Messages - hopey

#1
@TheHellSite: Thanks for your tutorial; it helped me understand things a bit better!

I just had this problem: https://forum.opnsense.org/index.php?topic=27903.new#new. That's why I was reading your thread.

What was strange to me was that you need to change the port of your OPNsense web interface! That's the point where I thought there might be a better solution 😬 I was reading and found this tutorial: https://schulnetzkonzept.de/opnsense. This guy just used a virtual IP, like you did. But instead of pointing to the lookup address, he just introduced a new address and let HAProxy listen on it. And so did I, and it worked like a charm! (details in the problem linked above)

Maybe you want to add it to your tutorial too?

Have a nice day!

#2
It seemed to have worked because of a kernel setting that might have changed later on (the kernel now seems to prevent binding HAProxy to an address used anywhere else).

I found a solution on my own now... I read the tutorial https://schulnetzkonzept.de/opnsense and came up with the idea to add a virtual IP (Interfaces / Virtual IPs / Settings → Add, Mode IP Alias).
HAProxy now listens on this virtual address.
Via Unbound DNS (Services / Unbound DNS / Overrides / Host Overrides → Add) I map my subdomains to this one virtual address and everything is working like a charm!

Have a nice day!

#3
Hello all ;)

I have an issue with my (once working) HAProxy 🙄 It is used to offload the (Let's Encrypt) SSL certificate for my server instances (Nextcloud and TrueNAS). I thought this was the more elegant way than copying the certificate to the servers on every Let's Encrypt renewal. But it stopped working (I have automatic updates activated) with the following error message:

[NOTICE] (46781) : haproxy version is 2.4.15
[NOTICE] (46781) : path to executable is /usr/local/sbin/haproxy
[ALERT] (46781) : parsing [/usr/local/etc/haproxy.conf.staging:44] : 'bind' : invalid address: 'nextcloud.<domain>.de' in 'nextcloud.<domain>.de:443'
[ALERT] (46781) : parsing [/usr/local/etc/haproxy.conf.staging:45] : 'bind' : invalid address: 'truenas.<domain>.de' in 'truenas.<domain>.de:443'
[ALERT] (46781) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (46781) : Fatal errors found in configuration.


I don't really understand this error. For sure the address is not present; HAProxy should listen at this address.

When I give the servers the hostname (used for listening) in the static DHCP table or via Unbound DNS, the error vanishes and I can save the config... but HAProxy does not work (I imagine the request is routed directly to the servers instead of going through the proxy).

I think a good starting point for the analysis is the config OPNsense generates:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: frontend_ssl_injection ()
frontend frontend_ssl_injection
    bind nextcloud.<domain>.de:443 name nextcloud.<domain>.de:443 ssl  crt-list /tmp/haproxy/ssl/620b750b826711.38878536.certlist
    bind truenas.<domain>.de:443 name truenas.<domain>.de:443 ssl  crt-list /tmp/haproxy/ssl/620b750b826711.38878536.certlist
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: nextcloud_bedingung
    acl acl_620ba6f6251f72.51186815 hdr_beg(host) -i nextcloud
    # ACL: truenas_bedingung
    acl acl_620bbec7c8bf05.22443063 hdr_beg(host) -i truenas

    # ACTION: nextcloud_regel
    use_backend nextcloud_backend if acl_620ba6f6251f72.51186815
    # ACTION: truenas_regel
    use_backend truenas_backend if acl_620bbec7c8bf05.22443063

# Backend: nextcloud_backend ()
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server nextcloud_server XX.XX.XX.XX:443 ssl verify none

# Backend: truenas_backend ()
backend truenas_backend
    # health checking is DISABLED
    mode http
    balance uri
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server truenas_server YY.YY.YY.YY:443 ssl verify none

# Backend (DISABLED): brother_backend ()

listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# statistics are DISABLED


I might have misunderstood this proxy completely 😬 Hopefully you can help, please ☕

Have a nice day!
Matthias
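
The `bind` failure in #3 and the Virtual IP fix in #2, as an added example that is not part of this thread and is not OPNsense or HAProxy code: a small Python pre-flight lint over the `bind` lines of a generated haproxy.conf. The addresses 192.0.2.x, the names under example.org, the certlist path and the two frontend snippets are all constructed for the example, and the verdict strings are mine. The reasoning it encodes: HAProxy resolves a hostname in `bind` with the libc resolver while parsing, so an unresolvable name is rejected as 'invalid address'; a name that an Unbound override points at the backend parses fine, but bind(2) on an address the firewall does not own fails (there is no `transparent`/nonlocal bind here), and every client resolving that same name goes straight to the backend, so the proxy never sees the request. The fix the thread converges on is to bind the frontend to an IP literal the firewall actually owns (the IP Alias) and point the Unbound host overrides at that address.

```python
# Added example (not from this OPNsense forum thread): a pre-flight lint for
# HAProxy `bind` lines. Every address, hostname, path and config snippet below
# is constructed for the example; the verdict strings are the author's own.
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

BIND_RE = re.compile(r"^\s*bind\s+(\S+)")

# Verdicts, ordered from "config refused" to "fine".
INVALID = "invalid address: name does not resolve, HAProxy rejects the config"
NOT_LOCAL = ("name resolves to an address this host does not own: bind(2) fails "
             "and clients resolving the name reach the backend directly")
LITERAL_NOT_LOCAL = "IP literal not assigned here: add it as a Virtual IP (IP Alias) first"
NAME_LOCAL = "name resolves to a local address: prefer the IP literal so startup needs no DNS"
OK = "ok"


def split_host_port(target: str) -> Tuple[str, Optional[int]]:
    """Split an HAProxy bind target: 'host:port', '[v6]:port', ':port', '*:port', 'host'."""
    if target.startswith("["):                      # bracketed IPv6, e.g. [2001:db8::1]:443
        host, _, rest = target[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, sep, port = target.rpartition(":")
        if not sep:                                 # bare address or name without a port
            host, port = target, ""
    return host, (int(port) if port.isdigit() else None)


def classify_bind(target: str, local_addrs: Set[str], resolver: Dict[str, str]) -> str:
    """Say what HAProxy (and the kernel) will do with one bind target.

    local_addrs: addresses configured on this host, including Virtual IPs.
    resolver:    name -> address, standing in for the libc resolver HAProxy
                 consults while parsing (Unbound host overrides end up here).
    """
    host, _port = split_host_port(target)
    if host in ("", "*"):                           # wildcard: always bindable
        return OK
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                              # not a literal, so a hostname
        resolved = resolver.get(host.lower())
        if resolved is None:
            return INVALID
        return NAME_LOCAL if resolved in local_addrs else NOT_LOCAL
    return OK if str(addr) in local_addrs else LITERAL_NOT_LOCAL


def check_config(text: str, local_addrs: Set[str],
                 resolver: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (line number, bind target, verdict) for every bind line in a config."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = BIND_RE.match(line)
        if m:
            findings.append((lineno, m.group(1),
                             classify_bind(m.group(1), local_addrs, resolver)))
    return findings


def is_clean(findings: List[Tuple[int, str, str]]) -> bool:
    return all(verdict == OK for _, _, verdict in findings)


# --- constructed sample data -------------------------------------------------
LOCAL_ADDRS = {"127.0.0.1", "192.0.2.1", "192.0.2.10"}   # loopback, LAN, IP Alias (VIP)
# Unbound override pointing the Nextcloud name at the Nextcloud host itself,
# as tried in #3; the TrueNAS name has no override and does not resolve.
RESOLVER = {"nextcloud.example.org": "192.0.2.50"}

BROKEN = """\
frontend frontend_ssl_injection
    bind nextcloud.example.org:443 name nc ssl crt-list /tmp/haproxy/ssl/example.certlist
    bind truenas.example.org:443 name tn ssl crt-list /tmp/haproxy/ssl/example.certlist
    mode http
"""

# One listener on the VIP; the Host header picks the backend, as the posted
# ACLs already do. Unbound host overrides for both names then point at 192.0.2.10.
FIXED = """\
frontend frontend_ssl_injection
    bind 192.0.2.10:443 name vip443 ssl crt-list /tmp/haproxy/ssl/example.certlist
    mode http
    acl is_nextcloud hdr_beg(host) -i nextcloud
    acl is_truenas hdr_beg(host) -i truenas
    use_backend nextcloud_backend if is_nextcloud
    use_backend truenas_backend if is_truenas
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"[{label}]")
        for lineno, target, verdict in check_config(cfg, LOCAL_ADDRS, RESOLVER):
            print(f"  line {lineno}: bind {target} -> {verdict}")
```

To use it on a real box, feed it the generated /usr/local/etc/haproxy.conf, the address list from `ifconfig` (Virtual IPs included) and the resolver your clients actually use; a clean result means every frontend is bound to something the kernel will accept. Two other lines in the posted config deserve a look while you are there: `server ... ssl verify none` means HAProxy does not authenticate the Nextcloud and TrueNAS certificates, so the hop from the firewall to the backends is encrypted but unverified, and `tune.ssl.default-dh-param 1024` selects a 1024-bit DH group, below the 2048 bits HAProxy itself defaults to.
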
#4
Hello all,

I'm quite new to firewall configuration, and as it is quite important not to make stupid mistakes here, I would appreciate your opinion on this topic a lot.

I plan to have a forward proxy on an external interface of my OPNsense installation (I already have a fixed IP address for VPN purposes). The reason is a quite restrictive filtering proxy on my work PC. Some chat applications are blocked there, but in these applications I can add a proxy server. As I don't want some service provider scanning my network traffic, I want to use my OPNsense to route all chat traffic through my place at home to get around the proxy at work.

Can you please give me some hints on how to build such a configuration in the best and safest way?

Thanks a lot in advance!
Matthias