Messages

1

Web Proxy Filtering and Caching / HAProxy SSH/HTTPS multiplexing

« on: September 15, 2020, 11:09:55 am »

Hi,
For quite some time I am trying to figure out HAProxy configuration that would _reliably_ work for switching between SSH and HTTPS. There are tons of guides all over the network, and most of them work, but not reliably. Although I'm often able to make SSH work every time, HTTPS is hit or miss - often from the same PC it will work on one browser, but not another. This doesn't depend on browser as well.

Can you please have a look at my config and advise what I should change?

Code: [Select]

root@opnsense:/usr/local/etc # less haproxy.conf
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    ssl-server-verify           none
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats



# Frontend: Router-443
frontend Router-443
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend HTTPS_SERVERPool
    # tuning options
    timeout client 30s

    # logging options
    option tcplog
    # ACL: HTTPS-HTTPS_SERVER
    acl acl_5ed8f96fe45bc7.92407970 req.ssl_hello_type 1
    # ACL: SSH-SSH_SERVER-1
    acl acl_5ef0be88c7f291.74440621 req.ssl_hello_type 1
    # ACL: SSH-SSH_SERVER-2
    acl acl_5ed8f9b4806f55.62302544 req.len 0

    # ACTION: HTTPS_SERVER-IIS
    use_backend HTTPS_SERVERPool if acl_5ed8f96fe45bc7.92407970
    # ACTION: SSH_SERVER-SSH
    use_backend SSH_SERVERPool if !acl_5ef0be88c7f291.74440621 acl_5ed8f9b4806f55.62302544

# Backend: HTTPS_SERVERPool ()
backend HTTPS_SERVERPool
    # health checking is DISABLED
    mode tcp
    balance source

    # tuning options
    timeout connect 30s
    timeout server 30s
    server HTTPS_SERVER 192.168.1.99:443

# Backend: SSH_SERVERPool ()
backend SSH_SERVERPool
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s


2

19.7 Legacy Series / Re: Let's Encrypt using DNS-01 with OVH

« on: January 11, 2020, 12:19:11 pm »

Mate, I surely hope you're joking - ever heard about sanitising logs output before posting to a public forum? Because that's what I did.

3

19.7 Legacy Series / Let's Encrypt using DNS-01 with OVH

« on: January 10, 2020, 01:45:12 pm »

Hello everyone,
First of all, I want to say this is an awesome project - very functional, fast and with pro-level UI. Props!

Alas, here I am with issue I can't solve: I want to get a Let's Encrypt cert for my domain (I have a static IP). The domain is hosted on OVH, and I'd prefer to use DNS-01 verification.

I installed os-acme-client 1.29 then follow https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api to get a cert... it fails when trying to update OVH zone. I am guessing that I have not provided enough access (though I followed the guide 4 times, just to make sure I don't make mistake), but:
1. I can't really figure out the OVH API
2. In the log, there's message "_ovh_p='[hidden](please add '--output-insecure' to see this value)'", and I don't know where should I add it to enable more logging (as a side note, I think this should be either configurable or plain enabled in OPNsense).

Below is relevant part of my log. Can someone help me configure this?

Code: [Select]

[Fri Jan 10 00:00:21 CET 2020] Adding txt value: <snip> for domain:  _acme-challenge.fury.contoso.com
[Fri Jan 10 00:00:21 CET 2020] Using OVH endpoint: ovh-eu
[Fri Jan 10 00:00:21 CET 2020] OVH_API='https://eu.api.ovh.com/1.0'
[Fri Jan 10 00:00:21 CET 2020] Checking authentication
[Fri Jan 10 00:00:21 CET 2020] domain
[Fri Jan 10 00:00:21 CET 2020] GET
[Fri Jan 10 00:00:21 CET 2020] url='https://eu.api.ovh.com/1.0/auth/time'
[Fri Jan 10 00:00:21 CET 2020] timeout=30
[Fri Jan 10 00:00:21 CET 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g  --connect-timeout 30'
[Fri Jan 10 00:00:21 CET 2020] ret='0'
[Fri Jan 10 00:00:21 CET 2020] _ovh_p='[hidden](please add '--output-insecure' to see this value)'
[Fri Jan 10 00:00:21 CET 2020] GET
[Fri Jan 10 00:00:21 CET 2020] url='https://eu.api.ovh.com/1.0/domain'
[Fri Jan 10 00:00:21 CET 2020] timeout=
[Fri Jan 10 00:00:21 CET 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Fri Jan 10 00:00:22 CET 2020] ret='0'
[Fri Jan 10 00:00:22 CET 2020] Consumer key is ok.
[Fri Jan 10 00:00:22 CET 2020] First detect the root zone
[Fri Jan 10 00:00:22 CET 2020] domain/zone/fury.contoso.com
[Fri Jan 10 00:00:22 CET 2020] GET
[Fri Jan 10 00:00:22 CET 2020] url='https://eu.api.ovh.com/1.0/auth/time'
[Fri Jan 10 00:00:22 CET 2020] timeout=30
[Fri Jan 10 00:00:22 CET 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g  --connect-timeout 30'
[Fri Jan 10 00:00:22 CET 2020] ret='0'
[Fri Jan 10 00:00:22 CET 2020] _ovh_p='[hidden](please add '--output-insecure' to see this value)'
[Fri Jan 10 00:00:22 CET 2020] GET
[Fri Jan 10 00:00:22 CET 2020] url='https://eu.api.ovh.com/1.0/domain/zone/fury.contoso.com'
[Fri Jan 10 00:00:22 CET 2020] timeout=
[Fri Jan 10 00:00:22 CET 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Fri Jan 10 00:00:22 CET 2020] ret='0'
[Fri Jan 10 00:00:22 CET 2020] domain/zone/contoso.com
[Fri Jan 10 00:00:22 CET 2020] GET
[Fri Jan 10 00:00:22 CET 2020] url='https://eu.api.ovh.com/1.0/auth/time'
[Fri Jan 10 00:00:22 CET 2020] timeout=30
[Fri Jan 10 00:00:22 CET 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g  --connect-timeout 30'
[Fri Jan 10 00:00:22 CET 2020] ret='0'
[Fri Jan 10 00:00:22 CET 2020] _ovh_p='[hidden](please add '--output-insecure' to see this value)'
[Fri Jan 10 00:00:22 CET 2020] GET
[Fri Jan 10 00:00:22 CET 2020] url='https://eu.api.ovh.com/1.0/domain/zone/contoso.com'
[Fri Jan 10 00:00:22 CET 2020] timeout=
[Fri Jan 10 00:00:22 CET 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Fri Jan 10 00:00:23 CET 2020] ret='0'
[Fri Jan 10 00:00:23 CET 2020] domain/zone/com
[Fri Jan 10 00:00:23 CET 2020] GET
[Fri Jan 10 00:00:23 CET 2020] url='https://eu.api.ovh.com/1.0/auth/time'
[Fri Jan 10 00:00:23 CET 2020] timeout=30
[Fri Jan 10 00:00:23 CET 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g  --connect-timeout 30'
[Fri Jan 10 00:00:23 CET 2020] ret='0'
[Fri Jan 10 00:00:23 CET 2020] _ovh_p='[hidden](please add '--output-insecure' to see this value)'
[Fri Jan 10 00:00:23 CET 2020] GET
[Fri Jan 10 00:00:23 CET 2020] url='https://eu.api.ovh.com/1.0/domain/zone/eu'
[Fri Jan 10 00:00:23 CET 2020] timeout=
[Fri Jan 10 00:00:23 CET 2020] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Fri Jan 10 00:00:23 CET 2020] ret='0'
[Fri Jan 10 00:00:23 CET 2020] invalid domain
[Fri Jan 10 00:00:23 CET 2020] Error add txt for domain:_acme-challenge.fury.contoso.com
[Fri Jan 10 00:00:23 CET 2020] _on_issue_err
[Fri Jan 10 00:00:23 CET 2020] Please check log file for more details: /var/log/acme.sh.log