OPNsense
Pages: 1 ... 18 19 [20] 21 22 ... 40

Author Topic: Tutorial 2023/09: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating  (Read 226620 times)

xkpx
  • Newbie
  • Posts: 21
  • Karma: 1
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #285 on: July 23, 2022, 06:28:37 pm »
Lovely, thanks for the hard work!
Question: is it possible to somehow cover a multi-domain wildcard (for www.firewall.network.com)?

I have a problem with these settings: they cover the subdomains but not www.
Common Name: *.network.com
Multidomain name: network.com

Any idea how to issue one cert for all services with subdomains, the 1st-level domain and www?
Or what is the right way to do this, or maybe to redirect www -> *.network.com without it?

** So far I issued a new cert and added it in HAProxy and it's working, so I guess this is the way:
www.dev.network.com
« Last Edit: July 23, 2022, 07:12:16 pm by xkpx »

TheHellSite
  • Full Member
  • Posts: 219
  • Karma: 65
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #286 on: July 27, 2022, 12:11:08 am »
Quote from: xkpx on July 23, 2022, 06:28:37 pm
Lovely, thanks for the hard work!
Question: is it possible to somehow cover a multi-domain wildcard (for www.firewall.network.com)?

I have a problem with these settings: they cover the subdomains but not www.
Common Name: *.network.com
Multidomain name: network.com

Any idea how to issue one cert for all services with subdomains, the 1st-level domain and www?
Or what is the right way to do this, or maybe to redirect www -> *.network.com without it?

** So far I issued a new cert and added it in HAProxy and it's working, so I guess this is the way:
www.dev.network.com

If you also want to cover the base domain and not only its subdomains, then you will have to change the certificate settings to:

Common Name: yourdomain.com
Alt names: *.yourdomain.com

You will also have to create a rule in HAProxy to respond to requests on your base domain (yourdomain.com). Alternatively, just set the desired backend for your base domain (e.g. WWW_backend) as the default backend on the 1_HTTPS_frontend.

In the end you should have a working certificate and HAProxy redirection for all your subdomains (e.g. cloud.yourdomain.com) and your base domain (yourdomain.com).
« Last Edit: July 27, 2022, 12:12:45 am by TheHellSite »
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating: https://www.buymeacoffee.com/thehellsite
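A way to check, before touching HAProxy, exactly which hostnames a given certificate layout covers. This is an added example and not code from the tutorial or from the OPNsense HAProxy plugin; the SAN lists and hostnames (network.com, dev.network.com and so on) are taken from the question above or constructed for illustration. It implements the RFC 6125 wildcard rule that browsers apply: a '*' matches exactly one DNS label, so *.network.com covers cloud.network.com but neither the base domain nor www.dev.network.com, which is why a name two levels deep needs its own *.dev.network.com entry. fetch_sans() is an optional stdlib helper for pulling the SAN list from a live listener.

```python
"""Check which hostnames a certificate's SAN list actually covers.

Added example; not code from the tutorial or the OPNsense HAProxy plugin.
The SAN lists and hostnames below are constructed from the question in
the thread. Nothing touches the network unless you call fetch_sans().
"""
import socket
import ssl
from typing import Dict, Iterable, List, Optional


def hostname_matches(name: str, pattern: str) -> bool:
    """Return True if `name` is covered by the SAN entry `pattern`.

    Follows the RFC 6125 rule that browsers apply: '*' is honoured only
    as the whole left-most label and matches exactly one label. Hence
    '*.network.com' covers 'dev.network.com' but not 'network.com'
    (different label count) and not 'www.dev.network.com' (two labels
    would have to fit the single '*').
    """
    name_labels = name.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if "*" in pattern:
        # Reject partial wildcards ('www*'), wildcards in later labels and
        # overly broad ones like '*.com' (fewer than two labels after '*').
        if (pat_labels[0] != "*"
                or any("*" in p for p in pat_labels[1:])
                or len(pat_labels) < 3):
            return False
    if len(name_labels) != len(pat_labels):
        return False
    return all(p == "*" or p == n for p, n in zip(pat_labels, name_labels))


def covered_by(name: str, sans: Iterable[str]) -> bool:
    """True if any SAN entry covers `name`."""
    return any(hostname_matches(name, san) for san in sans)


def coverage_report(names: Iterable[str], sans: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether the SAN list covers it."""
    sans = list(sans)
    return {n: covered_by(n, sans) for n in names}


def fetch_sans(host: str, port: int = 443, sni: Optional[str] = None) -> List[str]:
    """Pull the DNS SANs from a live listener such as HAProxy on OPNsense.

    Stdlib only: getpeercert() returns the parsed subjectAltName once the
    chain has been validated against the system trust store, so a
    self-signed or misissued certificate raises instead of being reported.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists: wildcard only, the base-domain-plus-wildcard layout
# recommended in the reply, and the extra entry a two-level name needs.
SANS_WILDCARD_ONLY = ["*.network.com"]
SANS_BASE_PLUS_WILDCARD = ["network.com", "*.network.com"]
SANS_WITH_SECOND_LEVEL = ["network.com", "*.network.com", "*.dev.network.com"]

TEST_NAMES = [
    "network.com",
    "www.network.com",
    "cloud.network.com",
    "www.dev.network.com",
]

if __name__ == "__main__":
    for label, sans in (("wildcard only", SANS_WILDCARD_ONLY),
                        ("base + wildcard", SANS_BASE_PLUS_WILDCARD),
                        ("base + wildcard + *.dev", SANS_WITH_SECOND_LEVEL)):
        print(f"{label}: {sans}")
        for n, ok in coverage_report(TEST_NAMES, sans).items():
            print(f"  {n:22s} {'covered' if ok else 'NOT covered'}")
```

Run it as-is to see the three coverage tables; to check the certificate HAProxy actually serves, call `coverage_report(TEST_NAMES, fetch_sans("cloud.yourdomain.com"))` from a machine that can reach the listener. A name that shows up as NOT covered here will fail in the browser no matter how the HAProxy rules are written.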

phamd4
  • Newbie
  • Posts: 19
  • Karma: 0
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #287 on: July 28, 2022, 11:50:22 am »
Hello,

Thank you so much for writing this guide.

I was able to get this working and got the A+ authentication, as well as access to my server from an outside network. I tested using a VPN and everything works, including the lock on https.

However, I'm running into a problem with the very last part, which is accessing my server using https within my network.

Attached is a screenshot of my settings in Unbound DNS. I also made sure that the Unbound DNS service is running.

Thank you again.

TheHellSite
  • Full Member
  • Posts: 219
  • Karma: 65
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #288 on: July 28, 2022, 01:00:42 pm »
Check that the client devices in your LAN are actually using the Unbound DNS resolver.

Edit: You have to put the OPNsense LAN IP in the DNS override, not the IP of the service. I explicitly say this in the tutorial.
« Last Edit: July 31, 2022, 11:34:24 am by TheHellSite »

schnerring
  • Newbie
  • Posts: 22
  • Karma: 11
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #289 on: July 28, 2022, 07:04:43 pm »
I upgraded to 22.7. HAProxy spits out some deprecation warnings, but my config seems to be working fine.

Edit: a PR with a fix has already been merged, so we just have to wait for a new HAProxy plugin release.
« Last Edit: July 28, 2022, 07:41:11 pm by schnerring »

phamd4
  • Newbie
  • Posts: 19
  • Karma: 0
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #290 on: August 03, 2022, 09:02:59 am »
Hello,

Sorry for bothering you again. I had to restart my OPNsense because my Pi-hole was messing it up, so I did a clean install. However, this time I am getting stuck at the last step, verifying SSL to get the A+ score.

I received the error "Assessment failed: No secure protocols supported". I went back and double-checked my settings and couldn't find any error. I checked my ACME and it is registered; my cert is verified okay. The IP of my domain is updated automatically on the server.

My goal is to get this certified so I can use my domain in my AdGuard to implement DNS over HTTPS and block ads on that route as well.

I have also included the attachments you requested.

Thank you so much for your time.

phamd4
  • Newbie
  • Posts: 19
  • Karma: 0
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #291 on: August 05, 2022, 05:21:10 am »
Hello,

I tried a fresh reinstall of OPNsense and followed your steps again, and finally I got an A rating. Not A+, but I think it worked.

Thank you so much.

This time I read your comment and got local access working as well. However, for some reason I'm still getting blocked by my ISP router.

If I connect from an external network I receive 503 Service Unavailable. I think this makes sense, since I didn't allow external IPs to connect to my server yet (which is one of your last steps).

When I connect from my LAN network, my ISP router's login page keeps popping up. I tried to put my OPNsense router on the DMZ port and tried to port-forward 80 and 443 to my router's internal LAN IP address, but it still didn't work. I couldn't get past my ISP router's login page.

Thank you again for taking the time to write this.

phamd4
  • Newbie
  • Posts: 19
  • Karma: 0
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #292 on: August 05, 2022, 06:02:03 am »
Sorry, I forgot to add my config log.

phamd4
  • Newbie
  • Posts: 19
  • Karma: 0
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #293 on: August 05, 2022, 09:48:57 am »
Hello,

I think I figured it out.

My mistake was at the very last step, where you now have everything set up and the wildcard, which is *.zzzz.com. I copied the screenshot without understanding what I was doing, so I removed my host and kept it as zzzz, where my domain is .com, and I was able to access my TrueNAS.

Then I understood about the public and local domain: if I put my map in my local domain, then I can only access it via the local network. If I put it in the public map files, then I can access it from the external network and the local network. Do I understand it correctly?

However, I have this one last problem I hope you can help me point out. I have AdGuard installed on the same IP as my OPNsense. I changed the https port of my OPNsense according to your guide, and the port AdGuard's web UI listens on is also different. However, when I add them in the real server according to the port they are currently listening on, I cannot get them working. It is still the case that when my external network connects to it, I get the 503 error, which makes sense since I only allow local. But when I access them locally I hit the ISP main router login page.

I hope what I wrote makes sense. I'm so close; I hope someone can guide me in the right direction.

Thank you all.

8dgrpsu
  • Newbie
  • Posts: 1
  • Karma: 0
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #294 on: August 06, 2022, 12:28:31 am »
Thanks for this guide, it saved me after 2 days. The next bit is passing Remote Desktop through. I saw this Reddit post, but I am not sure how I add it to your setup or whether I need to create a new one?

https://www.reddit.com/r/OPNsenseFirewall/comments/l2usx5/opnsense_haproxy_remote_desktop_gateway/

TheHellSite
  • Full Member
  • Posts: 219
  • Karma: 65
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #295 on: August 06, 2022, 07:12:14 pm »
Quote from: phamd4 on August 05, 2022, 09:48:57 am
Then I understood about the public and local domain: if I put my map in my local domain, then I can only access it via the local network. If I put it in the public map files, then I can access it from the external network and the local network. Do I understand it correctly?

Yes.

Quote from: phamd4 on August 05, 2022, 09:48:57 am
However, I have this one last problem I hope you can help me point out. I have AdGuard installed on the same IP as my OPNsense. I changed the https port of my OPNsense according to your guide, and the port AdGuard's web UI listens on is also different. However, when I add them in the real server according to the port they are currently listening on, I cannot get them working. It is still the case that when my external network connects to it, I get the 503 error, which makes sense since I only allow local. But when I access them locally I hit the ISP main router login page.

Well, I can't help you there... If your other services are working, then you probably have your internal network misconfigured, given that you have another router in front of your OPNsense.
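The DNS override advice in reply #288 and the "ISP router login page" symptom from replies #291 and #293, as an added diagnostic that is not part of the tutorial or of any post in this thread. It takes the addresses a client's resolver returns for a published hostname and says which of three outcomes you are in: the OPNsense LAN IP (correct, HAProxy terminates TLS with the Let's Encrypt certificate), the service's own IP (HAProxy bypassed, browser sees the backend's certificate), or the public WAN address (the client is not using the Unbound override, so the request goes out to the upstream router, which is consistent with landing on that router's admin page from inside the LAN). All addresses are placeholders; resolve() and probe_tls() are the live versions of the check and use only the standard library.

```python
"""Diagnose why an internal client does or does not reach HAProxy over HTTPS.

Added example; not code from the tutorial. The addresses below are
placeholders (replace them with your own). diagnose() is pure and is what
the constructed cases at the bottom exercise; resolve() and probe_tls()
talk to the network and are there for running the check on a real client.
"""
import ipaddress
import socket
import ssl
from typing import Dict, Iterable, List, Optional

# Assumed addresses for illustration only (not taken from the thread).
HAPROXY_LAN_IP = "192.168.1.1"   # OPNsense LAN address HAProxy listens on
SERVICE_IPS = {"192.168.1.50"}   # backends such as the TrueNAS or AdGuard UI
WAN_IP = "203.0.113.10"          # public address the DDNS record points to


def resolve(host: str) -> List[str]:
    """Ask the client's configured resolver, exactly as a browser would."""
    infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def diagnose(answers: Iterable[str], haproxy_lan_ip: str,
             service_ips: Iterable[str], wan_ip: str) -> Dict[str, str]:
    """Classify each resolver answer against the split-horizon intent.

    Inside the LAN every published hostname must resolve to the OPNsense
    LAN IP, so that internal clients terminate TLS on HAProxy and receive
    the same Let's Encrypt certificate that external clients get.
    """
    service_ips = set(service_ips)
    verdicts: Dict[str, str] = {}
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        if answer == haproxy_lan_ip:
            verdicts[answer] = "ok: resolves to HAProxy on the OPNsense LAN IP"
        elif answer in service_ips:
            verdicts[answer] = ("override points at the service itself: HAProxy is bypassed "
                                "and the browser sees the backend's own certificate")
        elif answer == wan_ip:
            verdicts[answer] = ("public address returned: the client is not using the Unbound "
                                "override, so traffic hairpins through the upstream router")
        elif ip.is_private:
            verdicts[answer] = "unexpected private address: check the override's host and domain fields"
        else:
            verdicts[answer] = "unexpected public address: stale cache or a third-party resolver"
    return verdicts


def all_ok(verdicts: Dict[str, str]) -> bool:
    """True only when every answer lands on HAProxy."""
    return bool(verdicts) and all(v.startswith("ok") for v in verdicts.values())


def probe_tls(host: str, ip: str, port: int = 443) -> Dict[str, Optional[str]]:
    """Handshake with `ip` using SNI `host` and report what the listener presents.

    A validated handshake here is the in-LAN equivalent of the external
    scan: same listener, same certificate, same protocol version.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "subject_cn": subject.get("commonName")}


# Constructed resolver answers for the situations seen in the thread.
CASES = {
    "correct override": ["192.168.1.1"],
    "override set to service IP": ["192.168.1.50"],
    "no override, public IP": ["203.0.113.10"],
}

if __name__ == "__main__":
    for label, answers in CASES.items():
        print(f"{label}: {diagnose(answers, HAPROXY_LAN_IP, SERVICE_IPS, WAN_IP)}")
    # Live check from a LAN client (needs DNS and network access), e.g.:
    # answers = resolve("cloud.yourdomain.com")
    # print(diagnose(answers, HAPROXY_LAN_IP, SERVICE_IPS, WAN_IP))
    # print(probe_tls("cloud.yourdomain.com", HAPROXY_LAN_IP))
```

Run the live check on the same client that shows the wrong page, not on OPNsense itself: the point is what that client's resolver answers, and a device handed the ISP router as its DNS server will never see the Unbound override no matter how it is configured.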

TheHellSite
  • Full Member
  • Posts: 219
  • Karma: 65
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #296 on: August 06, 2022, 07:13:23 pm »
Quote from: 8dgrpsu on August 06, 2022, 12:28:31 am
Thanks for this guide, it saved me after 2 days. The next bit is passing Remote Desktop through. I saw this Reddit post, but I am not sure how I add it to your setup or whether I need to create a new one?

https://www.reddit.com/r/OPNsenseFirewall/comments/l2usx5/opnsense_haproxy_remote_desktop_gateway/

1. You can easily add this to my/your current setup. Just follow the guide in the Reddit thread.

2. Not related to my tutorial, so I won't be helping here.

phamd4
  • Newbie
  • Posts: 19
  • Karma: 0
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #297 on: August 07, 2022, 01:51:38 am »
Hello,

I finally got it.

I think my problem was that my Firefox browser kept pushing the connection to http, thus my ISP router login page kept popping up. However, when I use Edge or Chrome the https connection goes through and I was able to access the service.

May I ask how I would fix this problem? I tried to delete the certificate from Firefox and tried to reinstall Firefox, but when I try to access my service it keeps telling me this connection is not secure and forces me to use http.

Thank you again.
« Last Edit: August 07, 2022, 05:58:20 am by phamd4 »

TheHellSite
  • Full Member
  • Posts: 219
  • Karma: 65
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #298 on: August 08, 2022, 08:37:48 pm »
Delete all of the Firefox history (cache, cookies, website settings, ...).
If that doesn't work, it is your network, not your browser.

Aphid667
  • Newbie
  • Posts: 1
  • Karma: 0
Re: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #299 on: August 08, 2022, 09:25:21 pm »
First of all, thank you for taking the time and effort to write this impressive guide. Despite this guide I still run into problems :-[

I have a few web servers running that each have their own subdomain name. I am now trying to make the switch from pfSense to OPNsense and have followed your guide to set up HAProxy. Currently there is no service running on the domain name. However, when I now try to access my web server via both LAN and WAN, I keep getting error 503 service not available. These web servers are all virtualized on a Proxmox server.

A second question I have: in a post above you talk about "You have to put the OPNsense LAN IP in the DNS override. Not the IP of the service." I am confused about this piece; is it possible to explain a little more about this?

Thanks in advance for feedback

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved