Port 80 and 443 to more than one computer.

[neggard]

I have one NAS and one webserver.

The webserver have port 80 and 443 open for web and ssl, I have Lets encrypt cert, on this server.
Now I also have a NAS from synology and want to use Lets encrypt on that device too.

My webserver is hosting example1.com domain and on my nas I want domain2.com
But how could this be done?

I think I can on my webserver with open port redirect traffic to domain2.com so it work but how do I do when lets encrypt need port 80 and 443 for renew lets encrypt?

[monstermania]

Hi,
you need a reverse proxy to manage this with OPNsense. Under 'System -> Firmare -> Plugins -> haproxy'  you can install the plugin into OPNsense.

best regards
Dirk

[neggard]

Thank you, I try this when I come home.

[Julien]

Thank you, I try this when I come home.

this is interesting for us too,
managed to install the HAPproxy,
is there a tutorial for the configuration ?
we have two exchanges servers serving two different domains and want to fix the 443 issue with the reserve.
 

[smajor]

I didn't realize haproxy was a plugin... definitely interested in any configuration tips one finds.  I'm in the same situation with Lets Encrypt.

[franco]

There's also the older load balancer plugin, which used to be part of the base installation. But not a lot of people use it it seems.

You can find pfSense docs for it and they do apply pretty well.


Cheers,
Franco

[smajor]

Has anyone made any progress with this... man, haproxy is just a beast.

I can't figure out if BOTH frontends and backends are necessary for my purpose and, I assume, the purpose of the original poster.  I have two domains on two different servers behind NAT.  I'd like:

www.example.com to point to 10.0.1.200 on both port 80 and 443

and

www.example.net to point to 10.0.1.201 on both port 80 and 443

I assume the "frontend" will need to watch for the particular fqdn on those ports and direct to the appropriate system, I again assume defined in "servers"?

Not sure where the backend fits into it all...

[Julien]

i can't seem to get this working as well.
i have two servers behind the nat and both needs 443 ports to be forwarded to both of them. can't seem to get it fixed.

[ChrisH]

HAProxy is really cool once you figure out how it works.

A backend is just a collection of servers. ACLs (used below) are conditions.

In your case:
- create servers for your two Exchange boxes
- create one backend and put both servers into it
- create an ACL with name "example.com" -> Expression "host ends with" -> Value "example.com"
- create an ACL with name "example.net" -> Expression "host ends with" -> Value "example.net"
- create an action with name "example.com" -> test type "IF" -> ACL "example.com" -> choose action "use server" -> use server "first Exchange"
- create an action with name "example.net" -> test type "IF" -> ACL "example.net" -> choose action "use server" -> use server "second Exchange"
- create a frontend -> Listen address "your WAN address:80" -> actions "example.com", "example.net"

Now install the Let's Encrypt plugin and get certs for example.com and example.net (don't forget autodiscover. etc)
- create a frontend -> Listen address "your WAN address:443" -> SSL offloading enabled -> certificates "example.net", "example.com" -> actions "example.com", "example.net"

That should (broadly) cover it.

Edit: Don't forget to disable NAT for ports 80 and 443 and to add a firewall rule to allow access to 80 and 443.

[Julien]

HAProxy is really cool once you figure out how it works.

A backend is just a collection of servers. ACLs (used below) are conditions.

In your case:
- create servers for your two Exchange boxes
- create one backend and put both servers into it
- create an ACL with name "example.com" -> Expression "host ends with" -> Value "example.com"
- create an ACL with name "example.net" -> Expression "host ends with" -> Value "example.net"
- create an action with name "example.com" -> test type "IF" -> ACL "example.com" -> choose action "use server" -> use server "first Exchange"
- create an action with name "example.net" -> test type "IF" -> ACL "example.net" -> choose action "use server" -> use server "second Exchange"
- create a frontend -> Listen address "your WAN address:80" -> actions "example.com", "example.net"

Now install the Let's Encrypt plugin and get certs for example.com and example.net (don't forget autodiscover. etc)
- create a frontend -> Listen address "your WAN address:443" -> SSL offloading enabled -> certificates "example.net", "example.com" -> actions "example.com", "example.net"

That should (broadly) cover it.

Edit: Don't forget to disable NAT for ports 80 and 443 and to add a firewall rule to allow access to 80 and 443.

Hi ChrisH,
hope you can help me get this working as I am stuck here.
we don't want to go back to pfsense.
We have two servers using port 443 exchange and spam filter.
both are using a valid SSL and A record pointing to the public IP.
mail.domain.com
spam.domain.com

on the Servers I have created both exchange and the spam filter with their IP
on the backends and frontends the same

the ACL i have created Compose expression with the expression host starts with mail
and parametre mail.domain.com and Query Backend to the exchange server
did the same for the spam filter but used it FQDN and chosed the right server on the Query Backend

I've created a action for both mail and filter with the type if and select the ACL I've created for each server

I understand I have to disable the NAT for port 80 and 443.
do I have to allow port 443 source any port 443 destination WAN address port 443 ?

thank you for your support

[ChrisH]

Yes, the firewall rule should allow access from any to the addresses and ports you have configured in the HAProxy frontends.

[Julien]

Chris thank you for your answer.
I can't get this to work really.
Our Certificates are 3rd partys and not let encrypt.
is this a relevant to get this working ?

[ChrisH]

No, where you got the certificates is not relevant.
Can you post screenshots? What does the HAProxy log say? Does the service even start?

[Julien]

No, where you got the certificates is not relevant.
Can you post screenshots? What does the HAProxy log say? Does the service even start?

Hi Chris the service does start and no error on the log at all.
backend and frontend are configured with the action .
if we are using mail.domain.com and spam.domain.com which options are we supposed to use on the Compose expression ?

[ChrisH]

Sorry, I need more data to help you effectively.
"Host regex" and (mail|spam)\.domain\.com should work.