Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

Quote
Not necessary, just leave the port in the server settings blank.
Holy moly!  I just blanked the port on the real servers of the previous configuration you helped me with and now things work quite well!!

server1
This is the one that handles my reverse proxy and all the subdomains. Everything is working now!!

server2
I think this is the one that needs help due to the fact that it needs 80 first before setting up 443. Anyway, this one is not working, as in I can't get in from outside on port 80 to run the install script. So this one gets a 500 internal server error.

Quote from: opnuser1 on May 04, 2023, 09:58:30 PM
Thank you. Yes, it is confusing due to my lack of knowledge. I'm going to redo the diagram and post it again based on these latest comments.

Yes, I do not intend to load balance. You already understand that better than I do.

I didn't realize I could keep using my previous setup you helped me with.  I will continue with that.  I was about to go through your whole tutorial from scratch, and just remove that redirect rule.

Okay, since you want the load balancing done on your other reverse proxy and your script things on the other server, you will need this in total.

For the HTTP access
server1_condition host contains server1.domain.com
server2_condition host contains server2.domain.com
server1_backend containing server1_server (port left blank)
server2_backend containing server2_server (port left blank)
server1_rule containing server1_backend as target
server2_rule containing server2_backend as target
http_frontend:80 containing server1_rule and server2_rule


AND
for the HTTPS access/redirection, the things I told you to configure earlier.

The guide below lists only those options that need to be changed, all other options need to be left untouched in their default state.

1. Create the real servers
        1.1 TCP_SERVICE1_server: IP, Port, SSL unticked
        1.2 TCP_SERVICE2_server: IP, Port, SSL unticked

2. Create the backends
        2.1 TCP_SERVICE1_backend
                Mode:    TCP
                Servers: TCP_SERVICE1_server

        2.2 TCP_SERVICE2_backend
                Mode:    TCP
                Servers: TCP_SERVICE2_server

3. Create the conditions
        3.1 TCP_SSL_condition
                Condition type: SSL Hello Type
                SSL Hello Type: 1 - client hello

        3.2 TCP_SERVICE1_condition
                Condition type: SNI TLS extension matches (TCP request content inspection)
                SNI Matches:    service1.domain.tld

        3.3 TCP_SERVICE2_condition
                Condition type: SNI TLS extension matches (TCP request content inspection)
                SNI Matches:    service2.domain.tld

4. Create the rules
        4.1 TCP_RequestInspectDelay_rule
                Select conditions:    Nothing selected
                Execute function:     tcp-request inspect delay
                TCP inspection delay: 5s

        4.2 TCP_RequestContentAccept_rule
                Select conditions:               TCP_SSL_condition
                Logical operator for conditions: none
                Execute function:                tcp-request content accept

        4.3 TCP_SERVICE1_rule
                Select conditions:               TCP_SERVICE1_condition
                Logical operator for conditions: none
                Execute function:                Use specified Backend Pool
                Use backend pool:                TCP_SERVICE1_backend

        4.4 TCP_SERVICE2_rule
                Select conditions:               TCP_SERVICE2_condition
                Logical operator for conditions: none
                Execute function:                Use specified Backend Pool
                Use backend pool:                TCP_SERVICE2_backend

5. Edit the SNI_frontend
   Note: This step assumes that you are not following my whole tutorial.
         However, you have to at least finish the following steps of my tutorial:
         - Part 4: everything
         - Part 5: step 1-3 and step 10 (only create the SNI_frontend but without a Default Backend Pool)

         The exact order of the rules below is very important here!
         The "TCP_RequestInspectDelay_rule" always has to be the first rule.
         The "TCP_RequestContentAccept_rule" always has to be the second rule.

        5.1 Add the rules to the SNI_frontend in the following order:
                Select Rules: 1. TCP_RequestInspectDelay_rule
                              2. TCP_RequestContentAccept_rule
                              3. TCP_SERVICE1_rule
                              4. TCP_SERVICE2_rule


Set the SNI_frontend to listen on 0.0.0.0:443
Set the HTTP_frontend to listen on 0.0.0.0:80



When you are done post the haproxy config export.
But please in a codebox, no need to upload the file.
And don't forget to remove sensitive info.
All of my posts are submitted with the best of knowledge and belief.


My post was helpful to you?
Feel free to click [applaud] to the left underneath my profile.
Additionally you can consider donating: https://www.buymeacoffee.com/thehellsite
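To make visible what the SNI_frontend rules in the post above do to the first bytes of a connection, here is an added Python model that is not part of the tutorial or of the OPNsense HAProxy plugin. It builds a constructed TLS ClientHello, extracts what `req.ssl_hello_type` and `req.ssl_sni` would see, and applies the use_backend rules in the guide's order (the hostnames and backend names are the guide's placeholders); it also shows why a plain HTTP request arriving on a tcp-mode frontend never matches an SNI rule.

```python
import struct

# Rules in the order the SNI_frontend evaluates them, mirroring the guide above:
# (match mode of the HAProxy ACL, pattern, backend).  "str" is the plain
# `req.ssl_sni -i pattern` exact match, "sub" is `req.ssl_sni -m sub -i pattern`.
RULES = [
    ("str", "service1.domain.tld", "TCP_SERVICE1_backend"),
    ("str", "service2.domain.tld", "TCP_SERVICE2_backend"),
]


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record whose only
    extension is server_name (what a browser sends as the first bytes on :443)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # NameType host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # ExtensionType server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03"                            # client_version TLS 1.2
            + bytes(32)                            # random (zeros in this sample)
            + b"\x00"                              # session_id: empty
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def ssl_hello_type(data: bytes):
    """What HAProxy's req.ssl_hello_type sees: the handshake message type of the
    first TLS record, or None when the bytes are not a TLS handshake record."""
    if len(data) < 6 or data[0] != 0x16 or data[1] != 0x03:
        return None
    return data[5]


def ssl_sni(data: bytes):
    """What req.ssl_sni sees: the host_name from the server_name extension of a
    ClientHello, or None when there is no ClientHello or no SNI."""
    if ssl_hello_type(data) != 1:
        return None
    try:
        pos = 9 + 2 + 32                                   # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
        pos += 1 + data[pos]                               # compression_methods
        if pos + 2 > len(data):
            return None                                    # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            pos += 4
            if etype == 0x0000:
                p, stop = pos + 2, pos + elen              # skip ServerNameList length
                while p + 3 <= stop:
                    ntype = data[p]
                    nlen = struct.unpack_from("!H", data, p + 1)[0]
                    p += 3
                    if ntype == 0:
                        return data[p:p + nlen].decode("ascii", "replace")
                    p += nlen
            pos += elen
    except (IndexError, struct.error):
        return None                                        # truncated record
    return None


def route_connection(first_bytes: bytes, rules=RULES, default_backend=None):
    """Mirror the rule order of the SNI_frontend: the inspect delay buffers the
    first bytes, `tcp-request content accept` only fires for a ClientHello, and
    the use_backend rules are then tried in order.  Anything that is not a
    ClientHello (e.g. plain HTTP on a tcp-mode port 80) matches no SNI rule and
    falls through to the default backend, which the guide leaves unset."""
    if ssl_hello_type(first_bytes) != 1:
        return default_backend
    sni = ssl_sni(first_bytes)
    if sni is None:
        return default_backend
    sni = sni.lower()
    for mode, pattern, backend in rules:
        pattern = pattern.lower()
        if (mode == "str" and sni == pattern) or (mode == "sub" and pattern in sni):
            return backend
    return default_backend


if __name__ == "__main__":
    for probe in (build_client_hello("service2.domain.tld"),
                  b"GET / HTTP/1.1\r\nHost: service2.domain.tld\r\n\r\n"):
        print(ssl_hello_type(probe), ssl_sni(probe), route_connection(probe))
```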


OK, I gave it a shot.  Not sure if my http config is correct.  Servers seem to be working except for the one that needs http, I am currently checking it out.

But here is my config.


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         0.0.0.0 local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend ()
frontend SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp

    # logging options
    option tcplog
    # ACL: TCP_SSL_condition
    acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
    # ACL: NoSSL_condition
    acl acl_644d62959d73a1.59974462 ssl_fc
    # ACL: server1_condition
    acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
    # ACL: server2_condition
    acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com

    # ACTION: TCP_RequestInspectDelay_rule
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: TCP_RequestContentAccept_rule
    tcp-request content accept if acl_644c56b6785678.47181279
    # ACTION: server1_rule
    use_backend server1_backend if !acl_644d62959d73a1.59974462 acl_644c5700ee7657.09485748
    # ACTION: server2_rule
    use_backend server2_backend if !acl_644d62959d73a1.59974462 acl_644c5719768e71.87060950

# Frontend: HTTP_frontend ()
frontend HTTP_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp

    # logging options
    option tcplog
    # ACL: NoSSL_condition
    acl acl_644d62959d73a1.59974462 ssl_fc
    # ACL: server2_condition
    acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com
    # ACL: server1_condition
    acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
    acl acl_644c56b6785678.47181279 req.ssl_hello_type 1

    # ACTION: server2_rule
    use_backend server2_backend if !acl_644d62959d73a1.59974462 acl_644c5719768e71.87060950
    # ACTION: server1_rule
    use_backend server1_backend if !acl_644d62959d73a1.59974462 acl_644c5700ee7657.09485748
    # ACTION: TCP_RequestInspectDelay_rule
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: TCP_RequestContentAccept_rule
    tcp-request content accept if acl_644c56b6785678.47181279

# Backend: server1_backend ()
backend server1_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server server1_server 192.168.1.234

# Backend: server2_backend ()
backend server2_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server server2_server 192.168.1.231



# statistics are DISABLED



Quote from: opnuser1 on May 06, 2023, 11:06:42 PM
I was reading this link:
https://blog.entrostat.com/routing-multiple-domains-using-haproxy-http-and-https-ssl/

And it says:
Quote
What you'll notice here is that I bind to port 80 using mode http but I bind to port 443 using mode tcp. This is to avoid the need for certificates on the 443 bind. Basically, what I'm doing here is routing 443 to a host and I expect that host to have the certificate set up.

Which makes me wonder, do I need separate servers per port? So 4 total... so that I can use different modes for each port?

Please don't take this the wrong way....
But dude, you are getting to a point where I am questioning your ability to simply do what you have been told to do.
You could have been done with whatever you are trying to achieve at this point by just following what I am saying. But no, you are out there looking for other solutions and then asking ME if this is the way?!

I am even telling you why you don't need separate servers+backends for this and you just don't listen/read or refuse to understand.

Remember, I am providing a free tutorial and you have been asking questions that are out of scope of this tutorial since the beginning. And I still helped you. However, this is slowly getting to a point where I am just refusing to help any further.
So for the sake of my time (and yours) just do what I told you to do.

Yes, this is indeed a wonderful tutorial. Sorry again.

I was just wondering.  My actual attempt was indeed trying to follow your instructions.

I see where I didn't follow your instructions.  My bad, yes I'm a moron.  Sorry about that too.

Quote
When you are done post the haproxy config export.
But please in a codebox, no need to upload the file.
And don't forget to remove sensitive info.

haproxy config below:


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         0.0.0.0 local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend ()
frontend SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp

    # logging options
    option tcplog
    # ACL: TCP_SSL_condition
    acl acl_644c56b6785678.47181279 req.ssl_hello_type 1
    # ACL: TCP_server1_condition
    acl acl_644c5700ee7657.09485748 req.ssl_sni -m sub -i domain1.com
    # ACL: TCP_server2_condition
    acl acl_644c5719768e71.87060950 req.ssl_sni -i domain2.com

    # ACTION: TCP_RequestInspectDelay_rule
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5s
    # ACTION: TCP_RequestContentAccept_rule
    tcp-request content accept if acl_644c56b6785678.47181279
    # ACTION: TCP_SERVICE1_rule
    use_backend TCP_SERVICE1_backend if acl_644c5700ee7657.09485748
    # ACTION: TCP_SERVICE2_rule
    use_backend TCP_SERVICE2_backend if acl_644c5719768e71.87060950

# Frontend: HTTP_frontend ()
frontend HTTP_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp

    # logging options
    option tcplog
    # ACL: http_server1_condition
    acl acl_6457247ca14984.71641345 hdr_sub(host) -i domain1.com
    # ACL: NoSSL_condition
    acl acl_644d62959d73a1.59974462 ssl_fc
    # ACL: http_server2_condition
    acl acl_64572496aeac32.73416688 hdr_sub(host) -i domain2.com

    # ACTION: http_server1_rule
    use_backend TCP_SERVICE1_backend if acl_6457247ca14984.71641345 !acl_644d62959d73a1.59974462
    # ACTION: http_server2_rule
    use_backend TCP_SERVICE2_backend if acl_64572496aeac32.73416688 !acl_644d62959d73a1.59974462

# Backend: TCP_SERVICE1_backend ()
backend TCP_SERVICE1_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server TCP_SERVICE1_server 192.168.1.234

# Backend: TCP_SERVICE2_backend ()
backend TCP_SERVICE2_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server TCP_SERVICE2_server 192.168.1.231



# statistics are DISABLED


Hello sir,

I followed your guide and everything worked for the past year. However, today for some reason, my server doesn't respond to my domain anymore. I have adguard and truenas set up, so when I run those commands on ad.xxxx.xxxx, it resolves. However, if I just run mydomain.xxx then it doesn't resolve to my public IP address anymore.

May I ask what may be the problem?

Thank you so much for your time sir.

Quote from: phamd4 on May 07, 2023, 07:43:59 AM
Hello sir,

I followed your guide and everything worked for the past year. However, today for some reason, my server doesn't respond to my domain anymore. I have adguard and truenas set up, so when I run those commands on ad.xxxx.xxxx, it resolves. However, if I just run mydomain.xxx then it doesn't resolve to my public IP address anymore.

May I ask what may be the problem?

Thank you so much for your time sir.

Since you didn't provide any error codes, you will have to give me some more info.
But I can assure you that if you didn't change anything on the OPNsense or in HAProxy, it is likely an error in your DNS zone.

Please post a HAProxy export (check for sensitive info!).

Also tell me your certificate Common Name and Alt Names (replace your real domain name) as configured in the Let's Encrypt plugin certificate settings.

Lastly, the relevant content of your DNS zone (A record, CNAME record) at your domain registrar that is pointing to your domain (replace sensitive info).


Please keep any replaced info in the same style everywhere.

Hello sir,

Thank you for getting back to me.

Attached is my HAProxy config

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    6
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443)
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on 127.4.4.3:80)
frontend 1_HTTP_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_condition
    acl acl_630c2xxx9944 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_630c25xxx249944

# Frontend: 1_HTTPS_frontend (Listening on 127.4.4.3:443)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/630c280xxx7137226.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    # ACL: LOCAL_SUBDOMAINS_SUBNETS_condition
    acl acl_630c2982907624.21524463 src 20.xxx.0/24 20xxx0/24 20xxx.0/24

    # ACTION: LOCAL_SUBDOMAINS_map-rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/630c2909dfxxx.10265915.txt)] if acl_630c2xxx7624.21524463
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/630c262xxx9c50.82551607.txt)]

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_server 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: opnsense_backend ()
backend opnsense_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server opnsense_server 20.14.0.1:55443 ssl verify none

# Backend: truenas_backend ()
backend truenas_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server truenas_server 20.xxx.4 ssl verify none

# Backend: proxmox_backend ()
backend proxmox_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server proxmox_server 20.xxx47:8xxx6 ssl verify none

# Backend: ad_backend ()
backend ad_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server ad_server 20.xxx.1:56xxx43 ssl verify none

# Backend (DISABLED): proxmox_backend_1 ()

# Backend (DISABLED): truenas_backend_1 ()



# statistics are DISABLED




As for my domain for the certificate, I followed your guide and have it at
Common name *.xxxan.to

As for the DNS Zone I'm using your guide https://desec.io
CNAME is *.mydomainname.to
I don't have A record (I didn't see it in your guide)

I checked and my dynamic DNS server still updates my IP address to desec. Also, when I tried to restart my authentication service, I see my token on desec being renewed. So I think that aspect works.

I can access my domain if I have that server running, i.e. adguard, plex. However, if I just type in my domain name it doesn't resolve to my public IP anymore. I think it is at desec's end, but I've tried to add and delete my domain and nothing seemed to work.

Quote from: phamd4 on May 07, 2023, 11:19:59 PM
Hello sir,

Thank you for getting back to me.

Attached is my HAProxy config

Please post a screenshot of your desec DNS zone (remove sensitive info). But please overwrite the removed info with something so I can still understand how you set this up.
Are you using a domain of type "example.dedyn.io" or do you own a real domain like "example.yourdomain.com"?

Please also note that if you want to cover your domain "subdomain.DOMAIN.com", given that you have one, you will have to use Common Name "domain.com" and Alt Name "*.domain.com", otherwise only the subdomains of your domain will be covered by your certificate!
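The caveat in the post above, that a wildcard Alt Name such as "*.domain.com" covers one label below the domain but never the bare domain itself, can be checked offline. This added Python example is not part of the tutorial; it applies the wildcard matching rules browsers use for certificate names (RFC 6125, section 6.4.3), with "domain.com" standing in for a real domain.

```python
def cert_name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or Alt Name) covers hostname.
    Wildcard rules as browsers apply them: '*' may only be the whole leftmost
    label, it matches exactly one label, and it never matches the bare domain."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname                 # plain name: exact match only
    cert_labels, host_labels = cert_name.split("."), hostname.split(".")
    if cert_labels[0] != "*" or "*" in cert_labels[1:]:
        return False                                 # partial or non-leftmost '*' rejected
    if len(cert_labels) < 3:
        return False                                 # '*.tld' style wildcards rejected
    if len(host_labels) != len(cert_labels):
        return False                                 # one label only: no bare domain, no a.b.domain
    return host_labels[1:] == cert_labels[1:]


def covered_by(cert_names, hostname: str):
    """Which of the certificate's names (CN plus Alt Names) covers hostname, or None.
    Use this to verify the CN/Alt Name set before requesting the certificate."""
    for name in cert_names:
        if cert_name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Wildcard only (what the post warns about) versus CN + wildcard Alt Name.
    for names in (["*.domain.com"], ["domain.com", "*.domain.com"]):
        for host in ("domain.com", "service1.domain.com", "a.b.domain.com"):
            print(names, host, "->", covered_by(names, host))
```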

Hello,

I read your suggestion and just blindly tried to add the A record in my desec, with my public IP address, and voila, I was able to access my public IP. May I ask what happened or changed? I apologize if my question is not very smart. If I add my A record like this, will I be able to have my IP address automatically updated? I know with your guide, through the token management, it receives IP updates from my OPNsense dynamic DNS. However, if my record is using an A record, I have to manually enter the IP myself.

Thank you so much for your time.

Quote from: opnuser1 on May 06, 2023, 10:51:57 PM
OK, I gave it a shot.  Not sure if my http config is correct.  Servers seem to be working except for the one that needs http, I am currently checking it out.

But here is my config.



Yes, this shows me your haproxy export, but it doesn't tell me whether this is working for you like intended or not.

Also, why do you have a "NoSSL_condition" and why did you link it to the serviceX_rules of the HTTP_frontend?
Remove it, this is totally unnecessary and I never said that you need this.

Quote from: phamd4 on May 07, 2023, 11:33:57 PM
Hello,

I read your suggestion and just blindly tried to add the A record in my desec, with my public IP address, and voila, I was able to access my public IP. May I ask what happened or changed? I apologize if my question is not very smart. If I add my A record like this, will I be able to have my IP address automatically updated? I know with your guide, through the token management, it receives IP updates from my OPNsense dynamic DNS. However, if my record is using an A record, I have to manually enter the IP myself.

Thank you so much for your time.

Again, please describe your domain setup (main domain name, subdomains, dns zone content, dyndns update TARGET domain/subdomain, ...)!
Otherwise I will not be able to help you very much.