTTPS???


In HAproxy

ADD SERVER
Name: myserver
FQDN: server IP (on the inside)
Port: 80                                    <<<< if I set these to 443 and enabled I get 503 timeout
SSL: disabled                            <<<<
Verify SSL cert: disabled


ADD BACKEND
Enabled: check
Name: mybackend
Mode: HTTP Layer 7
Servers: myserver
Actions (ACLs): empty


ADD FRONTEND
Enabled: check
Name: myfrontend
Listen addresses: www.mydomain.com:443, mydomain.com:443
Type: SSL offloading
Default backend: mybackend
SSL offloading: check
Certificates: my letsencrypt certificate
X-forwarded-For header: not checked
Actions (ACLs): empty


And finally add a firewall rule
Interface: WAN
Destination: This firewall
Destination port range: HTTPS




---------------------------------------------------

One scary thing though!!!!! If I temporarily stop HAproxy, anyone surfing to my public web site will instead reach the OPNsense admin login page. I DO NOT like that  :o

I'm not clear how to prevent this?? The OPNsense webserver really shouldn't listen to the WAN interface IMHO. I might be missing something here though.

EDIT:
A very good tip from Fraenkie is to simply change the listening port of the OPNsense WEB GUI to some odd port that IS closed (with appropriate rules) on the WAN and not used by NAT or HAproxy. The very very minor drawback, if any, is that you will have to surf to your OPNsense GUI adding the port number to the link https://<yoururl or ip>:<yourspecialportnumber> i
Title: Re: Letsencrypt+HAproxy reverse proxy HTTPS to HTTP(S)
Post by: Webxorcist on November 22, 2017, 02:18:12 pm
Nice tut, thanks :)

For me, OPNsense doesn't publish the admin page to the public interface. I didn't do anything for this.
Title: Re: Letsencrypt+HAproxy reverse proxy HTTPS to HTTP(S)
Post by: Webxorcist on November 22, 2017, 02:20:06 pm
Also, your server is set to port 80 because HAProxy talks unsecured to your server, since you are using SSL Offloading. Your internal servers are 'freed' from decrypting stuff.
Title: Re: Letsencrypt+HAproxy reverse proxy HTTPS to HTTP(S)
Post by: magnust on November 22, 2017, 02:21:44 pm
> Nice tut, thanks :)
>
> For me, OPNsense doesn't publish the admin page to the public interface. I didn't do anything for this.

Even if you temporarily disable HAproxy on the HAproxy page in OPNsense? If I do that the FW admin pages are available on port 443 on the WAN! I've tested it from a remote computer towards my WAN FQDN address, so it's not some reflection problem testing from the LAN.
Title: Re: Letsencrypt+HAproxy reverse proxy HTTPS to HTTP(S)
Post by: magnust on November 23, 2017, 07:47:47 pm
Added https 301 redirection also. Everything is running very very nicely. Very happy  :D
Title: Re: Letsencrypt+HAproxy reverse proxy HTTPS to HTTP(S)
Post by: fraenki on November 24, 2017, 09:24:05 pm
> One scary thing though!!!!! If I temporarily stop HAproxy, anyone surfing to my public web site will instead reach the OPNsense admin login page. I DO NOT like that  :o

I've posted an answer to this question in your other thread:

https://forum.opnsense.org/index.php?topic=6463.msg27752#msg27752
Title: Re: Letsencrypt+HAproxy reverse proxy HTTPS to HTTP(S)
Post by: magnust on November 25, 2017, 11:34:22 am
Just adding some maybe-good-to-know-info:


I tested the Letsencrypt/HAproxy setup at https://www.ssllabs.com/ssltest/ which is a very handy site. I only got a B grading due to the default settings enabling an older RC4 version and a weaker 1024 bit DH size. So after searching for good information I added this:

HAproxy >> General settings >> global settings >>
Maximum SSL DH Size:
2048

And HAproxy >> General settings >> global settings >> advanced mode >>
Custom options
ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS


Note that I didn't come up with these values myself but picked them up from what seem to be good sources:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
https://forums.rancher.com/t/haproxy-ssl-ciphers/6653
You might want to not close down the options this tight but IMHO this seems to be a very good balance of what ciphers to support and not support. Just test your site at https://www.ssllabs.com/ssltest/ after adding these options and read through the report comments.
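As an added example (not from this thread or from the OPNsense project), a small Python audit of a HAProxy global section carrying the settings above: it checks the DH size and the no-sslv3 options and asks the local OpenSSL which suites the cipher string actually selects, so you can see before running ssllabs that RC4, MD5, NULL and DSS suites are gone and that forward-secrecy suites come first. The sample section is constructed here, and the mapping of the plugin's "Maximum SSL DH Size" field to HAProxy's `tune.ssl.default-dh-param` directive is an assumption.

```python
import ssl

# Constructed haproxy "global" section mirroring the settings in the post.
# Assumption: the OPNsense plugin's "Maximum SSL DH Size" field emits
# HAProxy's tune.ssl.default-dh-param directive.
HARDENED_GLOBAL = """
global
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
"""

# Substrings that identify suites the post wants excluded (RC4, MD5, DSS) plus
# the NULL/export families nobody should serve.
BANNED = ("RC4", "MD5", "NULL", "DSS", "EXP")

def parse_global(cfg):
    """Return {directive: value} for the ssl/tune directives in a global section."""
    opts = {}
    for line in cfg.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith(("tune.ssl", "ssl-default")):
            opts[parts[0]] = parts[1].strip()
    return opts

def expand_ciphers(spec):
    """Let the local OpenSSL expand a cipher string into the TLS<=1.2 suites it selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(cfg):
    """Return a list of findings; an empty list means the hardening from the post is present."""
    opts = parse_global(cfg)
    findings = []
    # 1024 is the weak default the post observed when the field was left unset.
    if int(opts.get("tune.ssl.default-dh-param", "1024")) < 2048:
        findings.append("DH parameter below 2048 bits")
    for side in ("bind", "server"):
        if "no-sslv3" not in opts.get(f"ssl-default-{side}-options", "").split():
            findings.append(f"{side}: SSLv3 not disabled")
        suites = expand_ciphers(opts.get(f"ssl-default-{side}-ciphers", "DEFAULT"))
        bad = [s for s in suites if any(b in s for b in BANNED)]
        if bad:
            findings.append(f"{side}: weak suites selected: {bad}")
        if not suites[0].startswith(("ECDHE", "DHE")):
            findings.append(f"{side}: forward-secrecy suites are not preferred first")
    return findings
```

Run `audit(HARDENED_GLOBAL)` to confirm it returns no findings, and feed it your own exported config to see what an unset DH size or a missing no-sslv3 looks like.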