Messages

1

Tutorials and FAQs / Re: Tutorial: OPNsense, HAProxy, Let's Encrypt, Wildcard Certs, 100% A+ SSLLabs

« on: June 01, 2021, 10:35:23 am »

Thank you very much!
This helped me switching from regular certificates to wildcard certificates!
I now also do score 100% A+ in the SSL test.

2

Web Proxy Filtering and Caching / Re: HAProxy http Redirect

« on: April 07, 2021, 10:23:38 am »

So the thing is... (If I understood your setup correctly.)
To solve your issue you would have to create the relevant ACME condition, rule and a frontend listening on port 80 with the acme rule on it. This rule redirects all ACME challenges to localhost:ACMEport of your OPNsense. The Lets Encrypt Plugin is listening on the "ACMEport" of your OPNsense. All of that is created by the Lets Encrypt plugin automatically if you configure it to use HAProxy for SSL offloading.

But instead of the acme rule forwarding acme challenges to the localhost you would have to forward them to your seafile server.
As soon as there is another server that also has a certbot running things get very complicated!
Also I don't know if the conditions for the le-plugin_acme_challenges are identical to the ones of the certbot!

3

Web Proxy Filtering and Caching / Re: HAProxy http Redirect

« on: April 06, 2021, 12:11:19 pm »

Since you are already reverse proxying, why don't you just let the OPNsense do the SSL offloading?
Just use the Let's Encrypt plugin and configure HAProxy with it.
Then you don't have to run certbots on every single server in your network.

4

Web Proxy Filtering and Caching / [HAPROXY] OCSP stapling (cronjob) not working

« on: April 06, 2021, 12:01:23 pm »

Hello,

since the latest version of HAProxy now supports OCSP stapling I thought it would be a good idea to switch from the "workaround-script" to the official option.

However the option is not working for me. The system log shows the error below.

Code: [Select]

2021-04-06T03:42:01 configd.py[18127] [b2eb554c-4009-4e75-9e58-3f8a1a64e656] Script action stderr returned "b'WARNING: no nonce in response\nResponse verify OK\nWARNING: no nonce in response\nResponse verify OK'"
2021-04-06T03:42:00 configd.py[18127] [b2eb554c-4009-4e75-9e58-3f8a1a64e656] update haproxy ocsp data
I also made some pictures of my config.
https://imgur.com/a/XM9tpZt

5

Web Proxy Filtering and Caching / Re: Let's Encrypt: multiple domains with different WAN IPs, individual certificates

« on: February 25, 2021, 05:09:17 pm »

Services --> Let's Encrypt --> Challenge Type

Make a new HTTP challenge using the 2nd WAN.

In the meantime someone in the german forum already told me to do so.
But thank you still!

This works perfectly fine.

6

German - Deutsch / Re: Let's Encrypt: mehrere WAN IPs mit indiviuellen Zertifikaten

« on: February 25, 2021, 05:07:43 pm »

Hat funktioniert, besten Dank!

7

German - Deutsch / Re: Let's Encrypt: mehrere WAN IPs mit indiviuellen Zertifikaten

« on: February 25, 2021, 01:54:41 pm »

Also im HAProxy ein zweites Frontend (z.B. Frontend_WAN2) für das Let's Encrypt Plugin erstellen, das auf "WAN2_IP:80" lauscht.
Anschließend im LE Plugin unter Validation Methods eine zweite HTTP-01 Validation Methode erstellen (siehe Bild) und diese dann im Zertifikat2 hinterlegen.
Natürlich noch die Firewall entsprechend anpassen.



Ist das so richtig oder habe ich irgendwo einen Denkfehler?

8

Web Proxy Filtering and Caching / Re: Let's Encrypt: multiple WAN IPs with individual certificates

« on: February 25, 2021, 11:42:27 am »

I know that LE issues certificates for domains not IPs.

I updated the first post.

9

German - Deutsch / [GELÖST] Let's Encrypt: mehrere WAN IPs mit indiviuellen Zertifikaten

« on: February 25, 2021, 11:20:11 am »

Hallo,

ich habe bei mir die OPNsense als Reverse Proxy im Einsatz.

Bisher benötigte ich ich nur ein Zertifikat für eine meiner WAN IPs.
Allerdings benötige ich jetzt ein weiteres Zertifikat für eine meiner anderen WAN IPs.

Wie kann ich das erreichen?
Ich weiß, wie ich ein zweites WAN Interface auf der OPNsense anlege und die anderen Einstellungen tätige.
Aber wie kann ich dem ACME Client sagen, dass er WAN1 für Zertifikat1 und WAN2 für Zertifikat2 nutzen soll?

Denn wenn ich das zweite Zertifikat erstellen möchte, nutzt ACME den default Gateway (WAN1), wodurch die Erstellung fehlschlägt, weil die Domain nicht zur IP passt.

10

Web Proxy Filtering and Caching / [SOLVED] LE: multiple domains with different WAN IPs, individual certificates

« on: February 25, 2021, 10:42:40 am »

Hello,

I have set up my OPNsense as a reverse proxy using HAProxy and Let's Encrypt.

Right now I only have one certificate for my domain1.browne.com that has WAN1_IP.
However I need another certificate for my domain2.browne.com that has WAN2_IP.

My setup looks like this:
WAN1_IP (10.1.1.1) --> domain1.browne.com --> already uses a LE certificate (certificate1)
WAN2_IP (10.1.1.2) --> domain2.browne.com --> doesn't use LE certificate, but needs one (certificate2)

I know how to create the 2nd WAN interface and all that...
But how do I tell the ACME client to use WAN1 to generate certificate1 and use WAN2 for certificate2?

When I try to get certificate2 the ACME client on OPNsense always uses the default gateway, which is in my case WAN1 (10.1.1.1). The certificate generation then fails because certificate2 is resolving domain2 (10.1.1.2) during acme challenge. So the IP (WAN1) requesting the certificate (certificate2) is not matching to the IP of the domain (domain2) listed inside the certificate.

11

General Discussion / Re: HAProxy + OCSP Stapling with Let's Encrypt

« on: September 28, 2020, 11:35:02 am »

Just found this: https://github.com/opnsense/plugins/issues/1430#issuecomment-692265194

I guess we all have to go without OCSP or use the script from above, until HAProxy supports this.


browne

12

General Discussion / [SOLVED] HAProxy + OCSP Stapling with Let's Encrypt

« on: September 28, 2020, 10:36:49 am »

I am running HAProxy as a reverse proxy in HTTP / HTTPS (SSL offloading) mode using Let’s Encrypt ACME on OPNsense.
Everything is working fine and I am right now fine tuning my setup.

The only thing left to do is to get OCSP stapling to work!
My certificate already contains the OCSP Must Staple extension.


SSL Labs

Code: [Select]

This server certificate supports OCSP must staple but OCSP response is not stapled.
Firefox brings this, once I use a certificate with the OCSP must staple extension.

Code: [Select]

MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
How do I proceed from here on?
I had a look at all the HAProxy settings but couldn’t really figure out how to set up OCSP stapling.


Regards
browne

13

General Discussion / Re: [SOLVED] HAProxy + Remote Desktop Gateway

« on: September 23, 2020, 12:02:34 pm »

We tracked it down to some NTLM issues on the RDP Gateway...
https://support.microsoft.com/en-us/help/2903333/terminal-services-client-connection-error-0xc000035b-when-you-use-lmco

Anyway it is working perfectly fine now!

14

General Discussion / Re: Haproxy and RDS 2019

« on: September 21, 2020, 03:23:19 pm »

You need a condition with path contains string "remoteDesktopGateway" and a rule to match this condition and execute function "http-request deny".

Then it will work ...

This was the solution for my problem. Thank you!
https://forum.opnsense.org/index.php?topic=19169

15

General Discussion / Re: HAProxy + Remote Desktop Gateway

« on: September 21, 2020, 03:06:08 pm »

Thank you very much!
I already saw your post in that other thread, but couldn't believe it had to do with my problem.

Could you please explain to me: Why do I have to use this rule and what exactly it does?

browne