Messages - nmiller0113

#1
Quote from: nmiller0113 on November 08, 2023, 12:35:07 AM
Not really asking for help so much that I'm curious if anyone else has had to recently turn off OCSP stapling in order to get their services not to error in Firefox? This was working fine for a year and I've not changed a single setting in HAProxy or ACME, but all of a sudden now it doesn't work properly and I've since had to disable it to get my services accessible in Firefox again. I've dug around and cannot find a clear answer as to why.

Interesting. I finally found the spot /tmp/haproxy/ssl where the OCSP update file was placed so I added the CRON back and re-enabled the store setting in HAProxy, and monitored the folder and saw it was updating. So I then re-issued my cert with OCSP stapling required and now it's magically working again. Not sure what I fixed, but it's not like enabling it is terribly difficult so I'm pretty sure I didn't change anything from the previous configuration when I re-enabled it!
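A client-side way to confirm what the post above was chasing, namely whether the HAProxy frontend is actually handing out a stapled OCSP response and how fresh it is. This is an added helper, not something from the thread or from the OPNsense plugin; it assumes the openssl CLI is installed, and the host name you pass in is a placeholder.

```shell
#!/bin/sh
# Added example: check OCSP stapling on a TLS endpoint from the client side.
# Assumes the openssl command-line tool is available.

# Ask the server for a stapled OCSP response and return the raw s_client output.
fetch_ocsp_output() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status 2>/dev/null || true
}

# Classify s_client output as "stapled", "missing" (TLS worked, no staple)
# or "unknown" (no usable output, e.g. the connection failed).
classify_ocsp() {
    case "$1" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo missing ;;
        *)                                    echo unknown ;;
    esac
}

# Pull one field ("Cert Status", "Next Update", ...) out of the OCSP block.
ocsp_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1
}

# Full check for one host: stapling status plus freshness of the staple.
check_ocsp() {
    out=$(fetch_ocsp_output "$1" "${2:-443}")
    status=$(classify_ocsp "$out")
    printf '%s: OCSP stapling %s\n' "$1" "$status"
    if [ "$status" = stapled ]; then
        printf '  cert status: %s\n  next update: %s\n' \
            "$(ocsp_field "$out" 'Cert Status')" \
            "$(ocsp_field "$out" 'Next Update')"
    fi
}

# Usage (placeholder host): check_ocsp service.example.com
```

If "Next Update" is already in the past, the stored response HAProxy is serving is stale and the cron job that refreshes it is the thing to look at.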
#2
Not really asking for help so much that I'm curious if anyone else has had to recently turn off OCSP stapling in order to get their services not to error in Firefox? This was working fine for a year and I've not changed a single setting in HAProxy or ACME, but all of a sudden now it doesn't work properly and I've since had to disable it to get my services accessible in Firefox again. I've dug around and cannot find a clear answer as to why.
#3
Quote from: nikkon on August 18, 2023, 12:48:19 PM
Hi all,
I'm curious if I can use this method for internal running services (jails on freenas) without exposing them outside.
I can force the DNS override so I resolve them with fqdn from LAN but I can't make HAproxy work and serve the Certificate for them. I already got certificates for all instances in acme (jail1.domain.x, jail2.domain.x)

thank you in advance

It's all right there in Part 7 of the guide "Advanced Configuration: local-access-only subdomains"
#4
Quote from: TheHellSite on May 31, 2021, 01:06:11 PM
Part 7 - Advanced Configuration: local-access-only subdomains
Imagine you have a service that you would like to access / protect using your brand new reverse proxy without making it available on the internet?
Well, HAProxy has got you covered!
  • In your OPNsense go to: Services --> HAProxy --> Settings --> Advanced --> Map Files
    Here you need to clone the "PUBLIC_SUBDOMAINS_mapfile", rename it to f.e. "LOCAL_SUBDOMAINS_mapfile" and add all your local-access-only subdomains along with their corresponding backends.
    Keep in mind that the content of your "PUBLIC_SUBDOMAINS_mapfile" also has to be put in the "LOCAL_SUBDOMAINS_mapfile"! I will explain why later.

  • Next go to: Services --> HAProxy --> Settings --> Rules & Checks --> Conditions
    Now you need a condition that detects if the source of the request is a local IP or a FQDN.
    You can of course also use the predefined "Source IP is local" condition.
    I am however using only specific subnets since the predefined condition is using the entire RFC1918 IP range, which I don't need!
    As I just said you can also check for a FQDN.
    But please keep in mind that HAProxy resolves those hostnames to their IPs and then checks them. But the resolving is only done once during the start / restart of HAProxy.
    So if the IP of your FQDN is changing regularly this won't work very well, except if you restart your HAProxy using a cron job like every 24 hours or so.

  • Next go to: Services --> HAProxy --> Settings --> Rules & Checks --> Rules
    Here you need to clone the "PUBLIC_SUBDOMAINS_rule", rename it to f.e. "LOCAL_SUBDOMAINS_rule", select your "LOCAL_SUBDOMAINS_SUBNETS_condition" and select your "LOCAL_SUBDOMAINS_mapfile".
    If you are also using a FQDN condition, like I do, you will need to select both your FQDN and your subnet condition together with the logical "or" operator!

  • Next go to: Services --> HAProxy --> Settings --> Virtual Services --> Public Services
    The last thing left to do is to place the "LOCAL_SUBDOMAINS_rule" before your in your "HTTPS_frontend".

    Attention!
    Remember that I told you to also put the content of your "PUBLIC_SUBDOMAINS_mapfile" in the "LOCAL_SUBDOMAINS_mapfile"?
    This is because HAProxy is processing the rules in the frontends based on the order they appear!
    So if you place your "PUBLIC_SUBDOMAINS_rule" before your "LOCAL_SUBDOMAINS_rule" in the frontend configuration, you won't get access to your local-access-only subdomains.
    Vice versa this will also happen and you will no longer have access to your public subdomains.
    To avoid this you have to also put the content of your "PUBLIC_SUBDOMAINS_mapfile" in the "LOCAL_SUBDOMAINS_mapfile" and place their rules in the correct order.

    The correct way of placing both rules is like this.

  • Done!
    You should now still have access to your public subdomains from any network and also have access to your local-access-only subdomains from the locations you defined.

@TheHellSite

First of all...thank you so so much for this extensive guide! It was awesome and extremely helpful. I got everything working first time without a hitch! I sent ya *some* beer just now! Whatever you can buy with what I sent :)

I am writing because I saw a typo in section 4 of Part 7 I quoted above.

You wrote:

The last thing left to do is to place the "LOCAL_SUBDOMAINS_rule" before your in your "HTTPS_frontend"

And I think you meant to write:

The last thing left to do is to place the "LOCAL_SUBDOMAINS_rule" before your "PUBLIC_SUBDOMAINS_rule" in your "HTTPS_frontend"

Thanks again for everything!
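The map-file and rule layout the quoted Part 7 describes, written out as the raw HAProxy configuration it corresponds to, including the rule order the correction above points out. This is an added illustration, not TheHellSite's guide and not the configuration OPNsense generates; the condition, rule and map-file names are the guide's, while the paths, subnets, host names and backend names are assumptions.

```haproxy
# LOCAL_SUBDOMAINS_mapfile (assumed path /usr/local/etc/haproxy/LOCAL_SUBDOMAINS_mapfile)
# contains the local-only hosts AND a copy of every public entry:
#   jail1.example.com   jail1_backend
#   jail2.example.com   jail2_backend
#   www.example.com     www_backend
#
# PUBLIC_SUBDOMAINS_mapfile (assumed path /usr/local/etc/haproxy/PUBLIC_SUBDOMAINS_mapfile)
# contains only the hosts that may be reached from the internet:
#   www.example.com     www_backend

frontend HTTPS_frontend
    mode http
    bind :443 ssl crt /usr/local/etc/haproxy/certs/    # assumed certificate directory

    # LOCAL_SUBDOMAINS_SUBNETS_condition: specific LAN subnets (assumed values),
    # rather than the whole RFC1918 range of the predefined "Source IP is local".
    acl LOCAL_SUBDOMAINS_SUBNETS_condition src 192.168.1.0/24 192.168.10.0/24
    # Optional FQDN condition; the name is resolved once when HAProxy (re)starts.
    acl LOCAL_SUBDOMAINS_FQDN_condition src home.example.net

    # LOCAL_SUBDOMAINS_rule comes FIRST. Rules are evaluated in order and the
    # map lookup always yields a backend (deny_backend when the host is absent),
    # so the first rule whose condition holds decides the request. Local clients
    # are therefore routed from the local map, which is why it must also carry
    # the public entries.
    use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/LOCAL_SUBDOMAINS_mapfile,deny_backend)] if LOCAL_SUBDOMAINS_SUBNETS_condition or LOCAL_SUBDOMAINS_FQDN_condition

    # PUBLIC_SUBDOMAINS_rule: everyone else only sees the public map, so a
    # request for jail1.example.com from the internet ends in deny_backend.
    # Placed before the local rule, it would send local clients asking for
    # jail1.example.com to deny_backend as well.
    use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/PUBLIC_SUBDOMAINS_mapfile,deny_backend)]

    # Safety net if the rules above are ever edited or reordered.
    default_backend deny_backend

backend deny_backend
    mode http
    http-request deny deny_status 403
```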
#5
I learned a few more things.

1) Unbound will return the IP address for all local interfaces - https://forum.opnsense.org/index.php?topic=19658.0

2) and Chrome handles DNS resolution a bit differently.

This all contributed to what I experienced. I ended up re-enabling the WebUI listener on all of my interfaces and controlled access via firewall policies. This is resolved...thank you all for letting me air out my troubleshooting here :)
#6
Ok, after more digging, I found something interesting. I ran tcpdump on the opnsense instance and found that when I browse by name from Chrome for some reason it initially tries to hit the firewall on an interface which isn't local. For this example let's just say that 1.1.1.1 is local and 1.1.2.1 is another interface on the firewall. When I ping the firewall by name it gives me 1.1.1.1, but when Chrome tries to browse to it by name it initially goes to 1.1.2.1 and then later, after the timeout mentioned above, goes to 1.1.1.1. Whereas Firefox, browsing by name, goes to 1.1.1.1 every single time.
#7
I'm running OPNsense 23.1.6-amd64. I used the ACME Client to create a certificate for my administration/webui. I applied it, and it works for the most part...just this strange issue in Chrome on a Mac.

99.999% of the time, when I try to access the webui by name using Chrome on a Mac it will sit there and hang the connection start (see attached screenshot from DevTools). You can see the screenshot shows 1.5 min, but I've had it last up to 3.5 mins and sometimes 39 seconds. Now if I run this same test by IP, I don't have a single problem and can run the test over and over and over by IP and name and the results are consistent relative to the way I'm trying it. If I connect from Firefox or Safari by name it works perfectly every, single, time...no hang or delay. I've tried clearing the Chrome cache, starting a new profile, incognito mode...nothing helps. I even tried from my kids' MacBooks...still the same result with Chrome.

I'm at a loss
#8
General Discussion / Re: New Device Alert
July 17, 2017, 08:14:43 PM
Awesome! How hard would it be to create?
#9
Quick question then. If I'm running the 17.7 release candidate will I need to do anything when the stable production release comes out in order to move to that from the release candidate? Thanks!
#10
General Discussion / New Device Alert
July 15, 2017, 10:26:58 AM
I recently moved from Untangle to opnsense. Everything is running great but I cannot seem to figure out a good way to get alerts when new devices appear on my internal network(s). I like to be aware of new connections so I know if someone new jumped on my wireless or connected to my LAN. It's just for the sake of knowing and making sure it's legit and not some rogue device. Untangle had an easy way of doing this, and I understand that opnsense is a completely different platform and I'm not necessarily looking for an as easy solution...just *a* solution...either using what's part of the platform by default or through the use of additional features. Either works for me, I just want to be able to get an email every time a device, not previously known or on the network, connects. Thanks!