PfSense HAProxy certificate export import
-
By adding the cert to the local device, that will enable me to connect locally via https://nas.domain name.net:443, the same as when creating the cert. I am asking again to be sure, as I am unable to connect. Do I need to add the cert to the OS or the browser??
Thanks again; next I will include screenshots to see where I am going wrong.
-
@VMlabman
The browser will complain that the certificate is not issued by a trusted CA out of the box. The idea was that you go over HAproxy to your local devices. HAproxy will trust the certs, since they are issued by a CA on pfSense itself.
Also, you can disable the cert verification in the backend. -
Gotcha, back to working on HAProxy. I've had a few problems with it, but now we know we got a good cert from pfSense and a CA from pfSense.
Thank you,
-
-
Now when I am setting up my frontend for the device I get this error. Also, please see the screenshots of the HAProxy config, which are attached.
Errors found while starting haproxy
[NOTICE] (94882) : haproxy version is 2.8.3-86e043a
[NOTICE] (94882) : path to executable is /usr/local/sbin/haproxy
[ALERT] (94882) : config : config: backend 'HPF4AF6E_BE_ipvANY': server 'hpf4af6e' has neither service port nor check port nor tcp_check rule 'connect' with port information.
[ALERT] (94882) : config : Fatal errors found in configuration.
[Screenshot: HAProxy Frontend Error Inside Frontend Config.jpg]
-
@VMlabman said in PfSense HAProxy certificate export import:
Now when I am setting up my frontend for the device I get this error. Also, please see the screenshots of the HAProxy config, which are attached.
Errors found while starting haproxy
[NOTICE] (94882) : haproxy version is 2.8.3-86e043a
[NOTICE] (94882) : path to executable is /usr/local/sbin/haproxy
[ALERT] (94882) : config : config: backend 'HPF4AF6E_BE_ipvANY': server 'hpf4af6e' has neither service port nor check port nor tcp_check rule 'connect' with port information.
[ALERT] (94882) : config : Fatal errors found in configuration.The GUI complains that you didn't state a port for the backend server. This is required and cannot be left blank.
Also ensure after correcting this that the backend is shown as online on the StatsFS page.
Since you have set HTTP health check and didn't state a specific URL, it is required that the backend responses to it accordingly at the IP:port. -
Okay, I got HAproxy up with no health check; I had to force it up from the Stats page. It's still not working.
-
Do I have to point in DNS resolver my printer to my HAProxy Server/Firewall?
-
Do I have to set a rule for anything for this to work? If so, what would that look like if my HAProxy server is on 10.50.50.254 and the device itself is really sitting on 10.50.50.100:443, yet the frontend in HAProxy is pointing to LAN address (IPv4) port 11443? The backend is pointing to 10.50.50.100 port 443.
Screenshots provided for review
-
-
@VMlabman said in PfSense HAProxy certificate export import:
Okay, I got HAproxy up with no health check; I had to force it up from the Stats page.
A basic health check should work well for most cases and gives proper feedback on whether the backend is online.
Do I have to point in DNS resolver my printer to my HAProxy Server/Firewall?
Yes, to an IP which the frontend is listening on, so LAN in this case.
Do I have to set a rule for anything for this to work? If so, what would that look like if my HAProxy server is on 10.50.50.254 and the device itself is really sitting on 10.50.50.100:443, yet the frontend in HAProxy is pointing to LAN address (IPv4) port 11443? The backend is pointing to 10.50.50.100 port 443.
You just need to allow access on the LAN interface to the LAN IP and port 11443. If you didn't remove the allow-any rule, it should work from this point.
Why are you using port 11443 for the frontend at all? This is contrary to the sense of a reverse proxy.
-
-
Backend I changed it to Basic Health Check. Works now
-
Frontend: I changed it to port 443 (I was confused as to the port to use). It's all on 443 now.
1st off, thank you for all your help so far. You have been very kind.
Firewall rule: I don't 100% understand that part yet. So I am stuck on the firewall rule, and I think I should have it working after that.
Fresh Screenshots w/ Highlighted Changes for reference as of this post
FYI.. This is the YouTube Video I am working from:
link text
[Screenshot: HAProxy Frontend.png]
-
-
Here is my interpretation of the Firewall rule
Action: Pass
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: LAN address
Destination: LAN subnet
Destination Port Range: HTTPS (443)
-
@VMlabman said in PfSense HAProxy certificate export import:
Frontend I change it to port 443 ( I was confused as to the port to use ) It's all on 443 now.
443 is the default port for HTTPS. If you use a different one you would have to state it in the URL, e.g. https://nas.local.lan:11443.
A basic idea of a reverse proxy is to share default ports for multiple backends.
This presumes that the single frontend is configured to determine which backend you want to use. This is mostly achieved by the host header.
When using port 443 for the HAproxy frontend, you have to ensure that the pfSense webConfigurator listens on a different port (443 is the default when enabling HTTPS). It can be changed in System > Advanced > Administration. If you do so, you have to state the port in the browser then.
Here is my interpretation of the Firewall rule
What do you want to achieve? I guess you want your LAN devices to be allowed access to HAproxy, which is listening on the LAN address.
Hence the source has to be "LAN subnets", the destination "LAN address".
However, out of the box there is an allow-any-to-any rule on LAN.
If you didn't remove or restrict this, it would allow the access to HAproxy already and there would be no need to add an additional rule for it. -
Hello,
I added the firewall rule and I get: (Warning: Potential Security Risk Ahead)
When I have SSL Offloading checked on the external address in the frontend, I get:
(Warning: Potential Security Risk Ahead)
When I have SSL Offloading unchecked on the external address in the frontend, I get:
400 Bad Request The plain HTTP request was sent to HTTPS port
I tried to add my NAS device in as a test to see what might work, and I can't get the backend to start no matter whether I set the health check method to Basic or HTTP. I did come across this while digging around on the forums: there may be an issue with changing the setting in the backend and having to copy it or rebuild it. I did both without a change in the error. I even used a different frontend to test, too. https://forum.netgate.com/topic/182581/may-have-found-a-bug-in-haproxy-using-ssl-backend-ssl-health-check link text
[WARNING] (12356) : config : Server Qnap-01_BE_ipvANY/qnap-01 is DOWN, changed from server-state after a reload. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
I am going to try to reinstall the package from the package manager to see if it fixes anything.
Any suggestions ?
Thank you,
-
@VMlabman
In the pfSense GUI or in the browser?
If in the browser, from where?
Something more than this? -
I will include screenshots as well
On pfSense, in HAProxy, when I have SSL Offloading checked on the external address in the frontend, I get: (Warning: Potential Security Risk Ahead)
[Screenshot: HAProxy Frontend SSL Checked.png]
When I have SSL Offloading unchecked on the external address in the frontend, I get:
400 Bad Request The plain HTTP request was sent to HTTPS port
-
@VMlabman
I guess your browser is not accepting the SSL certificate if SSL is enabled.
Hit the Advanced button to show the error details. You can also show the certificate.
You need to assign a certificate from a trusted CA to the frontend to load the page in the browser without issues.
If you disable SSL, it would be a wrong configuration, so forget this error 400. If the browser tries to connect to an https site (port 443), it's expecting to get an SSL certificate.
-
I am using a wildcard certificate from my pfSense trusted CA on the frontend. I also imported the same cert into the printer and NAS. I can create a cert individually for each of them. I see where in Edit HAProxy Backend server pool, under Backend, I can set a CA: and/or a Client certificate:. Should I create the certs and import them into the devices and list them under the backend for each host?
Here are some screenshots of the browser errors I get in Firefox and Google Chrome. Maybe this will point at something.
[Screenshot: Browser info shot on error.png]
-
@VMlabman
So this is a self-signed certificate, and the browsers will not trust it.
You can install the CA certificate in the browser to trust all certs issued by it. However, you have to do this in each unique browser with which you want to access HAproxy.
In your initial post you wrote that you enabled ACME. So my assumption was that you got a Let's Encrypt certificate to use in HAproxy.
However, you will need a real public domain name to do this.
My suggestion with the local CA was to secure the traffic inside your network. As I wrote above, you can issue (long validity period) certificates from it and install them on your backend devices. So HAproxy can access the backend servers via HTTPS and will trust the certs, since they are issued from a CA on pfSense itself.
-
I am going to go with your suggestion and use HAProxy and pfSense CAs for the few devices. So that is my goal here: a printer and a NAS. I'm taking it a little bit at a time this go at it.
-
Create CA Root in pfSense
-
Create CA Intermediate in pfSense
-
Create / Sign / Export Device Certs
-
Get Certs onto Devices
-
HAProxy Basic Setup
Thank you,
-
-
Question: when I am creating a certificate request from the device and filling in the Common Name field, is it case sensitive, and is it the FQDN or just the HOSTNAME?
Thank you,
-
@VMlabman
The common name has to be the FQDN. -
thanks
-
@VMlabman
When you enter the FQDN into the browser with "https://" in front of it, the browser expects to get a certificate from the server, in which the common name matches the entered / requested host name (FQDN) in the address line.
If they don't match, the browser will not load the website. -
Thank you so much for everything. I actually got it working thanks to a lot of your help. It is now successfully working on my printer. Also, in the Certificates I realized everything was case sensitive.
Once again, thank you for the education and all your time and effort; it is definitely appreciated.
-
@VMlabman
Glad that you got it working as desired finally. -
Another question re this same project. Does HAProxy support self-signed certificates? If so, is there anything special I need to keep in mind when creating it? The NAS can't do a CSR. I am having issues adding my QNAP NAS to HAProxy. Yet I know HAProxy is working on my printer, so I am just adding a new backend and adding it to the same frontend. Other than that, the NAS is on port 5553, so an easy change on that part in the backend.
Thank you,
-
@VMlabman said in PfSense HAProxy certificate export import:
Does HAProxy support self signed Certificates?
Yes, if you have "SSL checks" unchecked.
The NAS can’t do a CSR.
Does it also not support the import of a certificate?
If you generate the certificate from a CA on pfSense, HAproxy should trust it anyway.
-
However, if I uncheck the SSL box in HAProxy, does that make the connection between HAProxy and the self-signed certificate unencrypted?
-
@VMlabman
If you enable the encryption in the backend, HAproxy requires an SSL certificate from the backend server to connect and the traffic is then encrypted based on this cert, whether it's validated or not. -
So for my NAS, since I'm having problems importing the certificate, I'll just create a self-signed certificate on the NAS itself, leave the SSL certificate check unchecked in the HAProxy backend, and HAProxy will still encrypt the traffic. Am I understanding you correctly, because I'm still using HAProxy?
-
@VMlabman
Yes, of course it does, as "encryption" is checked. -
Hello,
Adding my NAS in, I have it all set up using an alternate DNS entry, separate from its own standard one in DNS, so I can point it to the firewall / HAProxy as I did with my printer.
Qnap-1.myvmlab.net = 10.50.50.200 (the device's IP)
mgmtqnap-01.myvmlab.net = 10.50.50.254 (the firewall / HAProxy)
When I ping them both I get the correct DNS resolution to the correct IP for the host name. When I go to https://mgmtqnap-01.myvmlab.net:5553, both Firefox and Chrome time out with no resolution or additional error. In HAProxy the backend is up. Note the NAS is using a self-signed certificate at the moment. Any ideas?
-
@VMlabman said in PfSense HAProxy certificate export import:
When I go to https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additional error.
You need the frontend port here!
I guess it's listening on 443. If so, you can omit the port. -
@viragomann said in PfSense HAProxy certificate export import:
https://mgmtqnap-01.myvmlab.net:5553 the browser both Firefox and Chrome timeout with no resolution or additiona
WOW you made it work LOL I forgot about that part. All part of being new. It's working and passing through HAProxy. I can see the traffic pass via the stats page.
Thank you for saving me
-
@VMlabman said in PfSense HAProxy certificate export import:
WOW you made it work LOL I forgot about that part. All part of being new.
I know, HAproxy is a bit hard for beginners.
-
It was working until I removed the Root CA from my browser. Once I removed it, I get the Warning: Potential Security Risk Ahead when going to https://mgmtqnap-01.myvmlab.net/ Do I have to have the Root CA in my browser for it to work? I did see the traffic pass through HAProxy in Stats with the Root CA in my browser. Any ideas?
Could this be a case of not having a firewall rule right? I am not sure I ever got that right.
Thank you,
-
@VMlabman said in PfSense HAProxy certificate export import:
mgmtqnap-01.myvmlab.net
Do I have to have the Root CA in my browser for it to work?
If it's a private CA, you need the certificate in the browser to trust the server certificate issued from it.
For public CAs the browser or the OS has all certificates included.
-
Got ya, I understand better now. On my printer HAProxy is working, but when I go into some of the pages on the device they do not load, versus if I go directly to the IP address itself. Any ideas on that one?
Now to add another device. If I have a device that will only take a certificate from, say, GoDaddy or Digital Ocean, will HAProxy work with a default out-of-the-box certificate, or would I have to use an ACME certificate via my public domain name and somehow stop traffic / access from outside my LAN from using it within HAProxy with an ACL?
Thank you,
-
@VMlabman said in PfSense HAProxy certificate export import:
On my printer HAProxy is working, but when I go into some of the pages on the device they do not load, versus if I go directly to the IP address itself. Any ideas on that one?
But the pages load if you use the backend's host name?
If I have a device that will only take a Certificate from say GoDaddy or Digital Ocean. Will HAProxy work with a default out of the box Certificate
You mean the backend device pulls its certificate directly from a public CA?
And you want to access the device from outside through the reverse proxy? -
*On my printer HAProxy is working, but when I go into some of the pages on the device they do not load, versus if I go directly to the IP address itself. Any ideas on that one?
But the pages load if you use the backend's host name?* Yes, it sure does.
The other question is about using HAProxy for SSL on a managed switch. It has few options, and I think it's much more complicated for a beginner like myself. This is what I am looking at doing: link text More fun
-
@VMlabman said in PfSense HAProxy certificate export import:
On my printer HAProxy is working, but when I go into some of the pages on the device they do not load, versus if I go directly to the IP address itself. Any ideas on that one?
But the pages load if you use the backend's host name?* Yes, it sure does.
Possibly the backend is expecting the host name it is configured for.
You can set HAproxy to send any host name to the backend.
To do so, edit the concerned backend, add a host-header set action and enter its host name.
But this could also have other reasons. If the host header doesn't solve it, you will have to investigate the issue with the debugging tools of the browser.
Find out which pages are concerned. Maybe these are virtual directories?
Compare the paths which the browser is requesting in both cases, working and not working. -
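Pulling the settings from this thread together as one added example (not code from the thread, the pfSense package or its author): the plain haproxy.cfg equivalent of the GUI settings discussed above, i.e. the frontend on 443 with SSL offloading, backends with the mandatory server port and a health check, "SSL checks" on versus off, and the host-header set action. The cert and CA file paths and the printer's FQDN (printer.myvmlab.net) are assumptions; the IPs, ports and NAS host names are the ones given in the thread.

```haproxy
# Added example, not the thread's or the pfSense package's own config.
# Assumed: the two .pem paths and the printer FQDN printer.myvmlab.net.

global
    log /dev/log local0

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One frontend on the default HTTPS port on the LAN address, so no port
# has to be typed in the URL. SSL offloading uses the wildcard cert
# issued by the pfSense CA (path assumed).
frontend LAN_https
    bind 10.50.50.254:443 ssl crt /var/etc/haproxy/wildcard_myvmlab_net.pem
    # Route by Host header: how one frontend shares 443 among backends.
    acl host_printer req.hdr(host),field(1,:) -i printer.myvmlab.net
    acl host_nas     req.hdr(host),field(1,:) -i mgmtqnap-01.myvmlab.net
    use_backend printer_BE if host_printer
    use_backend qnap_BE    if host_nas
    default_backend printer_BE

# Printer on 10.50.50.100:443. The port is mandatory: leaving it out is
# the "has neither service port nor check port" fatal error above.
# "ssl verify required" with the pfSense CA is "SSL checks" ticked: the
# device cert must chain to that CA and match the SNI name sent.
backend printer_BE
    option httpchk GET /
    http-check expect status 200
    # Send the host name the device expects, not the proxy's own name.
    http-request set-header Host printer.myvmlab.net
    server printer 10.50.50.100:443 check ssl verify required ca-file /var/etc/haproxy/pfsense_ca.pem sni str(printer.myvmlab.net)

# QNAP NAS on 10.50.50.200:5553 with a self-signed cert. Traffic to it
# is still TLS-encrypted, but "verify none" ("SSL checks" unticked)
# means HAProxy does not authenticate the NAS. "check" alone is the
# basic TCP-connect health check.
backend qnap_BE
    http-request set-header Host Qnap-1.myvmlab.net
    server qnap-01 10.50.50.200:5553 check ssl verify none
```

The pfSense package writes its own file from the GUI; this listing is only meant for reading the generated config side by side with the GUI fields (Settings > Show configuration) to spot a missing port, check or host header.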
@viragomann said in PfSense HAProxy certificate export import:
Possibly the backend is expecting the host name, it is configured for.
You can HAproxy set to send any host name to the backend.
To do so, edit the concerned backend, add a host-header set action and enter its host name.
Where in the backend do I set the host-header? I don't see it, and I even looked in the frontend. I know I am missing it, as I am 100% sure it's right there in front of me.
Thank you,