Messages - mhartgring

#1
21.7 Legacy Series / Log corruption in GUI?
September 25, 2021, 11:04:07 AM
At first it seemed I couldn't get any logs to show up in the GUI, only older logs would show up. I re-installed, re-used my config from a fresh backup, made sure I was up to date, did a health check. Anything and everything I could think of.

But just now I noticed that my logs are updated, but the GUI initially shows logs which were made during the installation and current logs are only shown much further down even though the dates are newer, or will not show up at all.

I have already checked the logs with clog and everything seems perfectly fine, but all (yes, I've tried most if not all) GUI logging is completely messed up.

Attachment shows a snippet of the audit log, but the results are similar all over.

#2
Currently working on getting this set up using opnsense 21.1.3_3, os-haproxy 3.0 and os-acme-client 2.4
Aka, I'm running 'latest'

One "no_HTTPS" condition: "SSL/TLS connection established" and this negated (Hook @ bottom of menu)
This condition type doesn't exist (anymore). I chose "Traffic is HTTP", and then NOT negated.

Issue found, not fully resolved: The order of the rules when creating the "Virtual services / Public Services" is very important.

See https://github.com/opnsense/plugins/issues/1000 & https://github.com/opnsense/plugins/issues/1925



Remaining problem:

Quote:
[WARNING] 087/142215 (72748) : parsing [/usr/local/etc/haproxy.conf.staging:66] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.
[WARNING] 087/142215 (72748) : parsing [/usr/local/etc/haproxy.conf.staging:68] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.

63     # ACTION: redirect_acme_challenges
64     use_backend acme_challenge_backend if acl_605e1a292ddce1.15865947
65     # ACTION: rule_redirect_http_https
66     http-request redirect scheme https code 301 if !acl_6061a61b811977.92979045 acl_605e848931a523.42844100
67     # ACTION: rule_no_host_match
68     http-request deny unless acl_605e858f8de9e6.77623103 || acl_605e85820c35d5.14821142 || acl_605e8558014977.72403767 || acl_605e1a292ddce1.15865947
69     # ERROR FILE: Unknown_FQDN
70     errorfile 403 /tmp/haproxy/errorfiles/605e84df732dd0.89785772.txt


The redirect to https (line 66) is always run before the redirect to use_backend (line 64) as shown in the logs of the acme-client

Quote:
2021-03-29T13:12:25   acme.sh[16275]   ] nope.nope:Verify error:Fetching https://nope.nope/.well-known/acme-challenge/{challenge key}

The full haproxy.conf.staging can be found here: https://pastebin.com/bkbU0s88
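
The evaluation order that the HAProxy warning in the post above describes, as an added example that is not part of the original post or of the OPNsense plugin: a small Python model of a frontend in which every `http-request` rule is evaluated before any `use_backend` rule. The ACL names (`is_acme`, `is_http`, `known_host`) are hypothetical stand-ins for the generated `acl_...` names, the redirect condition is simplified, and excluding the challenge ACL from the redirect is an assumed fix, shown as one common way to let the challenge reach its backend.

```python
# Added example: a model of HAProxy's frontend rule order, not HAProxy itself.
# ACL names are hypothetical stand-ins for the generated acl_<id> names.

def cond_true(tokens, facts):
    """Evaluate 'a !b || c': terms are ANDed, groups are ORed, '!' negates."""
    groups, cur = [], []
    for tok in tokens:
        if tok in ("||", "or"):
            groups.append(cur)
            cur = []
        else:
            cur.append(tok)
    groups.append(cur)
    return any(all((t[1:] not in facts) if t.startswith("!") else (t in facts)
                   for t in g) for g in groups)

def rule_matches(words, facts):
    """Split a rule at 'if'/'unless'; a rule with no condition always matches."""
    for kw in ("if", "unless"):
        if kw in words:
            hit = cond_true(words[words.index(kw) + 1:], facts)
            return hit if kw == "if" else not hit
    return True

def decide(frontend, facts):
    """http-request rules run first, in order; use_backend is consulted only after."""
    rules = [l.split() for l in frontend.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    for w in rules:
        if w[0] == "http-request" and w[1] in ("redirect", "deny") and rule_matches(w, facts):
            return w[1]                      # final action, no backend is selected
    for w in rules:
        if w[0] == "use_backend" and rule_matches(w, facts):
            return "backend:" + w[1]
    return "default"

# Same rule order as the posted frontend, conditions simplified (constructed).
AS_POSTED = """
use_backend acme_challenge_backend if is_acme
http-request redirect scheme https code 301 if is_http
http-request deny unless known_host || is_acme
"""
# Assumed fix: keep the redirect away from ACME challenge requests.
FIXED = AS_POSTED.replace("if is_http", "if is_http !is_acme")

# Constructed request: plain-HTTP GET for /.well-known/acme-challenge/<token>
CHALLENGE = {"is_http", "is_acme"}

if __name__ == "__main__":
    print("as posted:", decide(AS_POSTED, CHALLENGE))
    print("fixed:    ", decide(FIXED, CHALLENGE))
```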