Netgate Discussion Forum

    PfSense HAProxy certificate export import

    Category: Routing and Multi WAN | 57 Posts, 3 Posters, 5.8k Views
      viragomann @VMlabman

      @VMlabman
      If you enable the encryption in the backend, HAproxy requires an SSL certificate from the backend server to connect and the traffic is then encrypted based on this cert, whether it's validated or not.


        VMlabman @viragomann

        @viragomann

        So for my NAS, since I'm having problems importing the certificate, I'll just create a self-signed certificate on the NAS itself, not checked encrypted SSL certificate in the HAProxy backend, and the proxy will still encrypt the traffic. Am I understanding you correctly? Because I'm still using HAProxy.


          viragomann @VMlabman

          @VMlabman
          Yes, of course it does, as "encryption" is checked.


            VMlabman @viragomann

            @viragomann

            Hello,

            I added my NAS. I have it all set up using an alternate DNS entry from its own standard one in DNS, so I can point it to the firewall / HAProxy as I did with my printer.

            Qnap-1.myvmlab.net = 10.50.50.200 (the device's IP)
            mgmtqnap-01.myvmlab.net = 10.50.50.254 (the firewall / HAProxy)

            When I ping them both I get the correct DNS resolution to the correct IP for the host name. When I go to https://mgmtqnap-01.myvmlab.net:5553 the browser (both Firefox and Chrome) times out with no resolution or additional error. In HAProxy the backend is up. Note the NAS is using a self-signed certificate at the moment. Any ideas?


              viragomann @VMlabman

              @VMlabman said in PfSense HAProxy certificate export import:

              When I go to https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additional error.

              You need the frontend port here!
              I guess it's listening on 443. If so, you can omit the port.


                VMlabman @viragomann

                @viragomann said in PfSense HAProxy certificate export import:

                https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additiona

                WOW, you made it work, LOL. I forgot about that part. All part of being new. It's working and passing through HAProxy. I can see the traffic pass via the stats page.

                Thank you for saving me


                  viragomann @VMlabman

                  @VMlabman said in PfSense HAProxy certificate export import:

                  WOW you made it work LOL I forgot about that part. All part of being new.

                  I know, HAproxy is a bit hard for beginners.


                    VMlabman @viragomann

                    @viragomann

                    It was working until I removed the Root CA from my browser. Once I removed it I get the "Warning: Potential Security Risk Ahead" when going to https://mgmtqnap-01.myvmlab.net/ Do I have to have the Root CA in my browser for it to work? I did see the traffic pass through HAProxy in Stats with the Root CA in my browser. Any ideas?

                    Could this be a case of not having a firewall rule right? I am not sure I ever got that right.

                    Thank you,


                      viragomann @VMlabman

                      @VMlabman said in PfSense HAProxy certificate export import:

                      mgmtqnap-01.myvmlab.net
                      Do I have to have the Root CA in my browser for it to work?

                      If it's a private CA, you need the certificate in the browser to trust the server certificate issued from it.

                      For public CAs the browser or the OS has all certificates included.


                        VMlabman @viragomann

                        @viragomann

                        Got ya, I understand better now. On my printer the HAProxy is working, but when I go into some of the pages on the device they do not load, vs. if I go directly to the IP address itself. Any ideas on that one?

                        Now to add another device. If I have a device that will only take a certificate from, say, GoDaddy or Digital Ocean, will HAProxy work with a default out-of-the-box certificate, or would I have to use an ACME certificate via my public domain name and somehow stop traffic / access from outside my LAN from using it within HAProxy with an ACL?

                        Thank you,


                          viragomann @VMlabman

                          @VMlabman said in PfSense HAProxy certificate export import:

                          On my printer the HAProxy is working but when I go into some of the pages on the device they do not load vs if I go directly to the IP address itself. Any Ideas on that one?

                          But the pages load if you use the backend's host name?

                          If I have a device that will only take a Certificate from say GoDaddy or Digital Ocean. Will HAProxy work with a default out of the box Certificate

                          You mean the backend device pulls its certificate directly from a public CA?
                          And you want to access the device from outside through the reverse proxy?


                            VMlabman @viragomann

                            @viragomann

                            *On my printer the HAProxy is working but when I go into some of the pages on the device they do not load vs if I go directly to the IP address itself. Any Ideas on that one?*

                            *But the pages load if you use the backend's host name?*

                            Yes, sure does.

                            The other question is using HAProxy for SSL on a managed switch. It has few options and I think it's much more complicated for a beginner like myself. This is what I am looking at doing: [link] More fun


                              viragomann @VMlabman

                              @VMlabman said in PfSense HAProxy certificate export import:

                              On my printer the HAProxy is working but when I go into some of the pages on the device they do not load vs if I go directly to the IP address itself. Any Ideas on that one?

                              But the pages load if you use the backend's host name? Yes, sure does.

                              Possibly the backend is expecting the host name it is configured for.
                              You can set HAproxy to send any host name to the backend.
                              To do so, edit the concerned backend, add a host-header set action and enter its host name.

                              But this could also have other reasons. If the host header doesn't solve it, you will have to investigate the issue with the debugging tools of the browser.
                              Find out which pages are concerned. Maybe these are virtual directories?
                              Compare the paths which the browser is requesting in both cases, working and not working.


                                VMlabman @viragomann

                                @viragomann said in PfSense HAProxy certificate export import:

                                Possibly the backend is expecting the host name it is configured for.
                                You can set HAproxy to send any host name to the backend.
                                To do so, edit the concerned backend, add a host-header set action and enter its host name.

                                Where in the backend do I set the host-header? I don't see it, and I even looked in the frontend. I know I am missing it, as I am 100% sure it's right there in front of me.

                                Thank you,


                                  viragomann @VMlabman

                                  @VMlabman
                                  As I wrote, this is an action which you can configure.

                                  Possibly you need to configure an ACL for it which is always true.

                                  I don't use this function for my purposes, however, so I cannot give more details.


                                    VioletDragon @VMlabman

                                    @VMlabman You are missing the most crucial thing here. DNS! What is your goal? What services are you trying to get SSL certificates for? Web services? Mail services?

                                    What is your DNS configuration? Without valid DNS and a domain you will not get an SSL certificate with Let's Encrypt.

                                    In my high availability cluster + hosting services my configuration consists of:

                                    Acme / pfSense on both node 01 & node 02 for SSL offloading.

                                    Backend uses SSL certificates too, but both firewall and servers have their own certificates.

                                    DNS - Split DNS with Digital Ocean API configuration with DNS Resolver.

                                    This gives you more of an idea how it works. Never copy SSL certificates from a server to use on another. This is a flawed configuration. Both need to have SSL certificates generated.

                                    Regards.


                                      VMlabman @VioletDragon

                                      @VioletDragon
                                      @viragomann

                                      Viragomann, I set the host header as shown (hostheaderset.png). The page is still not loading properly; screenshots attached.

                                      I am in a homelab, having deployed HAProxy serving two devices: a printer's web management interface and a NAS web management interface. The NAS works great, smooth and without page load delays or errors. The printer, on the other hand, does not load several of its management pages. It does not give any errors at all, just a partially loaded page when I use the https:// URL vs. just the IPv4 address.

                                      My DNS is set up using the pfSense 2.7.2 resolver. I do have a registered domain as well. Yet for right now I am just working with devices that are not going to be public facing. I am using pfSense for my certificates for the local devices.

                                      After that I will move on to the public facing sites with ACME and my domain.

                                      Thank you,
                                      (attachments: hp prn no load.png, hp prn does load.png)


                                        viragomann @VMlabman

                                        @VMlabman
                                        Host name = FQDN!

                                        AND you need to enter the host name which the printer wants to see.
                                        You wrote it works if you access the printer directly with its host name. Pick this and enter it in the host header.

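The following HAProxy configuration ties together the points made in this thread: the frontend listens on 443 (not on the backend's port), the backend re-encrypts to a self-signed server certificate without validating it ("encryption" checked), and the printer backend gets the "http-request header set" action, where the header name is Host and the fmt is the name the printer expects. This is an added illustration, not the poster's configuration or the file the pfSense package generates; the addresses come from the thread, while the certificate path and the printer's direct host name are placeholders.

```haproxy
# Added example for this thread, not the poster's config. pfSense's HAProxy
# package writes a file like this from its Frontend/Backend forms.
# Assumed: frontend IP 10.50.50.254, NAS 10.50.50.200:5553, printer
# 10.50.50.100:443; certificate path and printer host name are placeholders.

frontend lan_https
    # Listen on the FRONTEND port (443), not the backend's port 5553.
    bind 10.50.50.254:443 ssl crt /PLACEHOLDER/path/to/cert-bundle.pem
    mode http

    # Pick the backend from the name the browser asked for.
    acl host_nas     req.hdr(host) -i mgmtqnap-01.myvmlab.net
    acl host_printer req.hdr(host) -i mgmthpofficejetpro9015e.myvmlab.net
    use_backend be_nas     if host_nas
    use_backend be_printer if host_printer
    default_backend be_nas

backend be_nas
    mode http
    # "Encryption" checked in the backend form: traffic to the NAS is
    # re-encrypted; its self-signed certificate is accepted unvalidated.
    server qnap1 10.50.50.200:5553 ssl verify none

backend be_printer
    mode http
    # The "http-request header set" action: name = Host, fmt = the host name
    # the printer is configured for (the one that works when accessed
    # directly). PLACEHOLDER: replace with the printer's real host name.
    http-request set-header Host printer-direct-name.myvmlab.net
    server hp9015e 10.50.50.100:443 ssl verify none
```

To check which name reaches the printer, compare the Host header in the browser's developer tools for a working and a non-working page, as suggested above.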
                                          VioletDragon @VMlabman

                                          @VMlabman I would not have done it like this. No FQDN, i.e. prn.domain.com.


                                            VMlabman @viragomann

                                            @viragomann

                                            Hello,

                                            Changes I made to http-request header set:
                                            I set name: mgmthpofficejetpro9015e
                                            I set fmt: mgmthpofficejetpro9015e.myvmlab.net

                                            Are the name: and fmt: set correctly?

                                            (attachment: HAProxy Action Setting Header.png)

                                            What I was trying to say was: when I go to 10.50.50.100 I get to it and all works great. It gives me a security warning, I click OK, and I get a page load different than I do with the https page request.

                                            (attachments: printer IP does load right.png, printer IP does load right pg 2.png)

                                            When I go to https://mgmthpofficejetpro9015e.myvmlab.net I get no errors, but it does not load pages fully and thinks I am already logged into the page / site, as it shows Sign-out in the upper right corner.

                                            (attachment: printer FQDN does not load right.png)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.