HTTPS to PfSense and HTTP after? possible?
-
@viragomann Yes, through ACME, set for the full domain name (cloud.mydomain.org) and also carried into the app (Kubernetes pod) itself.
-
@menethoran And I've tried reaching out to the TrueCharts team (the creators of the TrueNAS SCALE applications), but they are not... um... good at this kind of thing (is the best possible way I can put it). They're all "follow the video, click this button" kind of people, with, I think, only 1 dev that understands the interplay between their pods and TrueNAS...
-
@menethoran said in HTTPS to PfSense and HTTP after? possible?:
When I try to connect to cloud.mydomain.com I'll get an error that 192.168.2.2 took too long to respond. (when connecting from an outside connection)
192.168.2.2 from outside?
From outside your network you will have to connect to the public IP.
-
@viragomann My mistake, I think I was seeing a latent error message (just hanging around from Chrome) on my phone. Trying to connect via Firefox gives a 521 error (if my Cloudflare SSL/TLS is set to Flexible) and just seems to hang, eventually timing out, but not before it looks like it resolves the address to reflect my internal address, i.e.: I connect to https://cloud.mydomain.com, long delay, address changes to https://192.168.2.2:9443/login and then times out (if I have the SSL/TLS settings in Cloudflare set to Full).
So, it LOOKS like the traffic is being routed to where it's supposed to go, but not sure why it's translating the address to the internal one.
-
@menethoran said in HTTPS to PfSense and HTTP after? possible?:
https://192.168.2.2:9443
And this works from inside your network?
Why port 9443?
Did you consider changing the port for the pfSense WebGUI to something other than 443?
-
@viragomann No, I can't connect to 192.168.2.2:9443 from outside my network. Sorry, I think I phrased something wrong.
If I try to connect to https://cloud.mydomain.com the address bar will convert that to https://192.168.2.2:9443/login when it times out (like it's hitting HAProxy or my NAT settings and translating it correctly but not actually hitting the pod on the NAS). And it's set to 9443 because, for some stupid reason, ports lower than 9000 can't be assigned when creating the pods (that may be changed at a later date, but I assume it's to keep people from using ports that the NAS does; who knows what happens in the minds of devs).
-
@viragomann And yes, my pfSense web interface is on 8443.
-
@menethoran said in HTTPS to PfSense and HTTP after? possible?:
no, I can't connect to 192.168.2.2:9443 from outside my network
I was asking for inside connection.
and it's set to 9443 because, for some stupid reason, ports lower than 9000 can't be assigned when creating the pods (that may be changed at a later date, but I assume it's to keep people from using ports that the NAS does; who knows what happens in the minds of devs)
So you connect to port 443 from the internet and forward it to port 9443 on your web server?
-
@menethoran I should also say, I've tried using Traefik (as a pod) but, honestly, I'm completely lost with the way it integrates (because it was "designed" as a pod for TrueNAS by TrueCharts, they do all the backend stuff and there are no ways that I've found to change anything in Traefik by its GUI, and there is no access to the backend (CLI)), so I've kind of disregarded it as a usable piece of software, at least for now. So, I'm trying to get pfSense/HAProxy to work correctly with the NAS and its pods.
-
@viragomann Yes, I can connect perfectly fine to https://192.168.2.2:9443 from inside my network. I can even connect to https://cloud.mydomain.com from inside my own network and it translates to https://192.168.2.2:9443 perfectly fine and everything works.
And yes, my pfSense is set up to forward connections coming in as HTTPS straight to 192.168.2.2:9443... but it only works from inside my network.
(Or, I have HAProxy set up to handle it...)
-
@menethoran
Consider checking your SSL settings with an online checker, e.g. https://www.ssllabs.com/ssltest, to get an idea of what's wrong with it.
-
@viragomann Not entirely sure what the test tells me...
-
@menethoran
This is a test history for cloud.rndtech.org. So this host name was already tested on SSL Labs.
Is this your own domain? Or do you have a subdomain within this?
-
@viragomann rndtech.org is the domain, cloud is its sub (I own rndtech.org)...
And this is a test I ran like 10 minutes ago.
Well, at least I can stop having to substitute mydomain.com :)
-
@menethoran
I'm wondering why it shows different IP addresses for the same server.
So you can open a test to view its result or hit "clear cache" to run a new one.
-
@viragomann Probably Cloudflare...
You're welcome to take a peek at the results (it's a lot of stuff that's a bit above my pay grade...)
https://www.ssllabs.com/ssltest/analyze.html?d=cloud.rndtech.org
-
@menethoran
Yes, I already viewed it. Everything looks fine, apart from supporting TLS 1.0 and 1.1.
But obviously Chrome doesn't like the Cloudflare cert, though it works here in Firefox. Okay, now I get redirected to https://192.168.2.2:9443 as well.
Calling your host, I get to Cloudflare and the server sends 302 (Object moved) > location: https://192.168.2.2:9443/login, which naturally fails.
So it seems to me there is something wrong in the Cloudflare configuration. But I'm not familiar with that.
-
Now I don't even know what's going on... everything (*.mydomain.com) redirects to my local Ombi instance (I was trying to get my HTTP traffic up and running...
-
@menethoran So do you want to use Cloudflare as your proxy, or do you want to use HAProxy?
I use HAProxy to do SSL offloading; I install an ACME cert on HAProxy. Cloudflare is only being used for DNS that points the FQDN of my domain to my pfSense WAN IP. HAProxy answers this, does the SSL stuff and then sends it to my Overseerr running on Docker on my NAS. I used to do this with Ombi as well, but after testing both, Overseerr is better than Ombi in many ways.
-
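An added example, not the configuration of any poster in this thread, of the setup johnpoz describes: HAProxy terminates TLS with the ACME certificate, re-encrypts to the pod on 192.168.2.2:9443, and rewrites the internal-address redirect that viragomann observed (302 to https://192.168.2.2:9443/login) before it reaches the browser. It is written as a plain haproxy.cfg (the pfSense HAProxy package builds an equivalent file from its GUI); the certificate path, the section names and the assumption that the pod presents a self-signed certificate are mine, and it assumes the pfSense WebGUI is on 8443 as stated above so that port 443 is free.

```haproxy
# Added example, not the poster's configuration. Assumed: cert path,
# section names, and that the pod on 192.168.2.2:9443 speaks TLS with a
# certificate issued for its internal address.

frontend https_in
    mode http
    # TLS offload with the ACME certificate (PEM with the key appended; path assumed)
    bind :443 ssl crt /var/etc/haproxy/cloud.rndtech.org.pem alpn h2,http/1.1
    # Tell the app how the client reached us, so any absolute URLs or
    # redirects it builds use the public name instead of its own address.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    http-request set-header X-Forwarded-Port 443
    # Only route the host name we expect; anything else is refused rather
    # than handed to the backend as a default.
    acl host_cloud req.hdr(host) -i cloud.rndtech.org
    use_backend cloud_app if host_cloud
    default_backend no_match

backend cloud_app
    mode http
    option forwardfor
    # Re-encrypt to the pod. "verify none" skips checking the pod's own cert
    # (assumed self-signed); switch to "verify required ca-file ..." once a
    # CA for the internal certificate is available.
    server nas 192.168.2.2:9443 ssl verify none check
    # If the app still answers with a redirect to its internal address
    # (the 302 -> https://192.168.2.2:9443/login seen in the thread),
    # rewrite the Location header so the browser stays on the public name.
    http-response replace-value Location ^https?://192\.168\.2\.2:9443(.*)$ https://cloud.rndtech.org\1

backend no_match
    mode http
    # Unexpected Host header: refuse (HTTP 403) instead of exposing a backend
    http-request deny
```

With the Cloudflare record set to DNS-only, as johnpoz describes, the browser reaches HAProxy directly and sees the ACME certificate rather than Cloudflare's.
-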
@johnpoz I only want Cloudflare to handle my DNS.
And I'll definitely look into Overseerr; I've found Ombi to be a little cumbersome at times, kind of needy, and likes to just stop working for no reason :) I have been using (or trying to get it to work) HAProxy, and I've also been having to mess with Traefik (because of the way the pods are set up as Kubernetes in TrueNAS), but that has caused infinitely more headaches with less progress (read: exactly 0 progress). Probably because it's sort of like an Apple app: it looks pretty and it's super powerful, but since you don't have access to any of the backend stuff on it, it's pretty much useless unless you just want to click buttons (or if you want to click buttons and follow walkthroughs, but it doesn't come close to covering the more technical or difficult setups like what I, and probably most of us, have).
Maybe that's a big problem I've been having then: I've been leaving Cloudflare to proxy my subdomains. (I'm fairly new at this, if you remember any of my other posts, and you've helped with this same issue from different angles.)
Thanks for pointing out, or shining light on, the Cloudflare proxy thing. I'll have to turn it off and see if I can get HAProxy to work. I'll report back later (gotta go pick up a kid and start tonight's drinking).