
Tutorial 2024/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating


N0_Klu3:
Yes OPNsense is my only router/firewall.

I have dual WAN created a gateway group to double internet speed.
I created the rule on only 1 WAN gateway though, and my A records point to the same IP.

I have 3 LANs (not VLANS) 10.0.0.1 (Main LAN) - 192.168.107.1 (IoT) - 192.168.200.1 (Guest)
My NAS Server (10.0.0.10) and OPNsense (10.0.0.1) are on 10.0.0.1/24 LAN, so no going through anything different there.

I wonder if with the dual WAN it needs a specific rule?
As with dual WAN I have to change the default gateway on the Allow LAN to any rule to the specific Multi_Gateway...
Like my LAN can no longer talk to my IoT LAN without having a specific rule to say allow...

I've just added the LAN Net to Loopback but still no dice

TheHellSite:
The error is not related to your dual WAN setup.  ;D
I misread something in your HAProxy config...


--- Code: ---server jellyfin 10.0.0.10:8090 check inter 2s port 8090  ssl verify none
--- End code ---
You see that "ssl" word in your server config?
SSL and HTTP don't like each other!  ;)

Since your services are NOT using HTTPS but only HTTP locally... you need to UNCHECK the SSL checkbox in the HAProxy real server config for both of your servers.

N0_Klu3:

--- Quote from: TheHellSite on October 09, 2021, 05:08:43 pm ---The error is not related to your dual WAN setup.  ;D
I misread something in your HAProxy config...


--- Code: ---server jellyfin 10.0.0.10:8090 check inter 2s port 8090  ssl verify none
--- End code ---
You see that "ssl" word in your server config?
SSL and HTTP don't like each other!  ;)

Since your services are NOT using HTTPS but only HTTP locally... you need to UNCHECK the SSL checkbox in the HAProxy real server config for both of your servers.

--- End quote ---

Oh my days!!!
That worked! I spent all night trying to figure it out.

Thank you so very much!

blackhand27:
Great guide! Took me a bit since I'm using GoDaddy for my domain name, but I figured out the cert mess and got my Plex server working. Been hoping to get this setup so I can run a Synapse server at home.

I do seem to be having issues with my Bitwarden site. I have the proper port set in HAProxy, however I have a feeling it's something with its configuration still using the internal cert vs the offload. Would anyone have some advice on what I can look for?

Figured it out: I reinstalled the server using self-signed certs; for whatever reason it was still using the built-in Let's Encrypt certs and failing to connect.

lilsense:

--- Quote from: TheHellSite on September 14, 2021, 02:31:50 pm ---
--- Quote from: Lip90 on September 14, 2021, 01:08:53 pm ---@TheHellSite

I think the problem is with the SNI frontend. Here the SSL backend is specified as the default backend. It doesn't even look at the MAP file; it forwards everything to the SSL backend. When I set the OpenVPN backend as default backend for a test in the SNI frontend, OpenVPN works but the other things don't.

Do you have an idea how I can solve this?

--- End quote ---
I was just about to write you exactly this!  ;D
Your reply confirmed my guess.

Looking through the manual pages of HAProxy it seems that the "Default Backend" setting can only be overwritten by a "Use Backend" rule, which a "Use map file" rule isn't able to do.
https://www.haproxy.com/de/blog/the-four-essential-sections-of-an-haproxy-configuration/
But I can't imagine that this is the intended behaviour.

Anyways... you simply need to create a VPN_condition "host starts with vpn" and a "use backend OPENVPN_backend if VPN_condition=true" rule.
Add this rule to the SNI_frontend and set the default backend back to the SSL_backend.

--- End quote ---

Am I confused about this?

It looks like the current setup on page one will not work due to "default backend"??
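As an added example (not from the tutorial or from any poster in this thread), here is the routing order TheHellSite describes above in HAProxy's own syntax: the "use backend" rule for the VPN host is evaluated before the default backend in the SNI frontend, and the HTTP real server line carries no "ssl" keyword, as in the fix for N0_Klu3's Jellyfin server. The addresses, ports, map path and certificate path are assumptions; only the backend and condition names come from the thread.

```haproxy
# Added example, not the tutorial's generated config.
# Assumed: OpenVPN on 127.0.0.1:1194, HTTPS frontend on 127.0.0.1:8443,
# map file and certificate paths.

frontend SNI_frontend
    bind *:443
    mode tcp
    # Wait for the TLS ClientHello so req.ssl_sni is available.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # VPN_condition: "host starts with vpn" (SNI, case-insensitive prefix match)
    acl VPN_condition req.ssl_sni -i -m beg vpn.

    # use_backend rules are evaluated in order and take precedence over
    # default_backend; the first matching rule wins.
    use_backend OPENVPN_backend if VPN_condition

    # Everything else (all other SNI names) falls through to the SSL backend.
    default_backend SSL_backend

backend OPENVPN_backend
    mode tcp
    server openvpn 127.0.0.1:1194 check          # assumed OpenVPN address/port

backend SSL_backend
    mode tcp
    server https_frontend 127.0.0.1:8443 check   # assumed loopback to HTTPS_frontend

frontend HTTPS_frontend
    bind 127.0.0.1:8443 ssl crt /usr/local/etc/haproxy/wildcard.pem   # assumed cert path
    mode http
    # Map rule: Host header -> backend name. A host that is not in the map
    # yields no backend, so the request falls through to default_backend.
    use_backend %[req.hdr(host),lower,map_dom(/usr/local/etc/haproxy/hosts.map)]
    default_backend JELLYFIN_backend

backend JELLYFIN_backend
    mode http
    # The real server speaks plain HTTP, so no "ssl verify none" here:
    # adding "ssl" would make HAProxy start a TLS handshake against an
    # HTTP listener and the health check and requests would fail.
    server jellyfin 10.0.0.10:8090 check inter 2s port 8090
```

On OPNsense the same structure is produced by a condition of type "SNI TLS extension starts with" plus a "Use backend" rule attached to the SNI frontend; `haproxy -c -f <file>` validates the syntax without starting the service.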
