Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[TheHellSite]

Dear @TheHellSite,
thanks for the great tutorial! It works well.

Dear @sorano,

thanks for your input. The hint with map file works well. However, I am unable to create a rule with multiple "OR" conditions for various sub-domains to match and check it with an "AND" condition to test if it is an internal IP. It shall cover your described rule.

Currently I try to create a rule like:
use map file 1
IF
condition 1 "subdomain1" OR condition 2 "subdomain2"
AND condition 3 "local IP (RFC1918)" is matched


How did you solve this with the conditions and rules within OPNsense HAProxy plugin?

thanks in advance for your help and reply.
Saarko

• 20210730
  
  • Added an explanation on how to configure local-access-only subdomains in HAProxy.

[lilsense]

so not sure what you are referring to...

I used the cloudflare... what option is needed for the cert that's different from the  norm.

[TheHellSite]

So not sure if you understand what I am trying to tell you.........

I followed this, however, decided against using the LE and now not getting 100% A+. is there something I am missing...

Firstly, when you made your one-liner about the bad SSLLabs result, I asked you for details about your config and the SSLLabs result.
You gave NONE.
How could anyone be able to help you with that little information given?! 
This makes me even a bit angry.

Secondly, you asked why HAProxy is giving you a warning, so I explained to you in a very detailed manner why that is.
And now you are saying that you don't know what I am referring to?
Like, I even quoted the issue.

Thirdly, I am really willing to help anyone that follows my guide.
I am doing this in my free time free of charge.
But in return the least you could do is to say thank you, before asking for help about an issue that is most likely due to the fact that you didn't read my tutorial correctly and that you are not using Let's Encrypt certificates.


So with that being sad.
Maybe you should think about what I just said.
And then, if you are willing to, share just a tiny little bit more details about: your certificate, your SLLLabs result, ... like anything that could be of help and not just one-liners without any context.
Your issue could have already been solved if you had provided those information in the first place.

[lilsense]

here you go...


Protocols
TLS 1.3   Yes
TLS 1.2   Yes
TLS 1.1   Yes
TLS 1.0   Yes
SSL 3   No
SSL 2   No


Cipher Suites
# TLS 1.3 (server has no preference)
TLS_AES_128_GCM_SHA256 (0x1301)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
TLS_AES_256_GCM_SHA384 (0x1302)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_CHACHA20_POLY1305_SHA256 (0x1303)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH x25519 (eq. 3072 bits RSA)   FS   128
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)   ECDH x25519 (eq. 3072 bits RSA)   FS   256P
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)   ECDH x25519 (eq. 3072 bits RSA)   FS   256P
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH x25519 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
# TLS 1.1 (suites in server-preferred order)
# TLS 1.0 (suites in server-preferred order)
(P) This server prefers ChaCha20 suites with clients that don't have AES-NI (e.g., Android devices)   

[TheHellSite]

Please don't get me wrong, but...

You know what it's like trying to help you?
It's like trying to teach a stone how to sing.
You can try as long as you want and still fail.
Because...
A) He doesn't understand you.
and
B) He is not answering your questions.




This is the last time I am asking you.
Give a screenshot of your ENTIRE SSLLabs result.
A SCREENSHOT. But with your domain name and IP blacked out.

[saarko]

• 20210730
  
  • Added an explanation on how to configure local-access-only subdomains in HAProxy.

thanks, works like a charm.
My "mistake" was that I thought to need a condition to trigger a map rule. Since it is not necessary, it is even easier, except for the RFC1918 condition of course.

[Crappysauce]

First off, thank you so much for this guide. Really helped.

I was having issues connecting to my server due to handshake errors which I think got fixed after generating new ciphers using the Mozilla SSL Config generator and changing the HAProxy and OpenSSL versions to match my setup.

After that, HAProxy seemed to refuse to redirect me to my Vaultwarden server, unless I turned off the SSL option in my Real Server setting. It still shows that I'm secured with the proper (wildcard cert from Let's Encrypt).

Do I need the SSL option enabled? The SSL test still gave me an A+...

[TheHellSite]

I was having issues connecting to my server due to handshake errors which I think got fixed after generating new ciphers using the Mozilla SSL Config generator and changing the HAProxy and OpenSSL versions to match my setup.

Are you on the latest version of OPNsense and are the installed plugins up to date?
Just out of interest, which versions of OPNsense, HAProxy and Let's Encrypt are you running?

After that, HAProxy seemed to refuse to redirect me to my Vaultwarden server, unless I turned off the SSL option in my Real Server setting. It still shows that I'm secured with the proper (wildcard cert from Let's Encrypt).

Do I need the SSL option enabled? The SSL test still gave me an A+...

The reason you couldn't connect was due to a misconfiguration in your real server, as you figured out yourself.
You enabled the "SSL -  Enable or disable SSL communication with this server. " checkbox in your real server for Vaultwarden even though the port used to connect doesn't offer SSL encryption.
https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
https://github.com/dani-garcia/vaultwarden/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome



You need to think of a reverse proxy setup like this.

WWW ---Stage 1---> yourdomain.tld ---Stage 2---> OPNsense + HAProxy + LE ---Stage 3---> internal services

Stage 1 + 2
Public facing external traffic. Traffic in these stages is now always encrypted with a verified SSL certificate. In this case it is created and verified by Let's Encrypt.

Stage 3
Local facing internal traffic. Traffic in this stage can or can not be encrypted, depending on your service setup. This is the traffic from HAProxy to your internal service. It doesn't need to be encrypt because you can consider your internal network as trusted.
However it is still strongly advised to also run this traffic encrypted.
In HAProxy you only need to check the "SSL" box in your real server setting for this.
But then you also need to actually enable SSL encryption on that service, f.e. by installing a self-signed certificate on that service and enabling HTTPS. Even though using a self-signed certificate will give you a warning by your browser when accessing the service directly and not through the reverse proxy, the traffic is still encrypted, the certificate is just unverified.
How to actually do this this depends on the service but this should be covered somewhere in its manual.

You can read more about this here: https://www.globalsign.com/en/ssl-information-center/dangers-self-signed-certificates



I will add this explanation to the FAQ.

[Crappysauce]

Are you on the latest version of OPNsense and are the installed plugins up to date?
Just out of interest, which versions of OPNsense, HAProxy and Let's Encrypt are you running?

Everything is at the latest version:
OPNSense: 21.7
HAProxy Plugin: 3.4
Let's Encrypt: 2.6

The reason you couldn't connect was due to a misconfiguration in your real server, as you figured out yourself.
You enabled the "SSL -  Enable or disable SSL communication with this server. " checkbox in your real server for Vaultwarden even though the port used to connect doesn't offer SSL encryption.
https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
https://github.com/dani-garcia/vaultwarden/wiki/Private-CA-and-self-signed-certs-that-work-with-Chrome

I knew I was forgetting something 
I'll read up on his quides and get it all sorted.

Thank you again for your guide and help 

[newbee]

Hi

@TheHellsite Thank you so much for your time and knowledge

If you have a fixed IP, does the DynDNS Configuration step need to be done? if skipped is there other settings i should put in?

If it is a must when we signup, there are 2 options :

configure your own domain
or
register under dyn.io

i have my own domain names about 10. Do i add each one to there system to get certs then duplicate the process to reverse proxy and cert the other domains?

If you use your real domain eg. www.123.com Do i need to go to my current domain registrar and change name servers to point to desec??

Thank you for the help. just want to get these vms up so i can programme again going to cry.

[TheHellSite]

Hi

If you have a fixed IP, does the DynDNS Configuration step need to be done? if skipped is there other settings i should put in?

If you have a fixed IP that for sure never ever changes.
Then yes, you can safely skip setting up DynDNS on your OPNsense.
You will then only need to configure an A-Record in the DNS zone of your domains / subdomains pointing to your static IP.
You can set this up at your domain hosting provider.

Feel free to share a bit more about your current domain set up.
This will make it easier for me to help you.
- What are your domains?
- What are your subdomains?
- What is your domain hosting provider?

If it is a must when we signup, there are 2 options :

configure your own domain
or
register under dyn.io

i have my own domain names about 10. Do i add each one to there system to get certs then duplicate the process to reverse proxy and cert the other domains?

update: i used my domain name. i think that was wrong.

Seems like deSEC now also supports managing domains that are "hosted / registered" at a different hosting provider.
If I understood this correctly it allows you to manage the DNS zone of your domain at deSEC without actually transfering your domain away from you current hosting provider.

Since you are saying that you already have some domains / subdomains registered.
Something like "sub1.yourdomain1.com" ... "sub4.yourdomain5.com" and so on...

In this case you should check if your current domain hosting provider supports the DNS challenge.
And that the Let's Encrypt Plugin on OPNsense supports the DNS challenge for your hosting provider.
If not, then you have two options if you would like to use wildcard certificates...

Option 1 - Proceed setting up the managed DNS for your desired domains at deSEC. Then follow my tutorial beginning with part 2 step 3.

Option 2 - Transfer your domains to a hosting provider that supports the DNS challenge and that is also supported by the Let's Encrypt plugin.





Feel free to share more information about your domain / subdomain scenario along with the name of your hosting provider.
Of course don't expose your real domain names.

[newbee]

Wow thank you

Yes IP is fixed 100%.
- What are your domains? .com and .co.uk eg. example.com is my primary one.
- What are your subdomains? cloud.example.com dev.example.com
- What is your domain hosting provider? 123reg.co.uk

Have got to step Part 2 step 7. setting up opnsense dynamic DNS. So far have followed all steps par i registered example.com and not "anything.dedyn.io".

So before continuing i will check 123reg.co.uk options

[TheHellSite]

For your own safety please replace your real domain name with "example", if the above is your real domain name!

I quickly checked 123reg and it seems like they do not offer an API so you can't use the DNS challenge.

Which gives you only 2 options.

1 - From now on managing the DNS zone of your 123reg domains at deSEC.
https://www.123-reg.co.uk/support/domains/how-do-i-change-the-nameservers-for-my-domain-name/
+ see image attached.

2 - Moving your domain to another registrar.

[newbee]

Thank you,

name servers updated. I have added A and MX records (set MX prefence to "10", is that right?).

In the opnsense Dynamic DNS, stuck on update URL. just type update.example.com?

[newbee]

Is dynamic dns still needed for fixed IP. You did say start from part 2 step 3. This update URL makes me think?