Messages

1

21.7 Legacy Series / Log corruption in GUI?

« on: September 25, 2021, 11:04:07 am »

At first it seemed I couldn't get anyy logs to show up in the GUI, only older logs would show up. I re-installed, re-used my config from a fresh backup, made sure I was up to date, did a health check. Anything and everything I could think of.

But just now I noticed that my logs are updated, but the GUI initially shows logs which were made during the installation and current logs are only shown much further down even though the dates are newer, or will not show up at all.

I have already checked the logs with clog and everything seems perfectly fine, but all (yes, I've tried most if not all) GUI logging is completely messed up.

Attachment shows a snippet of the audit log, but the results are similar all over.

2

Tutorials and FAQs / Re: HowTo - Let's encrypt with HaProxy with 19.1.4

« on: March 29, 2021, 01:03:56 pm »

Currently working on getting this set up using opnsense 21.1.3_3, os-haproxy 3.0 and os-acme-client 2.4
Aka, I'm running 'latest'

One "no_HTTPS" condition: "SSL/TLS connection established" and this negated (Hook @ bottom of menu)
This condition type doesn't exist (anymore). I chose "Traffic is HTTP", and then NOT negated.

Issue found, not fully resolved: The order of the rules when creating the "Virtual services / Public Services" is very important.

See https://github.com/opnsense/plugins/issues/1000 & https://github.com/opnsense/plugins/issues/1925



Remaining problem:

[WARNING] 087/142215 (72748) : parsing [/usr/local/etc/haproxy.conf.staging:66] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.
[WARNING] 087/142215 (72748) : parsing [/usr/local/etc/haproxy.conf.staging:68] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.

 

Code: [Select]

63     # ACTION: redirect_acme_challenges                                         
 64     use_backend acme_challenge_backend if acl_605e1a292ddce1.15865947           
 65     # ACTION: rule_redirect_http_https                                         
 66     http-request redirect scheme https code 301 if !acl_6061a61b811977.92979045 acl_605e848931a523.42844100
 67     # ACTION: rule_no_host_match                                               
 68     http-request deny unless acl_605e858f8de9e6.77623103 || acl_605e85820c35d5.14821142 || acl_605e8558014977.72403767 || acl_605e1a292ddce1.15    865947
 69     # ERROR FILE: Unknown_FQDN                                                 
 70     errorfile 403 /tmp/haproxy/errorfiles/605e84df732dd0.89785772.txt
The redirect to https (line 66) is always run before the redirect to use_backend (line 64) as shown in the logs of the acme-client

2021-03-29T13:12:25   acme.sh[16275]   ] nope.nope:Verify error:Fetching https://nope.nope/.well-known/acme-challenge/{challenge key}

The full haproxy.conf.staging can be found here: https://pastebin.com/bkbU0s88[/s]