Messages - ikkeT

#46
Hi,

I just upgraded to 18.7 from the prior latest version. Now I've lost all my websites behind HAproxy. Postpone the update if you care about HAproxy. Unfortunately I am only on mobile, so I can't debug much. Rules have lost their names, for example in frontend definitions; there are just UUIDs. Perhaps some broken config conversion.

I'll update after I get back to keyboard.

I took config backup before update. Can I try restoring it to the 18.7 box?
#47
I really like how easy I can get certs now with HAproxy and Let's encrypt. Great work, thanks.

I thought I'd mention this minor issue here in case someone is interested in fixing it. It's really minor, but confusing for a first-timer like me. So I have HAproxy listening to all traffic on port 443. The default public service then routes requests to the correct backends based on rules. First I create rules to sort traffic to a given domain and backend. Then I add the rule to the public service. That frontend is also using certs from the Let's Encrypt service. Next I need to go to the Let's Encrypt service to add the domain.

I add the domain with the HTTP validation method, and press the small refresh button to force registration. This always fails on the first run. But it also always works on the second run. Even though the GUI doesn't show it until a page refresh, the logs do.

So it's now OK for me, as I know this, but I sure spent some time on the first trials as I didn't look at the logs first.

Anyway, knowing this, it is a great feature. Perhaps it gets fixed at some point.
#48
Pheeew... finally it's all coming together. The key was to make one frontend for 0.0.0.0:443, and then add rules there to point to different backends. Not several frontends for 0.0.0.0:443.

And to replace parts of the paths, one needs to create a rule with the pass-through option, like this:


    # ACTION: foobar_away
    # rewrites /bar/x to /x for requests matching the ACL; note that %[path]
    # carries no query string, so set-uri drops any ?query= part
    http-request set-uri %[path,regsub(/bar/,/)] if acl_5aef6814c09b63.87584580


and have that in the backend pool rules. I couldn't find another way to add it than the pass-through option for the rule.
#49
Any ideas? I changed the topic name from mangling to rewrite as that seems to be the better term for it. In the meantime I got Let's Encrypt working, and a basic forward from port 443 without path change.

I have one IP. I'd like to catch all *:443 traffic, and based on domain, or URL point it to different services. So


1. https://foo.com/       -> WAN -> *:443 -> decrypt -> foo.intranet:80/
2. https://foo.com/bar -> WAN ->  *:443 -> decrypt -> bar.intranet:3000/
3. https://foo22.com/bar -> WAN ->  *:443 -> decrypt -> bar22.intranet:8080/


The basic first one works fine. But I can't find an option to put both rules into one *:443 via the GUI. I suppose I should rewrite the host and URL both in incoming and outgoing traffic. I suppose I could install HAproxy, manually write the haproxy.cfg, and start the service manually to avoid the GUI shortcomings. Or is there any other way?

Can there be several binds to *:443?

I am currently trying like this; it partly works already (I tried to change names to English):



frontend default_ssl
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy/ssl/5aeeda9fd8e5e2.51517701.crtlist
    mode http
    option http-keep-alive
    #default_backend nextcloud_bep
    default_backend Grafana
    # tuning options
    timeout client 30s

    # route by Host header
    acl acl_nc hdr(host) -i nextcloud.my.com
    use_backend nextcloud_bep if acl_nc

    # Let's Encrypt HTTP-01 challenges go to the ACME backend regardless of host
    acl acl_5aeedb998d8044.83346815 path_beg -i /.well-known/acme-challenge/
    use_backend acme_challenge_backend if acl_5aeedb998d8044.83346815

    # host AND path prefix (two ACLs on one use_backend line are ANDed)
    acl acl_home hdr(host) -i home.my.com
    acl acl_gauges path_beg -i /gauges
    use_backend Grafana if acl_home acl_gauges


backend Grafana
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # strip the /gauges prefix from the request line and rewrite the Host header
    # (reqirep/rspirep are HAProxy 1.x directives, removed in 2.1 in favour of
    # http-request / http-response actions)
    reqirep ^([^\ :]*)\ /gauges/(.*)     \1\ /\2
    http-request add-header X-Forwarded-For %[src]
    reqirep ^Host:\ home.my.com   Host:\ grafana.intranet:3000

    # rewrite Location headers on redirects coming back from Grafana
    acl hdr_location res.hdr(Location) -m found
    rspirep ^Location:\ (https?://home.my.com(:[0-9]+)?)?/gauges(/.*) Location:\ /\3 if hdr_location

    server grafana grafana.intranet:3000

backend nextcloud_bep
    # health check: http_check
    option httpchk OPTIONS / HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server nextcloud nc.intranet:8090 check inter 2s


#50
Ok, the firewall opening was no issue after all. I just had to make an alias for port 8443, as that seems to be the way to open custom ports.

But, how to create the rules with gui?
#51
Another question: How does one open ports in the firewall for HAproxy?

So I am trying to test that with port 8443. Now that it's not a port to be forwarded (NAT) anywhere, OPNsense rules won't allow me to add that port for destination "WAN address". For some reason it just allows me to pick from the predefined port list (e.g. HTTP, FTP) but won't let me write 8443 there, which I have set HAproxy to bind to on 0.0.0.0.

#52
Hi,

how does one do things like this in the GUI? So replacing path parts with regexp replacements?

reqirep  ^([^\ :]*)\ /mirror/foo/(.*)     \1\ /\2


See sample here: https://www.haproxy.com/blog/howto-write-apache-proxypass-rules-in-haproxy/

Edit: describing a bit more:

So I want my external url to be rewritten by HAproxy for my internal server:

https://my.com/myexturl/index.html?stuff=1
=>
http://foo.intranet/index.html?stuff=1

Like about this haproxy config:

    # request side: present the internal Host name and strip the external prefix
    http-request set-header Host foo.intranet
    reqirep  ^([^\ :]*)\ /myexturl/(.*)     \1\ /\2

    # response side: rewrite redirects (ProxyPassReverse)
    acl hdr_location res.hdr(Location) -m found
    rspirep ^Location:\ (https?://my.com(:[0-9]+)?)?/myexturl(/.*) Location:\ /\3 if hdr_location
    # ProxyPassReverseCookieDomain my.com foo.intranet
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= foo.intranet
    rspirep ^(Set-Cookie:.*)\ Domain=foo.intranet(.*) \1\ Domain=my.com\2 if hdr_set_cookie_dom
    # ProxyPassReverseCookiePath / /myexturl/
    acl hdr_set_cookie_path res.hdr(Set-cookie) -m sub Path=
    rspirep ^(Set-Cookie:.*)\ Path=(.*) \1\ Path=/myexturl\2 if hdr_set_cookie_path

Now some of those I can find through the menus, but e.g. the plain reqirep at the beginning I can't. How to do it via the GUI?


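Pulling together the three posts above (the single *:443 frontend from #48, the host- and path-based routing from #49, and the ProxyPass-style rewrites from #52), here is an added example of the whole thing as one HAProxy configuration. It is not configuration from the original posts or from the OPNsense plugin. It routes the three URLs listed in #49 to their backends from one frontend, strips the external path prefix on the way in, and restores it on Location headers and cookie paths on the way out. It uses `http-request`/`http-response` actions instead of `reqirep`/`rspirep`, which were deprecated in HAProxy 2.0 and removed in 2.1. The hostnames and ports are the placeholders from #49; the crt-list path, the ACME responder port, and all backend and ACL names are assumptions.

```haproxy
# Added example, not configuration from the posts or the OPNsense plugin.
# One TLS frontend on *:443 routes by Host and path prefix to three backends,
# strips the external prefix on requests and restores it on responses.
# Hostnames and ports are the placeholders from post #49; the crt-list path,
# the ACME port and all backend/ACL names are assumptions.
frontend https_in
    bind 0.0.0.0:443 name https_in ssl crt-list /var/etc/haproxy/ssl/example.crtlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s

    # Let's Encrypt HTTP-01 challenges first, whatever the Host header says
    acl is_acme path_beg -i /.well-known/acme-challenge/
    use_backend acme_challenge_backend if is_acme

    acl host_foo   hdr(host) -i foo.com
    acl host_foo22 hdr(host) -i foo22.com
    # exactly /bar or anything below /bar/, but not /barbell
    # (two acl lines with the same name are ORed)
    acl path_bar   path -i /bar
    acl path_bar   path_beg -i /bar/

    # most specific first: Host AND path (a space between ACLs is an AND),
    # then Host alone; requests matching nothing are refused
    use_backend bar22 if host_foo22 path_bar
    use_backend bar   if host_foo path_bar
    use_backend foo   if host_foo
    http-request deny

backend acme_challenge_backend
    mode http
    timeout connect 5s
    timeout server 5s
    # assumed: the local ACME client answering HTTP-01 challenges
    server acme 127.0.0.1:43580

backend foo
    mode http
    timeout connect 30s
    timeout server 30s
    http-request set-header Host foo.intranet
    http-request set-header X-Forwarded-Proto https
    server foo foo.intranet:80 check

backend bar
    mode http
    timeout connect 30s
    timeout server 30s
    http-request set-header Host bar.intranet
    http-request set-header X-Forwarded-Proto https
    # /bar/x?q=1 -> /x?q=1 : set-path leaves the query string alone,
    # unlike set-uri with %[path], which drops it
    http-request set-path %[path,regsub(^/bar/?,/)]
    # redirects issued by the app get the external prefix back:
    #   Location: /login                         -> /bar/login
    #   Location: http://bar.intranet:3000/login -> /bar/login
    # absolute URLs to other hosts do not match and pass through unchanged
    http-response replace-header Location ^(https?://bar.intranet(:[0-9]+)?)?/(.*) /bar/\3
    # cookies scoped to the internal path get the external one
    http-response replace-header Set-Cookie ^(.*)Path=/(.*) \1Path=/bar/\2
    server bar bar.intranet:3000 check

backend bar22
    mode http
    timeout connect 30s
    timeout server 30s
    http-request set-header Host bar22.intranet
    http-request set-header X-Forwarded-Proto https
    http-request set-path %[path,regsub(^/bar/?,/)]
    http-response replace-header Location ^(https?://bar22.intranet(:[0-9]+)?)?/(.*) /bar/\3
    http-response replace-header Set-Cookie ^(.*)Path=/(.*) \1Path=/bar/\2
    server bar22 bar22.intranet:8080 check
```

Two points worth checking before relying on this. First, `replace-header` replaces the whole header value with the expansion of the replacement string, so every regex here is anchored with `^` and captures everything it needs to keep; a Location that does not match (for example an absolute URL to a third-party host) is left untouched. Second, header rewriting does nothing for absolute links inside HTML bodies; if the application can be told its external base path, prefer that over regex rewriting. In the OPNsense plugin, the `set-path` and `replace-header` lines are the kind of thing the poster in #48 put into a rule with the pass-through option, while the frontend, backends and ACLs map onto the plugin's own objects.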
#53
Ok, good to know it's better nowadays, thanks!
#54
I went there and connected the serial. I had this prompt in front of me:

db>

which I thought was likely the debugger. So I typed "reboot" there, and it started an upgrade - reboot - upgrade cycle. It went on for a while, and then eventually booted to 18.1.1. Then I got the VPN working, and did the upgrade to 18.1.5, which again rebooted successfully.

So everything seems to be fine now. Whatever glitch it was in the 17 -> 18 upgrade, it's over now. Just be prepared to be next to the box if you do such an upgrade.
#55
Hi,

I'm asking for tips on what's to be expected after an upgrade gone bad on a remote box.

I have an OPNsense at a remote location. Same HW as at home, apu2. At home I've successfully upgraded from 17-something to current every time an upgrade has been available. This remote box I tried to upgrade yesterday for the first time in about half a year. I had OVPN on, and at first the upgrade upgraded pkg. Then, I suppose, a lot of 17 stuff. And a reboot, I recall. Then the next upgrade required unlocking the 18 upgrade. I did.

After I then pressed the upgrade-to-18 button, I was told it takes several reboots. I allowed it to go forward. The last message was about upgrading the kernel and rebooting. The next boot never brought up the OVPN or the dynamic DNS update.

Luckily it's NATting as it should, so people get to the internet. I need to drive there with a serial cable to see how to bring it back.

What do you think I'll face there, and what are the recovery actions?

If it's the worst case, a messed-up install, will it work if I clean install 18 and import the 17 backup config?

Thumbs up that a reboot would fix it...
#56
Ansible would be a pretty good tool to make sure the files contain the portions and settings you manually maintain. I wonder how much it would overlap with maintaining other settings as well.

Perhaps one day there will be an Ansible network module for OPNsense so that all settings can be automated and version controlled. DNS blacklists would be a good starting point.
#57
I have schedules set. Is there a way to update them over API?
#58
Quote from: elektroinside on January 17, 2018, 09:19:41 PM
If you only try to block ads, why not use the most simple method available?
Use the DNS servers from here: https://adguard.com/en/adguard-dns/overview.html

Free, easy, simple, 0 maintenance, effective :)

P.S. Hopefully works with Finnish ad servers as well :D
I was thinking of running DNS ad blocking, but I thought I'd give the proxy a try. It's more fine-grained blocking, once I just figure out how.
#59
Hi,

I enabled transparent squid with ad blocking, using the UT1 list. It's a great feature! However it didn't stop many Finnish ad sites, so I started digging into the files and their formats. I noticed the urls or expressions don't get included; only the domain list is added, and even that is formatted to include a dot [.] in front of each domain. Is this just work in progress, or does OPNsense squid not support the urls and expressions files?

Another thing: what's the easiest way of adding my own list? Is it enough to have it in a .gz file on my own web server and add it to the remote control lists? Or have you noticed whether UT1 would take such input? It seems there is a pretty good local list available for Adblock Plus: http://adb.juvander.net/Finland_adb.txt , which would be worth converting to squid format for myself, in case it supported url and expressions files.

Here's how the file list looks in the UT1 block list for ads:
$ tree publicite/
publicite/
├── domains
├── expressions
├── urls
└── usage


Here's how expressions should work: http://www.squidguard.org/Doc/expressionlist.html
#60
Hi,

I fancy a physical button at home which would kill certain devices' network connectivity. Think of a kid not stopping playing after several mentions of dinner.... :)

So I could use my BT button, which controls rules in my OpenHAB home automation box. That could then call the API of OPNsense to toggle a certain FW group on/off.

Is there such an API, or any samples doing it, e.g. using curl? I didn't find the API in the docs.

BR,
ikke