Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - ckocank

Pages: [1]

Tutorials and FAQs / Re: Tutorial 2024/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: February 25, 2024, 09:45:24 am »

Edit: After a restart, every thing works again.
My HAproxy stopped working after the update and I cannot make it work again.
I tried all the latest fixes in the comment and updated part 5 and part 8.
This is my config

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    2
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.ocsp-update.mindelay 300
    tune.ssl.ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr libc,last

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (listening on 0000:443 0000:80)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 
    bind 0.0.0.0:80 name 0.0.0.0:80 
    mode tcp
    default_backend ssl_backend

    # logging options

# Frontend: 1_HTTP_frontend (listen on 10.1.2.3:80)
frontend 1_HTTP_frontend
    bind 10.1.2.3:80 name 10.1.2.3:80 accept-proxy 
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: no_ssl_condition
    acl acl_642ff4b1bd6b30.27652312 ssl_fc

    # ACTION: http_to_https_rule
    http-request redirect scheme https code 301 if !acl_642ff4b1bd6b30.27652312

# Frontend: 1_HTTPS_frontend (listen on 10.1.2.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 10.1.2.3:443 name 10.1.2.3:443 accept-proxy ssl curves secp384r1 strict-sni  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/642ffac3a289a1.74357812.certlist 
    mode http
    option http-keep-alive
    option forwardfor

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/642ff59e3f1923.99537840.txt)] 

# Backend (DISABLED): acme_challenge_backend (Added by ACME Client plugin)


# Backend: ssl_backend (ssl virtual ip backend)
backend ssl_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    server ssl_server 10.1.2.3 send-proxy-v2 check-send-proxy

# Backend: test_backend (test backend pool)
backend test_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server test_server 10.1.1.100:81 



# statistics are DISABLED

frontend prometheus_exporter
   bind *:8404
   mode http
   http-request use-service prometheus-exporter if { path /metrics }

General Discussion / Re: I need Help with OPNsense and GameServer

« on: February 14, 2024, 04:36:01 pm »

Step 1:
Firewall > Setting > Advanced
Reflection for port forwards: Check
Automatic outbound NAT for Reflection: Check

Step 2:
Firewall > Nat > Port forwarding
Interface: Wan
Protocol: TCP/UDP
Destination: This Firewall
Destination port range: 8211
Redirect target IP: server ip
Redirect target port: 8211
NAT reflection: Enable
Filter rule association: Pass

General Discussion / AdGuardHome web ui 503 Service Unavailable

« on: February 14, 2024, 04:27:40 pm »

I cannot access AdGuardHome web ui after update to OPNsense 24.1 and change UI port to 5001. Before update I can access web ui normaly via port 80.

Code: [Select]

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:5001
  session_ttl: 720h

Code: [Select]

root@OPNsense:/usr/local/AdGuardHome # sockstat -l -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     AdGuardHom 70467 13 tcp46  *:5001                *:*
root     AdGuardHom 70467 41 tcp46  *:443                 *:*
root     AdGuardHom 70467 43 udp4   10.1.1.1:5353         *:*
root     AdGuardHom 70467 44 tcp4   10.1.1.1:5353         *:*
root     AdGuardHom 70467 45 tcp4   10.1.1.1:853          *:*
root     AdGuardHom 70467 46 udp4   10.1.1.1:853          *:*

Pages: [1]

Show Posts

Messages - ckocank

Tutorials and FAQs / Re: Tutorial 2024/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

General Discussion / Re: I need Help with OPNsense and GameServer

General Discussion / AdGuardHome web ui 503 Service Unavailable

Tutorials and FAQs / Re: Tutorial 2023/03: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Web Proxy Filtering and Caching / Re: Access docker container behind HAProxy -> 503

Web Proxy Filtering and Caching / Re: Full Reset of HAProxy Config

Web Proxy Filtering and Caching / Re: Full Reset of HAProxy Config