OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of DOM_EUWest »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - DOM_EUWest

Pages: [1]
1
24.1 Legacy Series / Re: squid -k parse Requiring client certificates. Segmentation fault (core dumped)
« on: February 08, 2024, 10:38:33 am »
I have the same problem. With 24.1.1
On 23.7.10 all works fine


Code: [Select]
root@firewall:/usr/local/etc/squid # squid -k parse
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2024/02/08 10:36:31| Processing: http_port 10.10.2.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.30.2.254:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.10.50.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: http_port 10.10.51.1:3128  ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
2024/02/08 10:36:31| Processing: sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_crtd -M 4MB
2024/02/08 10:36:31| Processing: sslcrtd_children 5
2024/02/08 10:36:31| Processing: tls_outgoing_options options=NO_TLSv1 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
2024/02/08 10:36:31| Processing: acl bump_step1 at_step SslBump1
2024/02/08 10:36:31| Processing: acl bump_step2 at_step SslBump2
2024/02/08 10:36:31| Processing: acl bump_step3 at_step SslBump3
2024/02/08 10:36:31| Processing: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/02/08 10:36:31| WARNING: empty ACL: acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
2024/02/08 10:36:31| Processing: ssl_bump peek bump_step1 all
2024/02/08 10:36:31| Processing: ssl_bump splice all
2024/02/08 10:36:31| Processing: ssl_bump peek bump_step2 all
2024/02/08 10:36:31| Processing: ssl_bump splice bump_step3 all
2024/02/08 10:36:31| Processing: ssl_bump bump
2024/02/08 10:36:31| Processing: sslproxy_cert_error deny all
2024/02/08 10:36:31| Processing: acl ftp proto FTP
2024/02/08 10:36:31| Processing: http_access allow ftp
2024/02/08 10:36:31| Processing: acl localnet src 10.10.2.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src 10.30.2.254/32 # Possible internal network (aliases)
2024/02/08 10:36:31| Processing: acl localnet src 10.10.50.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src 10.10.51.0/24 # Possible internal network (interfaces v4)
2024/02/08 10:36:31| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2024/02/08 10:36:31| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2024/02/08 10:36:31| Processing: acl whiteList url_regex windowsupdate\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.windowsupdate\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex mp\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.mp\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex metaservices\.microsoft\.com
2024/02/08 10:36:31| Processing: acl whiteList url_regex \.metaservices\.microsoft\.com
2024/02/08 10:36:31| Processing: acl remoteblacklist_UT1 dstdomain "/usr/local/etc/squid/acl/UT1"
2024/02/08 10:36:31| Processing: acl SSL_ports port 443 # https
2024/02/08 10:36:31| Processing: acl Safe_ports port 80 # http
2024/02/08 10:36:31| Processing: acl Safe_ports port 21 # ftp
2024/02/08 10:36:31| Processing: acl Safe_ports port 443 # https
2024/02/08 10:36:31| Processing: acl Safe_ports port 70 # gopher
2024/02/08 10:36:31| Processing: acl Safe_ports port 210 # wais
2024/02/08 10:36:31| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2024/02/08 10:36:31| Processing: acl Safe_ports port 280 # http-mgmt
2024/02/08 10:36:31| Processing: acl Safe_ports port 488 # gss-http
2024/02/08 10:36:31| Processing: acl Safe_ports port 591 # filemaker
2024/02/08 10:36:31| Processing: acl Safe_ports port 777 # multiling http
2024/02/08 10:36:31| Processing: acl CONNECT method CONNECT
2024/02/08 10:36:31| Processing: icap_enable off
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/pre-auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2024/02/08 10:36:31| Processing: cache_peer 10.10.253.10 parent 3128 0 no-query default
2024/02/08 10:36:31| Processing: acl ExcludePPDomains dstdomain .lan .wlan .purner.eu
2024/02/08 10:36:31| Processing: acl ExcludePPIPs dst 10.10.2.0/24 10.10.10.0/24 10.10.20.0/24 10.10.30.0/24 10.10.31.0/24 10.10.40.0/24 10.10.50.0/24 10.10.51.0/24 10.10.60.0/24 10.10.61.0/24 10.10.70.0/24 10.10.71.0/24 10.10.200.0/24 10.10.201.0/24 10.10.254.0/24 172.30.30.0/24 10.2.0.1 10.96.0.1 10.98.0.1 172.30.100.0/24 10.10.253.0/24
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 deny ExcludePPDomains
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 deny ExcludePPIPs
2024/02/08 10:36:31| Processing: cache_peer_access 10.10.253.10 allow all
2024/02/08 10:36:31| Processing: never_direct deny ExcludePPDomains
2024/02/08 10:36:31| Processing: never_direct deny ExcludePPIPs
2024/02/08 10:36:31| Processing: never_direct allow all
2024/02/08 10:36:31| Processing: http_access allow whiteList
2024/02/08 10:36:31| Processing: http_access deny remoteblacklist_UT1
2024/02/08 10:36:31| Processing: http_access deny !Safe_ports
2024/02/08 10:36:31| Processing: http_access deny CONNECT !SSL_ports
2024/02/08 10:36:31| Processing: http_access allow localhost manager
2024/02/08 10:36:31| Processing: http_access deny manager
2024/02/08 10:36:31| Processing: http_access deny to_localhost
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing: http_access allow localnet
2024/02/08 10:36:31| Processing: http_access allow localhost
2024/02/08 10:36:31| Processing: http_access deny all
2024/02/08 10:36:31| Processing: include /usr/local/etc/squid/post-auth/*.conf
2024/02/08 10:36:31| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2024/02/08 10:36:31| Processing: cache_mem 256 MB
2024/02/08 10:36:31| Processing: coredump_dir /var/squid/cache
2024/02/08 10:36:31| Processing: refresh_pattern ^ftp:          1440    20%     10080
2024/02/08 10:36:31| Processing: refresh_pattern ^gopher:       1440    0%      1440
2024/02/08 10:36:31| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%      0
2024/02/08 10:36:31| Processing: refresh_pattern .              0       20%     4320
2024/02/08 10:36:31| Processing: access_log stdio:/var/log/squid/access.log squid
2024/02/08 10:36:31| Processing: cache_store_log none
2024/02/08 10:36:31| Processing: httpd_suppress_version_string on
2024/02/08 10:36:31| Processing: uri_whitespace strip
2024/02/08 10:36:31| Processing: forwarded_for on
2024/02/08 10:36:31| Processing: logfile_rotate 0
2024/02/08 10:36:31| Processing: cache_mgr proxy@purner.eu
2024/02/08 10:36:31| Processing: error_directory /usr/local/etc/squid/errors/local
2024/02/08 10:36:31| Requiring client certificates.
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
2024/02/08 10:36:31| Loaded signing certificate: /C=AT/ST=AT/L=AT/O=AT/emailAddress=/CN=opnsense-vpn-ca
2024/02/08 10:36:31| Not requiring any client certificates
Segmentation fault (core dumped)

Code: [Select]
root@firewall:/usr/local/etc/squid # netstat -an | grep 3128 | wc -l
       4

Code: [Select]
root@firewall:/usr/local/etc/squid # pkg info | grep squid
os-squid-1.0                   Squid is a caching proxy for the web
squid-6.6                      HTTP Caching Proxy
squid-langpack-7.0.0.20230225  Language-specific error documents for Squid web cache

2
Tutorials and FAQs / Re: Tutorial 2023/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: December 18, 2023, 02:16:06 pm »
Ok :-)

Now it works.

Changed the LAN MTU from 9000 to 4076 was the hack. Now all works fine

3
Tutorials and FAQs / Re: Tutorial 2023/12: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: December 17, 2023, 03:18:22 pm »
Thank you for these detailed instructions.

It has made my life much easier.


However, I have the problem that Plex is not accessible, neither internally nor externally.


The Plex log shows me the error....


CERT: incomplete TLS handshake from xxx.xxx.xxx:28422: stream truncated

HA Log..
Informational   haproxy   xx.x.xx.xxx:21734 [18/Dec/2023:02:33:09.222] 1_HTTPS_frontend/127.4.4.3:443: SSL handshake failure


The certificate is new and was requested via ACME with the exact same settings.


I am at a bit of a loss.

MTU WAN: 1500 auto
MTU LAN 9000 with 10G LAGG interface

Code: [Select]
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    8
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443 0.0.0.0:80)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    timeout client 30s

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_657ed45319efa3.43352536 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_657ed45319efa3.43352536

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/657ed88b10e6c1.81075400.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/657ed57bcfd057.79414853.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    timeout connect 30s
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Plex_DMZ_backend ()
backend Plex_DMZ_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    timeout connect 30s
    http-reuse safe
    server Plex_Server_DMZ 10.10.20.11:32400 ssl verify none resolve-prefer ipv4



# statistics are DISABLED




10.10.2.1 is the LAN IP

When i set the DNS to the Real Server ( 10.10.20.11) and go to https://plex.mydomain.eu:32400 , all work fine.

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2