Messages - TheHellSite

136
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: April 11, 2022, 09:23:22 pm »
Just a quick notification for everyone following the thread.
It seems like Let's Encrypt changed something regarding wildcard certificates.

I updated the picture in Part 3 - Step 6 to reflect the changes necessary in order to obtain a certificate.

You will have to remove the alt name "*.yourdomain.tld" and change the common name to "*.yourdomain.tld".

137
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: April 01, 2022, 05:58:31 pm »
Quote from: Bunch on March 18, 2022, 06:12:04 pm
It seems that it is the same issue as This thread
I have the same issue after update and reboot.
For temporary fix, edit the VIP, save without any changes, then apply.
You will be able to start HAProxy again.

Thank you for posting the workaround!

138
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: April 01, 2022, 05:58:07 pm »
Quote from: cookiemonster on March 18, 2022, 01:06:28 pm
I'm probably out of place saying this, as it's not my thread, but shouldn't this discussion go to another thread and leave this one for its original purpose?
It has branched off now to "how can I enable TLS on my website", from "how can I log the client ip not the proxy ip on the backend webserver" and "how do I use proxy_protocol".
What do you think?

Absolutely true!  ;D

I don't want to sound like an asshole here, but this tutorial was intended to get the basics working for new users.
This is also why I stopped answering questions about issues like "my service_abc has the requirement_xyz how work????".

If there are any questions in that regard then people should consider posting them...
here: https://forum.opnsense.org/index.php?board=28.0
or here: https://discourse.haproxy.org/

139
Virtual private networks / SiteToSite routing problems with different gateways
« on: March 17, 2022, 06:49:47 pm »
Hello,

I have a small routing problem with my SiteToSite VPN setup.

I only need clients of Site B to access the network of Site A.
Site A also has RoadWarriors connecting to it.
Access from Site A to Site B is not necessary.

I configured WireGuard on both sites as seen below.
The Site A WireGuard RoadWarrior firewall rule allows access to any. (1__site-a-firewall-rules.png)
The Site A WireGuard SiteToSite firewall rule allows access to any. (1__site-a-firewall-rules.png)
Then I created a WG_STS_A gateway on Site B pointing to the peer address of Site A.
Then I created a firewall rule on Site B that routes requests to the Site A subnets via the WG_STS_A gateway. (3__site-b-firewall-rules.png)

Everything is working almost just fine.
Site B has access to all LAN clients of Site A except for the modem webinterface.
Clients on Site A that would like to access the modem webinterface reach it using the WAN_MODEM gateway. (2__site-a-interface-wan_modem.png)
The modem webinterface access is working fine for all local clients on Site A and for all WireGuard RoadWarrior clients connected to Site A.

However Site B clients can not access the modem webinterface. Ping is also not working.
The firewall logs indicate that Site B clients can reach the modem address (10.55.1.1) but the response seems to get lost.
The firewall logs don't indicate any dropped / blocked packets.

I hope someone can tell me what I am missing here.

Code:
WireGuard on Site A
===================
    RoadWarrior Config
    ==================
        Tab:            Local
        Name:           RoadWarrior
        Instance:       0
        Tunnel Address: 10.55.11.1/24
        Peers:          notebook, phone, ... many more (except Site-B)
        Disable Routes: enabled

            Peer Example
            ============
            Tab:        Endpoints
            Name:       notebook
            AllowedIPs: 10.55.11.21/32
                        (notebook peer)

    SiteToSite Config
    =================
        Tab:            Local
        Name:           SiteToSite
        Instance:       1
        Tunnel Address: 10.55.22.1/30
        Peers:          Site-B
        Disable Routes: disabled
                        (I had to disable this so Site A clients could respond to Site B requests.)
                        ((Otherwise I would have had to manually create a STS_B_Gateway and STS_B_Route in the OPNsense settings.))

            Peer Example
            ============
            Tab:        Endpoints
            Name:       Site-B
            AllowedIPs: 10.55.22.2/32, 10.136.0.0/16
                        (Site B peer), (Site B subnets)



WireGuard on Site B
===================
    SiteToSite Config
    =================
        Tab:            Local
        Name:           SiteToSite
        Instance:       1
        Tunnel Address: 10.55.22.2/32
        Peers:          Site-A
        Disable Routes: enabled

            Peer Example
            ============
            Tab:        Endpoints
            Name:       Site-A
            AllowedIPs: 10.55.0.0/16
                        (Site A subnets)
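
The following is an added example, not part of the post above, that models WireGuard's cryptokey routing (longest-prefix match of the destination against each peer's AllowedIPs on the way out, and a source check against the sending peer's AllowedIPs on the way in) using the SiteToSite addresses from the post. The client address 10.136.5.10 is a constructed sample from the Site B range; the functions and names are assumptions made for the model.

```python
import ipaddress

# AllowedIPs per peer, taken from the SiteToSite instances in the post.
SITE_A_PEERS = {"Site-B": ["10.55.22.2/32", "10.136.0.0/16"]}
SITE_B_PEERS = {"Site-A": ["10.55.0.0/16"]}


def _networks(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def outbound_peer(peers, dst):
    """Peer whose AllowedIPs has the longest prefix covering dst.
    None means no peer claims the address and WireGuard drops the packet."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, cidrs in peers.items():
        for net in _networks(cidrs):
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def inbound_allowed(peers, peer, src):
    """A decrypted packet from `peer` is accepted only if its source address
    lies inside that peer's AllowedIPs (constructed check, same rule as wg)."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in _networks(peers.get(peer, [])))


def trace_modem_request(client="10.136.5.10", modem="10.55.1.1"):
    """Walk the four tunnel decisions for a Site B client reaching the modem."""
    return {
        "site_b_sends_via": outbound_peer(SITE_B_PEERS, modem),
        "site_a_accepts_request": inbound_allowed(SITE_A_PEERS, "Site-B", client),
        "site_a_reply_via": outbound_peer(SITE_A_PEERS, client),
        "site_b_accepts_reply": inbound_allowed(SITE_B_PEERS, "Site-A", modem),
    }


if __name__ == "__main__":
    for step, result in trace_modem_request().items():
        print(f"{step}: {result}")
```

All four decisions pass for the post's configuration, so the tunnel's AllowedIPs filtering is not what loses the reply; the remaining candidates are the ordinary IP routing and reply-to handling between the modem, the WAN_MODEM gateway and the SiteToSite interface on Site A.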

140
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: March 15, 2022, 07:15:48 pm »
Quote from: huuich on March 15, 2022, 06:55:39 pm
I can go to my website internally at http://192.168.82.11:32400 and it is OK, but when I access http://mywebsite.com the browser goes to https://mywebsite.com and shows an error

Code:
503 Service Unavailable
No server is available to handle this request.

How can I fix this and show my website https://mywebsite.com ok? Thanks!


First.
The entry "plex PLEX_backend" in the mapfile means that you will have to access it using the "plex" subdomain. --> In your case "plex.mywebsite.com"!

Alternatively just set the PLEX_backend as default backend on your HTTPS_frontend.

Second.
http will always get redirected to https. This is intended and you will most probably want this! This is configured using the HTTPtoHTTPS_rule and NoSSL_condition.

Third.
Apart from the above your config looks good. (just took a very short look at it)

Fourth.
You might have to disable the SSL checkbox in the PLEX_server settings.
But only if you are REALLY accessing it locally using http://IP:32400 and the service is NOT redirecting you to HTTPS. But I highly doubt this since Plex is running on a self-signed SSL cert by default...

141
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 27, 2022, 11:30:42 am »
I mean it is self-explanatory.

To answer your question: You will want this enabled.

142
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 22, 2022, 08:35:47 pm »
Obviously your Webserver and not your NAS.......  ::)

Also you just exposed your Domain again  :-\

Please don't get me wrong but I really hope you know what you are doing by self-hosting and exposing any services from your private internet connection!
There are many risks involved and you don't seem to me like someone that is aware of everything he is doing and why it needs to be done.

143
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 22, 2022, 07:14:45 pm »
Just set your Webserver as default backend on the https frontend.

144
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 22, 2022, 09:29:18 am »
Please repost your current config.

145
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 21, 2022, 03:29:31 pm »
Quote from: bunchtam on February 21, 2022, 03:27:41 pm
Sure, just add it to your tutorial if you like.
I have 2 TCP servers running. OpenVPN and v2ray
(both of them have SNI header with it)

I'm sure not all of the TCP services can use haproxy, for example minecraft server without additional tools.
(One of the ways is to add one more rule to redirect other SSL connections to SSL_backend, and set minecraft server as default backend of 0_SNI, as no conditions or rules in haproxy can catch connections that don't have SNI header).

Thank you for confirming!

146
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 21, 2022, 01:21:52 pm »
Quote from: bunchtam on February 21, 2022, 08:41:30 am
Just take a look at the config file, I feel strange for some part of it
1. You don't need to type WAN IP in 0_SNI_frontend
instead, it should be 0.0.0.0:80 and 0.0.0.0:443
0.0.0.0 means any IP that points to your router.

2. What is your router IP?
If your router is 192.168.1.1, then 1_HTTP_frontend and 1_HTTPS_frontend will obviously conflict with 0_SNI_frontend
Since 0_SNI_frontend is already listening to 80 and 443 port of your router, you won't be able to listen on it with 192.168.1.1
Please follow Part 4-2 to create Virtual IP, and set 1_HTTP_frontend and 1_HTTPS_frontend to the virtual IP

If you don't want to create any Virtual IP, please remove 0_SNI_frontend
set 1_HTTP_frontend with 0.0.0.0:80 and 1_HTTPS_frontend 0.0.0.0:443 instead
Since all of your servers are running in http mode, it should work for having no SNI frontend

I am already on him with the fix.
Also explained to him that the HTTP(s)_frontend IPs could cause issues.
His Apache is also misconfigured badly.

147
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 21, 2022, 01:13:24 pm »
Quote from: bunchtam on February 20, 2022, 05:25:18 pm
I have just tried TCP mode with map file, there are a few more steps to achieve the goal instead of placing the map rule directly to 0_SNI
(I checked the package and found SNI inside, however, haproxy doesn't recognize it in TCP mode, that's why we need to force it to recognize SNI)

As I said in the tutorial I am not running any services that would require me to load balance / reverse proxy plain TCP traffic. This is why I never tested it and only could provide theoretical assumptions on how it could work.
So thank you very much for providing a good guide on this.

If you don't mind I will add this to the tutorial (credits to your post) when I find the time!

Just a quick question: Which service are you running in tcp mode? Does the service send the SNI header?
Or does your solution work with any TCP based service? Because as far as I am aware the service needs to add the SNI header otherwise the access URL is not being sent to HAProxy.

148
22.1 Legacy Series / Re: Checksum issues with VirtIO in QEMU/KVM environment and OPNsense 22.1
« on: February 18, 2022, 04:19:34 pm »
Quote from: franco on January 31, 2022, 05:40:35 pm
This change is permanent. Previously if you had more than one VLAN and modified settings from it that affected the parent all the VLANS tried to apply their settings to the parent which is undefined behaviour solely dependent on the order of the interfaces in the configuration.

For MAC addresses the situation was even worse... ;)


Cheers,
Franco


Hello Franco,

firstly thank you for your hard work in making OPNsense greater with every update.


Now back to topic...

My Setup

I am also running 2x OPNsense virtualized on two different Proxmox hosts both VMs with only VirtIO NICs.
One Proxmox system has an AMD CPU and the other an Intel CPU.

Both OPNsense VMs have the CPU type set to "host".
"If you want an exact match, you can set the CPU type to host in which case the VM will have exactly the same CPU flags as your host system." - PVE Wiki

vmbrX is the interface bridge on the Proxmox host.

- vmbr2=vtnet2 is the "LAN" interface and has many VLANs and the parent interface (vtnet2) is also assigned to a subnet.
--> of course no issues should occur

- vmbr1=vtnet1 is being used to access the Modem webinterface, directly assigned.
--> of course no issues should occur

- vmbr0=vtnet0 is my "WAN" interface.
This has been assigned vtnet0_vlan7 (Telekom VDSL) directly on the OPNsense and not on the Proxmox host interface settings. It then has been set to PPPoE mode to establish the WAN connection.
In case this matters: My WAN speed is 100/40 Mbit.


My question

What I don't understand is why am I not experiencing any issues?
Is my WAN speed too slow to notice the issue?
I am doing pretty much the same as all the others.

The only interface left unassigned is my vtnet0 WAN interface. So I should in theory experience the issues others are having.

Find attached my interface config.

149
22.1 Legacy Series / Re: Slow download thoughput from WAN on ESXi 7.0 after update to 22.1, upload OK
« on: February 18, 2022, 12:07:25 pm »
EDIT: Wrong Thread.

150
Tutorials and FAQs / Re: Tutorial 2022/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« on: February 15, 2022, 06:27:48 pm »
You still don't understand.  ???
Your first mapfile was correct.

Just do this and tell me if it works.

1. create a mapfile with the below content.

Code:
#public subdomains mapping
flood WEBSERVER_backend
frank WEBSERVER_backend
www WEBSERVER_backend
torrent WEBSERVER_backend
grafana WEBSERVER_backend
nas WEBSERVER_backend
kvm WEBSERVER_backend
monitoring WEBSERVER_backend
speedtest WEBSERVER_backend
sync WEBSERVER_backend
tracker WEBSERVER_backend
cloud NAS_backend
dav NAS_backend

2. create the following backends and servers
Code:
WEBSERVER_backend --> contains --> WEBSERVER_server

WEBSERVER_server=192.168.1.100:80


NAS_backend --> contains --> NAS_server

NAS_server=192.168.1.118:80

3. Try to access your webserver and nas.

Code:
# WEBSERVER_backend
flood.yourdomain.com
frank.yourdomain.com
www.yourdomain.com
torrent.yourdomain.com
grafana.yourdomain.com
nas.yourdomain.com
kvm.yourdomain.com
monitoring.yourdomain.com
speedtest.yourdomain.com
sync.yourdomain.com
tracker.yourdomain.com


# NAS_backend
cloud.yourdomain.com
dav.yourdomain.com



If it still doesn't work then I can only offer you paid support. I hope you understand. It is my free time and I can only help for free up to a certain point.
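
As an added example (not code from the posts or from the HAProxy plugin), the resolver below models the mapfile lookup used in the reply above and in the earlier Plex reply: the first label of the lowercased Host header is looked up in the mapfile, and a host with no entry falls back to the frontend's default backend or, when none is set, to no backend at all, which is the case HAProxy answers with its 503 "No server is available" page. The mapfile text is a constructed copy of entries quoted in the posts; the function names are assumptions.

```python
# Constructed mapfile in the same "subdomain backend" form the posts use.
MAPFILE = """\
#public subdomains mapping
flood WEBSERVER_backend
www WEBSERVER_backend
nas WEBSERVER_backend
cloud NAS_backend
dav NAS_backend
plex PLEX_backend
"""


def parse_mapfile(text):
    """Parse 'key value' lines; lines starting with '#' and blanks are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, backend = line.partition(" ")
        if not backend.strip():
            raise ValueError(f"mapfile line has no backend: {raw!r}")
        mapping[key.strip()] = backend.strip()
    return mapping


def select_backend(host_header, mapping, default_backend=None):
    """Pick the backend for a request the way the tutorial's frontend does.

    The optional port is dropped, the host is lowercased and only the first
    DNS label is looked up, so 'plex.mywebsite.com' matches the 'plex' entry.
    Returns None when nothing matches and no default backend is configured
    (HAProxy then returns its 503 error response)."""
    host = host_header.split(":", 1)[0].strip().lower()
    label = host.split(".", 1)[0]
    return mapping.get(label, default_backend)


if __name__ == "__main__":
    m = parse_mapfile(MAPFILE)
    for host in ("plex.mywebsite.com", "mywebsite.com", "WWW.yourdomain.com:443"):
        print(f"{host:28} -> {select_backend(host, m)}")
```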
