Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

I have a somewhat difficult question: How can I implement a rule to allow "local" traffic only for specific named backends?

That means, I want to selectively block external access for specific domains.

I know how this works for IPv4: you can simply create a rule with a condition based on RFC1918 IPs and create a 4xx response if it does not match.

However, my situation is that my LAN clients use IPv6 GUAs generated from dynamic prefixes as assigned by my ISP, so I cannot specify the prefix to match. The WAN IPv6 is also from that prefix ("Request prefix only") and it is the target for the DNS names that HAproxy handles. Since that IPv6 always has more priority than any IPv4 or ULA IPv6, it will be the target for the HTTP(S) requests, thus NAT66 will not really cut it.

Access to lower layers than 4 is impossible within HAproxy, so I cannot use hop limits either. I have not even found a way to ask for the inbound interface because of this restriction.

All solutions I have pondered are too crude and involve scripting or using split DNS. Port-forwarding is also questionable, given the fact that there are internal layer 4 redirects to localhost with this setup already.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
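The IPv4 approach described in the post above (an RFC1918 source ACL combined with a 4xx deny for selected hostnames), written out as an added HAProxy configuration example; it is not from the original post or the OPNsense plugin, and the frontend name, bind address, hostnames and backend names are assumptions. It does not solve the dynamic IPv6 GUA prefix problem the post raises; it only shows the static-prefix case.

```haproxy
# Added example (not from the original post): block non-private clients for
# selected hostnames only, while leaving other hostnames reachable from anywhere.
# Frontend name, bind address, hostnames and backend names are assumptions.
frontend 1_HTTPS_frontend
    mode http
    # If requests arrive via a local TCP (SNI) frontend on 127.0.0.1, the real
    # client address is only visible here when that frontend uses send-proxy-v2
    # and this bind uses accept-proxy; otherwise "src" is always 127.0.0.1.
    bind 127.0.0.1:8443 accept-proxy ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1

    # Private IPv4 sources (RFC1918) plus IPv6 ULA for completeness.
    # A GUA range from a dynamic ISP prefix cannot be listed statically here.
    acl src_private src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7

    # Hostnames that must stay LAN-only (Host header with any :port stripped).
    acl host_internal_only req.hdr(host),field(1,:),lower -m str nas.example.com router.example.com

    # External client asking for a LAN-only hostname: answer 403 before routing.
    http-request deny deny_status 403 if host_internal_only !src_private

    # Normal hostname-based routing for everything that passed the check above.
    use_backend nas_backend    if { req.hdr(host),field(1,:),lower -m str nas.example.com }
    use_backend router_backend if { req.hdr(host),field(1,:),lower -m str router.example.com }
    default_backend public_backend

backend nas_backend
    mode http
    server nas 192.168.1.10:5001 ssl verify none

backend router_backend
    mode http
    server router 192.168.1.1:443 ssl verify none

backend public_backend
    mode http
    server web 192.168.1.20:8080
```

A quick check from the LAN and from an external address (for example `curl -k -H 'Host: nas.example.com' https://<public-ip>/`) should return the backend's response for the former and a 403 for the latter; if both return 403 or both succeed, inspect whether `src` is really the client address in the HAProxy log.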

This is an excellent tutorial. I'm fairly new to opnsense, and this was a great start to get me going getting the services up and running. @TheHellSite I appreciate the work you have dedicated to it, despite your busy schedule. Thank you.

With OPNsense 26.1.9, some of the settings have moved or are not available, so there were places where I had to think and google to proceed. Ideally, the guide should be updated, but I know it's a big ask.

There isn't a need to enable NAT reflection it seems (which puzzled me a little bit why it was working to connect from LAN). What I think happens is when a package from LAN destined for the public IP, opnsense will see that the package is for itself using its public facing IP and send it directly to HAproxy without NAT due to its `0.0.0.0:443` listen of `0_SNI_frontend`. So perhaps "part 6" should be updated? I'm left with the open question: When do we use option A) Split DNS or B) NAT reflection when option 0) Do nothing seems to work?

Is it always necessary to create a backend and a server when there is 1 to 1 relationship between the two? Can it be combined somehow? I assume this is a core design of HAProxy?