English Forums > Tutorials and FAQs

Tutorial 2021/11: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

<< < (20/27) > >>

TheHellSite:

--- Quote from: lilsense on October 15, 2021, 07:25:02 pm ---
--- Quote from: TheHellSite on September 14, 2021, 02:31:50 pm ---I was just about to write you exactly this!  ;D
Your reply confirmed my guess.

Looking through the manual pages of HAProxy it seems that the "Default Backend" setting can only be overwritten by a "Use Backend" rule! Which a "Use map file" rule isn't able to.
https://www.haproxy.com/de/blog/the-four-essential-sections-of-an-haproxy-configuration/
But I can't imagine that this is the intended behaviour.

Anyways... you simply need to create a VPN_condition "host starts with vpn" and a "use backend OPENVPN_backend if VPN_condition=true" rule.
Add this rule to the SNI_frontend and set the default backend back to the SSL_backend.

--- End quote ---

Am I confused about this?

It looks like the current set up on page one will not work due to "default backend"??

--- End quote ---

I am not sure what you mean?
The setup still works as described. I also got OpenVPN over TCP working but haven't had the time yet to add it to my tutorial.

thegriffen:
Hi everyone

First of all.. Awesome guide and even so, that you update it with new stuff as it comes along.

Iv been kinda hitting my head for a day or two now and gotta throw in the towel, and put my troubles in here.

im running a small test setup, where im gonna have a couple of web services running, but the thing is here, they are running traefik with there own LE ssl validation and so. but i cant get HAproxy to work propper.

My config looking like this:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 debug

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_Frontend ()
frontend 0_SNI_Frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:8888 name 0.0.0.0:8888
    mode tcp
    default_backend SSL_Backend
    # tuning options
    timeout client 30s

    # logging options
    option tcplog

    # ACTION: Public_Domain_Map_Rule_2
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6178606dd3b431.48344137.txt)]
    # ACTION: Public_Domain_Map_Rule_3
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6178704b1d59f6.07557436.txt)]

# Frontend: 1_Http_Frontend ()
frontend 1_Http_Frontend
    bind 0.0.0.0:80 name 0.0.0.0:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: NoSSL_Condition
    acl acl_61781026415d99.64392811 req.ssl_ver gt 0

    # ACTION: HttpToHttps_Rule
    http-request redirect scheme https code 301 if !acl_61781026415d99.64392811

# Frontend: 1_Https_Frontend ()
frontend 1_Https_Frontend
    bind 0.0.0.0:443 name 0.0.0.0:443 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    option httplog

    # ACTION: Public_Domain_Map_Rule_1
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/617812015049f9.00974692.txt)]

# Backend: SSL_Backend (Loopback)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_Server 127.0.0.1 send-proxy-v2 check-send-proxy

# Backend: Central_OpenSense_FW_Backend (OpenSense Firewal)
backend Central_OpenSense_FW_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Central_OpenSense_FW_SRV 10.10.5.2:55443 ssl verify none

# Backend: FRCD_Backend (domain1.com)
backend FRCD_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server DMZ_domain1_SRV 10.10.20.40:443 ssl alpn h2,http/1.1,http/1.0 verify none

# Backend: FRCD_2_Backend (domain2:8888)
backend FRCD_2_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server DMZ_domain2_SRV 10.10.20.41:8888

Best regrads

TheHellSite:

--- Quote from: thegriffen on October 27, 2021, 12:37:59 am ---Hi everyone

First of all.. Awesome guide and even so, that you update it with new stuff as it comes along.

Iv been kinda hitting my head for a day or two now and gotta throw in the towel, and put my troubles in here.

im running a small test setup, where im gonna have a couple of web services running, but the thing is here, they are running traefik with there own LE ssl validation and so. but i cant get HAproxy to work propper.
--- End quote ---

I don't really understand what you need haproxy for if you are already using traefik?
Can you please elaborate further what...

1. You are trying to achieve by using HAProxy?

2. What issue you are facing with HAProxy right now?

3. Explain your local network layout further!

bringha:
Hi there,

first of all a big big thank you for this awesome and comprehensive tutorial. Very helpfull and a great contribution.

I have an additional question and I am not sure whether I suffer from a big misuderstanding.

I configured my Dyndns as suggested with dedyn.io and have now a domain.dedyn.io properly working. Your tutorial now assumes to create wildcard certificates for the *.domain.dedyn.io (in my case)

I have a main domain registered with a poster somewhere else which is domain.com. Historically I reach my dyndns based subdomains via CNAME DNS entries at my main domain provider's DNS systems, eg home.domain.com points then to home.domain.dedyn.io.

It is now possible to let the acme client generate wildcard certificates also for *.domain.com accordingly in addition/replacing the wildcard certs for *.domain.dedyn.io?

Looking forward to your reply.

Br br

TheHellSite:

--- Quote from: bringha on November 04, 2021, 10:46:42 am ---I configured my Dyndns as suggested with dedyn.io and have now a domain.dedyn.io properly working. Your tutorial now assumes to create wildcard certificates for the *.domain.dedyn.io (in my case)

I have a main domain registered with a poster somewhere else which is domain.com. Historically I reach my dyndns based subdomains via CNAME DNS entries at my main domain provider's DNS systems, eg home.domain.com points then to home.domain.dedyn.io.

It is now possible to let the acme client generate wildcard certificates also for *.domain.com accordingly in addition/replacing the wildcard certs for *.domain.dedyn.io?
--- End quote ---

Basically there are two options to solve this

1. You replace "deSEC" as your DynDNS provider and use the DynDNS of your main domain registrar. If he supports this...
--> What is your domain registrar? (Where your real "domain.com" is registered...)

2. You transfer the DNS zone from your main "domain.com" to deSEC. Again, if your current domain registrar supports this.
This way your domain is still hosted at your current domain registrar, but deSEC will be managing all the DNS related stuff. (A records, ...)

Navigation

[0] Message Index

[#] Next page

[*] Previous page

Go to full version