OPNsense Forum

Messages - brynjolm
1
Tutorials and FAQs / Re: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: November 09, 2024, 01:20:50 am »
Hello! I don't know if TheHellSite or more experienced people will reply to this, but I just want to ask a quick question about implementing this with IPv6. Is it just a matter of adding another SSL server IP using a ULA/loopback IPv6 address, having that as the backend, and then adding those to the HTTP_frontend? I am simply asking because the idea popped into my head recently that I could also run this using IPv6 and IPv4; otherwise I have been using the IPv4 setup for a long time now. Again, just some thoughts I had recently.
Thanks and have a nice day!

2
Virtual private networks / Re: IPV6 over Wireguard
« on: March 15, 2024, 02:19:41 pm »
Thank you for replying. May I ask a few more things then? In Allowed IPs, do I put both ::/0 and the /56 on the client side? And on the server side, do I put the whole /48? Also, I followed the docs on site-to-site WireGuard and selective routing, and I found this snippet at the bottom of the page:
Quote
    When adding the IPv6 address to Tunnel Address in the WireGuard Instance configuration, specify a /127 mask, rather than a /128

    Then, when creating an IPv6 Gateway for the tunnel, specify the IP address to be another IPv6 address that is within the /127 subnet of the Tunnel Address

I set up the client and server side with a /64; it still works, but I want to know whether I should ideally use a /127 as the tunnel address instead?

3
Virtual private networks / Re: IPV6 over Wireguard
« on: March 15, 2024, 01:30:00 pm »
I managed to get the tunnel up and running; I'm just stumped on how I would route the rest of the /56 back home. Does anyone have the time to point me in the right direction?

4
Virtual private networks / IPV6 over Wireguard
« on: February 17, 2024, 06:02:58 pm »
Hello and good day to all!
I wanted to know from the more experienced people here: if a provider has given me a routed /48 subnet through the WAN address, is it as simple as adding it as a virtual IP on WAN, after which I can use the whole subnet? Or do I need a separate interface so that I can use DHCPv6 on it? One of the reasons is that I want to do a site-to-site VPN using WireGuard and route a /56 to the other location, but I am not well versed in this topic, and this problem has had me stumped for weeks now. I have the tunnel up and running with no issues. The issue comes into play when I want to use another /56 on the local site. I am using GUAs for the addressing on the WireGuard tunnel, IPv6 only.

5
Web Proxy Filtering and Caching / Re: Traefik behind HAProxy
« on: February 13, 2023, 03:08:46 pm »
Thank you for taking the time to reply to my thread. I will try this on the weekend and report back.
I have another question in the meantime. In the reply by alh, he states in point 4:

Quote
4. HAProxy plugin: Create "condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)

I don't really understand how this one works. Is myservice.example.com supposed to be the Traefik dashboard domain? Or can I put a wildcard certificate for it, something like *.mydomain.example?

Thank you once again.

6
Web Proxy Filtering and Caching / Traefik behind HAProxy
« on: February 09, 2023, 08:54:11 am »
Hello! I wanted to post here since I could not manage to solve this on my own. I feel like I'm almost there, but I can't get it to work. Everything else works; it's just that I cannot seem to pass traffic to Traefik. It gives me either a 503 No Service or a 400 Bad Request.
I have followed the tutorial https://forum.opnsense.org/index.php?topic=23339.0 for the base SNI install,
then I added rules to the SNI frontend using the reply from alh: https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958

My config looks like this:
Code:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: sni_frontend (Listening on 80 and 443)
frontend sni_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind ::1:80 name ::1:80
    bind ::1:443 name ::1:443
    mode tcp
    default_backend ssl_backend

    # logging options
    # ACL: traffic_ssl
    acl acl_63e3d7d7d34b32.18126829 req_ssl_hello_type 1
    # ACL: myservice_sni
    acl acl_63e3d8dd452718.96347718 req.ssl_sni -i traefik.homelabbity.uk

    # ACTION: request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5
    # ACTION: request_content_accept_ssl
    tcp-request connection accept if acl_63e3d7d7d34b32.18126829
    # ACTION: myservice_sni
    use_backend traefik_backend if acl_63e3d8dd452718.96347718

# Frontend: HTTP_frontend (Listening on Virtual IP)
frontend HTTP_frontend
    bind 127.10.20.5:80 name 127.10.20.5:80 accept-proxy
    bind ::1:80 name ::1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: nossl_condition
    acl acl_63d848da104d83.11157892 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_63d848da104d83.11157892

# Frontend: HTTPS_frontend (Listen on virtual ip 443)
frontend HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.10.20.5:443 name 127.10.20.5:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63d84eb22bdba2.49299791.certlist
    bind ::1:443 name ::1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63d84eb22bdba2.49299791.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: local_subdomains_condition
    acl acl_63d8643cc31f29.38373794 src 192.168.50.0/24 192.168.200.0/24

    # ACTION: local_subdomains_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63d863c71a8079.31054171.txt)] if acl_63d8643cc31f29.38373794
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63d84917101ea0.76258733.txt)]

# Backend: ssl_backend (ssl_backend)
backend ssl_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server ssl_server 127.10.20.5 send-proxy-v2 check-send-proxy

# Backend: traefik_backend (traefik)
backend traefik_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server traefik_server 192.168.200.5:8443 send-proxy-v2 check-send-proxy



# statistics are DISABLED




Any help would be greatly appreciated.

7
Tutorials and FAQs / Re: Tutorial 2022/08: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 06, 2023, 04:31:29 pm »
Quote from: TheHellSite on February 03, 2023, 05:06:38 pm
Please refer to this post about it. Be warned, I cannot provide help for this since I am not using such a setup.

https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958

Still, thank you for posting a link to a possible solution. I had my hunches, but at least it narrows down the area to look at. Thank you and have a nice day!

8
Web Proxy Filtering and Caching / Re: haproxy: mixed ssl passthrough and offloading
« on: February 01, 2023, 08:45:09 pm »
Quote from: Tubs on August 28, 2022, 09:42:51 pm
After reading a couple of times and trial-and-error, finally I got it running. The key information was written in the chapter:
Sorry to resurrect this, but I would like to know how you were able to implement this.

9
Tutorials and FAQs / Re: Tutorial 2022/08: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 01, 2023, 07:07:39 am »
Hello again Mr. Hellsite, the guide you provided has been rock solid for a year now, no hiccups whatsoever. I'm writing back in this post because I wanted to know exactly what you meant in No. 6 on the FAQ page, as I'm interested in managing a Traefik instance behind HAProxy.

Quote
How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't have (yet) the need to actually load balance any non SSL traffic.
However balancing non SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_map-file_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend" and that the backend that belongs to your

Would this kind of setup be applicable for Traefik behind HAProxy? Also, what exactly do you mean by NOSSL_service_rule and NOSSL_services_map_file_rule?

10
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: June 25, 2022, 12:16:30 am »
Quote
1. The map file is case sensitive. Fix it.

2. Remove the "send-proxy-v2 check-send-proxy" directives from the backends of your actual services. These two options are only necessary on the "SSL_backend".
4. Your "HTTP_frontend" and "HTTPS_frontend" should ONLY be listening to your SSL_server IP address. Not to "0.0.0.0:0" or "::::0". Just think about it and take a look at my diagram in the first post... You should quickly figure that this doesn't make any sense.


Thanks! That solved a lot of the problems I had.

I also had to edit some settings in my Cloudflare setup in order for it to work. I now have full access to everything aside from Nextcloud and some other stuff, while still being proxied behind Cloudflare. I don't know if it will be useful for other Cloudflare users, but for me at least, since I wanted to go Cloudflare for everything, I ended up also using the Cloudflare certs and uploading them to HAP while still being on Full (Strict) mode. I don't know if it's an intended side effect, but I didn't have to use split DNS for this; I could just call up everything by subdomain.domain.com locally.
Also, with regards to the map file for the local subdomains, should the format look like this?
Quote
local loca_backend

plex plex_backend

Should there be a space in between?
Last questions: is it possible to use the generated cert for both TrueNAS and OPNsense instead of the self-signed one? Would it break the config? Also, is there a specific HAP sub-forum, or should I just post in the General section?

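The map-file question above, together with the `use_backend %[req.hdr(host),lower,map_dom(...)]` rule that consumes such a file in the HTTPS_frontend, can be checked offline. The Python model below is an added example written for this page, not code from the tutorial, the poster's configuration or HAProxy itself. The map contents are constructed; '.' is HAProxy's documented delimiter for `dom` matching, while treating ':', '/' and '?' as additional boundaries (so a Host header carrying a port still matches) is an assumption about the matcher.

```python
from typing import List, Optional, Tuple

# Constructed map file in the two-column "key value" layout the post asks about.
# Whitespace between the columns is free-form; lines starting with '#' are ignored.
MAP_FILE = """\
# public access domains
truenas     truenas_backend
plex plex_backend
# capitalised key: the map is case sensitive and the frontend lowercases the
# Host header before the lookup, so this entry can never match
Nextcloud   nextcloud_backend
"""

# '.' is the documented dom delimiter; ':' '/' '?' are an assumption (see lead-in)
DOM_DELIMITERS = ".:/?"


def parse_map(text: str) -> List[Tuple[str, str]]:
    """Parse an HAProxy map file into ordered (key, value) pairs.
    Order is kept because map_dom scans the entries top to bottom; first match wins."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"map line needs a key and a value: {raw!r}")
        entries.append((parts[0], parts[1]))
    return entries


def dom_match(key: str, value: str) -> bool:
    """'dom' matching: the key must occur in the value bounded by delimiters or the
    string ends, so 'plex' matches 'plex.example.net' and 'a.plex.example.net' but
    not 'plexserver.example.net'. The comparison is exact: no case folding."""
    start = 0
    while True:
        i = value.find(key, start)
        if i < 0:
            return False
        end = i + len(key)
        before_ok = i == 0 or value[i - 1] in DOM_DELIMITERS
        after_ok = end == len(value) or value[end] in DOM_DELIMITERS
        if before_ok and after_ok:
            return True
        start = i + 1


def pick_backend(host_header: str, entries: List[Tuple[str, str]],
                 default: Optional[str] = None) -> Optional[str]:
    """Model of 'use_backend %[req.hdr(host),lower,map_dom(file)]': lowercase the
    Host header, then return the value of the first dom-matching key. With no
    match the converter yields an empty string and HAProxy falls through to
    default_backend (modelled here by the 'default' argument)."""
    host = host_header.lower()
    for key, backend in entries:
        if dom_match(key, host):
            return backend
    return default


if __name__ == "__main__":
    table = parse_map(MAP_FILE)
    for host in ("plex.example.net", "PLEX.Example.NET:443",
                 "plexserver.example.net", "nextcloud.example.net"):
        print(f"{host:28} -> {pick_backend(host, table)}")
```

Two things the model makes visible: keys are matched as domain labels anywhere in the name, so a short key such as `local` would also catch a request for `something.local` and entry order decides ties; and because `lower` runs on the request side only, any key written with capitals (like the `Nextcloud` line above) silently never matches, which is exactly the "map file is case sensitive" warning quoted in the post.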
11
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: June 17, 2022, 11:39:15 pm »
Thanks! So, I set up HAP as per the guide, and am wondering if it is a normal consequence to get a 503 error on my TrueNAS web UI. Internally I can access it with no problems; from outside the home network I am unable to. Side note: I do not plan to expose the web UI and never planned to. I was just using it as a sort of test run to see if it will resolve to my domain.truenas.com. I also exposed Plex on port 32400, but I seem to encounter some TLS handshake errors. It would be nice if you could take a look at my config and point me in the right direction. I only created an A and AAAA record for the wildcard hostname, i.e. *.mydomain.com. I don't know if that's enough.
My general goal is to only expose Plex and some other services like Nextcloud, but that's for another section of the forums. Also, my network is kind of flat: all services run through a single VLAN.
I created two servers and two backends, one for TrueNAS and one for Plex respectively.
I have been trying to make a stable connection to Plex, but it just seems to either time out or lose the connection after a while.

Here's an output of my config file. I have some disabled stuff in the config file since I turn things on and off for testing. I also renamed some things: truenas is just the physical server with the IP, and (myloopbackip) is the virtual address.

Code:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

#
# NOTE: HAProxy is currently DISABLED
#
global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr libc,last
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend (Listening on ip:80 / ip:443)
frontend SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind :::80 name :::80
    bind :::443 name :::443
    mode tcp
    default_backend SSL_Backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: HTTP_frontend (Listening on 127.10.20.5)
frontend HTTP_frontend
    bind (myloopbackip):80 name (myloopbackip):80 accept-proxy
    bind :::80 name :::80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_Condition
    acl acl_62aa8dcf894a87.42381056 ssl_fc

    # ACTION: HTTPtoHTTPS
    http-request redirect scheme https code 301 if !acl_62aa8dcf894a87.42381056

# Frontend: HTTPS_frontend (Listening on (myloopbackip))
frontend HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind (myloopbackip):443 name (myloopbackip):443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62aad04a028639.71957640.certlist
    bind :::443 name :::443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62aad04a028639.71957640.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACTION: Public_subdomains_map_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62aa8e31993357.88056717.txt)]
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_Server (myloopbackip) send-proxy-v2 check-send-proxy

# Backend (DISABLED): router_Backend (router Backend)

# Backend: truenas_Backend (truenas Backend)
backend truenas_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-reuse safe
    server truenas truenasip:443 ssl sni str(truenas) verify none send-proxy-v2 check-send-proxy

# Backend: plex_backend (plex Backend)
backend plex_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Plex truenasip:32400 send-proxy-v2 check-send-proxy


This is my map file:

Code:
# public access domains
truenas truenas_backend
plex plex_backend


12
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: June 17, 2022, 09:07:30 pm »
Hi! First off, I want to thank you for the detailed guide you posted. I am new to HAProxy and have some questions regarding some configs. Do you still reply to this post, or should I ask or open another thread somewhere? Thanks!

13
22.1 Legacy Series / Re: IPV6 and Prefix
« on: April 08, 2022, 10:26:15 pm »
Thanks! That was just for testing, to better see the scope. I can't find the problem if the IPs are all over the place. Still, I wanted to set up my Pi-hole/AdGuard properly for IPv6, and one of my probable solutions was to just set a static IPv6 for the Pi-hole using DHCPv6. That didn't work out quite as I expected. I might just try using the link-local address, or might just go back to SLAAC, since managing DHCPv6 seems to be a pain.

14
22.1 Legacy Series / Re: IPV6 and Prefix
« on: April 06, 2022, 03:19:18 am »
Thanks for all the replies. I was busy at work, so I was unable to reply sooner. I'm going to make an example, since I still can't seem to wrap my head around the concept. My ISP should give out something like 2a02:0000:0000:a2(XX). As far as I understand, that should be the whole prefix (/56) from my ISP, and the XX at the end should be whatever prefix ID I set under Interfaces? Also, under DHCPv6 I just put a range like ::a000-::b0ff. Would that be OK? The zeroes should just be before that ::, no?

15
22.1 Legacy Series / Re: IPV6 and Prefix
« on: April 02, 2022, 12:28:33 am »
Hi! Thanks for replying. I don't know if it makes sense; I think I jumbled it up. But as far as I understand, I get a static prefix and a dynamic subnet ID(?), which changes daily or every few hours. Once it changes, I need to reboot, and then I have an IPv6 connection again. Now, if I just leave the RA at unmanaged or assisted, everything is fine and dandy. But if I put RA into managed mode and enable DHCPv6, I have to reboot OPNsense once or twice a day. Unmanaged is, as far as I understand, SLAAC-only mode, yes? What would you say is the main advantage of having DHCPv6 over SLAAC?
