Messages - dima1002

#1
Thanks for the info, I may take a look at it.

But HAProxy would be more important to me first, otherwise I have to change too much.

The thing under System - Access - Servers: is that only intended for OPNsense itself, or can I also use it for other servers behind HAProxy?
#2
Hi folks,
is it possible to enable 2FA for different services with OPNsense and HAProxy? I saw that there is such a function, but I don't know whether it can then also be applied to e.g. Nextcloud etc.?
If so, how?
Thanks :-)
#3
German - Deutsch / Re: HAProxy with 2 domains
August 10, 2024, 05:03:40 PM
That was actually my idea too, but for the mobile app I do need a certificate, especially for the 3 ports.

TLS 1.0 and TLS 1.1 cannot be used for the following ports; all higher TLS versions are supported:

443
5061
5222
#4
German - Deutsch / Re: HAProxy with 2 domains
August 10, 2024, 02:51:13 PM
Yes, but not entirely. Should I open a separate post for that?
I forward the RTP ports 10000-20000 directly to the PBX via NAT.

Only ports 443, 5060, 5061 and 5222

As far as I know, 5061, 443 and 5222 use TLS, so I tried to pass those through.
The app starts and the call can be answered too; as I said, there is just no audio.

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874
    # ACTION: telefon
    use_backend telefon if acl_65ae234d52eaa2.85527754


# Frontend: telefon_5222 ()
frontend telefon_5222
    bind 192.168.252.253:5222 name 192.168.252.253:5222
    mode tcp
    default_backend telefon5222

    # logging options

# Frontend: telefon_5060 ()
frontend telefon_5060
    bind 192.168.252.253:5060 name 192.168.252.253:5060
    mode tcp
    default_backend telefon5060

    # logging options

# Frontend: telefon_5061 ()
frontend telefon_5061
    bind 192.168.252.253:5061 name 192.168.252.253:5061
    mode tcp
    default_backend telefon5061

    # logging options

# Frontend: LetsEncrypt_test-technik.de (LetsEncrypt_test-technik.de)
frontend LetsEncrypt_test-technik.de
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.252.253:443 name 192.168.252.253:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66ad001d7bbba8.47335583.certlist
    mode http
    option http-keep-alive

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/
    # ACL: invoice2
    acl acl_66acf64f3d9ab6.26511269 hdr(host) -i www.test-technik.de

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874
    # ACTION: invoice2
    use_backend invoice if acl_66acf64f3d9ab6.26511269
    # WARNING: pass through options below this line
    redirect scheme https code 301 if !{ ssl_fc }

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: telefon ()
backend telefon
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server telefon443 192.168.211.5:443 ssl verify none

# Backend: telefon5222 ()
backend telefon5222
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server telefon5222 192.168.211.5:5222

# Backend: telefon5060 ()
backend telefon5060
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server telefon5060 192.168.211.5:5060

# Backend: telefon5061 ()
backend telefon5061
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server telefon5061 192.168.211.5:5061

#5
German - Deutsch / Re: HAProxy with 2 domains
August 10, 2024, 02:29:28 PM
OK, thanks, I'll have to look into that.
I have a second problem: with my telephony I get a connection but no audio. Is that perhaps also easier with Caddy? Or can you spot an error here as well?
#6
German - Deutsch / Re: HAProxy with 2 domains
August 10, 2024, 01:38:20 PM
I have now switched back to a single frontend with port 443, and now it does seem to work. No idea what was going on last time, then.
Does Caddy also work with OPNsense? If so, how?
#7
German - Deutsch / Re: HAProxy with 2 domains
August 10, 2024, 12:05:56 PM
That is how I had it before and then had problems, which is why I split it.
But I have configured SNI correctly everywhere, haven't I?
#8
German - Deutsch / HAProxy with 2 domains
August 10, 2024, 11:07:03 AM
Hello folks,

I have an HAProxy with 2 domains. In my example here with

service.de and test-technik.de

Now, for example, c.service.de should get the certificate from service.de, but it gets the one from test-technik.de.
Why?

# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 60s
    timeout connect 60s
    timeout server 60s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: Letsencrypt_80 ()
frontend Letsencrypt_80
    bind 192.168.252.253:80 name 192.168.252.253:80
    mode tcp
    default_backend acme_challenge_backend

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874

# Frontend: LetsEncrypt_service.de (LetsEncrypt_service.de)
frontend LetsEncrypt_service.de
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.252.253:443 name 192.168.252.253:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/657480646e0916.14570670.certlist
    mode http
    option http-keep-alive

    # logging options
    # ACL: Cloud
    acl acl_6574814183df20.44437889 ssl_fc_sni c.service.de
    # ACL: Bitwarden
    acl acl_6574821b797e36.16475695 hdr(host) -i v.service.de
    # ACL: BItwarden Archiv
    acl acl_6574823ea51b23.44386971 hdr(host) -i archiv.service.de
    # ACL: invoice1
    acl acl_657481f7177426.76902867 hdr(host) -i invoice.service.de
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/
    # ACL: telefon
    acl acl_65ae234d52eaa2.85527754 hdr(host) -i telefon.service.de
    # ACL: Grommunino1
    acl acl_664c906453f702.68929731 hdr(host) -i mail.service.de
    # ACL: Keycloak
    acl acl_668a627a78cb38.48749184 path_beg -i /auth
    # ACL: Autodiscover
    acl acl_657481df6faa20.35926111 hdr(host) -i autodiscover.service.de
    # ACL: Grommunino2
    acl acl_66aa0b17cdf2b9.22616028 hdr(host) -i mail.service.de

    # ACTION: Cloud
    use_backend Cloud if acl_6574814183df20.44437889
    # ACTION: Bitwarden
    use_backend Bitwarden if acl_6574821b797e36.16475695
    # ACTION: BitwardenArchiv
    use_backend BitwardenArchiv if acl_6574823ea51b23.44386971
    # ACTION: invoice1
    use_backend invoice if acl_657481f7177426.76902867
    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874
    # ACTION: telefon
    use_backend telefon if acl_65ae234d52eaa2.85527754
    # ACTION: Mailserver
    use_backend Mail1 if acl_664c906453f702.68929731
    # ACTION: Keycloak
    use_backend Keycloak if acl_668a627a78cb38.48749184
    # ACTION: Mail2
    use_backend Mail2 if acl_657481df6faa20.35926111 || acl_66aa0b17cdf2b9.22616028
    # WARNING: pass through options below this line
    redirect scheme https code 301 if !{ ssl_fc }

# Frontend: telefon_5222 ()
frontend telefon_5222
    bind 192.168.252.253:5222 name 192.168.252.253:5222
    mode tcp
    default_backend telefon5222

    # logging options

# Frontend: telefon_5060 ()
frontend telefon_5060
    bind 192.168.252.253:5060 name 192.168.252.253:5060
    mode tcp
    default_backend telefon5060

    # logging options

# Frontend: telefon_5061 ()
frontend telefon_5061
    bind 192.168.252.253:5061 name 192.168.252.253:5061
    mode tcp
    default_backend telefon5061

    # logging options

# Frontend: Mailserver_8443 ()
frontend Mailserver_8443
    bind 192.168.252.253:8443 name 192.168.252.253:8443
    mode tcp
    default_backend Mail2

    # logging options

# Frontend: LetsEncrypt_test-technik.de (LetsEncrypt_test-technik.de)
frontend LetsEncrypt_test-technik.de
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.252.253:443 name 192.168.252.253:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66ad001d7bbba8.47335583.certlist
    mode http
    option http-keep-alive

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/
    # ACL: invoice2
    acl acl_66acf64f3d9ab6.26511269 hdr(host) -i www.test-technik.de

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874
    # ACTION: invoice2
    use_backend invoice if acl_66acf64f3d9ab6.26511269
    # WARNING: pass through options below this line
    redirect scheme https code 301 if !{ ssl_fc }

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: Cloud ()
backend Cloud
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Cloud 192.168.211.32:80

# Backend: invoice ()
backend invoice
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    http-request set-header X-Real-IP %[src]
    http-reuse safe
    server invoice 192.168.211.30:443 ssl verify none

# Backend: Bitwarden ()
backend Bitwarden
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    retries 3
    # WARNING: pass through options below this line
    http-request set-header X-Real-IP %[src]
    http-reuse safe
    server Bitwarden 192.168.211.31:8080

# Backend: BitwardenArchiv ()
backend BitwardenArchiv
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server BitwardenArchiv 192.168.211.73:443 ssl verify none

# Backend: telefon ()
backend telefon
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server telefon443 192.168.211.5:443 ssl verify none

# Backend: Mail1 ()
backend Mail1
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-For %[src]
    option forwardfor
    http-reuse safe
    option forwardfor
    server Mailserver 192.168.211.33:443 ssl alpn h2,http/1.1 verify none cookie 6607c74887063778516557

# Backend: telefon5222 ()
backend telefon5222
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server telefon5222 192.168.211.5:5222

# Backend: telefon5060 ()
backend telefon5060
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server telefon5060 192.168.211.5:5060

# Backend: telefon5061 ()
backend telefon5061
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server telefon5061 192.168.211.5:5061

# Backend: Keycloak ()
backend Keycloak
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-For %[src]
    option forwardfor
    http-reuse safe
    option forwardfor
    server Keycloak 192.168.211.33:8080 cookie 668a62bcb6c3f299187837

# Backend: Mail2 ()
backend Mail2
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-For %[src]
    option forwardfor
    http-reuse safe
    option forwardfor
    server Mail2 192.168.211.83:443 ssl alpn h2,http/1.1 verify none cookie 66aa0aef4fe2c713022817
    server Mail21 192.168.211.83:8443 ssl alpn h2,http/1.1 verify none cookie 66aa2aaf5fe7c129653610



# statistics are DISABLED
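An added check, not part of the original thread: the Python script below parses an HAProxy configuration of the kind posted above and lists every address:port that is bound by more than one frontend, together with the certificate source (crt or crt-list) each of those frontends carries. In the posted config both LetsEncrypt_service.de and LetsEncrypt_test-technik.de bind 192.168.252.253:443, each with its own crt-list. HAProxy selects the certificate by SNI only from the crt-list of the listener that accepted the connection, and which of two listeners on the same socket address accepts a given connection is decided by the kernel, not by the SNI name, so a request for c.service.de can be answered from the test-technik.de list. The embedded config is a constructed, shortened copy of the posted one (ACL names and most TLS options trimmed); pass a path to the generated file as the first argument to check a real config.

```python
import re
import sys
from collections import defaultdict

# Constructed, shortened copy of the posted OPNsense/HAProxy config (not the complete original).
SAMPLE_CFG = """\
frontend Letsencrypt_80
    bind 192.168.252.253:80 name 192.168.252.253:80
    mode tcp
    default_backend acme_challenge_backend

frontend LetsEncrypt_service.de
    bind 192.168.252.253:443 name 192.168.252.253:443 ssl ssl-min-ver TLSv1.2 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/657480646e0916.14570670.certlist
    mode http
    acl acl_cloud ssl_fc_sni c.service.de
    use_backend Cloud if acl_cloud

frontend telefon_5061
    bind 192.168.252.253:5061 name 192.168.252.253:5061
    mode tcp
    default_backend telefon5061

frontend LetsEncrypt_test-technik.de
    bind 192.168.252.253:443 name 192.168.252.253:443 ssl ssl-min-ver TLSv1.2 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/66ad001d7bbba8.47335583.certlist
    mode http
    acl acl_invoice2 hdr(host) -i www.test-technik.de
    use_backend invoice if acl_invoice2
"""

SECTION_RE = re.compile(r"^(frontend|listen|backend|defaults|global)\b\s*(\S*)")
BIND_RE = re.compile(r"^\s*bind\s+(\S+)(.*)$")
CERT_RE = re.compile(r"\b(crt-list|crt)\s+(\S+)")


def parse_binds(cfg_text):
    """Return {frontend_name: [(address, cert_source_or_None), ...]}.

    Only 'frontend' and 'listen' sections accept client connections, so bind
    lines in any other section are ignored. cert_source is the crt/crt-list
    argument of the bind line, or None for a plain (non-TLS) listener.
    """
    binds = defaultdict(list)
    section = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            section = name if kind in ("frontend", "listen") else None
            continue
        m = BIND_RE.match(line)
        if m and section is not None:
            addr, opts = m.groups()
            cert = CERT_RE.search(opts)
            binds[section].append((addr, cert.group(2) if cert else None))
    return dict(binds)


def find_shared_binds(cfg_text):
    """Return {address: [(frontend, cert_source), ...]} for every address bound
    by more than one frontend. Two TLS listeners on one address with different
    crt-lists is exactly the pattern that produces SNI/certificate mix-ups."""
    by_addr = defaultdict(list)
    for fe, entries in parse_binds(cfg_text).items():
        for addr, source in entries:
            by_addr[addr].append((fe, source))
    return {addr: owners for addr, owners in by_addr.items() if len(owners) > 1}


def report(cfg_text):
    shared = find_shared_binds(cfg_text)
    if not shared:
        print("OK: every bind address is owned by exactly one frontend")
    for addr, owners in shared.items():
        print(f"SHARED {addr}:")
        for fe, source in owners:
            print(f"    {fe:32s} cert source: {source or '(no TLS)'}")
        if len({s for _, s in owners if s}) > 1:
            print("    -> different certificate lists on one address; merge into one"
                  " frontend whose single crt-list holds all certificates")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    report(text)
```

Against the constructed config this prints the shared 192.168.252.253:443 entry with the two crt-lists. The layout it points at is one :443 frontend whose crt-list contains both certificates, with the per-host `use_backend` rules keyed on `hdr(host)` or `ssl_fc_sni` as already done in the posted config; the later reply in this thread that "switched back to a single frontend with port 443" is the same change.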
#9
Hi,

under System - Access - Servers I connected to the Univention server via LDAP.
When I click Select under "Authentication containers" I get my folder selection.
So I am successfully connected to my server via LDAP, right?

In Univention I see:
sAMAccountName: benutzername

So I entered sAMAccountName under "User naming attribute".

When I now test on the test server, I only ever get "Authentication failed".
Unfortunately I cannot find a log for this on the UCS.

Thanks in advance
#10
German - Deutsch / Re: Redirect - Grommunio
July 12, 2024, 01:09:27 PM
The Keycloak server is installed on the Grommunio box. Does that perhaps help to understand the issue better?

Here is the nginx config from the Grommunio server:

#user  nginx;
worker_processes  1;
load_module lib64/nginx/modules/ngx_http_brotli_static_module.so;
load_module lib64/nginx/modules/ngx_http_brotli_filter_module.so;
load_module lib64/nginx/modules/ngx_http_vhost_traffic_status_module.so;

# load_module lib64/nginx/modules/ngx_http_fancyindex_module.so;
# load_module lib64/nginx/modules/ngx_http_headers_more_filter_module.so;
# load_module lib64/nginx/modules/ngx_http_image_filter_module.so;
# load_module lib64/nginx/modules/ngx_http_perl_module.so;
# load_module lib64/nginx/modules/ngx_http_xslt_filter_module.so;
# load_module lib64/nginx/modules/ngx_mail_module.so;
# load_module lib64/nginx/modules/ngx_rtmp_module.so;
# load_module lib64/nginx/modules/ngx_stream_module.so;

#error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

#pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
    use epoll;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    include conf.d/*.conf;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  /var/log/nginx/host.access.log  main;

        location / {
            root   /srv/www/htdocs/;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /srv/www/htdocs/;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           /srv/www/htdocs/;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   /srv/www/htdocs/;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    Allow TLS version 1.2 only, which is a recommended default these days
    #    by international information security standards.
    #    ssl_protocols        TLSv1.2;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   /srv/www/htdocs/;
    #        index  index.html index.htm;
    #    }
    #}

    include vhosts.d/*.conf;

}


Keycloak configuration

mail:~ # cat /etc/grommunio-keycloak/keycloak.conf
# SPDX-License-Identifier: AGPL-3.0-or-later
# SPDX-FileCopyrightText: 2023 grommunio GmbH

db=mariadb
proxy=edge
http-port=9080
http-relative-path=/auth
http-host=localhost
db-username=grommunio_keycloak
db-password=xxxxxxxxxxxx
db-url-database=grommunio_keycloak
db-url-host=localhost
hostname=mail.test.com


I now also have a different HAProxy configuration:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 60s
    timeout connect 60s
    timeout server 60s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: Letsencrypt_80 ()
frontend Letsencrypt_80
    bind 192.168.200.253:80 name 192.168.200.253:80
    mode tcp
    default_backend acme_challenge_backend

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874

# Frontend: LetsEncrypt (LetsEncrypt)
frontend LetsEncrypt
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.200.253:443 name 192.168.200.253:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/657480646e0916.14570670.certlist
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend

    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/
    # ACL: Grommunino
    acl acl_664c906453f702.68929731 hdr(host) -i mail.test.com
    # ACL: Keycloak
    acl acl_668a627a78cb38.48749184 path_beg -i /auth

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874
    # ACTION: Grommunio
    use_backend Grommunio if acl_664c906453f702.68929731
    # ACTION: Keycloak
    use_backend Keycloak if acl_668a627a78cb38.48749184
    # WARNING: pass through options below this line
    redirect scheme https code 301 if !{ ssl_fc }

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: Grommunio ()
backend Grommunio
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-For %[src]
    option forwardfor
    http-reuse safe
    option forwardfor
    server Grommunio 192.168.120.33:443 ssl alpn h2,http/1.1 verify none cookie 6607c74887063778516557

# Backend: Keycloak ()
backend Keycloak
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-For %[src]
    option forwardfor
    http-reuse safe
    option forwardfor
    server Keycloak 192.168.120.33:8080 cookie 668a62bcb6c3f299187837

# statistics are DISABLED
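An added diagnostic, not from the thread: the Python tracer below follows a login URL one redirect at a time (no automatic following), reports a loop when the same scheme/host/path comes around again, and flags every hop where an https URL is redirected to an http URL. Keycloak in proxy=edge mode, as in the posted keycloak.conf, builds the URLs it redirects to from the X-Forwarded-* headers the proxy sends, so an https-to-http hop points at those headers; in the posted backends X-Forwarded-Proto is only set `if { ssl_fc }`. Two further things worth checking against the posted files: the HAProxy `use_backend` rules are evaluated in order and the first match wins, so with `use_backend Grommunio if hdr(host) -i mail.test.com` listed before `use_backend Keycloak if path_beg -i /auth`, requests for mail.test.com/auth never reach the Keycloak backend; and keycloak.conf sets http-port=9080 while the Keycloak backend points at 192.168.120.33:8080. The responses embedded here are constructed to reproduce the symptom, not captured from the poster's server; mail.test.com is the hostname from the posted keycloak.conf.

```python
import sys
import http.client
import ssl
from urllib.parse import urlsplit, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def http_fetch(url, extra_headers=None, timeout=10):
    """One GET without following redirects; returns (status, lower-cased header dict)."""
    p = urlsplit(url)
    headers = {"Host": p.netloc, "User-Agent": "redirect-trace/1.0"}
    headers.update(extra_headers or {})
    if p.scheme == "https":
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    target = (p.path or "/") + (f"?{p.query}" if p.query else "")
    try:
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def _loop_key(url):
    # Keycloak appends changing state/session parameters, so compare without the query string.
    p = urlsplit(url)
    return (p.scheme, p.netloc.lower(), p.path or "/")


def trace_redirects(url, fetch=http_fetch, max_hops=10, extra_headers=None):
    """Follow Location headers hop by hop.
    Returns (hops, verdict): hops is a list of (url, status, location); verdict is
    'final', 'loop' (same scheme/host/path seen twice) or 'too-many'."""
    hops, seen, current = [], set(), url
    for _ in range(max_hops):
        key = _loop_key(current)
        if key in seen:
            return hops, "loop"
        seen.add(key)
        status, headers = fetch(current, extra_headers)
        location = headers.get("location")
        hops.append((current, status, location))
        if status not in REDIRECT_STATUSES or not location:
            return hops, "final"
        current = urljoin(current, location)
    return hops, "too-many"


def downgrade_points(hops):
    """Hops where an https URL was redirected to an http URL. Behind a TLS-terminating
    proxy this usually means the backend did not receive X-Forwarded-Proto: https."""
    out = []
    for url, _status, location in hops:
        if not location:
            continue
        target = urljoin(url, location)
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            out.append((url, target))
    return out


# Constructed responses that reproduce the symptom (not captured from the poster's server).
FAKE_RESPONSES = {
    "https://mail.test.com/auth/": (302, {"location": "http://mail.test.com/auth/realms/master/"}),
    "http://mail.test.com/auth/realms/master/": (301, {"location": "https://mail.test.com/auth/"}),
}


def fake_fetch(url, extra_headers=None):
    return FAKE_RESPONSES.get(url, (200, {}))


def print_trace(hops, verdict):
    for url, status, location in hops:
        print(f"{status} {url} -> {location or '(done)'}")
    print("verdict:", verdict)
    for src, dst in downgrade_points(hops):
        print(f"https->http downgrade: {src} -> {dst}  (check X-Forwarded-Proto / proxy headers)")


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python3 trace.py https://mail.test.com/auth/
        hops, verdict = trace_redirects(sys.argv[1])
    else:                                      # no argument: run against the constructed responses
        hops, verdict = trace_redirects("https://mail.test.com/auth/", fetch=fake_fetch)
    print_trace(hops, verdict)
```

Run it once through HAProxy and once straight against the backend with `extra_headers={"X-Forwarded-Proto": "https", "X-Forwarded-Host": "mail.test.com"}` (assumed header values, not from the thread); if the direct run produces only https Locations while the proxied run shows a downgrade, the proxy headers or the rule order are the place to look.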
#11
German - Deutsch / Re: Redirect - Grommunio
July 06, 2024, 07:26:04 PM
Here is my current configuration; I have already adjusted a few things:

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 60s
    timeout connect 60s
    timeout server 60s
    retries 3
    default-server init-addr last,libc

# Frontend: Letsencrypt_80
frontend Letsencrypt_80
    bind 192.168.252.122:80 name 192.168.252.122:80
    mode tcp
    default_backend acme_challenge_backend

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/
    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874

# Frontend: LetsEncrypt_443 (LetsEncrypt_443)
frontend LetsEncrypt_443
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.252.122:443 name 192.168.252.122:443 ssl crt /var/etc/acme-client/certs/33747d8d955811.89930809/fullchain.pem key /var/etc/acme-client/keys/33747d8d955811.89930809/private.key
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/
    # ACL: Grommunino
    acl acl_664c906453f702.68929731 hdr(host) -i mail.test.de

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874
    # ACTION: Grommunio
    use_backend Grommunio if acl_664c906453f702.68929731


# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: Grommunio
backend Grommunio
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie KC_ROUTE insert indirect nocache
    # WARNING: pass through options below this line
    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-For %[src]
    http-reuse safe
    option forwardfor
    server Grommunio 192.168.130.33:443 ssl alpn h2,http/1.1 verify none crt /var/etc/acme-client/certs/33747d8d955811.89930809/fullchain.pem key /var/etc/acme-client/keys/33747d8d955811.89930809/private.key

# statistics are DISABLED

#12
Oh, sorry: the Grommunio server has a Keycloak installed for 2FA.
I first log in with username and password, then the 2FA login comes, which is also still successful, and then it somehow does 2-3 redirects / loops.

What further info would you need? Or how can I help?

https://www.keycloak.org/server/reverseproxy

Can I actually edit the file directly in the shell?
/usr/local/etc/haproxy.conf or /usr/local/etc/haproxy.conf.staging?
Somehow the GUI keeps overwriting my configuration.
#13
German - Deutsch / Redirect - Grommunio
July 03, 2024, 06:21:49 PM
Hello,

could someone please look over my configuration?
With the Grommunio server I always get a redirect. Why?

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua
cache opnsense-haproxy-cache
    total-max-size 4
    max-age 60
    process-vary off

defaults
    log     global
    option redispatch -1
    timeout client 60s
    timeout connect 60s
    timeout server 60s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: Letsencrypt_80 ()
frontend Letsencrypt_80
    bind 192.168.252.253:80 name 192.168.252.253:80
    mode tcp
    default_backend acme_challenge_backend

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874

# Frontend: LetsEncrypt_443 (LetsEncrypt_443)
frontend LetsEncrypt_443
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 192.168.252.253:443 name 192.168.252.253:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/657480646e0916.14570670.certlist
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend
    option forwardfor

    # logging options
    # ACL: find_acme_challenge
    acl acl_6546b7f7e92430.59551874 path_beg -i /.well-known/acme-challenge/
    # ACL: grom
    acl acl_664c906453f702.68929731 hdr(host) -i mail.test.de



    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_6546b7f7e92430.59551874
    # ACTION: Grommunio
    use_backend Grommunio if acl_664c906453f702.68929731



# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580


# Backend: Grommunio ()
backend Grommunio
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # WARNING: pass through options below this line
    http-request set-header X-Real-IP %[src]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request cache-use opnsense-haproxy-cache
    http-response cache-store opnsense-haproxy-cache
    http-reuse safe
    option forwarded proto host for
    option forwardfor
    http-request cache-use opnsense-haproxy-cache
    http-response cache-store opnsense-haproxy-cache
    server Grommunio 192.168.133.33:443 ssl alpn h2,http/1.1 verify none



# statistics are DISABLED

#14
I deleted the certificate and created it again, but unfortunately the problem is still there.

The strange thing is that nslookup works, and pages without https work, just none with https.
Even though the server actually has nothing to do with HAProxy, when browsing I only get the certificate from HAProxy.

I have 4 more OPNsense servers with HAProxy, and everything works there.
#15
Here is the HAProxy configuration as well; I changed the names etc.:

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: Letsencrypt_80 (Letsencrypt_80)
frontend Letsencrypt_80
    bind 10.50.52.2:80 name 10.50.52.2:80
    mode tcp

    # logging options

# Frontend: LetsEncrypt_443 (LetsEncrypt_443)
frontend LetsEncrypt_443
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 10.50.52.2:443 name 10.50.52.2:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/665363d00b6901.61101611.certlist
    mode http
    option http-keep-alive
    default_backend acme_challenge_backend
    option forwardfor

    # logging options
    # ACL: find_acme_challenge
    acl acl_665360c0b7aef6.55967259 path_beg -i /.well-known/acme-challenge/
    # ACL: DIM01CHECKMK
    acl acl_66536313ce2220.70622935 hdr(host) -i checkmk.test.de

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if acl_665360c0b7aef6.55967259
    # ACTION: DIM01CHECKMK
    use_backend DIM01CHMK if acl_66536313ce2220.70622935

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe

# Backend: DIM01CHMK ()
backend DIM01CHMK
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server DIM01CHMK 10.50.50.4:443 ssl verify required ca-file /etc/ssl/cert.pem



# statistics are DISABLED
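Added example for this thread, not code from the original poster or from the OPNsense HAProxy plugin: a small Python linter that reads a dumped HAProxy config like the two posted above and flags what a reviewer would look for first: frontends without a default_backend, Layer-7 ACLs (path/hdr) in a mode tcp frontend, backends that are referenced but undefined or have no server line, and upstream TLS with verify none. The embedded CONFIG is a constructed, trimmed excerpt modelled on the posted configs, with the same placeholder host names and addresses.

```python
"""Lint a dumped HAProxy config for routing and upstream-TLS gaps.

Added example for this thread; not code from the OPNsense HAProxy plugin or
from the original poster. CONFIG is a constructed, trimmed excerpt modelled on
the two configs posted above (same placeholder hosts and addresses).
"""
import re
from dataclasses import dataclass, field

CONFIG = """\
frontend Letsencrypt_80
    bind 10.50.52.2:80 name 10.50.52.2:80
    mode tcp
    acl acl_acme path_beg -i /.well-known/acme-challenge/
    use_backend acme_challenge_backend if acl_acme

frontend LetsEncrypt_443
    bind 10.50.52.2:443 name 10.50.52.2:443 ssl crt-list /tmp/haproxy/ssl/example.certlist
    mode http
    default_backend acme_challenge_backend
    acl acl_mail hdr(host) -i mail.test.de
    acl acl_chmk hdr(host) -i checkmk.test.de
    use_backend Grommunio if acl_mail
    use_backend DIM01CHMK if acl_chmk

backend acme_challenge_backend
    mode http
    http-reuse safe

backend Grommunio
    mode http
    server Grommunio 192.168.133.33:443 ssl alpn h2,http/1.1 verify none

backend DIM01CHMK
    mode http
    server DIM01CHMK 10.50.50.4:443 ssl verify required ca-file /etc/ssl/cert.pem
"""

# Layer-7 sample fetches that only work in http mode (or after a tcp-request inspect-delay).
L7_FETCH = re.compile(r"\b(path|hdr|url|req\.hdr)")


@dataclass
class Section:
    kind: str                 # "frontend", "backend" or "listen"
    name: str
    lines: list = field(default_factory=list)


def parse_sections(text):
    """Split a config into proxy sections; global/defaults/cache blocks are skipped."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments
        if not line.strip():
            continue
        m = re.match(r"^(frontend|backend|listen)\s+(\S+)", line)
        if m:
            current = Section(m.group(1), m.group(2))
            sections.append(current)
        elif line[0].isspace() and current is not None:
            current.lines.append(line.strip())
        else:
            current = None                          # some other top-level block
    return sections


def lint(text):
    """Return (severity, message) findings for the config text, in config order."""
    sections = parse_sections(text)
    backends = {s.name for s in sections if s.kind in ("backend", "listen")}
    findings = []
    for s in sections:
        mode = next((l.split()[1] for l in s.lines if l.startswith("mode ")), None)
        if s.kind in ("frontend", "listen"):
            targets = [l.split()[1] for l in s.lines
                       if l.startswith(("default_backend ", "use_backend "))]
            if s.kind == "frontend" and not any(l.startswith("default_backend ") for l in s.lines):
                findings.append(("warn", f"frontend {s.name}: no default_backend, so unmatched "
                                         "traffic gets no backend (503 in http mode, closed in tcp mode)"))
            if mode == "tcp" and any(L7_FETCH.search(l) for l in s.lines if l.startswith("acl ")):
                findings.append(("warn", f"frontend {s.name}: Layer-7 ACLs (path/hdr) in mode tcp "
                                         "are not evaluated without http mode or a tcp-request inspect-delay"))
            for t in targets:
                if t not in backends:
                    findings.append(("error", f"frontend {s.name}: use of undefined backend {t}"))
        if s.kind in ("backend", "listen"):
            servers = [l for l in s.lines if l.startswith("server ")]
            if not servers:
                findings.append(("error", f"backend {s.name}: no server lines, every request "
                                          "routed here is answered with 503"))
            for srv in servers:
                words = srv.split()
                verify = re.search(r"\bverify\s+(\S+)", srv)
                if "ssl" in words and verify:
                    if verify.group(1) == "none":
                        findings.append(("warn", f"backend {s.name}: TLS to {words[2]} with verify none, "
                                                 "the upstream certificate is never checked"))
                    elif verify.group(1) == "required" and "ca-file" not in words:
                        findings.append(("warn", f"backend {s.name}: verify required on {words[2]} "
                                                 "but no ca-file on the server line to verify against"))
    return findings


if __name__ == "__main__":
    for sev, msg in lint(CONFIG):
        print(f"[{sev}] {msg}")
```

Run it with `python3 haproxy_lint.py`, or call `lint()` on the contents of the real generated file. On the configs posted above it would report the acme_challenge_backend in the second config (no server line at all, so the default backend answers every unmatched request with 503), the Letsencrypt_80 frontend (mode tcp with a path_beg ACL), and the Grommunio backend's `verify none`, where HAProxy speaks TLS to 192.168.133.33 without ever checking the certificate; the DIM01CHMK backend with `verify required ca-file /etc/ssl/cert.pem` is the pattern to copy.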