31
18.7 Legacy Series / Re: Haproxy issue
« on: August 15, 2018, 12:30:34 am »
Can anyone explain to me how to do pass-through ssl with the haproxy plugin?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
32
18.7 Legacy Series / Re: Haproxy issue
« on: August 14, 2018, 04:47:12 pm »
I do t see anything relevant to this server other than the proxy is started. For the working server I see connection information.
I cloned everything from the working server and modified the options to point to the new server but it just doesn’t work.
Maybe it is an nginx issue? But the site works on the lan when going directly to the server. It only had this trouble when going to the haproxy address.
This is doing ssl offloading, I would like to try just pass-through but I don’t know what options to select to do pass-through. Everything I have tried doesn’t work.
I cloned everything from the working server and modified the options to point to the new server but it just doesn’t work.
Maybe it is an nginx issue? But the site works on the lan when going directly to the server. It only had this trouble when going to the haproxy address.
This is doing ssl offloading, I would like to try just pass-through but I don’t know what options to select to do pass-through. Everything I have tried doesn’t work.
33
18.7 Legacy Series / Re: Haproxy issue
« on: August 14, 2018, 02:41:10 pm »
Actually, when going to the site today I get a 503 error.
503 Service Unavailable
No server is available to handle this request.
The cert in the browser looks fine and valid but chrome warns anyway. Clicking proceed gives me the 503 error.
503 Service Unavailable
No server is available to handle this request.
The cert in the browser looks fine and valid but chrome warns anyway. Clicking proceed gives me the 503 error.
34
18.7 Legacy Series / Haproxy issue
« on: August 14, 2018, 12:57:54 pm »
I have one service running behind haproxy with ssl offloading enabled and it works fine.
I added another service to a new backend pool of servers and going to the site over ssl fails with ssl protocol error.
If I go to the site directly to the backend ip it works fine. I only get the protocol error when I go to haproxy address.
What could be the issue? It is nginx with and ssl site on 443.
I added another service to a new backend pool of servers and going to the site over ssl fails with ssl protocol error.
If I go to the site directly to the backend ip it works fine. I only get the protocol error when I go to haproxy address.
What could be the issue? It is nginx with and ssl site on 443.
35
18.1 Legacy Series / Re: Block outbound icmp to external address?
« on: June 05, 2018, 11:14:01 am »
I need the NAT rule. The traffic I see being allowed out says it is the wan interface and the IP address of the wan interface is the source with 8.8.8.8 as the destination.
I already have the NAT rule configured to redirect DNS but now something internally is pinging 8.8.8.8 (I think it is the google devices in my network ever since the DNS NAT rule was put in place).
I already have the NAT rule configured to redirect DNS but now something internally is pinging 8.8.8.8 (I think it is the google devices in my network ever since the DNS NAT rule was put in place).
36
18.1 Legacy Series / Block outbound icmp to external address?
« on: June 05, 2018, 06:13:21 am »
What rule would I need to create to block outbound icmp to 8.8.8.8?
In the log live view I see int wan with the wan ip as the source icmp to 8.8.8.8
In the log live view I see int wan with the wan ip as the source icmp to 8.8.8.8
37
18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers
« on: April 05, 2018, 02:35:01 am »
Trying to use cloudflare doesn't work for me. I tried six ways from Sunday and no luck.
I switched to 9.9.9.9 (Quad9) and tls works fine.
I also switched to OpenSSL from LibreSSL prior to switching to Quad9.
I verified with a WAN packet capture in Wireshark that it is TLS/encrypted.
I'm not sure why Cloudflare doesn't work.
I switched to 9.9.9.9 (Quad9) and tls works fine.
I also switched to OpenSSL from LibreSSL prior to switching to Quad9.
I verified with a WAN packet capture in Wireshark that it is TLS/encrypted.
I'm not sure why Cloudflare doesn't work.
38
General Discussion / Cloudflare DNS over TLS with Unbound
« on: April 04, 2018, 04:02:59 am »
Looking at this article https://www.netgate.com/blog/dns-over-tls-with-pfsense.html?utm_campaign=DNSoverTLS&utm_content=69532200&utm_medium=social&utm_source=twitter
I enabled unbound and added the custom settings from this article to enable dns over tls on 1.1.1.1 and 1.0.0.1.
It seemed to work fine for a short period of time and then I start getting these errors and the unbound service stops running.
unbound: [58716:1] notice: ssl handshake failed 1.1.1.1 port 853
unbound: [58716:1] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available
Is anyone using cloudflare dns over tls successfully?
I enabled unbound and added the custom settings from this article to enable dns over tls on 1.1.1.1 and 1.0.0.1.
It seemed to work fine for a short period of time and then I start getting these errors and the unbound service stops running.
unbound: [58716:1] notice: ssl handshake failed 1.1.1.1 port 853
unbound: [58716:1] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available
Is anyone using cloudflare dns over tls successfully?
39
General Discussion / Re: Writing to Installation Media problem!!
« on: December 17, 2017, 12:48:42 am »
I have never had physdiskwrite not work on Windows. Be careful to select the correct disk!
40
General Discussion / Re: Suggestions for multiple servers running port 443 behind OPNsense
« on: December 16, 2017, 12:59:03 pm »
How can haproxy do this? I see the guide on installing the plugin but how can it allow multiple dns names that point to one public ip to hit multiple servers behind OPNsense using the same port (443)?
41
General Discussion / Suggestions for multiple servers running port 443 behind OPNsense
« on: December 16, 2017, 01:34:53 am »
Suggestions for multiple servers running port 443 behind OPNsense With a single public ip?
What would be a good option for handling this?
example:
a.domain.com:443 —-> single public ip ——> internal_server1:443
b.domain.com:443 —-> single public ip ——> internal_server2:443
Can any plugins for OPNsense handle this or would something like nginx/reverse proxy be required? Maybe a layer 7 load balancer like kemp or netscaler etc.
Haproxy can’t do this can it?
What would be a good option for handling this?
example:
a.domain.com:443 —-> single public ip ——> internal_server1:443
b.domain.com:443 —-> single public ip ——> internal_server2:443
Can any plugins for OPNsense handle this or would something like nginx/reverse proxy be required? Maybe a layer 7 load balancer like kemp or netscaler etc.
Haproxy can’t do this can it?
42
General Discussion / Can haproxy do content switching similar to a netscaler?
« on: December 10, 2017, 03:25:10 pm »
Can haproxy do content switching like a netscaler? Allowing you to host multiple services on the same port via one IP address.
43
17.7 Legacy Series / Re: IDS Alerts
« on: November 16, 2017, 02:21:12 am »
Use LAN interface instead of WAN.
44
General Discussion / Re: Network Monitoring tools
« on: June 16, 2017, 01:04:27 am »
Icinga2 is amazing for all monitoring and alerting.
Graylog is amazing for centralized logging and alerting.
They are even better together. Toss in graphite and grafana for beautiful graphing.
Graylog is amazing for centralized logging and alerting.
They are even better together. Toss in graphite and grafana for beautiful graphing.
45
17.1 Legacy Series / Feature Request: IPS Alerts Filtering
« on: June 08, 2017, 12:45:20 am »
It would be nice to have some additional alert filtering options.
Right now you can do a basic search for something in the logs.
It would be great if we could filter more. Like show me all alerts maybe this dst ip and this action in this time frame or all alerts from this src ip that triggered this rule etc..
Also, is it possible to whitelist an ip in IPS? That would be cool.
Right now you can do a basic search for something in the logs.
It would be great if we could filter more. Like show me all alerts maybe this dst ip and this action in this time frame or all alerts from this src ip that triggered this rule etc..
Also, is it possible to whitelist an ip in IPS? That would be cool.