Messages

1

23.7 Production Series / HAproxy: Syncthing Discovery server with forwarded client certificate in header

« on: September 02, 2023, 06:49:27 pm »

Hello,

I want to use the Syncthing Discovery server behind HAproxy with ssl offloading by HAproxy. To do so I set the discovery server to http (option -http). The connection is running. But I must forward the client certificate by header X-SSL-Cert. Acc. the manual the header is required in PEM format.

This would add the client cert in der format what is not recognized by the discovery server:

Code: [Select]

http-request set-header X-SSL-Cert %{+Q}[ssl_c_der,base64]
I modified the line to create a pem file. Either nothing is in or it is in wrong format.

Code: [Select]

http-request set-header X-SSL-Cert -BEGIN\ CERTIFICATE-\ %[ssl_c_der,base64]\ -END\ CERTIFICATE-\ # don't forget last space

Connection is running. But discovery still cannot read the client cert:

Code: [Select]

no certificates: certificate decode result is empty

Any idea how to set-up the forwarding of client certificate by header correctly in OPNsense?

2

German - Deutsch / Re: Vodafone Kabel 1000Mbit - Welche Hardware für Homeoffice

« on: July 23, 2023, 08:42:18 am »

Ich habe einen Vodafone Kabel Anschluss ( ehemals Unitymedia ) mit 1000Mbit.
[...]
Welche OPNSense Hardware sollte ich für diesen Anschluss wählen ?

Du fragst nicht danach, aber mache dir beim Wechsel der Firewall auch Gedanken zur Anbindung an das Gerät, das den Zugang zum Kabelnetz herstellt. Wenn es ein "einfaches" und reines Kabelmodem ist, dann passt das immer. Wenn du dort heute ein Kombigerät hast, das auch Firewall und Telefon bereitstellt (z. B. FritzBox), dann hast du mit dem OPNsense-Gerät eine zweite Firewall, die zu doppeltem NAT führt. Geht auch. Man sollte nur wissen, was das bedeutet, bevor mit dem Basteln beginnt.

3

General Discussion / Re: Client Cert Authentication sufficient for Exchange server

« on: September 08, 2022, 10:28:34 pm »

Still please read all of my last post. Using a dedicated OWA server is highly recommended.

Thanks a lot again. Yes, I got your point already by your first mail.

I will reconsider after looking in some more details. Basically the vpn way is fine for me. My small home lab is running out of resources and one Exchange already is using more RAM I want to spend.

4

General Discussion / Re: Client Cert Authentication sufficient for Exchange server

« on: September 08, 2022, 08:09:54 pm »

Millions of Enterprises do that. Expose OWA to the Internet. That's what it was made for.

Thank you.

5

General Discussion / Re: Client Cert Authentication sufficient for Exchange server

« on: September 08, 2022, 06:30:39 pm »

What is your risk? If this is a lab setup, do you even process real data?

OK. I see that "lab setup" was misleading. Yes, it is processing real data. There are two private mail accounts on it. I know, there are better ways instead of using an oversized Exchange for this. I called it home lab set-up to avoid any link to corporate use or professional data with hundreds of mailboxes.

Therefore let me rephrase my question:

Are there common and recommended scenarios where the activesync site of IIS in Exchange is directly exposed to the internet without reverse proxy or WAF in front?

Have you considered a VPN for instance?

Yes. I am even doing it like this. Most secure variant I guess, but also with disadvantages: Drains more battery from mobile and VPN not always with a stable connection. Therefore I am looking for other ways.

6

General Discussion / Client Cert Authentication sufficient for Exchange server

« on: September 03, 2022, 05:21:15 pm »

Hello,

does enabling Client Certificate Authentication on MS Exchange server bring sufficient security to expose ‘activesync’ and ‘owa’ directly to the internet?

We are talking about a home lab setup. My current configuration is that port 443 for activesync and owa is behind HAProxy on OPNsense doing SSL offloading. Access to smtp is via a mail gateway. To increase the security for I want to switch to Client Certificate Authentication for activesync.

Option 1: setup client auth on HAProxy.
Option 2: passthrough ‘activcesync’ (separate host/SNI) in HAProxy by TCP mode, do authentication on HAProxy and keep offloading SSL for ‘owa’ on HAProxy

Option 1 seems to get to complicate for me as there are other services on port 443 where I want to keep offloading on HAProxy. This would require a complex set-up by two frontends on same port, on with and one without client certificate authentication. Option 2 seems to be the less complex way.

But is a direct exposed Exchange protected by client certificate authentication as save against attacks as behind HAProxy?

7

General Discussion / Re: HAProxy Client Certificate Authentication for specific backends

« on: September 02, 2022, 08:43:19 pm »

So, the client-certificate requirement is configured on the 'Public Service' as 'Optional'. This way you don't need a client-cert for the public website. For the secure services, I add the mentioned 'check' if a client-cert is used, otherwise deny access.

I try to achieve something similar and found your post.

What will happen if the client presents a cert that is not valid and you only check if the cert was presented?
Would it be the right way to combine 'ssl_c_used' with 'ssl_c_verify' in your check?

8

Web Proxy Filtering and Caching / Re: haproxy: mixed ssl passthrough and offloading

« on: August 28, 2022, 09:42:51 pm »

I only get running either with offloading or with passthrough, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.

After reading a couple of time and trial-and-error, finally I got it running. The key infortation was written in the chapter:

6. How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't have (yet) the need to actually load balance any non SSL traffic.
However balancing non SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_map-file_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend" and that the backend that belongs to your "NOSSLservice_server" is running in TCP mode.

9

Web Proxy Filtering and Caching / Re: haproxy: mixed ssl passthrough and offloading

« on: August 27, 2022, 11:53:27 pm »

Could anybody get mixed modes passthrough and offloading running with HAProxy under OPNsense meanwhile?

I only get running either with offloading or with passthrough, but not in parallel. What I would like to achieve is to use passthrough for one server and offloading for another server and distinguish via SNI or hostname.

I guess this instruction for pfsense is exactly what I am looking for. Unfortunately, I am not able to transfer this to OPNsense.

https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Any idea?

10

Zenarmor (Sensei) / Re: Elasticsearch does not start after installing recent Log4j patches

« on: January 23, 2022, 09:51:00 pm »

However, performing a backup within Zenarmor, uninstalling and re-installing it and then restoring the backup resolved the issue.

Perfect, this solved my issue. It took me a while to find this help. I already thought I am the only one with this issue.

11

21.1 Legacy Series / Re: USB 3 to Ethernet adaptor recommendations

« on: March 20, 2021, 05:37:50 am »

I am currently using a Lenovo 03X6903 USB 3 but it only shows up as 100baseTX <half-duplex> in the Lobby, looking for one that will connect at 1000mbps.

Is it connected to an USB 3.0 port?
Some only establish a 100baseTX link when connected to USB 2.0.

12

General Discussion / Re: Looking to install OPNsense and Ad blocking.

« on: February 21, 2021, 04:24:41 am »

Adguard is only installed on some devices, not all.

OK, your are talking about AdGuard on client devices. I was talking about AdGuard Home on OPNsense.

but why not just do it if it's possible... An ad (or malware) which is not blocked by one is hopefully blocked by the other...

Recources on OPNsense box. Performance.
I would like to avoid to spend firewall resources two times or three times for something that is already done.

13

General Discussion / Re: Announce: new OPNsense community repository

« on: February 21, 2021, 04:18:34 am »

unbounddns > access list, I guess you didn't add your WireGuard network there...

Sorry, my question was misleading you. It is not about Unbound, it is about AdGuard from the repository of this thread.

With my unbound set-up before, Wireguard was working. After change to AdGuard DNS, Wireguard was not working any more. On the AdGuard configuration page, the Wireguard network was listed as listening.

But it is solved now. It was any kind of UDP routing issue. The DNS setting on Wiregurd client was not pointing to the Wireguard interface IP. It was pointing to another network on OPNsense. With Unbound this worked. With AdGuard UDP access was not working. By using a test tool and TCP port it also worked. After I changed the DNS IP on Wireguard client to the Wireguard interface IP it also worked with AdGuard.

14

General Discussion / Re: Announce: new OPNsense community repository

« on: February 20, 2021, 03:37:38 pm »

I am using AdGuard from this repo. Installation and set-up all fine. I can resolve from my "normal" networks. But I do not get DNS resolution from my client connected through Wireguard.

Before with unbound on port 53 it was working. No other change I did than installing AdGuard on port 53 and switched off Unbound.

Any idea where to search?

15

General Discussion / Re: Looking to install OPNsense and Ad blocking.

« on: February 20, 2021, 11:19:37 am »

I have a combination of unbound with proper blacklists, sensei free and adguard on my devices. Works very well!

Is there any advantage using all three of them?
If you use adguard I do not see an advantage of unbound with blocking list.
Does sensei free on top of these give you so much more?

These are serious questions from me. So far, I was using unbound as forwarder and sensei free. I am just testing adguard and asking myself what unbound and sensei could be good for if I would use adguard.