Netgate Discussion Forum

HAProxy, Letsencrypt and synology

Category: Cache/Proxy
Tags: haproxy, letsencrypt
vacquah, Jul 19, 2019, 6:37 PM (last edited by vacquah Jul 19, 2019, 6:38 PM)

@johnpoz - you have simplified it for me. For the DSM, I don't need external access. For the UniFi controller, I think I will - but I can access it via the cloud account, correct?

Seems I have the same items you have - Synology box and UniFi controller (gen 2) and OpenVPN. I don't have Plex.

So just walk me through how to set these up the way you have. That should be good enough for me. Let's start with the DSM, please.
johnpoz (LAYER 8, Global Moderator), Jul 19, 2019, 7:06 PM (last edited by johnpoz Jul 19, 2019, 7:09 PM)

Well if you don't access your NAS from outside, and you want a cert... Just create a CA in your pfSense and create a cert... I can for sure walk you through that with screenshots. There are a few threads around here where I have done it for other things.. You just want your browser to then trust the CA you created, and you can use that to create any SSL certs you need that you want your browser to trust.

Unifi is a bit trickier - not sure why they have not put in a GUI for managing the certs. But they have the cmd line tool keytool.. If you know the password it's much easier: "aircontrolenterprise"

I can walk you through that as well.. Let me see if I can find one of my threads about having your browser trust the web GUI cert, which will get you through the CA part, and then I can walk you through how to do your NAS and your Unifi... What do you use for your local domain? I use local.lan..

edit: here you go, one of the most recent threads where I went over this
https://forum.netgate.com/topic/141033/tls-certificate-can-i-make-a-fake-ca/20

Get that working for the pfSense web GUI, and then when I get home or this weekend I will walk through with pictures how to use that CA you created for your NAS and Unifi controller.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11
vacquah, Jul 26, 2019, 2:18 PM

@johnpoz apologies for dropping off for a while there. Business travel. Back home now.

You asked what I use for my local domain. I had a domain registered and also set up wildcard ACME certs for it in pfSense. Works well. I got stuck when trying to use HAProxy and the wildcard cert for nas.mydomain.com and unifi.mydomain.com. Hence my questions here.

If going the route of using my internal CA in pfSense, then I'd like to use a .home local domain. I learnt that ICANN has decided not to issue it anymore, so it's safe (right?)
johnpoz (LAYER 8, Global Moderator), Jul 26, 2019, 3:00 PM

Even if they used it publicly - not like you couldn't use it locally.. The only issue you could run into is not being able to get to the exact domain name.. But normally in transparent mode of unbound, if it's not local it will ask public, etc.

I use .lan for my local domain since I find it highly unlikely that will ever become a public TLD.
renat_kaa (replying to @vacquah), Jul 26, 2019, 3:51 PM

@vacquah you don't have to install the Let's Encrypt cert on your Synology. Just put it on the HAProxy frontend and turn SSL offloading on. The Synology IP address and port should be added as the HAProxy backend.
johnpoz (LAYER 8, Global Moderator), Jul 26, 2019, 3:53 PM

He is not wanting to access it remotely - he is wanting to access it via other local machines.. At least that is my take on what he is wanting to do.
renat_kaa (replying to @johnpoz), Jul 26, 2019, 4:12 PM (last edited by renat_kaa Jul 26, 2019, 4:13 PM)

@johnpoz I see... So, anyway, cert manager + HAProxy could be used as an internal proxy. Easy cert issuing procedure, easy publishing etc.
johnpoz (LAYER 8, Global Moderator), Jul 26, 2019, 4:25 PM

@Renat said in HAProxy, Letsencrypt and synology:

    Easy cert issuing procedure, easy publishing etc

Maybe you think that is easy ;) But think it through - it's not, compared to a one-time install of a cert on the NAS that is trusted for 10-some years and done, for something that is only accessed by 1 guy anyway ;) And no need to bounce off a proxy for something that is right next to the client.

It's utterly pointless to hit a reverse proxy to reach something that is next to you. It's also pointless to have name resolution point to the IP the proxy is listening on, etc. etc. And now you have to use a public name, and cannot use RFC 1918 addresses as a SAN, etc. etc.

Yes ACME is great, HAProxy is great - for the proper use cases.. Not for getting rid of a browser warning about a cert issue for something that is local to you, and not needed to be accessed by public browsers, etc.

You could also just not use HTTPS locally - but many devices kind of force it even now, etc. And your browser can bitch at you even then, etc. There are many devices locally that are never going to be accessed remotely, etc. Where having your own local CA, that can create certs for whatever FQDN you might want to use and can be trusted for YEARS without having to change it out, is the easier solution for this use case.
renat_kaa (replying to @johnpoz), Jul 26, 2019, 4:35 PM

@johnpoz you're right) all things should be reasonable) But now more and more apps require an SSL connection. And most browsers warn on non-HTTPS connections)
By the way, one Synology device doesn't need such activity))
vacquah, Jul 26, 2019, 5:18 PM

Will be nice to learn how to do it both ways - using HAProxy and just using the internal CA as @johnpoz proposes. I went the HAProxy route and couldn't get it to work. I have the certs issued and HAProxy set up. Perhaps @Renat you can provide a guide on how to do it and I will see if that can get me over the hump, since I have already done most of the steps? (some screenshots of the HAProxy setup). Also, does anything have to be done on the Synology side?
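As an added example (not from the thread, and not the config the pfSense HAProxy package writes for you), here is the raw haproxy.cfg equivalent of what renat_kaa describes and what vacquah asks for above: TLS terminated on the frontend with the ACME wildcard cert, and the DSM and UniFi controller as backends chosen by hostname. Assumed values: 192.168.1.10 for the DSM, 192.168.1.20 for the UniFi controller, the cert+key bundle at /var/etc/haproxy/wildcard.pem, and the nas/unifi.mydomain.com names from the thread.

```haproxy
# Added example, not from the thread nor generated by the pfSense package.
# Constructed values: 192.168.1.10 = DSM, 192.168.1.20 = UniFi controller,
# /var/etc/haproxy/wildcard.pem = ACME wildcard cert + key for *.mydomain.com.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 80 exists only to bounce clients to HTTPS.
frontend http_in
    bind *:80
    http-request redirect scheme https code 301

# TLS terminates here ("SSL offloading"): clients see the trusted wildcard
# cert and never the self-signed certs on the DSM or the UniFi controller.
frontend https_in
    bind *:443 ssl crt /var/etc/haproxy/wildcard.pem alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=31536000"
    acl host_nas   req.hdr(host) -i nas.mydomain.com
    acl host_unifi req.hdr(host) -i unifi.mydomain.com
    # Refuse anything that is not one of the two published names.
    http-request deny if !host_nas !host_unifi
    use_backend synology_dsm if host_nas
    use_backend unifi_ctrl   if host_unifi

# DSM listens on 5001 (HTTPS) by default. The hop to the NAS is re-encrypted,
# but its self-signed cert is not verified; the LAN segment is the trust boundary.
backend synology_dsm
    server dsm 192.168.1.10:5001 ssl verify none check

# The UniFi controller web UI is HTTPS on 8443 with its own self-signed cert.
backend unifi_ctrl
    server unifi 192.168.1.20:8443 ssl verify none check
```

Internal DNS (for example Unbound host overrides) must resolve nas.mydomain.com and unifi.mydomain.com to the address HAProxy listens on, which is exactly the name-resolution detour johnpoz objects to for a purely local setup.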
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.