Web Proxy Filtering and Caching / HAProxy and CloudFlare
« on: November 14, 2024, 08:53:05 am »
Hello all,
I have issues getting the following setup to work.
I have one domain with CloudFlare, which I want to use for all my external services, and another domain set up using OPNsense's Unbound (host overrides) for internal services. What I want to achieve is to set up HAProxy and configure it to serve all my services correctly.
My current network setup for my firewall (OPNsense) is as follows:
WAN - OPNsense real IP
LAN - 192.168.1.1/24 - OPNsense web GUI on port 443 only.
VLAN10 - 10.10.10.1/24 - Public Services (services that would be publicly accessible via my domain with CloudFlare)
VLAN20 - 10.10.20.1/24 - Private Service Network (PHP applications, GitLab, etc.)
VLAN30 - 10.10.30.1/24 - DB Network (a few DBs in a cluster)
VLAN40 - 10.10.40.1/24 - Vaultwarden network (1 server at the moment, FreeBSD with the Vaultwarden service running in a jail)
VLAN50 - 10.10.50.1/30 - MGMT Network (only 1 server, used as an SSH jump host)
So far I have figured out how to serve the public services (using HAProxy):
Client -> WWW -> CloudFlare (country filtering, CDN, DDoS protection, some WAF rules) -> OPNsense -> HAProxy (listening on port 443 only on the WAN address, as CloudFlare does the HTTP -> HTTPS redirect for me) -> Public Services in VLAN10
This works great. I even configured a firewall alias with all of CloudFlare's IPv4 addresses, and allow only CloudFlare's IPs to access port 443 via firewall rules.
As for the internal services, I thought I could use an IP from VLAN10, for example 10.10.10.5, for HAProxy to listen on ports 80 and 443, but HAProxy cannot start if I make the frontend listen on a VLAN IP.
What would be the best way to configure the internal services frontend in HAProxy?
As OPNsense runs on a VM, I could add another interface specifically for HAProxy to listen on, as I want to keep my network setup as segmented as possible.
All internal services should go through HAProxy for sure. Before implementing HAProxy I used OPNsense's WireGuard VPN to access the internal services directly, and I still want to use WireGuard to access them (the internal services), but this time through HAProxy.
Is it a good idea to use a separate network interface (a new one) for HAProxy only, or to use the LAN interface (where OPNsense listens on port 443 at the moment) - 192.168.1.1 - or even a separate IP on the LAN interface, for example 192.168.1.10, for HAProxy?
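For reference, an added example HAProxy configuration (not the poster's config, and not an official OPNsense template) that models the split described in the post: a public frontend on the WAN address that accepts only Cloudflare source addresses, and a separate internal frontend on a dedicated address for the Unbound-served domain. The WAN address 203.0.113.10, the list file and certificate paths, the hostnames and the backend server addresses are placeholders; the internal listener address 192.168.1.10 is the one mentioned in the post.

```haproxy
# Added example, not from the original post. Placeholders: 203.0.113.10 (WAN),
# cloudflare_ipv4.lst, *.pem, hostnames and backend server IPs.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Public frontend: reachable only through Cloudflare. The firewall alias on
# OPNsense already limits 443 to Cloudflare ranges; repeating the check here
# means a firewall-rule mistake still fails closed instead of exposing backends.
frontend fe_public
    bind 203.0.113.10:443 ssl crt /usr/local/etc/haproxy/certs/public.pem
    acl from_cloudflare src -f /usr/local/etc/haproxy/cloudflare_ipv4.lst
    http-request deny unless from_cloudflare
    # Only Cloudflare can reach this frontend, so CF-Connecting-IP can be
    # trusted for logging the real client address.
    http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if { req.hdr(CF-Connecting-IP) -m found }
    acl host_app hdr(host) -i app.public-example.tld
    use_backend be_public_app if host_app
    default_backend be_deny

# Internal frontend: its own listener address, its own domain, reached from LAN
# or over WireGuard. No Cloudflare in front, so the HTTP->HTTPS redirect is done
# here. A bind address must already exist on the firewall when HAProxy starts.
frontend fe_internal
    bind 192.168.1.10:80
    bind 192.168.1.10:443 ssl crt /usr/local/etc/haproxy/certs/internal.pem
    http-request redirect scheme https unless { ssl_fc }
    acl host_gitlab hdr(host) -i gitlab.internal-example.tld
    acl host_vault  hdr(host) -i vault.internal-example.tld
    use_backend be_gitlab if host_gitlab
    use_backend be_vaultwarden if host_vault
    default_backend be_deny

backend be_public_app
    server app1 10.10.10.20:8080 check
backend be_gitlab
    server gitlab1 10.10.20.20:80 check
backend be_vaultwarden
    server vw1 10.10.40.20:80 check
# Unknown Host headers get an explicit 403 rather than a default backend.
backend be_deny
    http-request deny deny_status 403
```

With two frontends on different addresses, firewall rules can allow 443 to the public listener only from the Cloudflare alias and to the internal listener only from LAN and WireGuard networks, so neither domain is reachable through the other's path.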