Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

[TheHellSite]

Is dynamic dns still needed for fixed IP. You did say start from part 2 step 3. This update URL makes me think?

Not needed! A record is enough.
Dynamic DNS is basically only updating the A record in your DNS Zone.

[newbee]

Hi,

So was setting up all night and all morning.

I skipped and removed dyndns plugin.
I completed the rest of the steps, except for the map as no subdomains setup yet.
I also didnt add a wild card for subdomains to the cert, when i did add it the cert failed. once removed the cert installed fine.
When i checked the local ip in browser, it works. When i type www.example.com it fails and cant ping address.

Had a hunt for what it could be, in the end decided to reboot opnsense and see if it shows errors.

Now rebooted HaProxy status is down and will not start.
I have looked in every log and there is only this:

2021-08-10T15:15:37   root[90544]   /usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy   
2021-08-10T15:15:30   root[91171]   /usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy   
2021-08-10T15:00:29   root[26043]   /usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy   
2021-08-10T14:59:58   syslog-ng[29102]   syslog-ng starting up; version='3.33.2'   
2021-08-10T14:59:56   syslog-ng[70806]   syslog-ng shutting down; version='3.33.2'   
2021-08-10T14:59:55   root[49764]   /usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy

thinking to remove HAProxy and start again?

[TheHellSite]

No need to.
Look in your PMs.

[Lip90]

Hi there,
First of all, thank you very much for the tutorial. I still have two questions. I hope you are so nice to answer me .

I want to make OPENvpn and various websites accessible via 443.

1st question:
I create a subdomain for each service. Can this subdomain then point to the same DYNDNS cname entries?
For example:
openvpn.domain.com -> CNAME -> 123.dyndns.com
seafile.domain.com -> CNAME -> 123.dyndns.com

2nd question:
How to configure HAproxy for openvpn.
Could you explain it to me as well as you did in the tutorial or add the point to the tutorial?

[TheHellSite]

1st question:
I create a subdomain for each service. Can this subdomain then point to the same DYNDNS cname entries?
For example:
openvpn.domain.com -> CNAME -> 123.dyndns.com
seafile.domain.com -> CNAME -> 123.dyndns.com

Yes, this is exactly what the CNAME record is for! https://en.wikipedia.org/wiki/CNAME_record

If you follow my guide and use desec.io as your DynDNS provider then you can even use a wildcard CNAME record. As you can see in the attached picture.
"*.tutorial.dedyn.io" means that "a.tutorial.dedyn.io, b.tutorial.dedyn.io, c.tutorial.dedyn.io, ..." will all point to "tutorial.dedyn.io" which points to "8.8.8.8".

So if you decide to use a wildcard subdomain, then you will only need to create that single subdomain "*.domain.com".
But keep in mind that not all DNS providers / domain registrars support this!

2nd question:
How to configure HAproxy for openvpn.
Could you explain it to me as well as you did in the tutorial or add the point to the tutorial?

For this your OpenVPN server needs to run in TCP mode. (Your clients need to connect to your OpenVPN server using a TCP tunnel.)
This is because HAProxy doesn't support UDP load balancing!

If you are using OpenVPN over TCP, then the configuration is pretty straight forward.
The only difference to my example Plex configuration is that you will have to set the backend "OpenVPN_backend" to TCP mode instead of HTTP mode.
See the FAQ "Why are we doing 2-Level-SNI?" and "How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?".
This should explain how to set this up.
I suggest that you first make your Seafile server working and after that proceed with your OpenVPN server.

As I am currently not using OpenVPN or any other service that requires TCP load balancing, I won't be adding this to the tutorial any time soon.

[Lip90]

Thanks for your answer.

I have now followed your instructions exactly before I play with a changed configuration. When I try to call up the page cloudserver.xyz.dedyn.io, I always get a 503 Service Unavailable message.

Do you have any idea what I'm doing wrong?

[TheHellSite]

Post your HAProxy config. But remove your public IP or anything that reveals your identity. But leave all local IPs in it.
There is an export option in HAProxy.

[Lip90]

Hi,

this is my HAproxy config:

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 debug

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend
    # tuning options
    timeout client 30s

    # logging options
    option tcplog

# Frontend: 1_HTTP_frontend (Listening on 192.168.64.1:80)
frontend 1_HTTP_frontend
    bind 192.168.64.1:80 name 192.168.64.1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: NoSSL_condition
    acl acl_6138b110159553.96461818 req.ssl_ver gt 0

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_6138b110159553.96461818

# Frontend: 1_HTTPS_frontend (Listening on 192.168.64.1:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.64.1:443 name 192.168.64.1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6138b32401a006.77997133.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 15m

    # logging options
    option httplog

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/6138b15d48a964.28077676.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_server 192.168.64.1 send-proxy-v2 check-send-proxy

# Backend: SEAFILE_backend ()
backend SEAFILE_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server SEAFILE_server 192.168.1.11:81 ssl verify none
Mapfile:

Code: [Select]

Name: PUBLIC_SUBDOMAINS_map
Content: cloudserver SEAFILE_backend
Do you need something else?

[sorano]

Dropping this in here to make sure noone misses it:

https://forum.opnsense.org/index.php?topic=24668.0

[Lip90]

This could be my Problem. How can i install the fix? Sorry for this dump question i did this never befoe.


Gesendet von iPhone mit Tapatalk

[sorano]

This could be my Problem. How can i install the fix?

Lol no!! Not at all. That is a security vulnerability and not your problem.

If the information you posted is correct your problem is that you are not using FQDN in your map file.

[Lip90]

Oh ok.

you mean i must change the mapfile to

cloudserver.domain.com SEAFILE_backend


Gesendet von iPhone mit Tapatalk

[sorano]

Oh ok.

you mean i must change the mapfile to

cloudserver.domain.com SEAFILE_backend


Gesendet von iPhone mit Tapatalk

Yeah

[TheHellSite]

Dropping this in here to make sure noone misses it:

https://forum.opnsense.org/index.php?topic=24668.0

Thanks!

If the information you posted is correct your problem is that you are not using FQDN in your map file.

Not necessarily, I think!
I also didn't place the whole FQDN in my mapfiles, instead I am just using the subdomains.
This works just fine. But I guess it is arguable if using the complete FQDN is the better option.
https://www.haproxy.com/documentation/hapee/latest/configuration/map-files/syntax/

Code: [Select]

plex PLEX_backend
iot IOT_backend
...

Code: [Select]

# Backend: SEAFILE_backend ()
backend SEAFILE_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server SEAFILE_server 192.168.1.11:81 ssl verify none

Your map file should still work even without using FQDNs.

Your HAProxy config also looks fine.
The only thing that makes me curious is your "SEAFILE_server" configuration!
You might wanna take a look at the "configured port" or the "SSL checkbox"!
I highly doubt that your seafile server is listening on port 81 for HTTPS traffic, which is what you have configured by ticking the SSL checkbox.
The SSL checkbox means that the server is using HTTPS/SSL on the specified port. However if the server isn't actually using HTTPS/SSL on that port then the connection will obviously not work.

[Lip90]

Many thanks for the help. FQDN is not necessary.

By changing to no ssl, the Seafile server now works.