Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[PathwayCat]

Hi,

So I've obviously done something wrong, just not sure what.

I got to part 4, step 1, changed my web gui port as suggested. And now I can't reach the gui either by localhost:55443 or via ipaddress:55443. The response is unable to connect or the connection was reset.

Any suggestions for me to fix this. Pretty new to opnsense and networking in general, so it could be something obvious

EDIT: Editing to say I didn't find a solution or understand why it happened. Just rolled back to a previous backup.

[teohz]

Seems the solution I provided fails to fallback to other map files. Will re-post if resolved.

[thesisko78]

The tutorial is great, but it is not showing me the pictures anymore.
Is their an solution?

Greetings
Jan

[cookiemonster]

They still show fine. Maybe you have some blocker on your side, like a browser extension or network-wide.

[pottproll]

Next go to: Services --> ACME Client --> Certificates

Great Tutorial, thank you very much!
FYI: Lets Encrypt ended the support for OCSP and cert requests containing "ocsp must staple" fail, see: https://letsencrypt.org/2024/12/05/ending-ocsp/
I had to recreate the cert without ocsp must staple but still have A+ Rating.

[rfonteyn]

Following this tutorial, haproxy failed to start.

However, after troubleshooting, I realised it was unable to use the virtual ip 127.4.4.3 as frontend for :80 and :443.

Changing the frontend definittions to 127.0.0.1 solved my issue.

[neptunus]

...

I just wanted to say thank you for this great tutorial. Without it, I probably wouldn't have been able to get HAProxy working properly so quickly. I have to admit, I did encounter some challenges along (caching issues with my browser) the way to get it working. Persistence pays off.

THANK YOU TheHellSite



Small question:
If I use https://www.ssllabs.com/ssltest/ to check my rating I get a A rating and not a A+ rating.
Everything is working fine (Both internally and externally). I would like to get an A+ score. Where can I best look for this in my config?

Code Select Expand

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    ocsp-update.mindelay 300
    ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_6858481c927846.22561467 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6858481c927846.22561467

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3.:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/68584d170605b3.78042743.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_685d465d816dc2.01366113 src 192.168.1.0/24 192.168.10.0/24 192.168.20.0/24

    # ACTION: LOCAL_SUBDOMAINS_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/685d45a1ac5eb2.67005920.txt)] if acl_685d465d816dc2.01366113
    # ACTION: PUBLIC_SUBDOMAINS_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6858488725c281.06683664.txt)]

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: MIRAGE_backend ()
backend MIRAGE_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server MIRAGE_server 192.168.10.22:8443 ssl verify none

# Backend: BUMBLEBEE_backend ()
backend BUMBLEBEE_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server BUMBLEBEE_server 192.168.10.2:443 ssl verify none

# Backend: SPRINGER_backend ()
backend SPRINGER_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server SPRINGER_server 192.168.10.26:8123



# statistics are DISABLED

Snippet from https://www.ssllabs.com/ssltest/
For some reason the test indicates that:

Code Select Expand

Session resumption (caching) No (IDs assigned but not accepted)
Strict Transport Security (HSTS) No


Code Select Expand

Protocol Details
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Mitigated server-side (more info) 
POODLE (SSLv3) No, SSL 3 not supported (more info)
POODLE (TLS) No (more info)
Zombie POODLE No (more info) 
GOLDENDOODLE No (more info) 
OpenSSL 0-Length No (more info) 
Sleeping POODLE No (more info) 
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more info)
SSL/TLS compression No
RC4 No
Heartbeat (extension) No
Heartbleed (vulnerability) No (more info)
Ticketbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
OpenSSL Padding Oracle vuln.
(CVE-2016-2107) No (more info)
ROBOT (vulnerability) No (more info)
Forward Secrecy Yes (with most browsers)   ROBUST (more info)
ALPN Yes   h2 http/1.1
NPN No
Session resumption (caching) No (IDs assigned but not accepted)
Session resumption (tickets) No
OCSP stapling No
Strict Transport Security (HSTS) No
HSTS Preloading Not in: Chrome  Edge  Firefox  IE
Public Key Pinning (HPKP) No (more info)
Public Key Pinning Report-Only No
Public Key Pinning (Static) No (more info)
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance No
Incorrect SNI alerts No
Uses common DH primes No
DH public server param (Ys) reuse No
ECDH public server param reuse No
Supported Named Groups secp384r1
SSL 2 handshake compatibility No
0-RTT enabled No