Messages - csmall

#31
If I have already pulled certificates from LetsEncrypt with certbot by running it individually on web servers behind OPNsense/HAProxy, can I still use the LetsEncrypt plugin to take over the management of the certificates?

If so, how? If not, what would be the best way to cut over to the plugin so I don't have to deal with the individual servers renewing certificates?
#32
18.7 Legacy Series / Haproxy ssl-passthrough help
August 15, 2018, 05:37:58 PM
Can anyone explain to me how I would setup haproxy in OPNsense to do ssl-passthrough instead of offloading?

I currently have a single public ip listening on 443 via haproxy with certainty for a couple of servers/services added to it with ssl offloading configured. There are rules that look at host contains and based on the sub domain name of the url, they are routed to the proper pool of servers.

This is currently working for me.

I am more curious on how I would do this with ssl-passthrough instead of offloading and also how I could still use rules to determine which server pool a sub domain url hits.

Any guidance would be much appreciated.
#33
18.7 Legacy Series / Re: Haproxy issue
August 15, 2018, 02:27:43 AM
Looks like I figured out how to run multiple sites with SSL and SSL-Offloading. Multiple sites are now loading as expected behind a single public IP.
#34
18.7 Legacy Series / Re: Haproxy issue
August 15, 2018, 12:30:34 AM
Can anyone explain to me how to do pass-through ssl with the haproxy plugin?
#35
18.7 Legacy Series / Re: Haproxy issue
August 14, 2018, 04:47:12 PM
I don't see anything relevant to this server other than the proxy is started. For the working server I see connection information.

I cloned everything from the working server and modified the options to point to the new server but it just doesn't work.

Maybe it is an nginx issue? But the site works on the lan when going directly to the server. It only had this trouble when going to the haproxy address.

This is doing ssl offloading, I would like to try just pass-through but I don't know what options to select to do pass-through. Everything I have tried doesn't work.
#36
18.7 Legacy Series / Re: Haproxy issue
August 14, 2018, 02:41:10 PM
Actually, when going to the site today I get a 503 error.

503 Service Unavailable
No server is available to handle this request.

The cert in the browser looks fine and valid but chrome warns anyway. Clicking proceed gives me the 503 error.
#37
18.7 Legacy Series / Haproxy issue
August 14, 2018, 12:57:54 PM
I have one service running behind haproxy with ssl offloading enabled and it works fine.

I added another service to a new backend pool of servers and going to the site over ssl fails with ssl protocol error.

If I go to the site directly to the backend ip it works fine. I only get the protocol error when I go to haproxy address.

What could be the issue? It is nginx with an ssl site on 443.
#38
I need the NAT rule. The traffic I see being allowed out says it is the wan interface and the IP address of the wan interface is the source with 8.8.8.8 as the destination.

I already have the NAT rule configured to redirect DNS but now something internally is pinging 8.8.8.8 (I think it is the google devices in my network ever since the DNS NAT rule was put in place).

#39
What rule would I need to create to block outbound icmp to 8.8.8.8?

In the log live view I see int wan with the wan ip as the source icmp to 8.8.8.8
#40
Trying to use cloudflare doesn't work for me. I tried six ways from Sunday and no luck.

I switched to 9.9.9.9 (Quad9) and tls works fine.

I also switched to OpenSSL from LibreSSL prior to switching to Quad9.

I verified with a WAN packet capture in Wireshark that it is TLS/encrypted.

I'm not sure why Cloudflare doesn't work.
#41
Looking at this article https://www.netgate.com/blog/dns-over-tls-with-pfsense.html?utm_campaign=DNSoverTLS&utm_content=69532200&utm_medium=social&utm_source=twitter

I enabled unbound and added the custom settings from this article to enable dns over tls on 1.1.1.1 and 1.0.0.1.

It seemed to work fine for a short period of time and then I start getting these errors and the unbound service stops running.

unbound: [58716:1] notice: ssl handshake failed 1.1.1.1 port 853

unbound: [58716:1] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available

Is anyone using cloudflare dns over tls successfully?
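The error in the post is raised on the client side while unbound is preparing its ClientHello, so a second, independent TLS client on the same host that reports what a successful handshake to the resolver negotiates (protocol, cipher, certificate subject) gives a useful comparison. The script below is an added example, not part of the forum post or of the unbound/OPNsense configuration: it sends one query over DNS-over-TLS (2-byte length prefix on a TLS connection to port 853, as RFC 7858 specifies) with certificate verification against the system CA store. The query builder and response parser run offline on constructed bytes; the network check only runs from `__main__`. The resolver addresses are the ones from the post; the TLS authentication names `cloudflare-dns.com` and `dns.quad9.net` are the providers' published names and are assumed here.

```python
"""Diagnose a DNS-over-TLS upstream with one verified query.

Added example (not from the original forum post, unbound, or OPNsense).
"""
import socket
import ssl
import struct


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (QTYPE A by default) in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return pos + 2
        pos += 1 + length


def parse_dns_response(data: bytes) -> dict:
    """Extract txid, rcode and any A-record addresses from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "addresses": addresses}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip: str, name: str, server_hostname: str,
              port: int = 853, timeout: float = 5.0) -> dict:
    """Send one query over TLS and report the answer plus handshake details."""
    ctx = ssl.create_default_context()  # verifies chain and hostname against system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_dns_query(name)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            answer = parse_dns_response(_recv_exact(tls, length))
            answer.update(tls_version=tls.version(), cipher=tls.cipher()[0],
                          cert_subject=tls.getpeercert().get("subject"))
            return answer


if __name__ == "__main__":
    # Addresses from the post; TLS names are the providers' published names (assumed).
    for ip, host in (("1.1.1.1", "cloudflare-dns.com"), ("9.9.9.9", "dns.quad9.net")):
        try:
            print(ip, dot_query(ip, "example.com", host))
        except (OSError, ssl.SSLError) as exc:
            print(ip, "failed:", exc)
```

If this client negotiates a handshake with a resolver that unbound fails against, the difference lies in the TLS library or cipher configuration unbound is built with rather than in the resolver, which is the distinction the OpenSSL/LibreSSL switch in the later post touches on. The `server_hostname` argument is what makes the certificate check meaningful; without it the connection is encrypted but not authenticated.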
#42
I have never had physdiskwrite not work on Windows. Be careful to select the correct disk!
#43
How can haproxy do this? I see the guide on installing the plugin but how can it allow multiple dns names that point to one public ip to hit multiple servers behind OPNsense using the same port (443)?
#44
Suggestions for multiple servers running port 443 behind OPNsense with a single public ip?

What would be a good option for handling this?

example:

a.domain.com:443 —-> single public ip ——> internal_server1:443

b.domain.com:443 —-> single public ip ——> internal_server2:443

Can any plugins for OPNsense handle this or would something like nginx/reverse proxy be required? Maybe a layer 7 load balancer like kemp or netscaler etc.

Haproxy can't do this can it?
#45
Can haproxy do content switching like a netscaler? Allowing you to host multiple services on the same port via one IP address.