OPNSense HAProxy and Cloudflare

Started by lilsense, July 18, 2021, 02:21:09 PM

Would someone be able to convert this video into OPNsense HAProxy? I am having a hard time making mine work.

https://www.youtube.com/watch?v=LlbTSfc4biw

Well, it seems a bit much asking someone else to create a video for you but I'm proxying a domain from Cloudflare to HAProxy and the Cloudflare settings are pretty much the same as in the video.

I have not bothered to do the Full (strict) SSL/TLS mode but the Full mode works fine for me.

If you already have a proper HAProxy setup it should not require any additional configuration in HAProxy except maybe creating an ACL that allows Cloudflare IPs only.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover

--
Available for private support.
Did my answer help you? Feel free to click [applaud] to the left

As the original developer of the nginx plugin, I know that there is also a specific header as the real IP source.

I am not asking for a new vid. I am asking for help setting up the HAP to work. I followed the vid and I am unable to start the HAP.

Quote from: fabian on July 18, 2021, 10:10:56 PM
As the original developer of the nginx plugin, I know that there is also a specific header as the real IP source.

Do you have a process to do this with nginx as opposed to HAP? I think nginx uses more resources, but I think it will be ok.

Take a look at this guide to get HAProxy up and running:

https://forum.opnsense.org/index.php?topic=23339.0

One issue is that it uses Let's Encrypt instead of the certs on the OPNsense in the Trust section.

Why is that an issue though?
That's what I'm doing and it works with Cloudflare's Full mode.

Otherwise you can generate a CSR under System - Trust - Certificates, put that in Cloudflare to get your cert and then import your Cloudflare cert in OPNsense and use that in HAProxy.
Quote from: lilsense on July 19, 2021, 12:21:58 PM

Do you have a process to do this with nginx as opposed to HAP? I think nginx uses more resources, but I think it will be ok.

https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml#L702

You can do that in HAProxy as well but it is maybe not provided by the plugin itself.

I am not sure what I am looking at in that XML.

I found this:
https://www.loadbalancer.org/blog/how-to-add-cloudflare-in-front-of-a-load-balancer/

Would this be done on the OPNsense?

This is a header sent by CF to tell your app who is talking to it on the other end.


Quote from: lilsense on July 20, 2021, 09:41:01 PM
Can this be done with WireGuard?

No, that is a VPN. Cloudflare does not work if you use a VPN to bypass it.

If you use Cloudflare with your HTTPS, you will have the following connection:
Client Out -> In Cloudflare (Blackbox) Out -> In OPNsense Load Balancer
Since your LB will get the IP of Cloudflare as remote IP, your logs will be quite useless unless you configure a real IP source to log the right IP address.
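The two points raised in this thread (an ACL that admits only Cloudflare's edge addresses, and a "real IP source" so the logs show the visitor rather than Cloudflare) can be expressed in a plain HAProxy configuration. The following is an added example written for this page; it is not from the thread, the video, or the OPNsense HAProxy plugin (which generates its own config from the GUI). The certificate path, the Cloudflare IP list file and the backend address are placeholders you would substitute with your own; CF-Connecting-IP is the header Cloudflare uses to carry the original client address.

```haproxy
# Added example, not the OPNsense plugin's generated config.
# Paths and addresses below are placeholders.
global
    log /var/run/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    bind :443 ssl crt /usr/local/etc/haproxy/example.pem   # placeholder cert bundle

    # Cloudflare publishes its edge IPv4/IPv6 ranges; keep a local copy
    # (one CIDR per line, placeholder path) and match the TCP peer against it.
    acl from_cloudflare src -f /usr/local/etc/haproxy/cloudflare_ips.lst

    # Drop every connection that did not arrive through Cloudflare. This is what
    # makes the header below trustworthy: only a Cloudflare edge can reach us,
    # so nobody else gets the chance to send a forged CF-Connecting-IP.
    tcp-request connection reject if !from_cloudflare

    # Real IP source: when the peer is Cloudflare and the header is present,
    # replace the logged/ACL source address with the visitor's address.
    http-request set-src req.hdr(CF-Connecting-IP) if from_cloudflare { req.hdr(CF-Connecting-IP) -m found }

    default_backend web

backend web
    server app1 192.0.2.10:80 check   # placeholder origin server
```

The order matters: the `tcp-request connection reject` runs before any HTTP header is read, so the `set-src` only ever fires for requests that provably came from a Cloudflare edge. Keeping the CIDR list current is part of the design, since an address that drops out of Cloudflare's published ranges would start being rejected.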

July 22, 2021, 01:26:51 AM #13 Last Edit: July 22, 2021, 01:34:01 AM by lilsense
Quote from: sorano on July 19, 2021, 02:47:05 PM
Take a look at this guide to get HAProxy up and running:

https://forum.opnsense.org/index.php?topic=23339.0

I am trying to follow this using Let's Encrypt, but it seems that Cloudflare DNS is not working and I am unable to get the SSL working.

I get the following error: AcmeClient: domain validation failed (dns01)

One thing that is so scattered is the DNS resolve for Cloudflare... it looks like Let's Encrypt is trying to use/create a TXT record with a certain value. How do I make this work in Cloudflare? When I update this information the data changes.