Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - sc00by

Pages: [1]

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 25, 2023, 01:30:14 pm »

Quote from: TheHellSite on May 25, 2023, 10:36:55 am

Quote from: sc00by on May 25, 2023, 12:40:02 am
Shoot. I thought I put a note in there about logs...

Outside of the informational log, there is nothing logged. In the informational, I see connections originating from the outside. Nothing for hitting this particular internal IP/host, no error. Logs accessed from Services/HAProxy/Logs, enabled all. Nothing here is pertinent near as I can tell. When this internal (BMC) resource loads, I see an unsigned cert which tells me it is not hitting haproxy.

When I access plex, it originates from lan IP then hits the public IP and I can see this logging client IP, it loads. This works from inside/outside. My other external service also works inside/outside. An override with plex

I created a backend, server, and map file for internal services.

I've tried with and without unbound. With and without overrides. Right now I am using unbound, opnsense is my DNS. It loads...attempt to access the web service...I get a self signed cert. This is the head scratcher, same result whether I use AD or Unbound DNS so assuming something I've missed.

What I am really after is 'what did I miss in the configuration' because I'll be setting up another HAproxy box targeted at internal only resources as well.

So, AD DNS is not in the picture, in this context, I am in the same spot.

I'll take another stroll through the tutorial.

Sorry I still don't know what your issue is exactly now?
Your text is very confusing to read.

What I took from it is that the internal and external accesses are working but it is not presenting a trusted cert?

External works perfect inside and outside. Get a lets encrypt cert. We're happy, nothing to do.

Internally? I get a self signed cert, nothing is logged in HAProxy.

I went through the tutorial again last night. Step 7.2 for the FQDN rule...I see you have a domain value, but I am unable to save this condition because my domain is not a valid ipv4 address?

I can plug in 'my.test.com', it will accept and tests out OK. If I use 'lan.scobar.pw', it will not accept the value, gives error below. Outside of informational log, nothing is recorded.

[NOTICE] (67194) : haproxy version is 2.6.13-234aa6d
[NOTICE] (67194) : path to executable is /usr/local/sbin/haproxy
[ALERT] (67194) : config : parsing [/usr/local/etc/haproxy.conf.staging:73] : error detected while parsing ACL 'acl_64685bef85c4e2.08714329' : 'lan.scobar.pw' is not a valid IPv4 or IPv6 address.
[ALERT] (67194) : config : parsing [/usr/local/etc/haproxy.conf.staging:78] : error detected while parsing switching rule : no such ACL : 'acl_64685bef85c4e2.08714329'.
[ALERT] (67194) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (67194) : config : Fatal errors found in configuration.

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 25, 2023, 12:40:02 am »

Quote from: TheHellSite on May 24, 2023, 11:00:06 pm

Quote from: sc00by on May 23, 2023, 12:27:20 pm
Good morning,

I am having some challenge with getting HAproxy to handle internal requests. I am not using unbound for DNS since I have active directory deployed. I did try using unbound with overrides. Externally, HAproxy is working, can access plex from the office and able to access a web page.

I've gone through the tutorial a few times and am assuming that something is missed.

The goal is to use HAProxy internally and externally to encrypt traffic with a real cert. I'd appreciate any help or shove back to what was missed in the tutorial.

Code: [Select]
Config: Automatically generated configuration. # Do not edit this file manually. # global uid 80 gid 80 chroot /var/haproxy daemon stats socket /var/run/haproxy.socket group proxy mode 775 level admin nbthread 4 hard-stop-after 60s no strict-limits maxconn 1000 tune.ssl.default-dh-param 4096 spread-checks 2 tune.bufsize 16384 tune.lua.maxmem 0 log /var/run/log local0 info lua-prepend-path /tmp/haproxy/lua/?.lua defaults log global option redispatch -1 maxconn 5000 timeout client 30s timeout connect 30s timeout server 30s retries 3 default-server init-addr last,libc default-server maxconn 1000 # autogenerated entries for ACLs # autogenerated entries for config in backends/frontends # autogenerated entries for stats # Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443) frontend 0_SNI_frontend bind 0.0.0.0:80 name 0.0.0.0:80 bind 0.0.0.0:443 name 0.0.0.0:443 mode tcp default_backend SSL_backend # logging options # Frontend: 1_HTTP_frontend (Listenting on 127.4.4.3:80) frontend 1_HTTP_frontend bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy mode http option http-keep-alive option forwardfor # logging options # Frontend: 1_HTTPS_frontend (Listenting on 127.4.4.3:443) frontend 1_HTTPS_frontend http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6467f8cd2c0025.92252317.certlist mode http option http-keep-alive option forwardfor timeout client 15m # logging options # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition acl acl_6468020a093145.77501579 src 192.168.1.0/24 # ACTION: LOCAL_SUBDOMAINS_rule use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/646801b883fa30.90520723.txt)] if acl_6468020a093145.77501579 # ACTION: PUBLIC_SUBDOMAINS_rule # NOTE: actions with no ACLs/conditions will always match use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6467f584ef9e54.41997502.txt)] # Backend: SSL_backend () backend SSL_backend # health checking is DISABLED mode tcp balance source # stickiness stick-table type ip size 50k expire 30m stick on src server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy # Backend: PLEX_backend () backend PLEX_backend # health checking is DISABLED mode http balance source # stickiness stick-table type ip size 50k expire 30m stick on src http-reuse safe server PLEX_server 192.168.1.62:32400 ssl verify none # Backend: remote_dc02_backend (remote dc02) backend remote_dc02_backend # health checking is DISABLED mode http balance source # stickiness stick-table type ip size 50k expire 30m stick on src http-reuse safe server remote_dc02_server 192.168.1.6:443 ssl verify none # Backend: BMC_backend (bmc test) backend BMC_backend # health checking is DISABLED mode http balance source # stickiness stick-table type ip size 50k expire 30m stick on src http-reuse safe server BMC_server 192.168.1.35 ssl verify none listen local_statistics bind 127.0.0.1:8822 mode http stats uri /haproxy?stats stats realm HAProxy\ statistics stats admin if TRUE # remote statistics are DISABLED

First off, you did not provide any sort of error code or error description. Just some "it is not working, help help"...

Sorry, but this is also out of scope of this tutorial.
The DNS override is most likely your issue! Since you are not using Unbound, you are on your own here.

Shoot. I thought I put a note in there about logs...

Outside of the informational log, there is nothing logged. In the informational, I see connections originating from the outside. Nothing for hitting this particular internal IP/host, no error. Logs accessed from Services/HAProxy/Logs, enabled all. Nothing here is pertinent near as I can tell. When this internal (BMC) resource loads, I see an unsigned cert which tells me it is not hitting haproxy.

When I access plex, it originates from lan IP then hits the public IP and I can see this logging client IP, it loads. This works from inside/outside. My other external service also works inside/outside. An override with plex

I created a backend, server, and map file for internal services.

I've tried with and without unbound. With and without overrides. Right now I am using unbound, opnsense is my DNS. It loads...attempt to access the web service...I get a self signed cert. This is the head scratcher, same result whether I use AD or Unbound DNS so assuming something I've missed.

What I am really after is 'what did I miss in the configuration' because I'll be setting up another HAproxy box targeted at internal only resources as well.

So, AD DNS is not in the picture, in this context, I am in the same spot.

I'll take another stroll through the tutorial.

Tutorials and FAQs / Re: Tutorial 2023/04: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: May 23, 2023, 12:27:20 pm »

Good morning,

I am having some challenge with getting HAproxy to handle internal requests. I am not using unbound for DNS since I have active directory deployed. I did try using unbound with overrides. Externally, HAproxy is working, can access plex from the office and able to access a web page.

I've gone through the tutorial a few times and am assuming that something is missed.

The goal is to use HAProxy internally and externally to encrypt traffic with a real cert. I'd appreciate any help or shove back to what was missed in the tutorial.

Code: [Select]


Config:

Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     1000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 1000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80 
    bind 0.0.0.0:443 name 0.0.0.0:443 
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listenting on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy 
    mode http
    option http-keep-alive
    option forwardfor

    # logging options

# Frontend: 1_HTTPS_frontend (Listenting on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6467f8cd2c0025.92252317.certlist 
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_6468020a093145.77501579 src 192.168.1.0/24

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/646801b883fa30.90520723.txt)] if acl_6468020a093145.77501579
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6467f584ef9e54.41997502.txt)] 

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: PLEX_backend ()
backend PLEX_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server PLEX_server 192.168.1.62:32400 ssl verify none

# Backend: remote_dc02_backend (remote dc02)
backend remote_dc02_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server remote_dc02_server 192.168.1.6:443 ssl verify none

# Backend: BMC_backend (bmc test)
backend BMC_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server BMC_server 192.168.1.35 ssl verify none



listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED

Pages: [1]