Netgate Discussion Forum

    HAProxy, Letsencrypt and synology

    Cache/Proxy
    haproxy letsencrypt
vacquah (last edited by vacquah)

@johnpoz - you have simplified it for me. For the DSM, I don't need external access. For the UniFi controller, I think I will - but I can access it via the cloud account, correct?

Seems I have the same items you have - Synology box and UniFi controller (gen 2) and OpenVPN. I don't have Plex.

So just walk me through how to set these up the way you have. That should be good enough for me. Let's start with the DSM, please.

johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

Well, if you don't access your NAS from outside and you want a cert... Just create a CA in your pfSense and create a cert... I can for sure walk you through that with screenshots. There are a few threads around here where I have done it for other things... You just want your browser to then trust the CA you created, and you can use that to create any SSL certs you need that you want your browser to trust.

UniFi is a bit trickier - not sure why they have not put in a GUI for managing the certs. But they have the command line tool keytool... If you know the password it's much easier: "aircontrolenterprise".

I can walk you through that as well... Let me see if I can find one of my threads about having your browser trust the web GUI cert, which will get you through the CA part, and then I can walk you through how to do your NAS and your UniFi... What do you use for your local domain? I use local.lan.

Edit: here you go, one of the most recent threads where I went over this:
        https://forum.netgate.com/topic/141033/tls-certificate-can-i-make-a-fake-ca/20

Get that working for the pfSense web GUI, and then when I get home or this weekend I will walk through with pictures how to use that CA you created for your NAS and UniFi controller.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

vacquah

@johnpoz apologies for dropping off for a while there. Business travel. Back home now.

You asked what I use for my local domain. I had a domain registered and also set up wildcard ACME certs for it in pfSense. Works well. I got stuck when trying to use HAProxy and the wildcard cert for nas.mydomain.com and unifi.mydomain.com. Hence my questions here.

If going the route of using my internal CA in pfSense, then I'd like to use a .home local domain. I learnt that ICANN has decided not to issue it anymore, so it's safe (right?).

johnpoz, LAYER 8 Global Moderator

Even if they used it publicly - not like you couldn't use it locally... The only issue you could run into is not being able to get to the exact domain name... But normally in transparent mode of unbound, if it's not local it will ask public, etc.

I use .lan for my local domain since I find it highly unlikely that will ever become a public TLD.

renat_kaa, replying to @vacquah

@vacquah you don't have to install the Let's Encrypt cert on your Synology. Just put it on the HAProxy frontend and set SSL offloading on. The Synology IP address and port should be added as the HAProxy backend.

johnpoz, LAYER 8 Global Moderator
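As an added illustration of the setup renat_kaa describes (not configuration from this thread or from pfSense's HAProxy package, which generates its own file from the GUI), the following raw HAProxy config terminates TLS with the wildcard cert and forwards to the NAS and the UniFi controller by hostname. The two hostnames come from the thread; the certificate path, LAN IPs and ports are assumptions (DSM and UniFi HTTPS defaults are 5001 and 8443).

```haproxy
# Constructed example: HAProxy terminating TLS for *.mydomain.com and
# proxying to two LAN devices. IPs, ports and the cert path are assumed.
global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: only redirect to HTTPS, never serve content here
frontend http_in
    bind :80
    http-request redirect scheme https code 301

# SSL offloading: HAProxy presents the ACME wildcard cert (assumed path,
# a PEM bundle holding the private key, leaf and chain)
frontend https_in
    bind :443 ssl crt /var/etc/haproxy/mydomain.pem alpn h2,http/1.1
    acl host_nas   req.hdr(host) -i nas.mydomain.com
    acl host_unifi req.hdr(host) -i unifi.mydomain.com
    # Tell the backend the client used HTTPS, so it does not redirect again
    http-request set-header X-Forwarded-Proto https
    use_backend be_dsm   if host_nas
    use_backend be_unifi if host_unifi
    default_backend be_deny

# Synology DSM: re-encrypt to its HTTPS port so the LAN leg is not plaintext.
# DSM ships a self-signed cert, so verification is off here; point
# "ca-file" at the DSM cert instead if you want this leg verified.
backend be_dsm
    server dsm 192.168.1.20:5001 ssl verify none check

# UniFi controller: web UI is HTTPS only, on 8443 by default
backend be_unifi
    server unifi 192.168.1.21:8443 ssl verify none check

# Unknown Host header: refuse instead of falling through to a device
backend be_deny
    http-request deny deny_status 403
```

Locally, nas.mydomain.com and unifi.mydomain.com must resolve (for example via unbound host overrides) to the address HAProxy listens on, not to the devices themselves.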

He is not wanting to access it remotely - he is wanting to access it via other local machines... At least that is my take on what he is wanting to do.

renat_kaa, replying to @johnpoz (last edited by renat_kaa)

@johnpoz I see... So, anyway, cert manager + HAProxy could be used as an internal proxy. Easy cert issuing procedure, easy publishing, etc.

johnpoz, LAYER 8 Global Moderator

                    @Renat said in HAProxy, Letsencrypt and synology:

                    Easy cert issuing procedure, easy publishing etc

Maybe you think that is easy ;) But think it through - it's not, compared to a one-time install of a cert on the NAS that is trusted for 10 some years and done, that is only accessed by one guy anyway ;) And no need to bounce off a proxy for something that is right next to the client.

It's utterly pointless to hit a reverse proxy to get to something that is next to you. It's also pointless to have name resolution point to the IP the proxy is listening on, etc. etc. And now you have to use a public name, and cannot use RFC1918 as a SAN, etc. etc.

Yes, ACME is great, HAProxy is great - for the proper use cases... Getting rid of a browser warning about a cert issue for something that is local to you, and not needed to be accessed by public browsers, etc., is not one of them.

You could also just not use HTTPS locally - but many devices kind of force it even now, etc. And your browser can bitch at you even then, etc. There are many devices locally that are never going to be accessed remotely, etc. Where having your own local CA, that can create certs for whatever FQDN you might want to use and can be trusted for YEARS without having to change it out, is the easier solution for this use case.

renat_kaa, replying to @johnpoz

@johnpoz you're right) all things should be reasonable) But now more and more apps require an SSL connection. And most browsers warn on non-HTTPS connections)
By the way, one Synology device doesn't need such activity))

vacquah

Will be nice to learn how to do it both ways - using HAProxy and just using the internal CA as @johnpoz proposes. I went the HAProxy route and couldn't get it to work. I have the certs issued and HAProxy set up. Perhaps @Renat you can provide a guide on how to do it and I will see if that can get me over the hump, since I have already done most of the steps? (Some screenshots of the HAProxy setup.) Also, does anything have to be done on the Synology side?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.