• Squid Guard changes only apply after system reboot

    3
    0 Votes
    3 Posts
    482 Views

    @kom That did the trick! I knew it was something simple I was overlooking. Thanks for the help!

  • 0 Votes
    1 Posts
    183 Views
    No one has replied
  • How to store Lim Light Squid Cache 4.14

    1
    0 Votes
    1 Posts
    236 Views
    No one has replied
  • HAProxy : Shared Frontend: SSL and Non-SSL Backends?

    3
    0 Votes
    3 Posts
    2k Views

    @clarence
    I'm glad I found your post, maybe you can help me too.
    I also use Dynu.com and am trying to set up SSL from Let's Encrypt but I can't get it to work and I'm thinking it has to do with authentication through Dynu.

    I have one static IP address and want to be able to host 2 or 3 websites, all public.
    I also like to watch Tom's videos at Lawrence Systems and watched the video you linked before I got started but it wasn't clear enough for me. I found this video which walks the way through the creation of the setup.
    https://www.youtube.com/watch?v=FWodNSZXcXs

    Now I set up essentially the same configuration he put together. In Acme I created 1 wildcard cert from Let's Encrypt for my domain and one specific to one of the websites. They all completed successfully. His setup worked, mine didn't. So I did more searching and found your post here.

    I did not know CAAs had to be created so I just added them to my Dynu DNS records.
    I also added your suggestion for the added security settings to my setup.
    Still my websites will connect through HAproxy but they still show "Not Secure".

    You mentioned you had to create txt records. What are they and where do they go? What information needs to be in them? Is this because of the way Dynu works?

    Any ideas what I could be missing?

  • Not getting a Kerberos ticket

    1
    0 Votes
    1 Posts
    233 Views
    No one has replied
  • pot. Bug: special characters in description

    4
    0 Votes
    4 Posts
    549 Views
  • krb5.conf

    2
    0 Votes
    2 Posts
    267 Views
    No one has replied
  • HAProxy: After upgrading 2.5.0 -> 2.5.1 no server entries in backend

    4
    0 Votes
    4 Posts
    648 Views

    Ok, this was a side effect of this problem: https://forum.netgate.com/topic/162978/unbound-stop-working-on-127-0-0-1-after-2-5-1-upgrade

  • HAProxy truncating requests?

    1
    0 Votes
    1 Posts
    572 Views
    No one has replied
  • HAProxy with multiple connections

    2
    0 Votes
    2 Posts
    431 Views

    @hannesk
    Put both of the 2 acl names behind the use_backend action?

  • 0 Votes
    1 Posts
    344 Views
    No one has replied
  • It is safe to manually remove logs from Squid and SquidGuard?

    1
    0 Votes
    1 Posts
    200 Views
    No one has replied
  • Cannot reach HAProxy domain over OpenVPN

    2
    0 Votes
    2 Posts
    343 Views

    @task Update: I discovered that adding a manual route to my WAN ip in my device works. I'm trying to make it automatic by using the push command in open vpn Custom Options:

    push "route X.X.X.X 255.255.255.255"

    But adding the push route breaks the vpn connection. Any suggestion?
    Thanks

  • Unofficial WPAD package for pfSense software

    51
    0 Votes
    51 Posts
    16k Views

    @marcelloc
    I have installed the WPAD package, added the DNS host overrides in the DNS Resolver

    wpad pfsensedomain.local 192.168.1.1 wpad

    added the DHCP additional BOOTP.

    number: 252 type: string value: "http://192.168.1.1/wpad.dat"
    number: 252 type: string value: "http://192.168.1.1/wpad.da"
    number: 252 type: string value: "http://192.168.1.1/proxy.pac"

    pfsense webConfigurator is set to https with webGUI redirect selected

    However I am having issues downloading the wpad file

    http://192.168.1.1/proxy.pac This site can’t be reached
    https://192.168.1.1/proxy.pac 404 Not Found nginx
    http://192.168.1.1/wpad0/proxy.pac This site can’t be reached
    https://192.168.1.1/wpad0/proxy.pac the pac file downloads

    I seem to only be able to download the proxy.pac with

    https://192.168.1.1/wpad0/proxy.pac

    Am I missing something?

    UPDATE: I had the wpad listen port set to the proxy port 3128, changing it to port 80 now downloads the file

  • HAProxy basic configuration issue

    12
    0 Votes
    12 Posts
    1k Views
    johnpoz

    The two 00's - is your domain stanmore or stanmoore?

    You leave your description open, and then you try and hide it in the domain name? So not sure.

    if your server is 192.168.8.36

    Then create a host override in pfsense to point whatever.domain.tld to this IP..

    Create a CA, then create a cert with this CA. Trust the CA in your browser - and then use that cert on your server. Done.. NO proxy needs to be involved. Makes no sense to use the proxy unless you want outside people to get in, and to be honest you want to offload the ssl to the proxy and not do it on the server.

    I have a few guides around here about doing just that - let me see if can dig one up and link to it.

    Here - walk through I did back in 2019
    https://forum.netgate.com/post/831783

    edit: To finish that off.. Here is CA trusted by my browser.. And here are 2 devices using certs I signed with my trusted CA. Switch and Nas.

    installed.jpg

    Keep in mind that browsers have backed off on how long a cert could be good for - not that long ago you could make them for like 10 years and be done with it. But now browsers can have issue with certs valid longer than say 1 year

    https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/

    So for your certs you can only do them for that long - or your browser will complain - some of mine were done before those changes went into effect..

    Other advantage of just doing it this way - is you can add in IPs into the certs via SAN, and then either name or IP works and your cert is trusted.

    switch via name or ip

    switch.jpg

    Notice in the cert for my nas above - it lists subject alternative names for nas.local.lan and 192.168.9.10

  • Lua scripts in HAProxy - help!

    3
    0 Votes
    3 Posts
    1k Views
    senseivita

    @lgwapnitsky No, I moved to a dedicated host for HAProxy and just about to deploy I realized it doesn't have that robust of support for directory accounts. I use Active Directory.

    Also, since I asked, pfSense 2.5 came out and it's got a ton of new stuff: it now has the current (or very close to current) HAProxy, supports TLS1.3. I'll try again and come back if I'm successful, good luck to you too! :)

    ________

    PS: If you're open to alternatives for authentication, take a look at Keycloak from (backed by) Red Hat. It does federation, clustering, it provides many clients (to integrate with). OpenID Connect, OpenID, LDAPS, SAML, hardware keys/tokens, socials, SMS, you name it, it does it all and it doesn't even need installation, you just run the WildFly (or Tomcat/JBoss/etc..) servlet. Just charge an iPad or 'cause you'll be doing plenty of reading. It's not hard though. :)

  • Bypass MITM for specific domains

    1
    0 Votes
    1 Posts
    307 Views
    No one has replied
  • SquidProxy 0.4.45 + SquidGuard 1.16.18 periods of loss of connection

    1
    0 Votes
    1 Posts
    274 Views
    No one has replied
  • Squid + SSL Splice All + Office365

    Moved
    7
    0 Votes
    7 Posts
    2k Views
    periko

    @sweety which version u have (squid and SG)?
    Can u show Bypass Proxy for These Destination IPs?
    Can u show the advanced options from squid(Integrations)?
    Regards!!!

  • (SOLVED)SquidGuard 1.16.18_17 Not Filtering Pfsense 2.5.

    3
    1 Votes
    3 Posts
    597 Views
    periko

    @viktor_g excellent, thanks.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.