Messages - Grenen

#1
Just a heads-up for everyone posting here. The author updated the post with the following:

Quote
No More Free Support

Due to the increasing number of support requests I've been receiving, both directly in the topic and via DM, I regret to inform that I can no longer provide free assistance. Balancing my real job and personal life has become extremely challenging. While I genuinely want to help everyone resolve their issues to get things up and running smoothly, I find it difficult to allocate the necessary time without sacrificing my personal commitments.

In addition, it has come to my attention that some individuals seeking help are not thoroughly reading the provided tutorial or lack the fundamental knowledge of networking. This has been a recurring issue and has made the support process increasingly frustrating.

I sincerely appreciate your interest in my expertise and if you would like to receive my assistance, I am more than happy to provide you with the details via DM.

Thank you for your understanding in this matter,
TheHellSite

But perhaps someone else has a solution to my problem. I have had HAProxy up and running for a few months, and it was working fine. In May I added a local domains map file for a site. Now I have deleted the map file and removed all the local domain map file rules etc. But now my public domains aren't available from my internal network anymore (they work from external access).

I've gone through the setup and everything seems fine, and I haven't changed anything in the domain override in Unbound.

https://ibb.co/vkGLPGF

Any suggestions where the conflict might be located? What else blocks internal access to my public domains?
#2
I don't have the IDS-PT Research installed, but thanks for adding your findings if someone else has the same problem.

I still have the issue, and nothing in the logs gives any indication of why it's happening. I manually updated the rules this morning. All other rules were updated at 02:30 as per the cron job, but ET-Telemetry hadn't been updated since the 12th of May.

Log files:

2023-05-16T07:58:13 Notice suricata [100486] <Notice> -- rule reload complete
2023-05-16T07:56:32 Notice suricata [100486] <Notice> -- rule reload starting
2023-05-16T02:32:02 Notice suricata [100486] <Notice> -- rule reload complete
2023-05-16T02:30:22 Notice suricata [100486] <Notice> -- rule reload starting
2023-05-15T02:32:07 Notice suricata [100486] <Notice> -- rule reload complete
2023-05-15T02:30:22 Notice suricata [100486] <Notice> -- rule reload starting
2023-05-14T02:32:03 Notice suricata [100486] <Notice> -- rule reload complete
2023-05-14T02:30:22 Notice suricata [100486] <Notice> -- rule reload starting
2023-05-13T02:32:16 Notice suricata [100486] <Notice> -- rule reload complete
2023-05-13T02:30:33 Notice suricata [100486] <Notice> -- rule reload starting
2023-05-12T02:32:13 Notice suricata [100486] <Notice> -- rule reload complete
2023-05-12T02:30:33 Notice suricata [100486] <Notice> -- rule reload starting


So everything seems "fine", and there is no difference between the 12th and the other dates.

Anyone got a clue why this is happening?
#3
Quote from: featheredfifth on April 20, 2023, 05:14:55 AM
Have any update here? I have the same issue.

I still have the same issue. It updates a few times per week but not every night per the cron job. Never found a reason. At most it's usually 2-3 days without updates.
#4
Hi,

How do I reset the Interface Statistics?

I have tons of Errors Out on my primary VLAN. Found some threads suggesting it may be because of Zenarmor, and would like to reset the statistics so i can see if the problem persists when trying things out.
#5
Quote from: TheHellSite on March 24, 2023, 03:58:24 AM
My provided ciphers are fine! Also TLS_v1.2 is available with my config. If TLS_v1.3 is not available on the client side it will (try) to use TLS_v1.2 instead.
Don't weaken the ciphers there is likely another configuration problem on your side.

If there are no errors in the haproxy log upon connection of the SmartThings client then there is nothing wrong with the haproxy cipher settings.

I get a handshake failure in the log when trying to establish the webhook:
Quote
52.213.77.15:56225 [24/Mar/2023:07:34:18.143] 1_HTTPS_frontend/127.0.0.1:443: SSL handshake failure

The error matches the text in the setup guide for HA+SmartThings "Setting the supported cipher suite too restrictly will prevent handshaking."

Though I don't want too weak ciphers, I'd like to test and add EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+ED, but I don't understand how to build them or in which order.
#6
I need some help with ciphers and understanding the part in HTTPS_frontend and what I can change.

I'm trying to set up a webhook to integrate SmartThings with my Home Assistant, and I get an error when trying to validate it.

According to the troubleshooting guide at https://www.home-assistant.io/integrations/smartthings/#troubleshooting there are some problems doing this with a reverse proxy, and it suggests that the cipher suite is too restricted.


Quote
Some reverse proxy configuration settings can interfere with communication from SmartThings. For example, TLSv1.3 is not supported. Setting the supported cipher suite too restrictly will prevent handshaking. The following NGINX SSL configuration is known to work:

# cert.crt also contains intermediate certificates
ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/cert.key;
ssl_dhparam /path/to/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;



Could someone help me with the current string and how I can edit it with the suggestion from the troubleshooting guide above? Is it enough to add EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH to the current one, or do I need to edit something out as well?

Current:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384


Thanks in advance,
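An added example (not from the post or the linked guide) that answers the question raised in posts #5 and #6 empirically: it expands both cipher strings with Python's ssl module and shows what appending the guide's alias string would add, and what replacing the current string with it would drop. The expansion reflects the OpenSSL build Python is linked against, so it is an approximation of what HAProxy on OPNsense will select.

```python
import ssl

# Cipher string currently set on the HTTPS frontend, as posted above.
CURRENT = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES256-GCM-SHA384"
)
# Alias-based string from the Home Assistant troubleshooting guide.
SUGGESTED = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2 ciphers it selects.

    The result depends on the OpenSSL build the interpreter is linked
    against, which is why it is computed here rather than guessed by hand.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately (HAProxy 'ciphersuites').
    return {c["name"]: c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def compare(current, suggested):
    """Return (added, dropped): ciphers the suggested string enables that the
    current one lacks, and ciphers the current string has that would be lost
    if the suggested string were used as a replacement."""
    cur, sug = expand(current), expand(suggested)
    return set(sug) - set(cur), set(cur) - set(sug)


def non_aead(cipher_string):
    """Cipher names selected by the string that are not AEAD (i.e. CBC mode)."""
    return {n for n, c in expand(cipher_string).items() if not c["aead"]}


if __name__ == "__main__":
    added, dropped = compare(CURRENT, SUGGESTED)
    print("Current expands to   :", sorted(expand(CURRENT)))
    print("Suggested would add  :", sorted(added))
    print("Replacing would drop :", sorted(dropped))
    # Appending keeps every current cipher (CHACHA20 included) and adds the
    # guide's ones, of which the AES256+EECDH / AES256+EDH part are CBC ciphers.
    print("Appended string keeps current ciphers:",
          set(expand(CURRENT)) <= set(expand(CURRENT + ":" + SUGGESTED)))
    print("CBC ciphers that would become enabled:", sorted(non_aead(SUGGESTED)))
```

The CBC ciphers in the last line are the price of the guide's string; appending it keeps the existing AEAD-only ordering in front, so a TLS 1.2 client that supports GCM or CHACHA20 still negotiates those first.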
#7
Hi,

I have a problem with my ET Telemetry rules. The cron job to update the rules at 02:30 every night works for the built-in rules, but not for the ones from the ET Telemetry list.

https://ibb.co/BTR9jKn

Manual updating works.

Any idea why this happens?
#8
Quote from: TheHellSite on March 09, 2023, 07:23:43 AM
Which URL do you use to access them from inside?

How do you access them directly (ip:port) full URL?

Bitwarden is accessed via Bitwarden.mydomain.com for internal (it works) and external (can't reach server).
HA is accessed internally from 192.168.1.106:8123 (works) and externally via homeassistant.mydomain.com (can't reach server).

There are some settings for HA to configure proxy that I think I need to set up, but since Bitwarden doesn't work it's not the complete solution to my problem.


From https://www.home-assistant.io/integrations/http/
Quote
use_x_forwarded_for boolean (optional, default: false)
Enable parsing of the X-Forwarded-For header, passing on the client's correct IP address in proxied setups. You must also whitelist trusted proxies using the trusted_proxies setting for this to work. Non-whitelisted requests with this header will be considered IP spoofing attacks, and the header will, therefore, be ignored.

trusted_proxies string | list (optional)
List of trusted proxies, consisting of IP addresses or networks, that are allowed to set the X-Forwarded-For header. This is required when using use_x_forwarded_for because all requests to Home Assistant, regardless of source, will arrive from the reverse proxy IP address. Therefore in a reverse proxy scenario, this option should be set with extreme care. If the immediate upstream proxy is not in the list, the request will be rejected. If any other intermediate proxy is not in the list, the first untrusted proxy will be considered the client.

I'm using suricata IPS/IDS and tried disabling these, but no change. Using blocklists in Unbound DNS but that should not interfere.

I'm out of ideas. I will review everything again when I get home later today.
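The trusted_proxies rule quoted above, implemented as an added example (this is not Home Assistant's code) so the effect of the setting is concrete: the request is rejected when the immediate peer is not a listed proxy, and otherwise the header is walked from the nearest hop backwards until the first address that is not a trusted proxy, which is the client. The proxy address 192.168.1.1 and the client addresses are constructed for the example; the thread does not give the OPNsense address HAProxy connects from.

```python
import ipaddress

# Constructed for the example: the address HAProxy connects to HA_server from.
TRUSTED_PROXIES = ["192.168.1.1", "127.0.0.1"]


def _parse(addr):
    """Return an ip_address for addr, or None if it is not a valid address."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def resolve_client_ip(peer_addr, xff_header, trusted_proxies):
    """Apply the trusted_proxies rule to one request.

    peer_addr  -- the address the TCP connection arrives from
    xff_header -- the raw X-Forwarded-For value, or None if absent
    Returns the client address, or None when the request must be rejected.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    if not xff_header:
        return peer_addr  # nothing to parse: the peer is the client
    peer = _parse(peer_addr)
    if peer is None or not trusted(peer):
        return None  # header from an untrusted peer is treated as spoofing
    hops = [h for h in xff_header.split(",") if h.strip()]
    # Walk from the hop nearest to us back towards the origin. The first hop
    # that is not a trusted proxy is the client; anything a client prepends
    # to the header before it reaches HAProxy is therefore ignored.
    for hop in reversed(hops):
        ip = _parse(hop)
        if ip is None:
            return None  # malformed hop: reject rather than guess
        if not trusted(ip):
            return str(ip)
    return hops[0].strip()  # every hop was a trusted proxy: leftmost is client


if __name__ == "__main__":
    # HAProxy forwards a request from an Internet client.
    print(resolve_client_ip("192.168.1.1", "203.0.113.7", TRUSTED_PROXIES))
    # The client sent its own X-Forwarded-For claiming 10.9.9.9; HAProxy
    # appended the real source, so the spoofed value is ignored.
    print(resolve_client_ip("192.168.1.1", "10.9.9.9, 203.0.113.7", TRUSTED_PROXIES))
    # Header arriving from a non-proxy peer: rejected.
    print(resolve_client_ip("203.0.113.9", "10.9.9.9", TRUSTED_PROXIES))
```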
#9
Quote from: TheHellSite on March 08, 2023, 07:54:18 PM
And as I already told you before and in the guide!!!
The gateway of the service does not matter at all!? Why is that so hard to understand?

The client dns request needs to be overwritten, not the dns requests of any service!!! So guess what, if the client is in subnet A and wants to access ANY service in ANY subnet then what IP will the client use to connect to the service? It obviously has to be subnet A gateway address since the client is in subnet A.
If the client is in subnet B you will have to create the same override but with subnet B gateway as target.
And so on.

All of the above is however only relevant for local access from within your network.

Now answer this
Is bitwarden working from external networks (mobile data,...)?
Is bitwarden now working from internal network?

No, I can only access it from internal networks. Not from the outside.

Bitwarden works in internal networks.
#10
Quote from: TheHellSite on March 08, 2023, 05:08:44 PM
No, it has to be the the interface IP of your OPNsense that is reachable by the clients that want to use haproxy... The guide is VERY clear about that. You can't just use any IP!? Stick to the guide!!   :-\

Please post your interface overview...

As I wrote, it was a misinterpretation on my part. I still get a 503 error when trying to reach the services after changing the IP to the gateway of each network.

My HA-server is on my LAN, the Windows server which hosts my Docker Desktop with Bitwarden is on VLAN100.

Pictures of the interface overview of LAN, MGMT (VLAN100) & WAN:

https://ibb.co/SDCqcrn
https://ibb.co/sKMjnv5
https://ibb.co/p0nCc4y
https://ibb.co/C8jgnf2
https://ibb.co/SxN16PS

Screenshots taken from RDP-session from my phone, so they are a bit cropped.
#11
Quote from: TheHellSite on March 08, 2023, 12:20:07 PM
Did you read and understand what I wrote in part 6 - option a - step 3 of my tutorial? Or did you also not bother reading? Please explain to me what I am saying there and then explain what you did there... Maybe you will spot your error.

Also post the content (in a code box) of your public and local subdomains map file.

Interface IP as the IP of the gateway? I understood it as any IP in the range of the VLAN. Yes, I've read through the steps several times; English isn't my native language so some things might be lost in translation.


# public access subdomains
bit BITWARDEN_backend
home HA_backend
#12
Bitwarden only works from internal since I set up HA-Proxy.

Here's a picture of the override:
https://ibb.co/ysNPg09
#13
Quote from: TheHellSite on March 08, 2023, 03:34:50 AM

If you really did the guide four times now then I am surprised that you still don't know how to ask for help.  ???
Hint: I describe it in the first post.

Relevant question. I focused on the guide part, not the text above, sorry.

Here is the config export.

Quote
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening to localhost)
frontend 1_HTTP_frontend
    bind 127.0.0.1:80 name 127.0.0.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_64025b0cc7a716.63164065 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_64025b0cc7a716.63164065

# Frontend: 1_HTTPS_frontend (Listening on 127.0.0.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.0.0.1:443 name 127.0.0.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64025f85730fc6.50514236.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64025bea0b8443.12301363.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend: BITWARDEN_backend ()
backend BITWARDEN_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server BITWARDEN_server 192.168.100.161:443 ssl verify none

# Backend: HA_backend ()
backend HA_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server HA_server 192.168.1.106:8123



# statistics are DISABLED


In the log file, if I try to connect from the outside I get:

Quote
2023-03-08T09:49:15   Informational   haproxy   Connect from -external ip-:8335 to -public ip:443 (1_HTTPS_frontend/HTTP)   
2023-03-08T09:49:13   Informational   haproxy   Connect from -external ip-:8335 to -public ip-:443 (1_HTTPS_frontend/HTTP)   
2023-03-08T09:49:11   Informational   haproxy   Connect from -external ip-8335 to -public ip-:443 (1_HTTPS_frontend/HTTP)   
2023-03-08T09:49:10   Informational   haproxy   Connect from -external ip-:8335 to -public ip-:443 (1_HTTPS_frontend/HTTP)   
2023-03-08T09:49:10   Informational   haproxy   Connect from -external ip-:8335 to -public ip-:443 (0_SNI_frontend/TCP)   
2023-03-08T09:49:10   Informational   haproxy   Connect from -external ip-:8438 to -public ip-:443 (1_HTTPS_frontend/HTTP)   
2023-03-08T09:49:09   Informational   haproxy   Connect from -external ip-:8438 to -public ip8:443 (0_SNI_frontend/TCP)   
2023-03-08T09:49:09   Informational   haproxy   Connect from -external ip-:8430 to -public ip:443 (1_HTTPS_frontend/HTTP)   
2023-03-08T09:49:09   Informational   haproxy   Connect from -external ip-:8430 to -public ip:443 (0_SNI_frontend/TCP)
#14
Quote from: TheHellSite on March 07, 2023, 08:53:05 PM
You didn't read the tutorial properly. Read it again from the very top to the very bottom. Everything you just asked is answered there. Also if you would have followed the tutorial correctly you wouldn't see any errors now.

Ah, I misunderstood the text regarding the map FAQ. Now I understand what you referred to.

Regarding my setup: before I asked for help I had already gone through it twice. I've now been through it twice again and I can't find anything wrong. I haven't used a virtual IP and am instead using 127.0.0.1 as the IP in the cases where you use your virtual IP.

Perhaps it's working and Home Assistant is the problem? I found some threads regarding adding trusted proxies there. Has anyone had the same problem and knows what to configure in HA?
#15
First of all, thanks for an awesome guide!

In 5.8 you refer to a "FAQ about Map Files". Could you please link me to this FAQ? Perhaps it could be added as a link in the post so people can find it more easily.

Second comes my question.
I've finished the setup. I sorted out a *.-certificate for mydomain.com and added an A record in the DNS for the domain, with homeassistant.mydomain.com pointing to my public IP.
In HAProxy I've added a real server HA_server which points to the IP of my HA server with port 8123. SSL checked.
I've added a backend pool HA_backend that points to my HA_server.
I've added a host override for host homeassistant, domain mydomain.com, with the internal IP of my HA server.

My local MAP file: https://ibb.co/D8xwgH5
My public MAP file: https://ibb.co/D8xwgH5

When browsing to homeassistant.mydomain.com I get an "Unable to connect" message.

What did I do wrong? Any tips on where I should start looking?