Topics - bobpaul

#1
Current Setup, without Traefik plug
My current setup is pretty standard. I have 80 and 443 forwarded to an internal host. On that host I run traefik and some docker containers.


  • 80 -> internalhost1:80
  • 443 -> internalhost1:443

But I'd like to add a second internal host, also running some services, and I'd like to do this without running either on non-standard ports.

Desired setup, with os-traefik-maxit
I've installed traefik from mimugmail's repo. I was planning something like this:


I wonder if anyone has set up something similar. I'm running into some roadblocks right out of the gate and wonder if anyone has solved them or has suggestions.

1. Traefik entry points look like address = ":443", but that will conflict with the local OPNsense web UI. Is there some way to dynamically use the WAN IP address as the bind address in a configuration file like this? I don't think traefik allows selecting a bind adapter. I won't need traefik on OPNsense listening on any local IPs.

I guess one solution might be that I could have traefik listen on non-standard ports like 127.0.0.1:8443 and then use a port forwarding rule in the OPNSense firewall config.

2. One reason I like Traefik is because of how easy it is to manage TLS certificates. I use the DNS challenge with Digital Ocean, but that requires that the environment variable DO_AUTH_TOKEN be set. I don't think traefik lets me put this in the traefik.toml file. Is there a way to set global environment variables on OPNsense so that a service like traefik will inherit them in its launch shell?
#2
I followed the guide for Bridged LAN and it appeared to work, but it turns out it's only half working.

I have igb0 set as WAN, bridge0 set as LAN. Bridge0 contains igb1, igb2, and igb3 (though only igb2 and 3 are plugged in).

All connected links can talk to the router; DHCP works, hosts have internet access, etc. But hosts on igb2 can't talk to hosts on igb3.

Any suggestions on how to proceed?
#3
I used beadm to take a snapshot, then I upgraded to 20.7. I'm pretty sure it was successful, but I guess I didn't pay too much attention.

Then I messed around with some bridge settings and locked myself out from the network. I used the local VGA console and used beadm to restore to prior to the upgrade. Things were working, so I deleted the broken 20.7 boot environment; figured I could just upgrade again.

Well now when I go to System -> Firmware -> Upgrade it claims no upgrades available. It doesn't show the 20.7 unlock button.

If I do Audit -> Health it shows a ton of checksum mismatches. I don't think that was the case before I attempted the upgrade, etc.


Is it possible that something from 20.7 survived using beadm to switch boot environments back to 20.1?

see: https://controlc.com/9c26862d

$ uname -a
FreeBSD router.local 11.2-RELEASE-p18-HBSD FreeBSD 11.2-RELEASE-p18-HBSD  f08b5f14327(stable/20.1)  amd64


No issues turned up in zpool scrub.
#4
I don't normally have my WebUI accessible via the internet, but I allowed it through the firewall temporarily so I could test it on SSL Labs. It was surprisingly easy to get an A+ rating.

I'm using the ACME plugin to get a cert via Lets Encrypt. Everything else setup via System -> Settings -> Administration.

Disable TLS 1.0 and TLS 1.1

SSL Labs caps your rating at a B if you allow TLS 1.0 or 1.1. It looks like the only way to do this is by limiting the available ciphers, so I've changed my ciphers from Default to the following:

# TLS 1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

# TLS 1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384


This will prevent some archaic browsers from accessing the WebUI. Some examples:

  • IE 11 works, but not IE 11 on some un-updated versions of Windows Phone OS
  • Safari 9 on all platforms works, but Safari 8 and older will not work
  • Android 4.4.2+ should work, but anything older will not

HSTS
Check the box for HTTP Strict Transport Security or you'll be limited to an A rating.

That's it!
Congrats! Your router now has a higher SSL rating than Amazon.com =D
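An added example (not bobpaul's code or anything from the OPNsense project) that checks the three things the post relies on: TLS 1.0/1.1 refused, the configured cipher list resolving to TLS 1.2/1.3 AEAD suites only, and an HSTS header present. The cipher-list trick works because the GCM and ChaCha20 suites in the post are defined for TLS 1.2 only, so a TLS 1.0/1.1 client has nothing left to negotiate; the TLS 1.3 suites sit in OpenSSL's separate ciphersuite list and are not affected by the cipher string. It assumes Python 3.7+ with OpenSSL 1.1.1 or newer, and `router.local` is a placeholder hostname to replace with your own.

```python
"""Check an HTTPS endpoint for the points in the post: TLS 1.0/1.1 refused,
only AEAD suites offered, and an HSTS header present.

Added example, not code from the post. Assumes Python 3.7+ and OpenSSL 1.1.1+.
"""
import http.client
import socket
import ssl
import sys

# The TLS 1.2 suites from the post in IANA notation (constructed from the post's list).
# The TLS 1.3 suites are deliberately absent: OpenSSL keeps them in a separate
# ciphersuite list that a cipher string cannot restrict, and all of them are AEAD.
POST_TLS12_SUITES = [
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]


def iana_to_openssl(name):
    """Translate an IANA suite name into the name OpenSSL uses in cipher strings.

    Covers the (EC)DHE-RSA AES-GCM and ChaCha20 suites from the post plus the common
    CBC and ECDSA variants: OpenSSL drops "CBC", the "SHA256" tag on ChaCha20 suites,
    and a plain "RSA" key exchange from its names.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not an IANA TLS 1.2 suite name: %s" % name)
    kex, cipher = name[len("TLS_"):].split("_WITH_", 1)
    if kex == "RSA":
        kex = ""
    cipher = cipher.replace("AES_128", "AES128").replace("AES_256", "AES256")
    cipher = cipher.replace("_CBC", "")
    if cipher.startswith("CHACHA20_POLY1305"):
        cipher = "CHACHA20_POLY1305"
    return "-".join(p for p in (kex, cipher) if p).replace("_", "-")


def openssl_cipher_string(suites=POST_TLS12_SUITES):
    return ":".join(iana_to_openssl(s) for s in suites)


def local_context_for(suites=POST_TLS12_SUITES):
    """Build a client context restricted to the post's suites and return the
    (name, protocol) pairs OpenSSL would actually offer, TLS 1.3 suites included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(openssl_cipher_string(suites))
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def handshake_with(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`.

    Certificate checks are off because the question is protocol support, not identity.
    A client whose own OpenSSL no longer speaks TLS 1.0/1.1 also fails here, so confirm
    a "refused" result with `openssl s_client -tls1` if in doubt.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionError, socket.timeout):
        return False


def hsts_header(host, port, timeout=5.0):
    """Return the Strict-Transport-Security header from HEAD / (None if absent)."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def audit(host, port=443):
    """Collect the observations the post's SSL Labs result depends on."""
    return {
        "tls1.0_accepted": handshake_with(host, port, ssl.TLSVersion.TLSv1),
        "tls1.1_accepted": handshake_with(host, port, ssl.TLSVersion.TLSv1_1),
        "tls1.2_accepted": handshake_with(host, port, ssl.TLSVersion.TLSv1_2),
        "hsts": hsts_header(host, port),
    }


def rating_ceiling(result):
    """Apply the two caps the post cites: B for a legacy protocol, A for no HSTS."""
    if result["tls1.0_accepted"] or result["tls1.1_accepted"]:
        return "B"
    if not result["hsts"]:
        return "A"
    return "A+"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "router.local"  # placeholder host
    for suite, proto in local_context_for():
        print("%-40s %s" % (suite, proto))
    outcome = audit(target)
    print(outcome, "-> ceiling", rating_ceiling(outcome))
```

Run it as `python3 check_tls.py router.local` from a host that can reach the web UI; the first block of output is what your own OpenSSL makes of the cipher string, and should show nothing older than TLSv1.2 before any network traffic happens.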