OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« previous next »
  • Print
Pages: 1 [2] 3 4 ... 19

Author Topic: Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating  (Read 77687 times)

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial: OPNsense, HAProxy, Let's Encrypt, Wildcard Certs, 100% A+ SSLLabs
« Reply #15 on: June 09, 2021, 12:03:57 pm »
Quote from: sorano on June 07, 2021, 02:21:02 pm
Since HAProxy is already listening on 0.0.0.0 (all available IPv4 interfaces) I resolve the Split DNS to the internal IP of my DMZ CARP IP (but any internal IPv4 interface will do as long as you allow 80/443).
So this means you are actually also using sort of a virtual IP.  :D
Okay so you say the easier way is like this:
- Firewall rule on WAN allowing 443+80
- SNI_frontend listening on 0.0.0.0:80+443 (Which covers all interfaces)
- SSL_frontend listening on 127.0.0.1:443
- Split DNS pointing to f.e. the LAN IP of OPNsense.

You are right, with that you could skip the virtual IPs.
I would however still prefer to use a virtual IP for the SSL_frontend as I don't want to hijack the localhost for it. I just prefer to keep things seperated.

Quote from: sorano on June 07, 2021, 02:21:02 pm
I also have certain domains I don't want reachable from the Internet so I use two map file rules, one for internal domains along with a condition that checks that source is RFC1918.
For this I guess you have to use 0.0.0.0 on the SNI_frontend otherwise you would need another NAT rule forwarding 443-LAN traffic to the virtual IP.

EDIT 20210611:
Implemented @sorano's enhancements  :)
« Last Edit: June 11, 2021, 12:51:08 am by TheHellSite »
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ SSLLabs Rating
« Reply #16 on: June 13, 2021, 04:13:00 pm »
  • Changelog 20210613
    • The tutorial is now using a wildcard CNAME record.
    • Enabled Proxy Protocol in the "SSL_backend", "HTTPS_frontend" and "HTTP_frontend" configuration so that the IPs of clients accessing HAProxy will now no longer be overwritten with the "SSL_server" IP.
      https://www.haproxy.com/blog/using-haproxy-with-the-proxy-protocol-to-better-secure-your-database/
« Last Edit: June 13, 2021, 05:30:19 pm by TheHellSite »
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

pintu1228

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #17 on: July 08, 2021, 04:49:36 pm »
This is exactly what I was looking for, have had trouble coming from pfsense to opnsense to setup haproxy/let's encrypt.  I have cloudflare setup to use DNS.

I am using google domain, how do I go about setting up the 1st part (Dynamic DNS), do I need to create 3 custom records:

domain.com (A type)
*.domain.com (A type)
www.domain.com (CNAME)

And also I created separate dynamicDNS for plex.domain.com to use for part 7 (configure Dynamic DNS on opnsense).

Thanks
« Last Edit: July 08, 2021, 04:57:46 pm by pintu1228 »
Logged

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #18 on: July 09, 2021, 12:28:11 pm »
Quote from: pintu1228 on July 08, 2021, 04:49:36 pm
I am using google domain, how do I go about setting up the 1st part (Dynamic DNS), do I need to create 3 custom records:

domain.com (A type)
*.domain.com (A type)
www.domain.com (CNAME)

It all depends on what you would like to achieve!
You can set your DynDNS to update the IP of "domain.com" and then have a CNAME record in the form of "subdomain.domain.com" pointing to the IP of "domain.com".

However since you might also want to host a website on "domain.com / www.domain.com", you will probably want a subdomain for your domain first!
I myself always create individual 1st-level-subdomains for each physical location that is sitting in a different building / city / country having there own public IP.

f.e. location.domain.tld = earth.thehellsite.com / moon.thehellsite.com / mars.thehellsite.com and so on

And then (as I already explained in my tutorial) a wildcard 2nd-level-subdomain.
Which means that any string in the 2nd-level-subdomain is pointing to my 1st-level-subdomain.

f.e. any_string.location.domain.tld = *.earth.thehellsite.com = abcxyz.earth.thehellsite.com / 123.earth.thehellsite.com


If you do it my way then you only need to set up three things in your Google DNS zone.

  • An "A Record", f.e. location.domain.tld
  • A wildcard "CNAME Record", f.e. *.location.domain.tld
  • A "CAA Record", as explained in the tutorial

Your DynDNS should then be updating the "A Record".




But again, there are many different ways to achieve this.
You just need to find out how you would like to do it.
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

_Alchemist_

  • Newbie
  • *
  • Posts: 46
  • Karma: 1
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #19 on: July 14, 2021, 01:45:11 pm »
Thanks a lot for the write up, I will try this out as soon as I can :)

The only thing that could be added on Part 4.3 is to use an Alias for Port 80 and 443 to only use one Firewall Rule ;)
« Last Edit: July 14, 2021, 01:48:20 pm by _Alchemist_ »
Logged
OPNsense VM1: 2 vCore (i3-10100), 2GB RAM, 40GB SSD (NVMe), 10 Gbit/s NIC (X520-DA2)
OPNsense VM2: 2 vCore (i3-10100), 2GB RAM, 40GB SSD (NVMe), 10 Gbit/s NIC (X520-DA2)

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #20 on: July 14, 2021, 03:40:05 pm »
Quote from: _Alchemist_ on July 14, 2021, 01:45:11 pm
Thanks a lot for the write up, I will try this out as soon as I can :)

The only thing that could be added on Part 4.3 is to use an Alias for Port 80 and 443 to only use one Firewall Rule ;)

Good Idea!
Will add this in my next update.
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

saarko

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
Re: Tutorial: OPNsense, HAProxy, Let's Encrypt, Wildcard Certs, 100% A+ SSLLabs
« Reply #21 on: July 27, 2021, 11:44:25 pm »
Quote from: sorano on June 07, 2021, 02:21:02 pm

I also have certain domains I don't want reachable from the Internet so I use two map file rules, one for internal domains along with a condition that checks that source is RFC1918.

And one for external domains where I also require additional authentication.

Dear @TheHellSite,
thanks for the great tutorial! It works well.

Dear @sorano,

thanks for your input. The hint with map file works well. However, I am unable to create a rule with multiple "OR" conditions for various sub-domains to match and check it with an "AND" condition to test if it is an internal IP. It shall cover your described rule.

Currently I try to create a rule like:
use map file 1
IF
condition 1 "subdomain1" OR condition 2 "subdomain2"
AND condition 3 "local IP (RFC1918)" is matched


How did you solve this with the conditions and rules within OPNsense HAProxy plugin?

thanks in advance for your help and reply.
Saarko
« Last Edit: July 27, 2021, 11:46:03 pm by saarko »
Logged

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #22 on: July 28, 2021, 09:18:12 pm »
Thanks for the feedback!

I had a chat with @sorano and changed my config a little bit in the meantime.

I will update my post in a few days, hopefully. Very busy with work atm.
This will also solve your problem @saarko.
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

lilsense

  • Full Member
  • ***
  • Posts: 248
  • Karma: 7
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #23 on: July 29, 2021, 07:34:44 pm »
I followed this, however, decided against using the LE and now not getting 100% A+. is there something I am missing...
Logged

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #24 on: July 29, 2021, 08:07:09 pm »
Quote from: lilsense on July 29, 2021, 07:34:44 pm
I followed this, however, decided against using the LE and now not getting 100% A+. is there something I am missing...

Since you didn't use "LE"? (I guess you mean Let's Encrypt certificates) you should probably check out this page.
https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

So if I would have had to guess it is most likely due to the fact that the key length of your certificate is too short!

If you followed the rest of my guide (OPNsense settings + HAProxy settings) accordingly and didn't miss any configuration steps, you should be getting 100% A+ at SSLLabs!
Again, provided that your certificate has a long enough key length...



I hope you can understand that it is very hard to help you out, since you didn't share any more details about your config, the SSLLabs test results, the certificate you are using ...
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #25 on: July 29, 2021, 10:23:29 pm »
  • Changelog 20210729
    • Added an alias for the HAProxy ports and updated the WAN interface firewall rule with it.
      This leaves us with only one firewall rule instead of two and makes even more sense if one is using additional frontends on different ports.
      Thanks @_Alchemist_ for the suggestion.
    • The tutorial is now using a map file instead of "condition + rule" for service configuration.


@saarko
I didn't manage to finish part 7 "local-access-only subdomains" today.
I will try to do this tomorrow!

In the meantime you can already change your config over to map files.  :)
See part 5, step 7 to step 10. This is the only thing that has changed for using map files.
Map files will also make part 7 very easy for you!
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

lilsense

  • Full Member
  • ***
  • Posts: 248
  • Karma: 7
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #26 on: July 30, 2021, 05:43:22 pm »
ggetting this from hap:

[WARNING] 210/114212 (27105) : Proxy '1_HTTPS_Frontend': no-sslv3/no-tlsv1x are ignored for bind '192.168.1.50:443' at [/usr/local/etc/haproxy.conf.staging:71]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.
Warnings were found.
Configuration file is valid
Logged

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #27 on: July 30, 2021, 06:21:48 pm »
Quote from: lilsense on July 30, 2021, 05:43:22 pm
ggetting this from hap:

[WARNING] 210/114212 (27105) : Proxy '1_HTTPS_Frontend': no-sslv3/no-tlsv1x are ignored for bind '192.168.1.50:443' at [/usr/local/etc/haproxy.conf.staging:71]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.
Warnings were found.
Configuration file is valid

Please post a screenshot of your entire HTTPS_frontend config, including advanced.
You can redact your rules.
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

lilsense

  • Full Member
  • ***
  • Posts: 248
  • Karma: 7
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #28 on: July 30, 2021, 06:51:11 pm »


Code: [Select]
# Frontend: 1_HTTPS_Frontend
frontend 1_HTTPS_Frontend
    # WARNING: ciphersuites cannot be used with flavour libressl.
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 10.10.1.50:5555 name 10.10.1.50:555 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60f9db54XXX3488.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s
Logged

TheHellSite

  • Full Member
  • ***
  • Posts: 109
  • Karma: 26
    • View Profile
Re: Tutorial 2021/07: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
« Reply #29 on: July 30, 2021, 07:08:35 pm »
Quote from: lilsense on July 30, 2021, 06:51:11 pm


Code: [Select]
# Frontend: 1_HTTPS_Frontend
frontend 1_HTTPS_Frontend
    # WARNING: ciphersuites cannot be used with flavour libressl.
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 10.10.1.50:5555 name 10.10.1.50:555 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60f9db54XXX3488.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

I was already assuming what you did (wrong) and your config is confirming it.  ;D

First of all. This is not an error but only a warning which won't make HAProxy refuse to start.
Your setup should still be working if you did everything else correctly.

This warning is appearing because you set "ssl-min-version = TLS1.2" in your HTTPS_frontend config.
Which is pretty much pointless since my config example is already blocking "sslv3 tls1.0 tls1.1" using the "Bind options" in the HTTPS_frontend field. This is why HAProxy is giving you a warning.
You can of course also remove my bind options and only use "min-ssl-version = TLS1.2", this is up to you.
Either way will work and allow only TLS1.3 connections.


Quote from: lilsense on July 30, 2021, 06:51:11 pm
Code: [Select]
# Frontend: 1_HTTPS_Frontend
frontend 1_HTTPS_Frontend
    # WARNING: ciphersuites cannot be used with flavour libressl.
...
What you should be aware of is that I specifically mentioned that my guide might not work well on LibreSSL due to the fact that not all features of the last HAProxy version is supported by the LibreSSL firmware variant of OPNsense, yet!
« Last Edit: July 30, 2021, 07:12:41 pm by TheHellSite »
Logged
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.

  • Print
Pages: 1 [2] 3 4 ... 19
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • Tutorial 2022/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved
  • SMF 2.0.18 | SMF © 2021, Simple Machines
    Privacy Policy
    | XHTML | RSS | WAP2