Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

September 29, 2023, 05:20:27 PM #570 Last Edit: September 29, 2023, 05:24:06 PM by sleepyal
New here so please take it easy on me.  I'm having a strange issue following this tutorial.  Everything works out fine until I get to the Public Services part.  After I configure "0_SNI_frontend" as pictured the service is disabled and I am unable to enable it again until I either delete or disable the public service.  Haven't been able to find any conversation about this particular issue.  Any help would be greatly appreciated.

My HAProxy config is attached.

Quote from: TheHellSite on September 26, 2023, 06:31:09 PM
Quote from: SuperMiguel on September 26, 2023, 01:32:15 AM
Since last week I've been getting this: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING when trying to log into my OPNsense server, any quick fix for this? Thanks

User specific issue.
Working fine here on more than 6 different instances of OPNsense + HAProxy configured as per tutorial.
And, as always, not even a HAProxy config export included, must be hard to read the first post...

My guess is this is somehow related to Firefox. Could be a coincidence, but I did a fresh configuration of HAProxy following the guide today and had the same error on Firefox initially when loading the pages. When using Chromium, everything works as expected (except random 503 errors, but this is another topic ...). Nothing in the error / log files.

Maybe this helps for troubleshooting. For completeness, I have attached my config file.

BTW, @TheHellSite: Do you have another way of giving beers other than buymeacoffee? It uses stripe which some of us (including me) might not have. I would like to sponsor the effort! :)

Quote from: Cromagnonaut on October 03, 2023, 03:35:47 PM
Quote from: SuperMiguel on September 26, 2023, 01:32:15 AM
Since last week I've been getting this: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING when trying to log into my OPNsense server, any quick fix for this? Thanks

My guess is this is somehow related to Firefox. Could be a coincidence, but I did a fresh configuration of HAProxy following the guide today and had the same error on Firefox initially when loading the pages. When using Chromium, everything works as expected (except random 503 errors, but this is another topic ...). Nothing in the error / log files.

Maybe this helps for troubleshooting. For completeness, I have attached my config file.

BTW, @TheHellSite: Do you have another way of giving beers other than buymeacoffee? It uses stripe which some of us (including me) might not have. I would like to sponsor the effort! :)

Added another option to donate. :)

Check your PM.
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating: https://www.buymeacoffee.com/thehellsite

Hello TheHellSite,

I have recently switched back to using OPNsense and HAProxy and again used your tutorial.

As I mainly use IPv6 today, I had to slightly modify two steps to make it work with my setup:

Part 4 - System preparation

Step 4: To allow IPv4 and IPv6 with the same firewall rule, all I had to do was change "TCP/IP Version" from "IPv4" to "IPv4+IPv6":



Part 5 - HAProxy configuration

Step 10: To make HAProxy listen on ports 80 and 443 on its IPv6 as well as IPv4 addresses, all I had to add here was "[::]:80" and "[::]:443":



After applying these changes, I can now securely access my services behind HAProxy from IPv4 and IPv6 networks.
Do you think you could add these changes to your tutorial? Anyway, thanks for all your work :)
OPNsense: Intel Core i5-6500, 16 GB RAM, 2x 120GB SSD ZFS-mirror, 4x Intel i350-T4

Quote from: _Alchemist_ on October 10, 2023, 07:45:04 PM
Hello TheHellSite,

I have recently switched back to using OPNsense and HAProxy and again used your tutorial.

As I mainly use IPv6 today, I had to slightly modify two steps to make it work with my setup:

Part 4 - System preparation

Step 4: To allow IPv4 and IPv6 with the same firewall rule, all I had to do was change "TCP/IP Version" from "IPv4" to "IPv4+IPv6":



Part 5 - HAProxy configuration

Step 10: To make HAProxy listen on ports 80 and 443 on its IPv6 as well as IPv4 addresses, all I had to add here was "[::]:80" and "[::]:443":



After applying these changes, I can now securely access my services behind HAProxy from IPv4 and IPv6 networks.
Do you think you could add these changes to your tutorial? Anyway, thanks for all your work :)

Will add if I find some time. However this should be self-explanatory, especially for someone implementing IPv6.

Part 6 - Access from internal networks using split DNS

I would like to get internal access working... the tutorial is a revelation. Thanks again.

I need some help to understand what you are trying to do here: 
I don't recognise the IP address of the plex server you are pointing to. I did not see that IP address anywhere else in the tutorial.
Essentially I'd like the internal Plex traffic to be directed to the reverse proxy, as if it originated from outside... that way no changes are needed in the backend.

What IP address should I use in the override? Should I point to the HAProxy front end or directly to the backend service? What IP are you using in this section?

I'm somewhat confused by this...
---------------------------------------------------
I played with this a little more, and solution is simple. The IP address in part 6 of the tutorial sample threw me.

Using Unbound... create an A record with multiple CNAME records pointing to the LAN IP (OPNsense interface). This is similar to what I'm doing today with nginx... so no problems.
When inside the network, the HTTPS request is directed to my LAN IP, which is my router and HAProxy interface. It works well....



I have posted that I have troubles with the configuration of an OpenVPN server with HAProxy in Post #283. I have to apologise for the confusion I have caused. The HAProxy config was absolutely perfect - thanks to the author of this thread - the problem was an incorrect certificate in the OpenVPN server - today I've got it solved! The right configuration can be found in post #171 - that works perfectly! The hint I could give is that you have to put the virtual address of your VPN server in the "real server" IP address field.
APU2D4, 4GB RAM, 128GB SSD, OPNsense 22.1

Was wondering if anyone can lend a hand.

I am trying to get the Collabora CODE server running behind HAProxy. I followed the guide and got Nextcloud up. But I am unsure how to translate the Apache proxy pass rules from the below link into the GUI form of HAProxy


https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#id1

thanks all

Quote from: pitt1717 on November 01, 2023, 01:04:46 AM
Was wondering if anyone can lend a hand.

I am trying to get the Collabora CODE server running behind HAProxy. I followed the guide and got Nextcloud up. But I am unsure how to translate the Apache proxy pass rules from the below link into the GUI form of HAProxy


https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html#id1

thanks all
Please read the first post. This isn't a thread for HAProxy support.

I'm following this great tutorial, but am running into some issues:
First the VIP, that doesn't work. As soon as I create the HTTP_frontend Public Service (Part 5, step 10), and apply, HAProxy doesn't start anymore. When I leave the VIP part out and use localhost it does work.
Furthermore, when I get to Part 6, Option B step 2, a NAT rule which supposedly is created in Part 4 - Step 3 must be altered. However, in that particular step no NAT rule is created, only a WAN rule. Did I somehow miss this NAT rule?
Lastly, I get 503 when I try to browse to the public url. I can curl the server's IP from the OPNsense shell and my pc. Is this the missing NAT rule?
Should anyone want to take a look at this, my config is attached :)
Oh, and I'm on OPNsense 23.7.7_3

Thanks for a great tutorial! I have followed it but tried to adapt it to my use case, but I think I am missing something that someone else perhaps has run into?

Eventually, I plan to have a couple of public services but I am not really there yet :) In the meantime, I have a couple of services running on a docker host which I would like to just expose internally via a proxy with the domain name that I have purchased. These are services running without any ssl so only http but I think I might have missed something around that as I get redirected to https, or is that expected? Trying to reach any of these services I get a 503 Service Unavailable.

Perhaps worth mentioning is that I am using AdGuard with Unbound set as my Upstream DNS, and added the services as overrides in Unbound eg. test.thisismydomain.com with the internal IP of OPNsense as the target (10.0.1.1). Is that correct?

Sorry for all the questions. I could ofc run nginx or traefik on my docker host instead, just thought I would try this out first  :)


curl -vvvv http://test.thisismydomain.com
*   Trying 10.0.1.1:80...
* Connected to test.thisismydomain.com (10.0.1.1) port 80 (#0)
> GET / HTTP/1.1
> Host: test.thisismydomain.com
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< content-length: 0
< location: https://test.thisismydomain.com/
<
* Connection #0 to host test.thisismydomain.com left intact


2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (1_HTTPS_frontend/HTTP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (1_HTTPS_frontend/HTTP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62742 to 10.0.1.1:80 (0_SNI_frontend/TCP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62741 to 10.0.1.1:443 (0_SNI_frontend/TCP)
2023-11-07T14:23:45 Informational haproxy Connect from 10.0.1.11:62740 to 10.0.1.1:80 (0_SNI_frontend/TCP)



#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 and 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_64f0ce32710c92.22370601 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_64f0ce32710c92.22370601

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/64f0da0792f405.45981915.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBNETS_condition
    acl acl_64f0df6633f1c3.71515106 src_is_local

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/64f0ded2f1b488.73578425.txt)] if acl_64f0df6633f1c3.71515106

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_SERVER 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: test_backend ()
backend test_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server test 10.0.1.110:49005

# statistics are DISABLED
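
Since the 503 question in this post comes down to which frontend rule a request ends up matching, here is an added Python example (written for this thread, not code from the tutorial or from the OPNsense HAProxy plugin) that parses a trimmed, constructed copy of the exported config above and runs the static checks a reviewer would otherwise do by eye: every TLS `bind` carries the protocol hardening flags the tutorial's A+ rating relies on, the TLS frontend sets an HSTS header, every referenced backend is defined, and no frontend routes only through conditional `use_backend` rules without a `default_backend`, because a request that matches none of those rules is then answered by HAProxy itself with a 503. The ACL names and the certlist and map file paths in the sample are placeholders, not the poster's autogenerated ids.

```python
"""Static checks over an HAProxy config export (added example, constructed input)."""
import re
from collections import OrderedDict

# Constructed, trimmed version of the exported config in the post above.
# ACL names and the certlist/map paths are placeholders, not real ids.
SAMPLE_CFG = """\
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    acl nossl ssl_fc
    http-request redirect scheme https code 301 if !nossl

frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/EXAMPLE.certlist
    mode http
    acl local src_is_local
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/EXAMPLE.txt)] if local

backend SSL_backend
    mode tcp
    server SSL_SERVER 127.4.4.3 send-proxy-v2 check-send-proxy

backend test_backend
    mode http
    server test 10.0.1.110:49005
"""

# Section headers start in column 0; directives are indented.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
# Flags the tutorial's hardened TLS bind line carries.
REQUIRED_TLS_FLAGS = ("no-sslv3", "no-tlsv10", "no-tlsv11", "no-tls-tickets")
HSTS_PREFIX = "http-response set-header Strict-Transport-Security"


def parse_sections(text):
    """Return {(kind, name): [directive, ...]} in file order, comments dropped."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION_RE.match(raw)
        if match:
            current = (match.group(1), match.group(2))
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(text):
    """Run the checks over a config text; returns [(frontend_name, finding)]."""
    findings = []
    sections = parse_sections(text)
    backends = {name for (kind, name) in sections if kind == "backend"}
    for (kind, name), lines in sections.items():
        if kind != "frontend":
            continue
        # 1. TLS binds must disable SSLv3/TLS 1.0/TLS 1.1 and session tickets.
        ssl_binds = [ln for ln in lines if ln.startswith("bind ") and "ssl" in ln.split()]
        for bind in ssl_binds:
            words = bind.split()
            missing = [flag for flag in REQUIRED_TLS_FLAGS if flag not in words]
            if missing:
                findings.append((name, "tls bind lacks " + ", ".join(missing)))
        # 2. A TLS frontend should emit Strict-Transport-Security.
        if ssl_binds and not any(ln.startswith(HSTS_PREFIX) for ln in lines):
            findings.append((name, "tls frontend sets no HSTS header"))
        # 3. Only conditional use_backend rules and no default_backend means
        #    a request matching none of them is served by HAProxy as a 503.
        routes = [ln for ln in lines if ln.startswith("use_backend ")]
        defaults = [ln for ln in lines if ln.startswith("default_backend ")]
        redirects = any(ln.startswith("http-request redirect") for ln in lines)
        unconditional = any(" if " not in r and " unless " not in r for r in routes)
        if not defaults and not unconditional and (routes or not redirects):
            findings.append((name, "no default_backend: requests matching no use_backend rule get a 503"))
        # 4. Literal backend names must exist (map-driven %[...] targets are skipped).
        for ln in routes + defaults:
            target = ln.split()[1]
            if not target.startswith("%[") and target not in backends:
                findings.append((name, "references undefined backend " + target))
    return findings


if __name__ == "__main__":
    for frontend, finding in audit(SAMPLE_CFG):
        print(f"{frontend}: {finding}")
```

On the sample, the only finding is that `1_HTTPS_frontend` has no `default_backend`, so a Host header that is absent from the map file, or a client that does not satisfy the `src_is_local` ACL, lands on no backend and gets HAProxy's 503. That is the tutorial's intended behaviour for unknown hosts, so the finding is a prompt to check the map file contents rather than a defect; the script is equally useful for spotting a `bind` line that lost its protocol flags after a GUI edit.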



Not really asking for help so much that I'm curious if anyone else has had to recently turn off OCSP stapling in order to get their services not to error in Firefox? This was working fine for a year and I've not changed a single setting in HAProxy or ACME, but all of a sudden now it doesn't work properly and I've since had to disable it to get my services accessible in Firefox again. I've dug around and cannot find a clear answer as to why.

Quote from: nmiller0113 on November 08, 2023, 12:35:07 AM
Not really asking for help so much that I'm curious if anyone else has had to recently turn off OCSP stapling in order to get their services not to error in Firefox? This was working fine for a year and I've not changed a single setting in HAProxy or ACME, but all of a sudden now it doesn't work properly and I've since had to disable it to get my services accessible in Firefox again. I've dug around and cannot find a clear answer as to why.

Interesting. I finally found the spot /tmp/haproxy/ssl where the OCSP update file was placed so I added the CRON back and re-enabled the store setting in HAProxy, and monitored the folder and saw it was updating. So I then re-issued my cert with OCSP stapling required and now it's magically working again. Not sure what I fixed, but it's not like enabling of it is terribly difficult so I'm pretty sure I didn't change anything from the previous configuration when I re-enabled it!

Hi,

I'm having trouble (since today) accessing my server from within my LAN (internally) due to the self-signed certificate on the server itself (I'm OK from the outside as I have a good certificate on the opnsense).  The browsers now refuse an exception.

What can I do? Am I the only one?

Thanks !

Quote from: @lex on November 11, 2023, 06:32:33 PM
Am I the only one ?

Yes you are. Issues with direct access to the local IP of the target service from within the same network have nothing to do with this tutorial.