Tutorials and FAQs / Re: Tutorial 2023/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: November 07, 2023, 02:09:35 pm »
Thanks for a great tutorial! I have followed it but tried to adapt it to my use case, but I think I am missing something that someone else perhaps has run into?
Eventually, I plan to have a couple of public services but I am not really there yet. In the meantime, I have a couple of services running on a docker host which I would like to just expose internally via a proxy with the domain name that I have purchased. These are services running without any SSL, so only HTTP, but I think I might have missed something around that as I get redirected to HTTPS, or is that expected? Trying to reach any of these services I get a 503 Service Unavailable.
Perhaps worth mentioning is that I am using AdGuard with Unbound set as my Upstream DNS, and added the services as overrides in Unbound, e.g. test.thisismydomain.com with the internal IP of OPNsense as the target (10.0.1.1). Is that correct?
Sorry for all the questions. I could ofc run nginx or traefik on my docker host instead, just thought I would try this out first.
Code:
curl -vvvv http://test.thisismydomain.com
* Trying 10.0.1.1:80...
* Connected to test.thisismydomain.com (10.0.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: test.thisismydomain.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< content-length: 0
< location: https://test.thisismydomain.com/
<
* Connection #0 to host test.thisismydomain.com left intact
Code:
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (1_HTTPS_frontend/HTTP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (1_HTTPS_frontend/HTTP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62742 to 10.0.1.1:80 (0_SNI_frontend/TCP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (0_SNI_frontend/TCP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62740 to 10.0.1.1:80 (0_SNI_frontend/TCP)
Code:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
    uid 80
    gid 80
    chroot /var/haproxy
    daemon
    stats socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread 4
    hard-stop-after 60s
    no strict-limits
    maxconn 10000
    tune.ssl.default-dh-param 4096
    spread-checks 2
    tune.bufsize 16384
    tune.lua.maxmem 0
    log /var/run/log local0 info
    lua-prepend-path /tmp/haproxy/lua/?.lua

defaults
    log global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options

    # ACL: NoSSL_condition
    acl acl_64f0ce32710c92.22370601 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_64f0ce32710c92.22370601

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64f0da0792f405.45981915.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACL: LOCAL_SUBNETS_condition
    acl acl_64f0df6633f1c3.71515106 src_is_local

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64f0ded2f1b488.73578425.txt)] if acl_64f0df6633f1c3.71515106

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    server SSL_SERVER 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: test_backend ()
backend test_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    http-reuse safe
    server test 10.0.1.110:49005

# statistics are DISABLED
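As an added example (not from the tutorial or the poster), the following script simulates how the posted configuration decides what a request gets: the 1_HTTP_frontend redirects every non-TLS request (ssl_fc false) with a 301, and the 1_HTTPS_frontend only selects a backend when the source is local and the lowercased Host header finds a key in the map file via map_dom, with no default_backend to fall back on. The map file contents and the meaning of OPNsense's src_is_local (client in 10.0.1.0/24) are assumptions, since neither is on the page; the map_dom matcher implements HAProxy's domain-match semantics (key found as a whole dot-delimited label sequence).

```python
import ipaddress
import re

# Constructed stand-in for /tmp/haproxy/mapfiles/...txt; the real file is not
# shown in the post, so this is an assumption about its format and content.
MAP_FILE = """\
# host                    backend
test.thisismydomain.com   test_backend
"""

# Assumed meaning of src_is_local: client address inside a local subnet.
LOCAL_SUBNETS = [ipaddress.ip_network("10.0.1.0/24")]


def parse_map(text):
    """Parse an HAProxy map file into an ordered list of (key, value)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            key, value = line.split(None, 1)
            entries.append((key, value.strip()))
    return entries


def map_dom(sample, entries):
    """HAProxy map_dom: first key that occurs in the sample as a whole
    domain, i.e. equal to it or bounded by dots / string ends."""
    for key, value in entries:
        if re.search(r"(^|\.)" + re.escape(key) + r"(\.|$)", sample):
            return value
    return None


def route(client_ip, host, tls):
    """Return what the posted config does with one request:
    ('301', location), ('backend', name) or ('503', None)."""
    if not tls:
        # 1_HTTP_frontend: HTTPtoHTTPS_rule fires for everything, so plain
        # HTTP can never reach a backend through this config.
        return ("301", "https://%s/" % host)
    src = ipaddress.ip_address(client_ip)
    if any(src in net for net in LOCAL_SUBNETS):      # LOCAL_SUBNETS_condition
        backend = map_dom(host.lower(), parse_map(MAP_FILE))
        if backend:
            return ("backend", backend)
    # 1_HTTPS_frontend has no default_backend: unmatched requests get 503.
    return ("503", None)
```

A request that does map to test_backend still gets a 503 if 10.0.1.110:49005 refuses the connection after the configured retries, so a successful backend selection here only narrows the cause, it does not rule the backend out.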