HAProxy + ACME [FIXED]
-
I have to say I've tried multiple different tuts trying to get this working…
It seems that there is just 1 thing every tut is missing cause it doesn't matter which one I used nothing seems to work...
Currently getting a 503 which makes me think that haproxy is working... but... This is as close as I've come.Installed
-
pfsense 2.4.2
-
haproxy package 0.54_2
-
acme package 0.1.23
Looking to setup multiple sub domains to pass through firewall
And also setup multiple local domains
-
plex.local or plex.domain.local
-
http1.local
-
http2.local
And I would like to get ACME to server SSL certs for them all.
-
-
A nice wish-list, only need 3 steps:
- configure pfSense so it works
- configure haproxy so it works
- configure acme package so it works
And your done :o , besides what you 'want', it is important for me to know what you 'did'.
As currently there is just to little information here to tell what setting you might have missed that causes a 503.
Please share haproxy.cfg (from bottom of haproxy settings tab) and some additional screenshots that you have for acme configuration. Also check and tell what haproxy's stats page LastChk is telling about the servers, are they marked as 'down' ?https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/haproxy_troubleshooting
Other than that, acme cannot provide certificates for your http1.local's domain as it wont be able to check for its existence / ownership on pubic accessible http webserver or public dns txt records..
-
I'm sitting with clean install, and the packages installed…
-
Ok so your sitting, that seems like a safe position.. and now what do you expect will happen.?
Have you tried anything else?
-
As stated, I've tried multiple tutorials…
and to clear my many attempts I cleared everything, Cause I was still seeing squid in the menu even though I had removed it.
I wanted a fresh install to start from.
-
So things I was stuck with… that I thought could be issues.
- Dynamic DNS as I only have a DHCP IP from my ISP a few tutorials utilized DDNS which I have not setup.
-
A (IPv4) record .domain.com to my IP
-
CNAME(s) set to subdomain.*
-
HAProxy listening on same port as pfsense
-
Or simple Rule not set correctly
-
My original issues were while playing with vlan that didn't work and then later finding out I need a switch that supported them, which is ordered and in route… but I figured I could still set the rest up while I waited.
-
So you have a domain name www.domain.com , if you ping that domain it results in your wan-ip? DDNS is only 'required' when the ip changes and you want to update it dynamically.. A static A record should work fine while it doesnt.. (most dynamic ip's for residential connections ive worked with stay the same for weeks or even over a year..) so not using DDNS should not be a problem not in the short term / testing phase anyhow.
pfSense webgui and haproxy using the same port should 'technically' not be a problem, however i prefer to use different ports as from a security and simplicity standpoint it could be ambiguous which service is accepting the connection if either service is not running properly ..
You did have a firewall rule that allows TCP traffic on the WAN interface from any:any to wan-ip:80 ?
You did have haproxy configured with a frontend listening on wan-ip:80 ?What happened when you try to browse the http://domain.com ? does it timeout? does it show a 503 error? Does stats page of haproxy show the backend is 'up'? Does it work internally?
If you want to properly use vlan's indeed you need a switch that supports vlans, and know/learn how to configure them on the switch.. trunk-port vs access-port with 1 selected native and/or several tagged vlans over a port.. will need a bit of practice to get it configured right..
Anyhow if you can configure things 90% like you think they should be, and show that configuration in screenshots, and explain what part of it doesn't work yet then i can probably help you get it working..
-
Ok, so DDNS not so much a requirement which is what I thought, I've also held my IP for over a year before.
The pfSense port I'll leave as is for simplicity.
Yes, I originally had a WAN Rule ipv4 and ipv6 any:any to wan on 80 an 443
Trying to browse my domain would either send me to a 503 or a pfSense binding error screen, depending if the domain was set in HAProxy ACL
If I manually use the local IP it would obviously work.I'll start configuring HAProxy
-
Ok, I've gotten a little further… this is without ACME at this point... Starting to think the squid packages that I removed were causing background issues...
www.domain is getting pointed to server locally & externally
- don't know how since I never set www. to do anything yet… is the default backend setting causing this?
sub1.domain, and .domain are getting pointed to server externally but not internally… so thinking loopback issue... or caching...
Will test a few more things after dinner...
-
yes first make sure the basic's work for a simple :80 webservice and perhaps a selfsigned certificate for testing before going for complete acme configuration..
If haproxy returns a 503 usually that is because the server healthchecks are failing. Check on stats page why if that happens.
haproxy indeed sends any traffic it receives on a frontend to the default backend. If traffic arrives on the frontend depends on what ip the dns resolution of www.domain returns.
If it works externally and not internally then a likely cause is the transparent-client-ip feature in the backend.. try disabling that option. Or better make sure client and server are on different networks.. (vlans might help there when the switch arrives)
-
Ok, That was going to be my next question… how to stop the loopback issue.
Transparent ClientIP not checked...
So if I have my servers on 192.168.1.1 and my devices on 192.168.2.1 ect... I'll be able to access the domains locally?
Or, Is there a way to redirect my domain internally to a local domain... sub1.domain.com to sub1.domain.local?
Which would be best practice?
-
Internally you could go for a split-dns solution to reply the webserver 192.168.1.100 ip when a request for sub1.domain.com is made.. But i prefer to keep it simple and have all clients both externally and internally follow (more or less) the same route to the destination.
Sending a redirect could be done also, but well the users would be using 2 different domains for the same website / or a specific page on it, making a favorite to a page wont work when going outside anymore.. Or sending a link to a colleague thats outside..
There shouldn't be much of a 'loopback issue' when using haproxy (not like you would have with portforwards..). as the client resolves the pfSense wan-ip, haproxy accepts the connection, and makes another connection to the webserver.. That should 'just work'.. or is the wan-ip not actually on pfSense but on a upstream isp provided router.?.
So to check, the clients do resolve the wan-ip of pfSense when internally requesting the domain? You have made simple 'pass' rules? (no portforwards should be needed..) Does any error appear? Does stats page 'count' a new connection on frontend when you try to connect?
-
Ok so I started working on getting HTTPS to work…
I've set HTTP redirect to HTTPS, but can't seem to disable it to just test basic http... not a big deal right now... but a pain for troubleshooting...
I'm having trouble finding "good practice" guides for setting up the backend SSL to talk with cert manager...
Here is my HAproxy settings ATM..
# Automaticaly generated, dont edit manually. # Generated on: 2017-12-07 22:10 global maxconn 10 stats socket /tmp/haproxy.socket level admin uid 80 gid 80 nbproc 1 chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 log-send-hostname HAproxy server-state-file /tmp/haproxy_server_state listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats admin if TRUE stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend WAN_HTTP bind wan_ip:80 name wan_ip:80 mode http log global option http-keep-alive timeout client 30000 default_backend ssl-redirect_http_ipvANY frontend WAN_HTTPS bind wan_ip:443 name wan_ip:443 mode http log global option http-keep-alive timeout client 30000 acl www-acl hdr(host) -i www.domain.ca acl cloud-acl hdr(host) -i cloud.domain.ca acl aclcrt_WAN_HTTPS hdr_reg(host) -i ^www\.domain\.ca(:([0-9]){1,5})?$ acl aclcrt_WAN_HTTPS hdr_reg(host) -i ^cloud\.domain\.ca(:([0-9]){1,5})?$ acl aclcrt_WAN_HTTPS hdr_reg(host) -i ^domain\.ca(:([0-9]){1,5})?$ use_backend www_http_ipvANY if www-acl aclcrt_WAN_HTTPS use_backend cloud_http_ipvANY if cloud-acl aclcrt_WAN_HTTPS backend ssl-redirect_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 server redirect 127.0.0.1 backend www_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 server www-acl 192.168.1.100:8090 ssl verify none crt /var/etc/haproxy/server_clientcert_5a22d36348213.pem backend cloud_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 server cloud 192.168.1.100:8082
-
For https does your webserver 'require' sending a client certificate? If not make the ssl related selection boxes there on the backend server empty..
As for the frontend youve got it configured with http/https(offloading) but have not configured the server certificate on the frontend. That is required to be able to read the host-header for the "hdr_reg(host)" acl's youve used.As for the 'redirect' backend it seems your pointing it to the pfSense localhost webgui that is then sending a redirect.. Better configure the redirect in haproxy itself as a 'action' if desired, or point it to the actual webserver:80 for testing.?
Also it might be that the overall webgui redirect in pfSense advanced settings is confusing you.. Or a cached HSTS header that the webgui sends.. To remove that HSTS redirect from browser cache special steps are needed in the browser used..
-
So the certs get set in the frontend or backend?
-
Okay, I'm getting somewhere, I finally got working frontend and backends… I'm just getting an error when I try to use acme cert vs the default cert.
# Automaticaly generated, dont edit manually. # Generated on: 2017-12-08 18:36 global maxconn 10 stats socket /tmp/haproxy.socket level admin uid 80 gid 80 nbproc 1 chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 log-send-hostname HAproxy server-state-file /tmp/haproxy_server_state ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats admin if TRUE stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend ssl-redirect bind wan_ip:80 name wan_ip:80 mode http log global option http-keep-alive timeout client 30000 default_backend ssl-redirect_http_ipvANY frontend HTTPS_Frontend-merged bind wan_ip:443 name wan_ip:443 ssl no-sslv3 crt /var/etc/haproxy/HTTPS_Frontend.pem mode http log global option http-keep-alive option forwardfor acl https ssl_fc http-request set-header X-Forwarded-Proto http if !https http-request set-header X-Forwarded-Proto https if https timeout client 7200000 # Remove headers that expose security-sensitive information. rspidel ^Server:.*$ rspidel ^X-Powered-By:.*$ rspidel ^X-AspNet-Version:.*$ acl aclcrt_HTTPS_Frontend hdr_reg(host) -i ^pfSense-5a22d36348213(:([0-9]){1,5})?$ acl sub1 hdr(host) -i sub1.domain.ca use_backend dummy_backend_http_ipvANY if aclcrt_HTTPS_Frontend default_backend dummy_backend_http_ipvANY default_backend sub1_http_ipvANY backend ssl-redirect_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 redirect scheme https code 301 backend dummy_backend_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 server dummy_backend 127.0.0.1:8888 disabled backend sub1_http_ipvANY mode http log global stats enable stats uri /euc_haproxy?stats stats realm . timeout connect 30000 timeout server 30000 retries 3 option httpchk GET /services/Heartbeat server sub1-svr 192.168.1.100:8090 check inter 1000
-
Getting 'an error' is fixed by performing 'an solution'.
Does haproxy report an error while starting? Does the browser report an error while loading the page? Does the machine catch fire ::) Please specify 'what' error specifically you get and where/when it happens that really helps both you and me..Anyhow..
acl aclcrt_HTTPS_Frontend hdr_reg(host) -i ^pfSense-5a22d36348213(:([0-9]){1,5})?$ acl sub1 hdr(host) -i sub1.domain.ca use_backend dummy_backend_http_ipvANY if aclcrt_HTTPS_Frontend default_backend dummy_backend_http_ipvANY default_backend sub1_http_ipvANYHaving 2 default's and a unused sub1 acl probably creates a few issues.
Use the use-backend action to select a backend when the desired sub1 acl matches instead of specifying a default backend for each frontend without further certificate derived 'automatic' acl's.As for certificates, those that are presented to a client/browser are indeed specified on the frontend. But seeing your config that seems good now.
If the webserver also uses https, and requires a client certificate or you just want to verify its a valid certificate, then haproxy can do that with the certificate options on the server.. But this is usually not needed to get 'things working', but could improve security if the network between haproxy and webserver is not 'trusted'.. For now lets leave this alone and focus on getting the basics working.
Locally http://192.168.1.100:8090/ works without https right.?
-
Ok, the error I get if I move away from the webConfigurator default cert is…
[ALERT] 342/082804 (46521) : parsing [/var/etc/haproxy_test/haproxy.cfg:36] : 'bind WAN_IP:443' : unable to load SSL certificate from PEM fileAlso when I try to add another shared front end with separate backend it will throw a 503 for all https requests
So I don't need seperate backend for each server?
I need plex.domain to go to 1 server
and www.domain to go to a pool of 4 servers
plus a few more domains…and then for the cert(s) I was thinking I could use 1 for all domains but then I'll need a seperate 1 "vpn.domain" for openVPN
Yes http://192.168.1.100:8090/ works
-
# Automaticaly generated, dont edit manually. # Generated on: 2017-12-10 08:09 global maxconn 10 stats socket /tmp/haproxy.socket level admin uid 80 gid 80 nbproc 1 chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 log-send-hostname HAproxy server-state-file /tmp/haproxy_server_state ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats admin if TRUE stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend Frontend1-http bind WAN_IP:80 name WAN_IP:80 mode http log global option http-keep-alive timeout client 60000 acl httpRedirectAcl hdr(host) -i portal.domain.ca acl httpRedirectAcl hdr_beg(host) -i support. acl httpRedirectAcl hdr(host) -i piwik.domain.ca acl httpRedirectAcl hdr(host) -i clan.domain.ca acl httpRedirectAcl hdr(host) -i plex.domain.ca acl httpRedirectAcl hdr(host) -i mine.domain.ca acl httpRedirectAcl hdr(host) -i cloud.domain.ca http-request redirect scheme https if httpRedirectAcl default_backend backend-www_http_ipvANY frontend Frontend2-SNI bind WAN_IP:443 name WAN_IP:443 mode tcp log global timeout client 60000 tcp-request inspect-delay 5s acl aclSupport req.ssl_sni -i support.domain.ca acl aclForum req.ssl_sni -m beg -i forum. tcp-request content accept if { req.ssl_hello_type 1 } tcp-request content accept if { req.ssl_hello_type 1 } use_backend backend-support_https_ipvANY if aclSupport use_backend backend-forum_https_ipvANY if aclForum default_backend fronend3-offloading_https_ipvANY frontend Frontend3-offloading bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl no-sslv3 crt /var/etc/haproxy/Frontend3-offloading.pem bind /tmp/haproxy_chroot/Frontend3-offloading.socket name unixsocket uid 80 accept-proxy ssl no-sslv3 crt /var/etc/haproxy/Frontend3-offloading.pem mode http log global option http-keep-alive option forwardfor acl https ssl_fc http-request set-header X-Forwarded-Proto http if !https http-request set-header X-Forwarded-Proto https if https timeout client 60000 acl aclPortal hdr(host) -i portal.domain.ca acl aclClan hdr(host) -i clan.domain.ca acl aclCloud hdr(host) -i cloud.domain.ca acl aclPiwik hdr(host) -i piwik.domain.ca acl aclPlex hdr(host) -i plex.domain.ca acl aclmineOS hdr(host) -i mine.domain.ca use_backend backend-portal_http_ipvANY if aclPortal use_backend backend-clan_http_ipvANY if aclClan use_backend backend-cloud_http_ipvANY if aclCloud use_backend backend-piwik_http_ipvANY if aclPiwik use_backend backend-plex_http_ipvANY if aclPlex use_backend backend-mineOS_http_ipvANY if aclmineOS default_backend backend-www_http_ipvANY backend backend-www_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server Default 192.168.1.100:19999 check inter 1000 backend backend-support_https_ipvANY mode tcp log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / backend backend-forum_https_ipvANY mode tcp log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / backend fronend3-offloading_https_ipvANY mode tcp log global timeout connect 30000 timeout server 30000 retries 3 server frontend3-srv /Frontend3-offloading.socket send-proxy-v2-ssl-cn check inter 5000 backend backend-portal_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / backend backend-clan_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server Clan 192.168.1.100:8090 check inter 1000 backend backend-cloud_http_ipvANY mode http log global rspadd Strict-Transport-Security:\ max-age=15552000; timeout connect 30000 timeout server 30000 retries 3 server Cloud 192.168.1.100:8082 check inter 1000 backend backend-piwik_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server Piwik 192.168.1.100:8190 check inter 1000 backend backend-plex_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 server Plex 192.168.1.100:32400 check inter 1000 backend backend-mineOS_http_ipvANY mode http log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS /
-
COMPLETED… TY PiBa