How To Guide For HAProxy and Let's Encrypt on pfSense: Detailed Steps for Setting Up Reverse Proxy

Captions
Lawrence Systems here, and today we're going to cover HAProxy and Let's Encrypt on pfSense. But before we begin, a couple of prerequisites: you should own a domain. For example, Cloudflare is less than ten dollars a year for a domain. We're going to be using a Cloudflare domain as an example, but it will work with a lot more than just Cloudflare, because we're going to be doing this using the API, so Cloudflare, DigitalOcean, there's many other choices. We'll cover that later when we talk about how to pull the certificates with ACME and how to automate them, because we're going to be using wildcard certs. So owning a domain name is going to be a prerequisite for this. Next, pfSense Plus or Community Edition: this will work on either one of those. We're going to be using the latest versions available here in August of 2023, and everything's going to be time-indexed down below so you can jump to the part that's most relevant. But we will be starting with some diagrams. The reason why is because when I did this video before, there were a lot of concepts that I realized people didn't understand about how reverse proxies work and how important DNS is, and almost all the consulting we do regarding fixing this for people is pretty much DNS, DNS, and occasionally someone getting a couple of things wrong about where they pointed their DNS. That is probably the number one issue; there's a few others, and we will cover basic troubleshooting and how to set this up. But this is going to be a complete guide from start to finish, from loading the packages, which I've already done so that part's easy, to getting this all configured and making sure you can access your servers. I'm going to cover doing this privately, as in keeping the domain inside so you don't have to publicly expose your services, but I'll also talk about the method by which you can expose it. They're pretty much the same; it's just a matter of what interface you attach it to. Now before we begin we do need to hear from a sponsor, and today's sponsor is, well, my company.

So let's get into the ad read, then we'll get you to the content. Are you an individual or forward-thinking company looking for expert assistance with network engineering, storage, or virtualization projects? Perhaps you're an internal IT team seeking help to proactively manage, monitor, or secure your systems. We offer comprehensive consulting services tailored to meet your specific project needs. Whether you require fully managed or co-managed IT services, our experienced team is ready to step in and help. We specialize in supporting businesses that need IT administration or IT teams seeking an extra layer of support to enhance their operations. To learn more about any of our services, head over to our website and fill out the Hire Us form at lawrencesystems.com. Let us start crafting the perfect IT solution for you. If you want to show some extra love for our channel, check out our swag store and affiliate links down below that will lead you to discounts and deals for products and services we discuss on this channel. With the ad read out of the way, let's get you back to the content that you really came here for.

Now, most of this video is going to focus on setting this up to use your private IP internally, but I will cover just that one extra step, or technically two, that you need to do to get this working publicly. One is you have to have publicly available DNS; in the rest of the demo we're going to be using local DNS instead, our pfSense, but it goes out of scope of this to cover how to point a domain at your public IP address, because that is very dependent on whoever provides you DNS. But in our demo site here we have ltsdemo.work. This is the domain that I bought that I'm using for this, and we're going to use truenas.ltsdemo.work and uptimekuma.ltsdemo.work as our fully qualified domains. If we wanted to make this public, the thing that we would do differently is we would bind our HAProxy to my public IP. Now, you can have more than one IP on a pfSense, so you can have multiple public IP addresses, and you would just attach HAProxy to whichever one was public, and then the other thing you'd have to do is open up the firewall rules. By default pfSense blocks incoming requests, but you can override that: put a firewall rule in to allow things to locally talk to the HAProxy or the firewall itself, because they're both on the same device, and then you would publicly expose things. I didn't want to do that for this particular demo, because if I publicly expose things and publicly expose my IP address, one, that comes with lots of risks, and, well, someone might even just DDoS it just to be annoying, and that's another risk that may come with it. But both of these can point at the same IP if you only have one IP, and HAProxy, and this is the part we will be covering, is how it handles ACLs, or the access control list, and has a set of rules that say look at the different domains that are coming in and serve up the server from behind there. But each of these would just point to whatever your public IP address is, and that would allow a client outside the network to go across the internet and get served up a proper certificate by HAProxy for these devices that are behind your pfSense.

We are going to focus on doing this privately so you can have your own, and we're going to be using wildcard DNS for this, and that does apply even with it being public, but this allows you to create all of your own DNS. We're going to use in this case pfSense for DNS, because pfSense acts as our DNS server and it acts as our proxy server, so we don't need to go outside to the internet for this to work in terms of the client, other than it does have to have internet access when you get your certificate. So the certificate renewals do require internet, but the actual functionality does not, and you're not exposing your servers, like your TrueNAS or your Uptime Kuma server (we're going to use those demos in here), to the public internet, because we're going to take the DNS for these, truenas.ltsdemo.work and uptimekuma.ltsdemo.work, and they're both going to have a DNS entry of 10.13.13.1, which is the interface that we're going to bind them to on our pfSense. So the DNS will be a private IP address, and this is on the same network, so as long as pfSense is serving DNS to this particular client, the certificates will line up, match, and the domains will match, and we'll get served a proper certificate. This is the DNS part that a lot of people doing private have a harder time with, because public, it makes sense that you need your public DNS not to point to your internal IPs of your servers; it would point to the proxy. But when it's internal the same thing applies: it has to point to the proxy. So even though uptimekuma.ltsdemo.work is going to be pointed at 10.13.13.1, it's going to, via the rules in HAProxy, come over here to Uptime Kuma on the back end. This is the big mistake a lot of people make, where they think the internal IP name, or sometimes because they also have their own DNS entry of how they get to one of their servers internally, they try to match it and then have a DNS problem where it doesn't match because it's trying to go directly to the server, and we need the client to go to the HAProxy on pfSense to serve up the certificate and let HAProxy broker that connection back to the back end.

Now let's get into the functional part of setting this up, now that we've covered the concepts. The first step is making sure you have the packages installed, so we have the ACME package and HAProxy package installed here. If they're not installed, just head over to Available Packages and go ahead and install those. Then we go to System and we want to go to Advanced. By default pfSense is on TCP port 443; this is for the web interface of pfSense. We'd like to move it somewhere else; I chose 10443. Then down here we have the WebGUI redirect option; make sure that's checked. This is a port 80 configuration rule. You don't absolutely have to do this, but if you don't and something hits port 80, it'll actually redirect to whatever port you have chosen here. I'm not covering putting in a redirect rule for port 80, because most browsers choose HTTPS by default.

Now next we're going to set up the ACME certificates. The ACME certificates are here; on the General Settings make sure you have the cron entry checked. This will enable the automatic renewal of these certificates. I already have certificates in here, but the first step would actually be creating an account key. Creating account keys is really easy; we can just put in test, test. Make sure you are choosing, if you're ready for production, the production system. It will actually do a staging one, but please note, if you want it to work properly you do need production. And then you hit Create new account key. It will grab the account key; once that's populated you can then register the ACME account key, and then you'll click Save, and now you'll have a new one. But note this one is in testing, so we're going to delete it. These ones are in production and they have proper account keys. Once you have a proper account key you can go over here to Certificates, and I have my ltsdemo.work. I can't show you this one, because this one will show you too much; it'll actually show you a part of my Cloudflare authorization. This one works the same way, but I did it with DigitalOcean, and you see we're getting a wildcard for studio.lawrencesystems.com, and we have my DigitalOcean API key, which is blurred out. If we look at creating any new certificate, let's go ahead and just walk through that process. When we add one we would go here to Add and we would give it a name; the name does not have to match the domain name, but we will call it "wildcard cert for domain". You can put the same in the description, which can be a little bit more typed out if you need to, and then we can choose all the different options. Now you do not need to open any ports for all these DNS options that are in here; these are all the different companies that have automated DNS or API support via pfSense. There's quite a few of them in here, so you can probably find Duck DNS or whichever DNS you might be using to get this to work. Of note, I am using DigitalOcean and Cloudflare; I've tested both of these in this system to make sure they work. If you use Cloudflare it does ask a lot of these questions, and it does not blur all of them when you go back to edit, but you must fill out all of these questions. If you're doing it, for example, with DigitalOcean, it only asks for the DigitalOcean API key. The important part though is that you have the domain in here properly, and I will blur out the bottom, but please note the domain: because we want a wildcard, it's *.ltsdemo.work. That gives us a wildcard domain, so it will pull the wildcard cert, so we can make up anything we want .ltsdemo.work. I will also point out you can do it this way: *.studio.lawrencesystems.com. I'm using lawrencesystems.com in more than one place and I want to distinguish things on this particular server as located at my studio, so this will allow us to create anyname.studio.lawrencesystems.com within this server. The final thing I will mention is making sure you have this right here: it's /usr/local/etc/rc.d/haproxy.sh restart. The reason you need that is because when the certificate renews you want HAProxy to restart so it can use that new certificate. So I do recommend you add that; if not, even though the certificate may be renewed, if HAProxy does not restart it will not start using that new certificate when the certificate expires.

Now we're going to go over to Services and then HAProxy, and let's look at the Settings. Make sure HAProxy is enabled. Then we'll go down here and change the reload behavior. This is my personal preference; especially for troubleshooting you may not want this on, but it forces the immediate stop of old processes on reload and closes existing connections. I do this that way if I'm especially adding new servers and troubleshooting; I want, every time I restart HAProxy, to not hold on to any sessions, even if I'm just adding something to the front end or the back end: kill all those sessions and start them over. That way I don't have any old sessions confusing me. But please note, checking this option will interrupt existing connections on a restart, which happens when a configuration alteration is applied. Scrolling down a little further, I don't have this filled out, but in production systems I usually do: Remote syslog host. You can put a specific syslog and send all that data from HAProxy to its own syslog server. This may help you in collecting all of your logs; not needed for the demo server we have here. Then we're going to go all the way to the bottom and we can just hit Save, which brings us to the Apply Changes, and of note, any time you apply changes it kills all those connections.

Now we're going to build a back end, and we want to add a new back end. We're going to call it truenas. I'm going to click on this little server table and expand it out, and we want to call that truenas as well, so t-r-u-e-n-a-s, and then we're going to put an address in here of 172 16165, the address of our TrueNAS server; 443 is the port. Then we need to scroll over a little bit: yes, this is encrypted; do not check SSL checks. It's important you do not do an SSL check, because there is not a valid certificate; it is a self-signed certificate on my TrueNAS server, so we don't want the HAProxy to try to validate that certificate. Now let's go ahead and scroll down further. I'm not going to bother with any type of health checks, but you can do a health check on these if needed; it just will confirm whether or not the back-end server is up. And then we can go down here to the bottom, leaving all other things at default, and click Save, and I'll go ahead and apply the changes. But as you notice it's kind of grayed out compared to these, because there is no front end yet for this particular entry. So let's go ahead and create a front end for that. We're going to click Add, and because this front end is going to be for more than one server, let's just call it youtube demo, and we'll call this "YouTube demo for *.ltsdemo.work", because it's a wildcard certificate that we have for this. And this is where we bind the proper IP address. Now the IP address for this one is specifically the lab VLAN address, 10.13.13.1. Then we're going to choose the port of 443, we're going to check the box for SSL offloading, and we'll leave all this the same. Then we're going to scroll down. Now here's where we create those ACL lists. It's very important to name them in a consistent way, so we'll call this one truenas, and we'll say host matches; we want to match a hostname. The value we're going to use is truenas.ltsdemo.work. Now remember, we can create any domain we want here; we'll get to the DNS settings next. Now this says truenas right here; that means when we do the action, because this is the access control list to match on, so host matches truenas.ltsdemo.work, and then we're going to go, what is the action? We want to Use Backend, and we want the back end that we named truenas, and then Condition ACL names: this has to match exactly; that's why I'm copying and pasting it from here to here. We'll get to how to create more of them next. Then we're going to go ahead and scroll down further until we get down to the certificate, and we want the certificate to be the ltsdemo one that we have set up here; this is that wildcard for that. The other one is using this one here, and you could create more than one back end using another one here if we wanted to use the lawrencesystems one, but as I said we're going to be doing the demo one, so ltsdemo.work, and that is this particular wildcard certificate. Then we'll scroll down here to the bottom and we'll click Save, and then we'll hit Apply.

Here comes the DNS part, where we have to make sure DNS is working, so we know what we have for this domain. So we're going to go here to Services and we're going to go to the DNS Resolver, and we're going to scroll down. I have lots of entries in here, but let's look at the one that's specifically related to this; that's this truenas.ltsdemo.work. That entry says truenas is the host, the domain is ltsdemo.work, and it points to 10.13.13.1. And if everything's working properly, let's go ahead and do a quick domain lookup to make sure that the system answers with the domain that we want it to, and we're just going to use dig to do truenas.ltsdemo.work, and we see that it's answering 10.13.13.1. And as you can see here we can go to truenas.ltsdemo.work and we can sign in. So we can look at this: connection is secure, certificate is valid, and we see that we're given the certificate for ltsdemo.work. So let's go ahead and set up one more domain at this same address, and since we're here in the DNS world, let's go ahead and add another DNS entry with this Host Override. So I'll go back over to General Settings; we're just going to click Add. We'll call this one kuma, put the domain, which is ltsdemo.work, and it's the same IP address, so 10.13.13.1, which is our pfSense. This is for Uptime Kuma. Scroll down, Save, Apply. Always double check your DNS: make sure kuma.ltsdemo.work works. It does; it comes up with the same IP address. So let's go back in and add an ACL. We're going to go over here to our HAProxy, we're going to edit our existing one we have here, and we want to add another rule. So we're going to click this Access Control List here; we'll call it kuma. "Host starts with"... "host matches" is what my goal is here, and it's going to be kuma.ltsdemo.work. Scroll down here: we want to Use Backend, and we already have an uptimekuma back end, so we'll use that one there, and we have to make sure once again these match. So we called it kuma here, so we will call it kuma here, so the Use Backend is this one here. So now if we go down to the bottom, all the other things are the same; we're just going to hit Save. Let's go back and edit this real quick just to cover that. You can see now that it's saved: if the host matches truenas.ltsdemo.work, we're going to be using this ACL, which points to this one here; if it matches kuma.ltsdemo.work, which is that right there, it says use the back end kuma, and use the back end uptimekuma on the back right here. That's all we have to do, and we'll go back over here, we'll apply the changes, and let's see if that works. And now we're at my Uptime Kuma login.

One more thing I want to note: if we go over here and we look at the back end, and we want to look at the uptimekuma back end, I want to point out that this uptimekuma back end, we'll click Edit here, is not encrypted. If you're familiar with Uptime Kuma, by default it does not have a certificate; I didn't install one on purpose, and the reason why is because I wanted it to be handled by the HAProxy. So the connection from pfSense to this IP address is not going to be encrypted, so we do not have this checked. The certificate though is valid here, because it's the connection between pfSense and this browser that is encrypted, providing me with that same "connection is secure" with the valid certificate from the Let's Encrypt certificate. Something else worth noting is that you notice that this is pointed at two different places. This is a way you can create a different front end but still have one back-end server that handles all of your internal traffic, and this could just as easily be, if we added another one, bound to my WAN IP address, and we can repeat the process for actually any one of these. Or if I had multiple WAN IP addresses, then I could publicly expose a specific server and use that same back end, and it would have two different entries that way.

Now one of the things I want to comment on is a couple of use cases for binding the front end to different interfaces. One of the big use cases for that is because all of your normal firewall rules apply. Let's say you have a guest network and you'd like to have your guests accessing things over HAProxy, such as Uptime Kuma, but you do not want them to access your NAS. This would be a good use case: you could tie the NAS to your secure network that you just have you and people you trust on, and then you could have your guest network, but you know they want to see what servers are up, and you could then bind it to that address. Another use case is binding it to the WAN address. Now as I said, if you bind it to WAN you need to open up port 443 to have it remotely accessed, but internally the guest network will have access to it, because you don't need to create a rule internally for LAN, because by default pfSense, that is the default behavior for services bound to a specific interface: the network segment and the devices on that segment will have access to that. So just keep that in mind when you're setting it up. Now I made this video to cover the most common use cases for HAProxy, but obviously there are many more use cases. Check out Netgate's documentation, because they have a lot more covered, and check out their forums, the Netgate forums. There's a lot of discussion about HAProxy, because there's always different edge cases and different use cases in different specialized environments, and maybe you have all those environments and there's something beyond what was covered in this video that you need to get configured. Their forums are a great place to check that out. If you want to see more content from this channel, like and subscribe. Also leave your comments down below; I love hearing from all of you. If you want to connect with me, I'll be over in the forums at forums.lawrencesystems.com, or just head over to lawrencesystems.com and figure out what socials I'm on when you're watching this video, and you can say hi to me there. All right, and thanks.
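As an added worked example, and not code from the video or from the pfSense HAProxy package (which generates its own haproxy.cfg from the GUI and should not be hand-edited), here is what the front end, ACLs, and back ends built in the walkthrough above look like written out as a plain haproxy.cfg: a frontend bound to 10.13.13.1:443 doing SSL offloading with the *.ltsdemo.work wildcard certificate, two host-match ACLs, a re-encrypted-but-unverified TrueNAS back end, and a plain-HTTP Uptime Kuma back end, with the WAN-bound public variant shown commented out. The certificate path and both back-end IP addresses are placeholders (the TrueNAS address is not legible in the captions and the Uptime Kuma address is never stated); Uptime Kuma's port 3001 is its default and is an assumption, not something the video states.

```haproxy
# Hand-written equivalent of the pfSense GUI configuration from the video.
# Placeholders: certificate path, 192.0.2.x back-end addresses, 203.0.113.10 WAN address.

global
    log 127.0.0.1 local0          # "Remote syslog host" in the GUI sends these off-box
    maxconn 4000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# DNS side (Services > DNS Resolver > Host Overrides in the video):
#   truenas.ltsdemo.work -> 10.13.13.1
#   kuma.ltsdemo.work    -> 10.13.13.1
# Both names resolve to the proxy address, never to the back-end servers.
# Check from a client:  dig +short truenas.ltsdemo.work   (expect 10.13.13.1)

# Front end "youtube_demo": bound only to the lab VLAN address, so only that
# segment's firewall rules decide who can reach it. SSL offloading terminates
# TLS here with the *.ltsdemo.work wildcard issued by ACME/Let's Encrypt.
frontend youtube_demo
    # PEM must contain the certificate, chain, and private key.
    # ACME renewal action in the video: /usr/local/etc/rc.d/haproxy.sh restart
    bind 10.13.13.1:443 ssl crt /var/etc/haproxy/ltsdemo_wildcard.pem   # placeholder path
    http-request set-header X-Forwarded-Proto https

    # ACLs named to match their back ends, as the video stresses
    acl truenas hdr(host) -i truenas.ltsdemo.work
    acl kuma    hdr(host) -i kuma.ltsdemo.work

    # "Use Backend" actions: the condition name must equal the ACL name
    use_backend truenas    if truenas
    use_backend uptimekuma if kuma
    # No default_backend: a request with an unknown Host gets a 503 instead of
    # landing on whichever back end happens to be listed first.

# TrueNAS already serves HTTPS with a self-signed certificate, so HAProxy
# re-encrypts to it but does not validate ("SSL checks" unchecked in the GUI).
backend truenas
    server truenas 192.0.2.5:443 ssl verify none      # placeholder address

# Uptime Kuma has no certificate of its own; pfSense -> Kuma is plain HTTP,
# the browser -> pfSense leg is what carries the Let's Encrypt certificate.
backend uptimekuma
    server uptimekuma 192.0.2.20:3001                 # placeholder address, default Kuma port

# Public variant from the video: a second front end bound to the WAN address
# reusing the same back ends. Needs a WAN firewall rule allowing TCP/443 to
# 203.0.113.10 (placeholder) and public DNS for the names pointing at it.
# Only the names you list here are exposed; the NAS stays internal-only.
# frontend public_demo
#     bind 203.0.113.10:443 ssl crt /var/etc/haproxy/ltsdemo_wildcard.pem
#     acl kuma hdr(host) -i kuma.ltsdemo.work
#     use_backend uptimekuma if kuma
```

The two things that most often go wrong in this setup are both visible in the file: the ACL name in `use_backend ... if <name>` has to match the `acl <name>` line exactly, and the Host Override for each name has to point at the bind address (10.13.13.1), not at the server the back end forwards to. Binding per interface rather than on `*:443` is what lets the guest-network and WAN cases in the video be controlled by ordinary interface firewall rules.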
Info
Channel: Lawrence Systems
Views: 51,783
Keywords: LawrenceSystems, Reverse Proxy, reverse proxy explained, reverse proxy pfsenswe, reverse proxy pfsense, haproxy, haproxy pfsense, haproxy tutorial, haproxy setup, haproxy reverse proxy, haproxy configuration, haproxy logging, lets encrypt, reverse proxy, open source, home lab, pfsense haproxy reverse proxy setup, reverse proxy tutorial, pfsense haproxy, ha proxy, pfsense haproxy letsencrypt reverse proxy
Id: bU85dgHSb2E
Length: 20min 44sec (1244 seconds)
Published: Wed Aug 16 2023