Hi there,I tried to activate DDNS via the API with ionos as suggested but miserably failed yet. Might be somewhat unusual but I only want to activate DDNS for two subdomains, not my entire domain ‚domain.com‘ (only ‚sub.domain.com‘). I come up to the step that I have created my update URL, the server responds with 200 properly on the Ionos API page. This should then have activated DDNS for the requested subdomains according to the doc. However there is the no entry for these subdomain on the DNS page.When I apply Update URL in the opnsense dyndns config and press ‚save and enforce update‘, my public IP is properly shown in the opnsense dyndns config page. But still the subdomain is not shown as a DynDNS subdomain at ionos ..as to be feared there is also no DNS with my public IP for the subdomain distributed … Do i miss a step ?? I am looking forward to any idea.Br br
FYI I got it working the Basic Auth.So 21.7.4 has an issue with HAProxy where changes to config are not being saved: https://forum.opnsense.org/index.php?topic=25480.0After I applied the patch it is working.For Basic Auth all I did was create a user under User Management(There does seem to be some restrictions around password length or complexity, I didnt spend a load of time testing)My 20+ Char passwords would not work until I dumbed it down a bit.So once you have a user go to your Backend Pools, choose your desired service, scroll down to Basic Authentication -> tick the box and add the username you just created.Boom it works.
## Automatically generated configuration.# Do not edit this file manually.#global uid 80 gid 80 chroot /var/haproxy daemon stats socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners nbproc 1 nbthread 4 hard-stop-after 60s maxconn 10000 tune.ssl.default-dh-param 4096 spread-checks 2 tune.chksize 16384 tune.bufsize 16384 tune.lua.maxmem 0 log /var/run/log local0 debug lua-prepend-path /tmp/haproxy/lua/?.luadefaults log global option redispatch -1 maxconn 5000 timeout client 30s timeout connect 30s timeout server 30s retries 3 default-server init-addr last,libc# autogenerated entries for ACLs# autogenerated entries for config in backends/frontends# autogenerated entries for stats# Frontend: 0_SNI_Frontend (listening on 0.0.0.0:80 and 0.0.0.0:443)frontend 0_SNI_Frontend bind 0.0.0.0:443 name 0.0.0.0:443 bind 0.0.0.0:80 name 0.0.0.0:80 mode tcp default_backend SSL_Backend # tuning options timeout client 30s # logging options# Frontend: 1_HTTP_Frontend (Listening on 192.168.1.50:80)frontend 1_HTTP_Frontend bind 192.168.1.50:80 name 192.168.1.50:80 accept-proxy mode http option http-keep-alive option forwardfor # tuning options timeout client 30s # logging options # ACL: NOSSL_Condition acl acl_60f9d6d0118252.11362730 req.ssl_ver gt 0 # ACTION: HTTPtoHTTPS_Rule http-request redirect scheme https code 301 if !acl_60f9d6d0118252.11362730# Frontend: 1_HTTPS_Frontend (listening on 192.168.1.50:443)frontend 1_HTTPS_Frontend http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" bind 192.168.1.50:443 name 192.168.1.50:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60f9db5421ce96.24863488.certlist mode http option http-keep-alive option forwardfor # tuning options timeout client 15m # logging options # ACTION: Public_Sub_MapRule # NOTE: actions with no ACLs/conditions will always match use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/61698448328ff6.66158166.txt)] # Backend: SSL_Backend ()backend SSL_Backend # health checking is DISABLED mode tcp balance source # stickiness stick-table type ip size 50k expire 30m stick on src # tuning options timeout connect 30s timeout server 30s server HAP_VIP 192.168.1.50 send-proxy-v2 check-send-proxy# Backend: TruePlex_Backend ()backend TruePlex_Backend # health checking is DISABLED mode http balance source # stickiness stick-table type ip size 50k expire 30m stick on src # tuning options timeout connect 30s timeout server 30s http-reuse safe server TruePlex 192.168.1.12:32400 ssl verify none
It was fixed after the latest update, however, I am still having connections issues... I am getting handshake failures.
From all clients, nothing works.I can connect to the plex with the local IP without an issue.
I thought you were asking about an HAProxy + Let's Encrypt issue...Since you are using cloudflare certificates I am unable to help you. You are better off asking for help in the HAProxy forums or the cloudflare support regarding your issues.Let me finish by giving you these informations:1. The SSL Labs test pictures you sent me indicate that your certificate content (cn + alt name) seems to be wrong.2. Your HAProxy HTTPS frontend settings do not match the ones I provide in my guide.You could however just follow my tutorial step by step and would end up with a working setup.
Part 4, step 1. It says to change OPN Admin interface to another port(s) for http and https, usual 80, 443 because HA would expect traffic there.Is it obligatory or could I keep my real server on 8082 and setup HA to exect that and keep OPN as is on 80 & 443?I expect to use https with a self signed cert on the real server -instead of the current cert now in OPN-, or maybe only http on that port at the beginning.Thanks.
I am not sure what I am missing... I went over the HA HTTPS Frontend a dozen times and I am not seeing what's not matching...
Web Server = Interface = IP:PortHAProxy = ALL = 0.0.0.0:0 or 0.0.0.0:80+443OPNsense = LAN = 192.168.1.1:443This is the conflict! You can't have two or more services listening on the same "Interface + IP:Port". How would they know which traffic belongs to whom? As soon as one of them grabs the traffic the other one will never get it.TL;DR:1. Yes, you can run your real servers on any port (f.e. 8082).2. No you can't change the OPNsense back to port 443 because you wouldn't be able to reach the OPNsense web interface anymore and or HAProxy will refuse to start.3. I strongly advise you to also run your real server(s) with a self-signed SSL certificate to increase security. It is however not necessary.