Messages - TheHellSite

106
Tutorials and FAQs / Re: Tutorial 2022/08: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: September 20, 2022, 08:47:40 pm »
Quote from: Stevoni on September 09, 2022, 05:15:16 pm
Great tutorial!

I'm running into a problem accessing the sites within the network after following this tutorial and enabling Cloudflare proxy. Without the Cloudflare proxy I can access the sites both externally and internally but when I enable the Cloudflare proxy I'm unable to access the sites from the internal network.

This post, https://vitobotta.com/2019/12/23/real-ip-haproxy-ingress-behind-cloudflare/, explains how to get the correct IP but I'm not clear on how to implement that in the OPNsense HAProxy implementation. I found a similar question on the forums, https://forum.opnsense.org/index.php?topic=26419.msg127542#msg127542, but there wasn't any answer.

I created a condition with the Cloudflare IPs but I don't know where to go from there, any suggestions?

Sorry, but this is out of scope of this tutorial.

107
Tutorials and FAQs / Re: Tutorial 2022/08: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: September 06, 2022, 09:16:08 am »
Quote from: brooklynmind on September 03, 2022, 01:35:04 pm
I've been following this wonderfully crafted tutorial, so "THANK YOU" to the op for this.
Question (I know this might be outside the scope of this tutorial):
  • If I want HAProxy to handle *.my1stdomain.xyz which would be for specific services (already have this working flawlessly),
    but I would like to forward *.my2nddomain.xyz to nginx proxy manager running on docker so that nginx proxy manager will be used to manage that.
Is that something this setting can help to implement?

This has been answered 12 messages back.
https://forum.opnsense.org/index.php?topic=23339.msg143886#msg143886

108
Tutorials and FAQs / Re: Tutorial 2022/08: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 30, 2022, 03:39:32 pm »
Quote from: boredpanda on August 30, 2022, 03:29:34 pm
However, there is an instance where it would be very nice to be able to white-list one (or a couple) of specific IPs, so that I could access my services at home from my office. I am not able to install software at the office, and there are other restrictions preventing me from using a VPN.

This is a very easy task, given that the IPs are static!

I don't know how you restricted local access but if you followed my tutorial you will just have to do this.
Take a look at part 7 of the tutorial.

Create the public subdomains map file, create a condition containing all the whitelist public IPs and create the corresponding redirect rule just as I did with the local access subdomains map file.

109
Tutorials and FAQs / Re: Tutorial 2022/08: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 30, 2022, 01:41:06 pm »
Quote from: cookiemonster on August 19, 2022, 04:02:03 pm
Then tried the rule on the SNI frontend, the http frontend and https frontends. Essentially all frontends trying to make the exception there but in all cases after the sni, the http to https rule gets evaluated first, defeating any exception I've tried.

If it's not too much a deviation, could I have a suggestion on how to approach it? In sum, I'm looking for a way to route my http custom port to a back end as an exception in this Tutorial setup.

The order of the rules is important! Make sure that all "http-redirect-to-backend" rules are placed BEFORE the HTTPtoHTTPS rule on the HTTP_frontend.

110
Tutorials and FAQs / Re: Tutorial 2022/08: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 30, 2022, 01:37:07 pm »
Quote from: authelia on August 30, 2022, 06:55:39 am
I am trying to follow the instructions to enable HAProxy for internal domains. However, I can't seem to get the frontend listener for the virtual ip to work. Service binding is disabled for the virtual ip.

When the frontend listener for the virtual ip is enabled:

1. haproxy cannot start (when webgui is running).
2. webgui cannot start (when haproxy is running).

Part 4 - Step 1.

If you had followed the tutorial STEP BY STEP you wouldn't have any issues... Just stick to the tutorial and don't skip a single step.

111
Tutorials and FAQs / Re: Tutorial 2022/08: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 10, 2022, 02:26:45 pm »
Quote from: underwriter on August 10, 2022, 12:44:55 pm
Thank you very much for this amazing tutorial. I have referred a few people from reddit to this.

Questions I hope someone can help me with: If I have xdomain.com, xczxdomain.com and ltsdomain.com;
  • does this support multi domain usage?
  • can I use this tutorial to assign a particular domain for a given service?
  • do I need to recreate the whole entries for each or at which point do I make the adjustment?

Of course it does! Just make sure the domains point to any public IP of your OPNsense.

You will have to make three changes to the setup.

1. Let's Encrypt: Here you will have to add one certificate for each domain.
If their DNS Zones are managed at different domain registrars you will also have to create the corresponding DNS-01 challenges for each registrar or move their DNS Zones to deSEC (Managed DNS).

2. HAProxy HTTPS Frontend: Add the newly created certificates for each individual domain.

3. HAProxy Public Subdomain Map File: Change the map file content from e.g. "plex PLEX_backend" to "plex.xdomain.com PLEX_backend", "cloud.xczxdomain.com CLOUD_backend" and so on. This way HAProxy can map each subdomain to the correct domain and backend.
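
As an added example (not from the post and not the OPNsense HAProxy plugin's code), the following Python emulates HAProxy's `req.hdr(host),lower,map_dom(<file>)` lookup so the difference between the single-domain and the multi-domain map file can be checked offline. The map files, backend names and the local/public split are constructed to mirror the tutorial; the matching rule itself is HAProxy's documented "domain match", where a key matches when it sits in the sample bounded by `.`, `:`, `/`, `?` or the string ends. That rule is why the short key "plex" routes plex.xdomain.com and plex.xczxdomain.com to the same backend, and why FQDN keys are needed once several domains point at the proxy.

```python
"""Emulate HAProxy's ``req.hdr(host),lower,map_dom(<file>)`` backend lookup.

Added example, not the forum post's or the OPNsense plugin's code.  The map
files and backend names below are constructed to mirror the tutorial.
"""
from __future__ import annotations

# HAProxy "dom" match: the key must appear in the sample enclosed by one of
# these delimiters or by the string boundaries.  '.' is what makes "plex"
# match "plex.xdomain.com"; ':' is why a Host header carrying a port still
# matches an FQDN key.
DOM_DELIMITERS = frozenset("/?.:")

# Constructed map files.  SINGLE_DOMAIN_MAP is the tutorial's layout,
# MULTI_DOMAIN_MAP the FQDN layout the post asks for, LOCAL_MAP a
# LAN-only service as in part 7 of the tutorial.
SINGLE_DOMAIN_MAP = """
# <key> <backend>
plex   PLEX_backend
cloud  CLOUD_backend
"""

MULTI_DOMAIN_MAP = """
plex.xdomain.com       PLEX_backend
cloud.xczxdomain.com   CLOUD_backend
cloud.ltsdomain.com    CLOUD2_backend
"""

LOCAL_MAP = """
adguard  ADGUARD_backend
"""


def parse_map(text: str) -> list[tuple[str, str]]:
    """Parse HAProxy map syntax: one '<key> <value>' per line, '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip()))
    return entries


def dom_match(sample: str, key: str) -> bool:
    """True if `key` occurs in `sample` bounded by delimiters or string ends."""
    start = 0
    while (idx := sample.find(key, start)) >= 0:
        end = idx + len(key)
        left_ok = idx == 0 or sample[idx - 1] in DOM_DELIMITERS
        right_ok = end == len(sample) or sample[end] in DOM_DELIMITERS
        if left_ok and right_ok:
            return True
        start = idx + 1
    return False


def map_dom(host_header: str, entries: list[tuple[str, str]]) -> str | None:
    """First map value whose key dom-matches the lowercased Host header.

    None mirrors an empty converter result: `use_backend %[...]` then names
    no existing backend, HAProxy moves on to the next use_backend rule and
    ends at default_backend, or answers 503 when nothing matches.
    """
    host = host_header.lower()
    for key, value in entries:
        if dom_match(host, key):
            return value
    return None


def select_backend(host_header: str, client_is_local: bool,
                   local_entries: list[tuple[str, str]],
                   public_entries: list[tuple[str, str]]) -> str | None:
    """Rule order of the tutorial's 1_HTTPS_frontend: the LOCAL map is tried
    only for clients matching the local-subnet condition, the PUBLIC map for
    everyone.  A local-only name requested from the internet yields None."""
    if client_is_local:
        hit = map_dom(host_header, local_entries)
        if hit is not None:
            return hit
    return map_dom(host_header, public_entries)
```

Keys are matched in file order and the first hit wins, so a broad key such as a bare domain placed early would shadow more specific entries below it; keep the most specific keys first when mixing both styles.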

112
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 08, 2022, 10:21:09 pm »
Quote from: Aphid667 on August 08, 2022, 09:25:21 pm
Currently there is no service running on the domain name. However, when I now try to access my web server via both lan and wan I kept getting error 503 service not available.

Well, if there is no service running, then HAProxy will spit out the 503 message because it cannot reach the service.

Code:
# Backend: cloud_backend ()
backend cloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server cloud_server 192.168.7.5:80 ssl verify required ca-file /etc/ssl/cert.pem

Code:
    server cloud_server 192.168.7.5:80 ssl verify required ca-file /etc/ssl/cert.pem

Are you really uploading the self-signed cert of the service to the OPNsense and checking it with HAProxy?
Otherwise that line is wrong.

Quote from: Aphid667 on August 08, 2022, 09:25:21 pm
A second question I have, single post above you talk about "You have to put the OPNsense LAN IP in the DNS overide. Not the IP of the service." I am confused about this piece, is it possible to explain a little more about this.

It is very well explained in part 6 of the post. Nothing I could really add here.
I also provided documentation links that explain the solutions.
But to maybe explain your question.
If you put the service IP in the DNS override, the client will connect to the service and therefore WON'T be able to use the Let's Encrypt - HAProxy cert.
If you put the OPNsense LAN IP in the DNS override, the client will first connect to HAProxy using a valid cert and then HAProxy talks to the client using either no or the self-signed cert of the service.

I hope you understand that I don't have the time to teach everyone how something works.
Thanks to the internet and search engines you should be able to find that out yourself.

113
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 08, 2022, 08:37:48 pm »
Delete all of the firefox history (cache, cookies, website settings ...).
if that doesn't work, it is your network, not your browser.

114
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 06, 2022, 07:13:23 pm »
Quote from: 8dgrpsu on August 06, 2022, 12:28:31 am
Thanks for this guide, saved me after 2 days. The next bit is passing remote desktop through, I saw this Reddit post but I am not sure how I add it to your setup or do I need to create new?

https://www.reddit.com/r/OPNsenseFirewall/comments/l2usx5/opnsense_haproxy_remote_desktop_gateway/

1. You can easily add this to my/your current setup. Just follow the guide in the reddit thread.

2. Not related to my tutorial so I won't be helping here.

115
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: August 06, 2022, 07:12:14 pm »
Quote from: phamd4 on August 05, 2022, 09:48:57 am
Then I understand about the public and local domain: if I put my map at my local domain then I can only access it via local network. If I put it at the public map files then I can access it at the external network and local network. Do I understand it correctly?

Yes.

Quote from: phamd4 on August 05, 2022, 09:48:57 am
However I have this one last problem I hope you can help me point out. I have adguard installed on the same IP as my opnsense. I changed the https port of my opnsense according to your guide and the port adguard's web UI is listening on is also different. However, when I add them in the Real server according to the port which they are currently listening on, I cannot get them working. It is still happening where my external network connects to it, I have the 503 error which makes sense since I only allow local. But when I access them locally I hit the ISP main router log-in page.

Well I can't help you there... If your other services are working then you probably have your internal network misconfigured, given that you have another router in front of your opnsense.

116
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: July 28, 2022, 01:00:42 pm »
Check that the client devices in your LAN are actually using the unbound dns resolver.

Edit: You have to put the OPNsense LAN IP in the DNS override. Not the IP of the service. I explicitly say this in the tutorial.

117
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: July 27, 2022, 12:11:08 am »
Quote from: xkpx on July 23, 2022, 06:28:37 pm
Lovely , Thanks for hard work !
Question: is it possible to cover somehow multi domain wildcard (for www.firewall.network.com)?

I got problem with this settings it covers the subdomains but not www.
Common Name: *.network.com
Multidomain name: network.com

Any idea how to issue one cert for all services with subdomains and 1st level domain and www.
Or what is the right way to do this , or maybe to redirect www -> *.network.com without it?

** So far i issued new cert and added in HaProxy and its working so i guess this is the way
www.dev.network.com

If you want to cover also the base domain and not only the subdomains of it, then you will have to change the certificate settings to:

Common Name: yourdomain.com
Alt names: *.yourdomain.com

You will also have to create a rule in HAProxy to respond to requests on your base domain (yourdomain.com). Alternatively just set the desired backend for your basedomain (i.e. WWW_backend) as default backend on the 1_HTTPS_frontend.

In the end you should have a working certificate and HAProxy redirection for all your subdomains (i.e. cloud.yourdomain.com) and your base domain (yourdomain.com).
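
Added example, not from the thread or from any Let's Encrypt tooling: a Python check of which hostnames a given certificate name set covers, using the single-label wildcard rule TLS clients apply (RFC 6125 section 6.4.3). It shows why `*.yourdomain.com` alone leaves the bare domain out, why the CN/SAN layout in the reply above covers both, and why `www.dev.network.com` from the quoted update could not be covered by `*.network.com` and needed a name one level deeper. Domain names are the thread's placeholders; the `minimal_san_set` helper assumes a two-label registrable domain like yourdomain.com.

```python
"""Check which hostnames a certificate's name set covers.

Added example, not from the thread.  Implements the single-label wildcard
rule TLS clients apply (RFC 6125 section 6.4.3): '*' is accepted only as the
entire left-most label and matches exactly one label.  Modern clients ignore
the CN once a SAN list is present, so pass every name (CN included) as the
SAN set.  Domain names are the thread's placeholders.
"""
from __future__ import annotations


def name_matches(pattern: str, hostname: str) -> bool:
    """True if certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole left-most label, with at least two labels
    # after it ("*.com" is rejected, as CAs and browsers reject it).
    if p_labels[0] != "*" or len(p_labels) < 3 \
            or any("*" in lab for lab in p_labels[1:]):
        return False
    # Exactly one label: *.yourdomain.com covers cloud.yourdomain.com but
    # not yourdomain.com (too few labels) nor www.dev.yourdomain.com (too many).
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered(hostname: str, san_names: list[str]) -> bool:
    """True if any name in the certificate's SAN set covers `hostname`."""
    return any(name_matches(n, hostname) for n in san_names)


def uncovered(hostnames: list[str], san_names: list[str]) -> list[str]:
    """Hostnames for which a client would report a hostname mismatch."""
    return [h for h in hostnames if not covered(h, san_names)]


def minimal_san_set(hostnames: list[str]) -> list[str]:
    """Smallest wildcard-based SAN list covering every hostname: the bare
    domain itself plus one '*.parent' per distinct parent.  This is the shape
    of the request the reply describes (CN yourdomain.com, Alt names
    *.yourdomain.com), extended to deeper levels when a name needs it.
    Assumption: the registrable domain has two labels (yourdomain.com)."""
    names: set[str] = set()
    for h in hostnames:
        labels = h.lower().rstrip(".").split(".")
        if len(labels) <= 2:
            names.add(".".join(labels))        # no wildcard can cover the bare domain
        else:
            names.add("*." + ".".join(labels[1:]))
    return sorted(names)
```

Run `uncovered` against the list of hostnames in your public and local map files before requesting the certificate; every name it returns is one the wildcard will not serve and needs either its own entry or a deeper wildcard.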

118
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: July 11, 2022, 04:24:06 pm »
Quote from: shuvitcrew on July 11, 2022, 03:39:32 pm
Hello,

first I have to say thank you for this perfect tutorial. I have set up my haproxy for my webservers and everything works fine for internal and external use. Now I've tried to implement OpenVPN on Port 443 in TCP mode. I added the configuration parts as mentioned in Reply #171. The config of haproxy seems to be correct, but I can't connect via vpn. I've tried to set up a second vpn-server on port 1194 with udp and it works straight away. Only the vpn in tcp-mode on port 443 refuses to work. Here is my haproxy config:
Code:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 40s
    timeout server 40s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    # ACL: SSL_hello
    acl acl_62c874b4f2fdc4.23213917 req_ssl_hello_type 1

    # ACTION: tcp_request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: tcp_request_content_accept_ssl
    tcp-request content accept if acl_62c874b4f2fdc4.23213917
    # ACTION: VPN_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62c87ba1538c16.11776198.txt)]

# Frontend: 1_HTTP_frontend (Listening on 192.168.161.1:80)
frontend 1_HTTP_frontend
    bind 192.168.161.1:80 name 192.168.161.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_62360185bf9055.41837138 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_62360185bf9055.41837138

# Frontend: 1_HTTPS_frontend (Listening on 192.168.161.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.161.1:443 name 192.168.161.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62360bcec06250.52672470.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_FQDN_condition
    acl acl_62361ba046b312.42897137 src darkstar.example.xyz
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_62361a89a23796.93721092 src 192.168.110.0/24

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623619b6c7da11.06632077.txt)] if acl_62361ba046b312.42897137 || acl_62361a89a23796.93721092
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/623607a0728a46.68273508.txt)]

# Backend: nextcloud_backend (Nextcloud Backend)
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    # ACL: nextcloud-caldav
    acl acl_6236326bbeed09.73911658 path_beg -i /.well-known/caldav
    # ACL: nextcloud-carddav
    acl acl_6236329a31b372.83647612 path_beg -i /.well-known/carddav

    # ACTION: nextcloud-caldav-carddav
    http-request set-path /remote.php/dav if acl_6236326bbeed09.73911658 || acl_6236329a31b372.83647612
    http-reuse safe
    server nextcloud_host 192.168.160.10:443 ssl verify none

# Backend: SSL_backend (SSL Backend TCP)
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    server SSL_Server 192.168.161.1 send-proxy-v2 check-send-proxy

# Backend: bitwarden_backend (Bitwarden Backend)
backend bitwarden_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    # ACL: bitwarden-admin
    acl acl_62362f799a0826.60491269 path_beg -i /admin

    # ACTION: bitwarden-admin_block
    http-request deny if acl_62362f799a0826.60491269
    http-reuse safe
    server bitwarden_host 192.168.160.20:80

# Backend: zyxel-1_backend (Zyxel-1 Backend)
backend zyxel-1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server zyxel-1 192.168.150.8:443 ssl verify none

# Backend: zyxel-2_backend (Zyxel-2 Backend)
backend zyxel-2_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server zyxel-2 192.168.150.9:443 ssl verify none

# Backend: checkmk_backend (CheckMK Backend)
backend checkmk_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server checkmk_host 192.168.150.21:8080

# Backend: ampache_backend (Ampache Backend)
backend ampache_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server ampache_host 192.168.160.15:443 ssl verify none

# Backend: jellyfin_backend (Jellyfin Backend)
backend jellyfin_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server jellyfin_host 192.168.160.16:8096

# Backend: guacamole_backend (Guacamole Backend)
backend guacamole_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    http-reuse safe
    server guacamole_host 192.168.150.22:8080

# Backend: vpn_backend (OpenVPN Backend)
backend vpn_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 40s
    timeout server 40s
    server vpn_host 192.168.110.1:1195
Here is the OpenVPN config:
Code:
dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher AES-256-CBC
auth SHA512
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local 192.168.110.1
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server1"
tls-server
server 10.10.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
username-as-common-name
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'vpn.shuvit.space' 1"
lport 1195
management /var/etc/openvpn/server1.sock unix
max-clients 5
push "route 192.168.110.0 255.255.255.0"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.4096.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float
I hope, that someone could help! Thanks in advance.

Quote from: Bunch on February 20, 2022, 05:25:18 pm
I have just tried TCP mode with map file, there is a few more steps to achieve the goal instead of placing the map rule directly to 0_SNI
(I checked the package and found SNI inside, however, haproxy doesn't recognize it in TCP mode, that's why we need to force it to recognize SNI)

1. Create a "Condition" to request client hello
Name: SSL_Hello
Condition type: Custom condition (option pass-through)
Option pass-through: req_ssl_hello_type 1


2. Create a "Rule" to wait accept SSL hello
Name: tcp_request_content_accept_ssl
Select conditions: SSL_Hello
Execute function: tcp-request-content-accept


3. Create a "Rule" to wait for inspect
Name: tcp_request_inspect_delay
Optional condition: none
Execute function: tcp-request-inspect-delay
TCP inspection delay: 5s


4. Place the Rule to 0_SNI_frontend in following order
tcp_request_inspect_delay
tcp_request_content_accept_ssl
map

(hmdir_ru is my map rule)


Update according to findings in #183

5. Change the no_SSL condition to Traffic is SSL (locally deciphered)


*Remark
It is advised to use another map file for 1_HTTPS_frontend if necessary
If you really don't want to create another map file, use "SNI TLS extension matches (locally deciphered)" instead

Might want to ask @Bunch for help, since I am still not using any non SSL services.

I can only give you the below config. I figured that one out a while back with another user (@Lip90).
As far as I can remember it worked fine but it was necessary to establish the connection twice because the first time (always) failed.
Code:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 debug

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    option log-separate-errors
    option tcplog
    # ACL: OPENVPN_condition
    acl acl_6143a3ff7e6bf2.30491250 req_ssl_hello_type 1

    # ACTION: OPENVPN_rule
    use_backend OPENVPN_backend if !acl_6143a3ff7e6bf2.30491250
    # WARNING: pass through options below this line
    tcp-request inspect-delay 5s
    tcp-request content accept if !{ req_ssl_hello_type 1 }

# Frontend: 1_HTTP_frontend (Listening on 0.0.0.0:80)
frontend 1_HTTP_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: NoSSL_condition
    acl acl_6138b110159553.96461818 req.ssl_ver gt 0

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6138b110159553.96461818

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6138b32401a006.77997133.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    option httplog
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_6141ef8f0a8841.88130105 src 192.168.0.0/16

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6141ef3275d630.55285385.txt)] if acl_6141ef8f0a8841.88130105
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6138b15d48a964.28077676.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: OPENVPN_backend ()
backend OPENVPN_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server OPENVPN_server 127.0.0.1:1194
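
Added example, not the post's or the OPNsense plugin's code: a Python model of the decision the `0_SNI_frontend` in the config above makes with `use_backend OPENVPN_backend if !{ req_ssl_hello_type 1 }`. HAProxy's fetch looks at the first bytes buffered on the TCP connection and yields the handshake type only when they parse as a complete SSLv3/TLS handshake record; OpenVPN's TCP framing starts with a length prefix and an opcode byte, so the fetch fails, the negated condition is true and the connection goes to the VPN backend. The ClientHello and OpenVPN packets below are constructed test vectors, not captures, and the parsing steps mirror what HAProxy checks (first byte is a TLS record type, version 3.x, handshake message fully buffered).

```python
"""Model ``use_backend OPENVPN_backend if !{ req_ssl_hello_type 1 }``.

Added example, not the post's or the OPNsense plugin's code.  The packets
built below are constructed test vectors, not captured traffic.
"""
from __future__ import annotations
import struct


class NeedMoreData(Exception):
    """HAProxy's 'too short' outcome: the fetch cannot decide yet and the
    connection stays in the tcp-request inspect-delay window."""


def req_ssl_hello_type(payload: bytes) -> int | None:
    """Handshake type of the first TLS record; None if the bytes are not an
    SSLv3/TLS record; NeedMoreData if the handshake is not fully buffered."""
    if not payload:
        raise NeedMoreData
    if not (0x14 <= payload[0] <= 0x17):      # not a TLS record content type
        return None
    if len(payload) < 9:                       # record + handshake header
        raise NeedMoreData
    major, minor = payload[1], payload[2]
    rec_len = (payload[3] << 8) | payload[4]
    if (major, minor) < (3, 0) or rec_len < 4:  # SSLv2/garbage, or no room for handshake
        return None
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if len(payload) < 9 + hs_len:              # handshake message still incomplete
        raise NeedMoreData
    return hs_type


def choose_backend(payload: bytes, inspect_delay_expired: bool = False) -> str:
    """Frontend rule: OPENVPN_backend unless a ClientHello (type 1) is seen.

    While the data is incomplete HAProxy waits ("wait" here); once the
    inspect-delay (5s in the config) expires the fetch is evaluated as
    failed, so a client that sends nothing also lands on the VPN backend."""
    try:
        hello_type = req_ssl_hello_type(payload)
    except NeedMoreData:
        if not inspect_delay_expired:
            return "wait"
        hello_type = None
    return "SSL_backend" if hello_type == 1 else "OPENVPN_backend"


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with one SNI extension."""
    host = sni.encode("ascii")
    server_name = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    extensions = struct.pack("!HH", 0x0000, len(server_name)) + server_name
    body = (
        b"\x03\x03" + bytes(32)              # client_version, random (zeros)
        + b"\x00"                             # empty session_id
        + b"\x00\x02\xc0\x2f"                 # one suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                         # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_openvpn_tcp_reset() -> bytes:
    """Constructed first packet of an OpenVPN TCP session: 2-byte length
    prefix, then P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7, key_id 0 -> 0x38),
    an 8-byte session id, an empty ACK array and packet id 0.  With tls-auth
    an HMAC block follows the session id; the leading bytes stay the same."""
    body = b"\x38" + bytes(8) + b"\x00" + b"\x00\x00\x00\x00"
    return struct.pack("!H", len(body)) + body
```

The same rule sends anything that is not TLS to the VPN backend, plain HTTP included, which is why the reference config above keeps port 80 on the separate `1_HTTP_frontend` and binds only 443 on the SNI frontend.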

119
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: July 05, 2022, 03:24:45 pm »
Here is my reference config.

Code:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends


# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60a6828680bca8.63910725.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/60bdf8931a97c9.33132019.txt)]

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_condition
    acl acl_607ae66cdeaed1.61504267 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_607ae66cdeaed1.61504267

# Backend: PLEX_backend ()
backend PLEX_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 1h
    http-reuse safe
    server PLEX_server 192.168.215.60:32400 ssl verify none

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy


If you compare it with yours, you will see that your real server is the problem!

120
Tutorials and FAQs / Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: July 05, 2022, 08:56:40 am »
Your haproxy is configured correctly. VIP is indeed optional.

Your real server IP:Port (SSL enabled yes or no / SSL verify yes or no) is the only issue left that could cause it from the haproxy side. Otherwise your web server is misconfigured.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved