Messages

Wow! thanks guys. I don't think I'd ever have spotted that. That does indeed seem to have fixed it. Mental note to follow instructions to the number as well as to the letter :-)

Hi, I'm trying to setup HAProxy on my OPNSense box as a reverse proxy for Plex. I've followed the tutorial at https://forum.opnsense.org/index.php?topic=23339.0

I'm pretty sure I've followed the instructions to the letter, but I keep getting the following error when I test the syntax:

Code Select Expand

[NOTICE] (67139) : haproxy version is 3.0.9-7f0031e
[NOTICE] (67139) : path to executable is /usr/local/sbin/haproxy
[ALERT] (67139) : config : Proxy '1_HTTPS_frontend': unable to set SSL curves list to 'secp38r1' for bind '127.4.4.3:443' at [/usr/local/etc/haproxy.conf.staging:72].
Proxy '1_HTTPS_frontend': unable to set SSL curves list to 'secp38r1' for bind '127.4.4.3:443' at [/usr/local/etc/haproxy.conf.staging:72].
[ALERT] (67139) : config : Fatal errors found in configuration.
Upon Googling, the only thing that seems relevant is a bug report from around 5 years ago.

Wondering if anyone might know why HAProxy might throw this error?

My config is as follows:

Code Select Expand

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    2
    hard-stop-after             60s
    no strict-limits
    maxconn                     1000
    ocsp-update.mindelay 300
    ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 1000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: 1_HTTP_frontend ()
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_Condition
    acl acl_67acd47edcffd7.39391092 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_67acd47edcffd7.39391092

# Frontend: 1_HTTPS_frontend ()
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp38r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/67ace1f419a770.60014933.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: Public_Subdomains_Rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/67acddcce077a4.68710516.txt)]

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server ssl_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: PLEX_Backend ()
backend PLEX_Backend
    # health check: check_plex_server
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/2 hdr Host localhost
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Plex_Server 192.168.1.94:32400 check inter 60s port 32400  ssl verify none



# statistics are DISABLED

Seems to be working as expected now without me doing anything (I think!)

Yes, that comes back as valid and active

Hi!

I'm trying to setup the ACME plugin on my OPNSense box (running the latest 25.1-amd64) to generate a cert for one service I want to expose to the internet. My DNS provider is Cloudflare and I'm following the tutorial at https://www.zenarmor.com/docs/network-security-tutorials/how-to-change-self-signed-certificates-with-ca-signed-certificate-on-opnsense

When I follow this tutorial and try to generate the cert, I get an error saying that domain verification failed. Upon reading some other posts on this forum, it was suggested to manually create the _acme-challenge TXT record on cloudflare, which I done using "test" as the text.

I assumed that the ACME plugin would use the API credentials to edit this TXT record with some random txt string and then verify it, but it doesn't seem to have done that - the original "test" is still present in the TXT record, and now says that the domain is validated and the certificate is issued.

Is this the way it's supposed to work? Has it actually verified the domain properly?

Kevin

I done a routine check for updates on my OPNSense box today - 39 updates in total.

All went well until the end when I got this message:

Code Select Expand

pkg-static: Fail to rename /usr/local/lib/ruby/site_ruby/3.1/.pkgtemp.rubygems.rb.MXcBimFKNSLP -> /usr/local/lib/ruby/site_ruby/3.1/rubygems.rb:No such file or directory

I'm assuming it's cosmetic, but thought best to report anyway and can't see any other threads with the same issue.

K