HAProxy, Letsencrypt and synology

vacquah · Jul 19, 2019, 6:38 PM

@johnpoz - you have simplified it for me. For the dsm, I dont need external access. For the unifi controller, I think I will - but i can access it via the cloud account, correct?

Seems I have the same items you have - synology box and unifi controller ( gen 2) and openvpn. I dont have plex.

So just walk me through how to set these up they way you have. that should be good enough for me. Lets start with the dsm, please.

johnpoz · Jul 19, 2019, 7:09 PM

Well if you don't access your nas from outside, and you want a cert... Just create a CA in your pfsense and create a cert... I can for sure walk you through that with screenshots. There are few threads around here were I have done it for other things.. You just want your browser to then trust your CA you created and you can use that to create any ssl certs you need that you want your browser to trust.

Unifi is a bit trickier - not sure why they have not put in a gui for managing the certs. But they have cmd line tool ketool.. If you know the password its much easier "aircontrolenterprise"

I can walk you through that as well.. Let me see if can one of my threads about having your browser trusting the web gui cert, which will get you through the CA part, and then can walk you through how to do your nas and your unifi... What do you use for your local domain, I use local.lan..

edit: here you go one most recent threads where went over this
https://forum.netgate.com/topic/141033/tls-certificate-can-i-make-a-fake-ca/20

Get that working for pfsense web gui, and then when I get home or this weekend will walk through with pictures how to use that CA you created for your nas and unifi controller.

vacquah · Jul 26, 2019, 2:18 PM

@johnpoz apologies for dropping off for awhile there. business travel. back home now.

You asked what i use for my local domain. I had a domain registered and also setup wildcard acme certs for it in pfsense. Works well. I got stuck when trying to use haproxy and the wildcard cert for nas.mydomain.com and unifi.mydomain.com. hence my questions here.

If going the route of using my internal CA in pfsense, then I'd like to use a .home local domain. I learnt that icann has decided not to issue it anymore so it safe ( right?)

johnpoz · Jul 26, 2019, 3:00 PM

Even if they use it public - not like you couldn't use it local.. Only issues you could run into is not being able to get to the exact domain name.. But normally in transparent mode of unbound, if not local it will ask public, etc.

I use .lan for my local domain since I find it highly unlikely that will ever become a public tld.

renat_kaa · Jul 26, 2019, 3:51 PM

@vacquah you don't have to install letsencrypt cert to your synology. Just put it to haproxy frontend and set SSL offloading on. Synology ip address and port should be added as haproxy backend.

johnpoz · Jul 26, 2019, 3:53 PM

he is not wanting to access it remote - he is wanting to access via other local machines.. Atleast that is my take on what he is wanting to do.

renat_kaa · Jul 26, 2019, 4:13 PM

@johnpoz I see... So, anyway, cert manager + haproxy could be used as internal proxy. Easy cert issuing procedure, easy publishing etc.

johnpoz · Jul 26, 2019, 4:25 PM

@Renat said in HAProxy, Letsencrypt and synology:

Easy cert issuing procedure, easy publishing etc

Maybe you think that is easy ;) But think it through - its not compared to 1 time install of cert on nas that is trusted for 10 some year and done that is only accessed by 1 guy anyway ;) And no need to bounce off a proxy for something that is right next to the client.

Its utterly pointless to hit reverse a reverse proxy to hit something that is next to you. Its also pointless to have name resolution point to the IP the proxy is listening on, etc. etc. And now you have to use a public name, and can not use rfc1918 as san, etc. etc.

Yes acme is great, ha proxy is great - for the proper use cases.. Getting rid of browser warning about cert issue for something that is local to you, and not needed to be accessed by public browsers, etc.

You could also just not use https locally - but many devices kind of force even now, etc. And your browser can bitch you even then, etc. There are many devices locally that are never going to be accessed remotely, etc. Where having your own local CA, that can create certs for whatever fqdn you might want to use and can be trusted for YEARS without having to change it out is the easier solution for this use case.

renat_kaa · Jul 26, 2019, 4:35 PM

@johnpoz you're right) all things should be reasonable) But now more and more apps requires ssl connection. And most browsers warn non https connection)
By the way, one synology device don't need such activity))

vacquah · Jul 26, 2019, 5:18 PM

Will be nice to learn how to do it both ways - using haproxy and just using the internal CAs as @johnpoz proposes. I went the haproxy route and couldnt get it to work. I have the certs issued and haproxy setup. Perhaps @Renat you can provide a guide how to do it and I will see if that can get me over the hump since I have already done most of the steps? ( some screenshots of haproxy setup). Also anything has to be done on the synology side?