Netgate Discussion Forum

Cloudflare, ssl and subdomains

General pfSense Questions
12 Posts 2 Posters 1.3k Views

iSagen (Dec 5, 2023, 11:11 PM)

    I have been trying for days to get my subdomains working.

    Cloudflare is OK, generated certs and imported them to pfSense.

    HAProxy didn't work, either 526 or 522 error.

    Squid doesn't work either.

    I know you can't help me with this little info, but can you point me in the direction of a complete guide for using Cloudflare SSL with subdomains in pfSense?

    johnpoz (LAYER 8, Global Moderator) @iSagen (Dec 6, 2023, 1:13 PM)

      @iSagen what exactly are you trying to do?

      Generated certs where? Are you generating a wildcard cert? Kind of hard to point you to info on doing something if I don't know what you're trying to do.

      I have a domain that Cloudflare does DNS for; it points to my pfSense WAN IP. I have a cert for this FQDN that I use in HAProxy. Works without issue.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      iSagen @johnpoz (Dec 6, 2023, 1:15 PM)

        @johnpoz said in Cloudflare, ssl and subdomains:

        @iSagen what exactly are you trying to do.

        Generated certs where? Are you generating a wildcard cert? Kind of hard to point you to info on doing something, if don't know what your trying to do..

        I have a domain that cloudflare does dns for, it points to my pfsense wan IP.. I have a cert for this fqdn that I use in haproxy.. Works without issue.

        I generated the certs on Cloudflare from a CSR made on the pfSense. Tried to generate them directly at Cloudflare as well. It looks like I am trying the exact same thing as you :)

        johnpoz (LAYER 8, Global Moderator) @iSagen (Dec 6, 2023, 2:01 PM, edited Dec 6, 2023, 2:03 PM)

          @iSagen I didn't generate any certs on Cloudflare; certs are just ACME certs.

          Where are you generating this cert? Can you post a link?

          iSagen @johnpoz (Dec 6, 2023, 7:56 PM)

            @johnpoz said in Cloudflare, ssl and subdomains:

            @iSagen I didn't generate any certs on cloudflare - certs are just acme certs.

            Where are you generating this cert? Can you post a link.

            I made an origin cert in the Cloudflare dashboard.

            https://www.youtube.com/watch?v=LlbTSfc4biw

            This guy has made me do things way above my knowledge base, but I am learning (slowly).

            johnpoz (LAYER 8, Global Moderator) @iSagen (Dec 6, 2023, 10:03 PM)

              @iSagen so you're wanting to use HAProxy on pfSense vs. the Kemp load balancer he was talking about?

              iSagen @johnpoz (Dec 6, 2023, 10:19 PM)

                @johnpoz said in Cloudflare, ssl and subdomains:

                @iSagen so your wanting to use haproxy on pfsense vs the kemp load balancer he was talking about..

                Yes, that is my goal. Not needing an additional VM. I have pfSense running directly on an HP DL380 and am hoping that it would have the power to run HAProxy better than 20 Mbit/s, as my fiber is 500/500.

                The main reason I stumbled into networking is thunder. Twice my entire copper LAN has been fried by a nearby thunder strike. Nothing but the LAN (long runs of copper acting as an antenna) has died. I did open up all the dead components to confirm what was fried, and some components even continued to work without LAN connectivity. So I now run fibre internally as well as externally.

                So, I have some services I would like to access from outside. I have been using port forwarding, and that works. But subdomains would be neater. And I have the chance to learn more about pfSense, subdomains and Cloudflare.

                johnpoz (LAYER 8, Global Moderator) @iSagen (Dec 7, 2023, 12:53 AM)

                  @iSagen you can for sure run HAProxy, but do you really want all the extra of going through Cloudflare as a proxy, and only allowing Cloudflare?

                  I do recall setting this up before, but dropped Cloudflare out of the picture for performance reasons.

                  This is a much easier setup: just run an ACME cert. You can get a wildcard and use your own domain name. You could use one of those free domains if you want, I guess.

                  Are you using one of those Freenom domains? Or do you have your own domain?

                  iSagen (Dec 7, 2023, 9:51 AM)

                    I got a paid domain.

                    I have been running a Let's Encrypt certificate on one of my services, but I am not a fan of the update frequency.

                    I will look into ACME :)

                    johnpoz (LAYER 8, Global Moderator) @iSagen (Dec 7, 2023, 9:56 AM, edited Dec 7, 2023, 9:57 AM)

                      @iSagen yeah, not really a fan of the update frequency either. But if you use HAProxy and the ACME package it can be completely automated.

                      You can set it so that when the cert updates, HAProxy is restarted so it uses the new cert.

                      iSagen @johnpoz (Dec 7, 2023, 1:07 PM)

                        @johnpoz so, I now have ACME working for both the domain and the wildcard domain.

                        HAProxy backend is defined for two subdomains.

                        Frontend is created with rules to the backend.

                        And it kinda works, except all traffic ends up at the default backend. I believe my FW rule may be off: routing all traffic to dest 443, any host. This sounds unsafe, and doesn't do what I want.

                          iSagen @iSagen (Dec 7, 2023, 1:52 PM)
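As an added example (not the poster's configuration, and not the file the pfSense HAProxy package generates from its GUI), here is a minimal haproxy.cfg for the setup the post above describes: one HTTPS frontend terminating TLS with the ACME wildcard certificate, two Host-based ACLs sending two subdomains to two backends, and a default backend that denies instead of quietly serving the wrong site. The hostnames app.example.com and files.example.com, the backend addresses 192.0.2.10 and 192.0.2.20, and the certificate path are assumptions.

```haproxy
# Added example, not the poster's config. Hostnames, backend addresses and
# the certificate path are assumptions; on pfSense the ACME package stores
# the certificate elsewhere and the HAProxy package writes this file for you.
global
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    mode http
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # One listener, one wildcard cert (*.example.com) covering every subdomain
    bind :443 ssl crt /var/etc/haproxy/example.com.pem alpn h2,http/1.1

    # Route on the Host header, case-insensitively
    acl host_app   hdr(host) -i app.example.com
    acl host_files hdr(host) -i files.example.com

    # Tell the backends the client came in over TLS
    http-request set-header X-Forwarded-Proto https

    use_backend be_app   if host_app
    use_backend be_files if host_files

    # Bare WAN IP, unknown subdomains and scanners land here, not on a real service
    default_backend be_deny

backend be_app
    server app1 192.0.2.10:8080 check

backend be_files
    # Internal hop re-encrypted; "verify none" skips checking the backend's
    # (often self-signed) certificate, acceptable only on a trusted segment
    server files1 192.0.2.20:443 ssl verify none check

backend be_deny
    http-request deny deny_status 403
```

Two checks that go with this config. The WAN firewall rule only needs to pass TCP to "WAN address" port 443 (HAProxy binds locally), not to any host, and leftover NAT port forwards on 443 will grab the traffic before HAProxy ever sees it, which matches the fix reported in the next post. If Cloudflare is kept in front as a proxy, restrict the source of that rule to Cloudflare's published IP ranges; in "Full (strict)" mode Cloudflare also has to be able to validate the origin certificate, which a publicly valid ACME certificate satisfies and which is what a 526 means when it does not.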

                          @iSagen

                            Now it works! I had some NAT rules ruining my setup. Deleted them and now it works.

                          :)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.