Messages - AlexisM

#2
Oops. In fact, 'Create map file "throughout_ssl_map_domain" with content:' doesn't work (because SNI works on TCP).

Replace: "HAProxy plugin: Create map file "throughout_ssl_map_domain" with content: ..."
By: Create Condition "SNI_synology_me", condition "SNI TLS extension ends with (TCP request content inspection)", SNI suffix ".synology.me"

Change: HAProxy plugin: Create "Rule" (enter name ["sni_throughout_ssl-rule"], select condition "SNI_synology_me", execute function: "use backend", Backend: "Synology_backend")

*** haproxy config export:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 500

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    # tuning options
    timeout client 30s

    # logging options
    option tcplog
    # ACL: traffic_ssl
    acl acl_63c840bdd3f440.07842774 req_ssl_hello_type 1
    # ACL: SNI_synology_me
    acl acl_63c826ed0527a7.29957165 req.ssl_sni -m end -i .synology.me

    # ACTION: request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5
    # ACTION: request_content_accept_ssl
    tcp-request content accept if acl_63c840bdd3f440.07842774
    # ACTION: sni_throughout_ssl-rule
    use_backend Synology_backend if acl_63c826ed0527a7.29957165

# Frontend: 1_HTTP_frontend (Listening on 127.74.0.0:80)
frontend 1_HTTP_frontend
    bind 127.74.0.0:80 name 127.74.0.0:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_63c813f73e3ac8.56482289 ssl_fc

    # ACTION: HTTP_to_HTTPS-rule
    http-request redirect scheme https code 301 if !acl_63c813f73e3ac8.56482289

# Frontend: 1_HTTPS_frontend (Listening on 127.74.0.0:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 127.74.0.0:443 name 127.74.0.0:443 accept-proxy ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63c817f31748b0.16739019.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63c814d7b1ebe0.58772734.txt)]

# Backend: OpnSense_backend (OpnSense Pool)
backend OpnSense_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Opnsense 192.168.74.1:444 ssl verify required ca-file /etc/ssl/cert.pem

# Backend: acme_challenge_backend (Added by ACME Client plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.74.0.0 send-proxy-v2 check-send-proxy

# Backend: Synology_backend ()
backend Synology_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server Synology 192.168.74.4:443 ##

# statistics are DISABLED
#3
Many thanks for your tutorial. It really helped me.

I need to pass through to my Synology NAS, so I used the information found in your topic, https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958 and https://forum.opnsense.org/index.php?topic=22630.msg118934#msg118934

I don't need to pass through the admin console of my NAS, but the services on port 433 (example: https://drive.xxxx.synology.me, https://video.xxxx.synology.me etc.)

This is what I'm doing in addition to your tutorial (in order):

  • HAProxy plugin: Create real server "nas_synology" with its local IP and port 443
  • HAProxy plugin: Create backend "nas_synology_backend" with "nas_synology", with TCP (Layer 4)
  • HAProxy plugin: Create "Condition" (enter name ["traffic_ssl"], condition type is "custom condition (option pass-through)" with value "req_ssl_hello_type 1")
  • HAProxy plugin: Create Condition "sni_synology_me", condition "SNI TLS extension ends with (TCP request content inspection)", SNI suffix ".synology.me"
  • HAProxy plugin: Create "Rule" (enter name ["request_inspect_delay"], select no condition, function is "tcp-request inspect delay" with value "5s" or whatever suits you)
  • HAProxy plugin: Create "Rule" (enter name ["request_content_accept_ssl"], select the condition from step 3 ["traffic_ssl"], function is "tcp-request content accept")
  • HAProxy plugin: Create "Rule" (enter name ["sni_synology_me-rule"], select condition "SNI_synology_me", execute function: "use backend", Backend: "Synology_backend")
  • HAProxy plugin: Modify in "Public service" (service named ["0_SNI_frontend"]): select the 3 rules "request_inspect_delay", "request_content_accept_ssl" and "throughout_ssl_map_domain", and you can choose Nothing for Backend Pool by Default

Then, when I go with my mobile device to "plex.mydomain.com", it uses the backend with SSL from OPNsense.
And when I use "drive.xxxx.synology.me", it passes through the SSL and uses SSL from my Synology NAS.
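The following is an added illustration, not code from the post or from the OPNsense HAProxy plugin. It models in plain Python what the exported `0_SNI_frontend` does with the first bytes of a connection: `req_ssl_hello_type 1` only matches once a complete TLS handshake record holding a ClientHello has been buffered, `req.ssl_sni -m end -i .synology.me` is a case-insensitive suffix match on the SNI host name, and the matching connection is handed to `Synology_backend` without decryption. The ClientHello bytes are constructed inline; the `default_backend` argument is an assumption (the export above selects no default pool).

```python
# Added example (not the forum post's code): a minimal TLS ClientHello builder and
# parser that mirrors the SNI routing decision of the exported 0_SNI_frontend.
import struct

SNI_SUFFIX = ".synology.me"  # from: acl ... req.ssl_sni -m end -i .synology.me


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record that carries one SNI extension."""
    host = server_name.encode("ascii")
    # ServerNameList: list_len(2) | name_type(1)=host_name | name_len(2) | name
    sni_list = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list     # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                # client_version TLS 1.2
        + b"\x00" * 32             # random (constructed, all zero)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # compression_methods: null
        + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def ssl_hello_type(data: bytes):
    """Equivalent of req_ssl_hello_type: the handshake type of a *complete* TLS
    handshake record, or None if the buffer is not TLS or not fully received yet."""
    if len(data) < 6 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None  # still incomplete: HAProxy keeps waiting until inspect-delay expires
    return data[5]


def extract_sni(data: bytes):
    """Equivalent of req.ssl_sni: the host_name from the server_name extension, or None."""
    if ssl_hello_type(data) != 1:
        return None
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    pos = 2 + 32                                   # skip version and random
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype == 0 and len(edata) >= 5:
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii")
    return None


def choose_backend(data: bytes, default_backend=None):
    """Mirror the frontend rules: accept only a buffered ClientHello, then route by SNI.
    default_backend is an assumption; the export above selects no default pool."""
    if ssl_hello_type(data) != 1:
        return None  # "tcp-request content accept if traffic_ssl" does not fire
    sni = extract_sni(data) or ""
    if sni.lower().endswith(SNI_SUFFIX):           # -m end -i: case-insensitive suffix
        return "Synology_backend"
    return default_backend


if __name__ == "__main__":
    hello = build_client_hello("drive.xxxx.synology.me")
    print(extract_sni(hello), "->", choose_backend(hello, "SSL_backend"))
    print("truncated ->", choose_backend(hello[:20], "SSL_backend"))
```

Two things worth checking against your own export: the leading dot in the suffix is what keeps a host such as `fakesynology.me` from matching, and `tcp-request inspect-delay` takes HAProxy's usual timeout syntax, where a bare number means milliseconds. The exported line `tcp-request inspect-delay 5` is therefore 5 ms, not the 5 s entered in the rule; if the ClientHello has not arrived within that window the accept rule never fires, so a client on a slow link will not be routed as expected.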