Messages - bucky2780

#1
well... this helped me... thank you.

I wonder why this is even necessary? I installed ntopng on my trusted network, so activity between devices on the same subnet should not require specific rules...

hmmm
#2
General Discussion / Re: mDNS Repeater and firewall rules
February 25, 2025, 10:10:05 AM
yes, also interested in the response to this question... anyone ?
#3
I found an interim fix for this problem.
I set the opnsense caddy handler to use http 1.1 only. This seems to solve the issue.

Not sure I love it... but works for now.
#4
caddy can't start the opnsense web gui after upgrading to 24.7.12

Was working fine before the upgrade.

the handler is configured to do a TLS skip verify... so not sure why it's stumbling over this...

edit: Interesting in that it seems to work OK from a "Private Window". Browser must be holding on to something?


#5
Just wanted to give a big high five to the Caddy team for integrating their solution neatly into OPNsense.
I revisited Caddy about a year ago... and settled on HAProxy instead, since the Caddy implementation on OPNsense was quite immature at the time. HAProxy comes with some complexity and I reluctantly used it for the last 12 months.

What a difference a year makes....

I revisited Caddy yesterday, and got my whole reverse proxy up in a couple of hours. Integration with core OPNsense was much better than I first envisioned. I really like how Caddy leverages the trust store in OPNsense should you choose to go that way (I did).

I found the doco incredibly clear, concise and super relevant for what I was trying to achieve...

I can see that it is capable of doing way more than reverse proxying... and good to know. I may have some use for layer 4, or perhaps simple web hosting... in the future.

Chapeau
#6
same thing happened to me.

I had previously installed the mimugmail tailscale pkg... and configured it.

I then installed the tailscale plugin and the system became unresponsive and DNS started failing....

I uninstalled the plugin and returned to some normalcy... will try again later.

Are there any special install instructions for the plugin? I suspect I should have uninstalled the tailscale pkg before installing the plugin... am I wrong?

#7
I have got this to work, and use this approach on an experimental basis only...
It's a bit weird running your router in a VM on Proxmox... because the VM has to come up before your home network can get served with IP addresses. This is why bare metal is much easier to deal with for the noob. It is easier to have your network infrastructure run out of band from your trusted services.

I use a Lenovo 1 litre PC, with a 4-port Ethernet card in it... works fine.

For Proxmox... you will really need 3 NICs to keep things simple.
- WAN (connects to your router/modem for internet)
- LAN (serves your home with trusted network services and DHCP)
- Proxmox management port (part of your LAN. This is where the Proxmox UI is defined)

In Prox, you can define LAN and WAN as bridged interfaces... which is the easier way to go... The other alternative is to do PCI passthrough of the NICs, so Prox will use the hardware directly, without the added software layer of a bridge. The latter is more performant, but not really a big issue at the 1Gbit interface level.

Stick with it... it's fun to do if you have the time...
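A worked Proxmox host network configuration for the three-NIC layout described in the post above. This is an added example, not config from the original post or from the OPNsense/Proxmox projects; the NIC names enp1s0/enp2s0/enp3s0, the 192.168.1.0/24 LAN, the .1 OPNsense address and the .2 management address are assumptions, so substitute your own (check names with `ip -br link`).

```conf
# /etc/network/interfaces on the Proxmox host (Debian ifupdown syntax).
# Layout: one NIC bridged for WAN, one bridged for LAN, one plain host NIC
# for Proxmox management cabled into the LAN switch. Names/addresses assumed.

auto lo
iface lo inet loopback

# WAN NIC: the host owns no address here; it is only a member of vmbr0.
# The OPNsense VM's WAN vNIC attaches to vmbr0 and does DHCP/PPPoE itself.
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
    # The bridge still sees ISP traffic, so stop the host kernel from
    # auto-configuring an IPv6 address on it via router advertisements.
    post-up sysctl -w net.ipv6.conf.vmbr0.accept_ra=0
    post-up sysctl -w net.ipv6.conf.vmbr0.autoconf=0

# LAN NIC: again no host address. The OPNsense VM's LAN vNIC hangs off vmbr1
# and serves DHCP/DNS to the rest of the house.
iface enp2s0 inet manual

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0

# Management NIC: a plain host interface with a static LAN address, plugged
# into the LAN switch. The Proxmox UI (https://192.168.1.2:8006) lives here,
# so it stays reachable from a statically-addressed laptop even while the
# OPNsense VM (192.168.1.1) is down and nobody is handing out DHCP leases.
auto enp3s0
iface enp3s0 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
```

Apply with `ifreload -a`, then give the OPNsense VM two virtio NICs, one on vmbr0 (assign as WAN inside OPNsense) and one on vmbr1 (LAN). Keeping the host off vmbr0 and vmbr1 entirely is what makes the management path "out of band": the host is never an IP endpoint on the WAN segment, and management does not depend on the firewall VM being up. If you later switch to PCI passthrough for WAN/LAN, the two bridge stanzas go away and only the management stanza remains.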





#8
Thanks monviech... I gave Caddy another try... I currently run HAProxy, but don't really need load balancing for the home network, Caddy is simpler.
My results were uneven... thus far. Here is what I did....
- Turned off DDNS as relying on OPNsense for that
- Gave the domain a custom cert located in the OPNsense trust store.
- Gave the domain a custom port of 30000, as HAProxy is currently binding to 443 and 80.
- With this approach, Caddy does not terminate the connection. Seems to work however if I give it default 443

- Further to this... I disabled HAProxy, and enabled Caddy
- created a brand new domain and OPNsense LE cert.
- bound Caddy to 443 and it seemed to work OK
- Home Assistant loaded fine, the backend is unencrypted
- when the backend was encrypted however, I checked the TLS box for the backend, but alas it failed to certify
  - this was the OPNsense GUI... which I put on a different port (41443)
  - GUI failed to load.
  - A similar approach seems to work in HAProxy... where you check TLS but don't bother to certify.

I will try again in a few days... to see if I can work around some of these things...
best regards,
#9
nice plugin... super simple!

Is it possible to defer certs to the OPNsense trust store?
I already have LE generating certs there... and would like to use those, rather than have Caddy own the process of creating/renewing the cert?

------------ answer ------
I can see now that you can select another cert if you use the advanced option for the domain.
#10
my road warrior setup was not properly connecting, so I consulted the latest release documentation to see if everything was set up properly.
The doco appears corrupted. The instructions point to items that do not exist, and it has become very confusing.

Perhaps a close reading is needed to see if the document remains fit for purpose.
#11
I have this problem too... still wondering how to overcome this.
#12
23.7 Legacy Series / Re: htop installation fails
January 01, 2024, 03:10:21 AM
trying to install htop from the mimugmail repo.... but it's not there.
Am I missing something?
#13
General Discussion / forum search within a specific topic
December 19, 2023, 10:37:37 PM
Is this possible?
I searched around and could not find anything.
I have a topic that is some 40 pages long and would like to search through it...
the search feature on the forum does not seem to provide this...
anyone?
#15
techsolo12

It is probably a DNS issue. You need to set up a NAT reflection solution, so that internal DNS names will map to the gateway, where HAProxy can do its work (much the same as when you are coming from external).

I use Unbound for DNS, and set up a wildcard DNS entry much the same as I did on Cloudflare and deSEC. This wildcard entry points to the OPNsense gateway, and HAProxy then does its magic.

hope that helps... (worked for me)


Quote from: techsolo12 on November 26, 2023, 08:42:58 PM
First of all, a huge thank you to TheHellSite for this detailed tutorial!

Unfortunately, I need your help. I have configured HAProxy as described in the tutorial. However, with my own domain.

All services that are to be reached externally work as desired. Only the internal service does not seem to be "noticed" by HAProxy. Unfortunately, no accesses to the "node2-ipmi" service from the source IP from the "10.10.10.0/24" network appear in the log. I cannot connect to the service "node2-ipmi".

In Firefox I got this warning "SEC_ERROR_UNKNOWN_ISSUER".

Since no log entries appear in the log, I cannot attach any.

Config export:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (listening to 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (listening on 127.0.0.1:80)
frontend 1_HTTP_frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_65612d875c4e55.24914702 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_65612d875c4e55.24914702

# Frontend: 1_HTTPS_frontend (listening to 127.0.0.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6561dfa723cb35.23136075.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_FQDN_condition
    acl acl_6563927a593ba4.09519486 src domain.tld
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_65627ea0efa5d5.95729048 src 10.10.5.0/28 10.10.10.0/24 10.10.11.0/24
    # ACL: nextcloud_caldav
    acl acl_65626936202592.20944712 path_beg -i /.well-known/caldav
    # ACL: nextcloud_carddav
    acl acl_656269439b5220.54434789 path_beg -i /.well-known/carddav

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/656277f5815fc5.43737480.txt)] if acl_6563927a593ba4.09519486 || acl_65627ea0efa5d5.95729048
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/65612e0d931f69.06203948.txt)]
    # ACTION: nextcloud_dav
    http-request set-path /remote.php/dav if acl_65626936202592.20944712 || acl_656269439b5220.54434789

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend: cloud_backend ()
backend cloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server cloud_server 10.10.20.5:80

# Backend: vw_backend ()
backend vw_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server vw_server 10.10.20.7:80

# Backend: office_backend ()
backend office_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server office_server 10.10.20.8:80

# Backend: rezepte_backend ()
backend rezepte_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server rezepte_server 10.10.20.9:3000

# Backend: cash_backend ()
backend cash_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server cash_server 10.10.20.10:5006

# Backend: node2-ipmi_backend ()
backend node2-ipmi_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server node2-ipmi_server 10.10.5.6:443 ssl verify none



# statistics are DISABLED


With best regards,
techsolo12
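The split-horizon wildcard that the reply above describes, written out as an Unbound configuration. This is an added example, not config from either poster or from the OPNsense project; the zone example.com, the gateway address 10.10.10.1, the carve-out name mail.example.com and the drop-in file path are assumptions. On OPNsense the usual place for raw Unbound directives is a .conf file under /usr/local/etc/unbound.opnsense.d/ (assumed path; the GUI host overrides do the same job for individual names).

```conf
# Assumed file: /usr/local/etc/unbound.opnsense.d/split-horizon.conf
# Goal: any name under example.com asked from the LAN resolves to the
# OPNsense LAN address, so the browser talks to HAProxy (which then routes on
# the Host/SNI name) instead of reaching the backend's real IP directly.
server:
    # "redirect" answers the zone name AND every name below it with the
    # local-data given for the zone name, i.e. a wildcard in one line.
    local-zone: "example.com." redirect
    local-data: "example.com. 300 IN A 10.10.10.1"

    # Carve-out: a name you host externally and do NOT want hairpinned.
    # A longer zone match wins, and a transparent zone with no local data
    # falls through to normal upstream resolution for that name.
    local-zone: "mail.example.com." transparent
```

Two checks worth running from a LAN client after the reload: `drill node2-ipmi.example.com @10.10.10.1` must return 10.10.10.1, not the backend's own address, otherwise HAProxy is bypassed and the browser is handed the backend's self-signed certificate (which is exactly the symptom an unknown-issuer warning would show). Second, confirm the client actually uses Unbound: Firefox with DNS-over-HTTPS enabled, or a device with a hard-coded public resolver, never sees this override and will resolve the public record instead. The redirect answer is served from local data, so Unbound's rebinding protection for private addresses in upstream replies does not affect it.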