pfSense HAProxy Troubleshooting

Captions
Tom here from Lawrence Systems, and we're going to be talking about HAProxy troubleshooting. This is a frequent problem people run into: they followed my videos, of which I have two of them covering a couple of different aspects of HAProxy with Let's Encrypt and, you know, setting it all up and configuring it, and because the videos are a little bit longer, I think some people maybe skip a few steps and then come over and start asking questions, maybe in the forums or elsewhere. I wanted to make a quick troubleshooting guide, because it's only a few different things that I frequently see people missing, and this is my response for when people say "hey, it's not working, but I followed your video." There's always something you missed, and it is a complex topic; therefore I wanted to show the most common things people miss in HAProxy.

Before we dive into this video, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project, which includes things like setting up HAProxy, there's a "hire us" button right at the top. If you'd like to support this channel in other ways, there are affiliate links down below, and of course the forums, where you can connect with us and ask your questions about HAProxy and get this video as a reply.

All right, let's dive into this topic. We're going to set up two different sites. Basically they're both internal, and one has an SSL cert on its own and the other one does not, because that way I cover both common configurations. Of course, with HAProxy, it's an extensive tool and can do many more advanced things, but I at least want to drive down to the most common things I see people kind of missing.

The first one is this really common TCP port. By default, when you set up pfSense, it's port 443; that's the default. If you have your system responding on port 443 for both HAProxy and for pfSense, you can end up with kind of a problem. I recommend using something other than 443, unless you're going to put HAProxy on something other than 443, but you can't have two things bound to the same address, or you can run into some of these problems. The second one down is this other little check box, "Disable webConfigurator redirect rule." This is a port 80 redirect, and if you've moved this to, for example, in this demo we have 10443, and you have the redirect, so you have it listening on port 80, but you've also decided HAProxy should listen on 443, it'll now redirect HAProxy instead and end up at the wrong port. So just a couple of little check boxes: pick a different port, remember what port you picked (someone actually messaged me; they forgot right after they did it and didn't realize what port they had it tied to for their pfSense web UI), and then the other one, just turn off the web redirect.

The next really common one is in the HAProxy back end. This is my Xen Orchestra lab. The name we've put here, address, port: this is the IP address of where Xen Orchestra operates, and this is the port it's operating on. It does have its own certificate, so if we were to go to port 443 of 192.168.3.28, yes, it would respond with a self-signed certificate, because that's what I have set up on there. That means we do check the box for encrypted SSL, because the communications are. That also means, as I said, it is self-signed at 3.28, so we do not check this box; if we check the integrity of that, it's going to find that it's self-signed and fail. So we actually don't need it to check; we already know it's self-signed, and we don't need the error associated with it, so we just go ahead and leave that check off, unless you want it to validate that certificate. Generally speaking, this is usually why you install HAProxy: because you have some internal web servers and you want them to respond with a valid certificate, and so you're usually not going to have that box checked.

Now this is the second server I set up, and this is the back end for this one. It's at 3.144, and it has port 80. This is not encrypted; this is a standard port 80, so it'll respond. There is no certificate, so there's no certificate error, and I actually don't have port 443 or any SSL set up on this particular demo, so this server is going to be port 80. Of note, we are not checking encrypted SSL, and of course we're not going to check the SSL check, because there's no certificate there. But one thing that I want to remind people: when you're doing this internally, the transaction that is going from the pfSense is actually at 3.1, so when we go to 3.144, what that's going to do is create a connection from the pfSense to this, but it's all going to be in plain text. Some people think by checking the encrypted box it'll encrypt, but it will not, because port 80 is going to be HTTP on this server and it's not doing any encryption of the data inside the network. So if we're mapping HAProxy to somewhere else or outside the network via the WAN, those connections are going to be encrypted (I'll show you how that works on the front end), but on the back end, the transaction going between there, if someone were to be on the line, so to speak, it would just be passing in clear text on that network. So just something to keep in mind. That's another common thing people miss: they'll check encrypted because they go "hey, I want it to be encrypted when people talk to it," but technically it's not encrypted on the inside, so when HAProxy inside of pfSense talks to it, you leave that unchecked, because it's not encrypted.

The next common things are in the front end. So this is the LTS lab; we set up LTS lab servers. Where did you want to bind this to? This is important: for the listen address you can choose LAN, WAN, or anything else that you have, including, you know, different IP addresses you may have if you have a WAN with multiple IPs, but it is very important to understand where you want that bound to. I bring that up because sometimes people think that you need to port forward, and you do not. The associated rule for this, if it's on WAN, is simply opening up the rule on the WAN IP address that you have selected, or if you only have one WAN IP, you just select that. So if we were to select one of these addresses, WAN address or any of these associated addresses I have blurred out here, and bind it, then I would also have to create an accompanying firewall rule. You do not need port forwarding when you're using HAProxy, and this is one of those things that we've seen a lot of people do: assuming you need to forward to the server behind it, but you don't. HAProxy is taking the connection behind it, so to speak, from the LAN to the server, and then you need to tie it either to the WAN or the LAN. Now, if you tie it to an internal LAN address like I do here, you don't need to create any rules, because by default you can talk to your LAN side of pfSense; if you couldn't talk to it, you wouldn't be able to get to pfSense at all. But if you're doing it on the WAN side, you will have to create an associated rule for that.

The next one down, and I've covered this in those HAProxy videos of course, is not having these set up properly. We have two devices set up: they're Xen Orchestra lab, and the value is xolab.lawrence, and speedtest, with the host matching speedtest.lawrencesystems.com. If you do not get these access control lists set up properly and listening properly, this is an important aspect: both of these servers are going to respond on port 443, so HAProxy is going to be listening on 443 and answering based on which server name it gets. So the server name coming in, based on the DNS, is what your browser will send, either speedtest or xolab, and by that it will choose the proper back end. So if we edit one of these rules, you can see speedtest host matches speedtest.lawrencesystems.com, so when a host name matches and comes in, it then responds with it. The quickest way when creating these rules, as I showed with the other one, is you edit the back end. There's not a pull-down here, so we say "use backend speedtest"; that is free-form filled in, but this has to be matched. If I were to put in something else, or "speed test" and not spell it the same, you want it to be exact; you want to spell the same, case the same, everything, to make sure there's no issues. That is another spot where people slip. So this one matches Xen Orchestra lab and this one matches Xen Orchestra lab, and with both of them matching it should then provide the proper back end.

Now on to DNS. Now, I'm doing this in Linux, but if you're using Windows Subsystem for Linux it should work as well. Make sure you have dig installed; it's just my preferred tool for doing this, but however you want to do your DNS lookups. dig speedtest.lawrences.com... lawrencesystems.com, sorry, no "s" on this one. These are my internal servers; if you try to resolve these, you'll find that they don't resolve externally, but I've set them up for this demo, and you'll see that they respond with the right address. Now, this right address is not the server; the server is 3.144. The responding address is 3.1, because that's where HAProxy lives. This is another thing people mix up: they leave the DNS entry pointing to their internal server, or, you know, wherever the server may live, and it has to resolve to where HAProxy is. Same thing for the Xen Orchestra one: it resolves to the same address. It's very important that these work properly, and this is part of the core function that you want working in HAProxy: as the browser sends xolab or sends speedtest.lawrencesystems, you want to make sure it's resolving to the right address, because being the same address means which server you get on the back end, or which certificate is served up, is going to completely depend on what that DNS matching is. This is where your browser has to do it.

Now the final thing I want to show you is how you do the browser test from the command line, so you can see the output. We're going to start with this command right here, and let's break this down: openssl s_client, -servername. Server name is what your browser will send, so we're specifying the server name, and then we have to explicitly say the IP address of the host we want to send this information to. This is the way openssl can validate and send this information, and we're going to get a response back and read it. Of course you could do this in a browser; it could be a little bit trickier. I like doing it from the command line, because then we can just start grepping things and figuring it out. So we'll do this; it's going to give me the right response, because that's the address for my website. And let's actually get the subject; we'll grep for the subject. Let's see what it says here. Cool, Let's Encrypt cert for lawrencesystems.com. So we say server name lawrencesystems.com, and host is going to be the IP address of my lawrencesystems.com, the public IP, and filter for just the subject.

What if we sent something else as a server name, like xx.lawrencesystems.com, to this host? This is how shared hosting often works: you can have more than one domain working on there. What will it resolve to and what will it send? We actually get an OpenLiteSpeed certificate that I left in there when I set up my website (LiteSpeed is the engine on there), and it said "you know what, I don't have anything that matches this, so I'm going to give a default answer of a generic certificate" and not serve up the website. This is one of the problems you run into: you realize "oh, it's not responding properly," and it's easy to see when we look for the subject, like, I didn't get the expected Let's Encrypt Lawrence Systems one.

Now let's go ahead and switch to a different IP address, the HAProxy one, and we'll do speedtest.lawrencesystems.com; host was the IP address of our HAProxy. This is all internal, done on the LAN side, and here we go: we are seeing it's responding with a wildcard Let's Encrypt cert. Awesome, that's what we wanted. And same thing, we can test it here with xo, and we can see it responds properly. And finally, of course, we can go to speedtest.lawrencesystems.com and see the speed test.

Now, of note, 192.168.3.144 does bring up this, and "not secure," but here we have the secure, and we have the certificate valid and it's responding, but it's forwarding to this, so this still responds on .144. And this one right here, Xen Orchestra, is working; we have a signed certificate. But if I go to the https address directly right here, I think this one's at .28, we end up with a certificate error. There we go, "website's not private." That one does require that, you know, that checkbox, like I showed, because that one has a self-signed cert, so we don't want to validate the cert, because we know it's invalid, but then it shows up valid on there. And then the other one, of course, is available because it's port 80; there's no certificate, but it is encrypted when we view it through HAProxy.

These are the same set of things I ask everyone when they're going through there. It is... a lot of people ask this question, and I just covered all this in much more depth in my video of how to set up all these and walk you through step by step on these, but these are the same troubleshooting steps I go through each time someone runs into problems. So hopefully they help you, and hopefully it's just one of those few little things: either DNS, and it's almost always DNS, DNS is a real popular problem, but those other little back end and ACL things, and "you don't need to port forward," are really important, and make sure you have the right boxes checked. If not, re-watch my two videos on it, which I'll leave linked below. All right, thanks.

And thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to lawrencesystems.com and click on the "hire us" button right at the top. To help this channel out in other ways, there is a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.
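The two command-line checks the video walks through, dig to confirm that the public name resolves to the HAProxy listen address rather than the back-end server, and openssl s_client with -servername to see which certificate the front end returns for a given SNI name, wrapped into one small POSIX shell script. This is an added example, not the video's own commands or any pfSense tooling. The names speedtest.example.lab and *.example.lab and the address 192.168.3.1 are constructed placeholders standing in for the video's lab names, and the script does not verify the certificate chain; its only purpose is to show whether HAProxy picked the expected certificate or fell back to a default one.

```shell
#!/bin/sh
# Added example (not from the video): the DNS and SNI checks from the
# transcript as reusable functions. Names/addresses are constructed placeholders.

# From "dig +short" output on stdin, print the first IPv4 address, skipping
# any CNAME lines that precede the A record.
first_a_record() {
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | head -n 1
}

# From "openssl s_client" output on stdin, print the subject of the leaf
# certificate the server presented (the "subject=" line s_client prints).
served_subject() {
  sed -n 's/^subject=//p' | head -n 1
}

# Return 0 if the subject string contains the expected name fragment
# (e.g. "*.example.lab" for a wildcard cert), 1 otherwise.
subject_matches() {
  case "$1" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Check 1: the public name must resolve to where HAProxy listens, not to the
# back-end server it proxies for.  $1 = name, $2 = HAProxy listen address.
check_dns() {
  ip=$(dig +short "$1" | first_a_record)
  echo "dns: $1 -> ${ip:-<no A record>} (expected $2)"
  [ "$ip" = "$2" ]
}

# Check 2: send the name in SNI and look at which certificate comes back.
# $1 = server name, $2 = HAProxy address, $3 = expected subject fragment,
# $4 = port (defaults to 443).  A default/generic subject here means the
# front end ACL did not match the host name the browser would send.
check_sni() {
  subject=$(openssl s_client -servername "$1" -connect "$2:${4:-443}" \
              </dev/null 2>/dev/null | served_subject)
  echo "sni: $1 @ $2 -> subject=${subject:-<no certificate>}"
  subject_matches "$subject" "$3"
}

# usage: sh haproxy_check.sh speedtest.example.lab 192.168.3.1 '*.example.lab'
main() {
  check_dns "$1" "$2" && check_sni "$1" "$2" "$3"
}

if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

Run it from a host on the LAN side with the name, the HAProxy listen address and the subject you expect; a DNS answer that is the back-end server's address, or a subject that is not the expected wildcard certificate, points straight at the two mistakes the video calls out (the DNS record left on the server, or an ACL/backend name mismatch).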
Info
Channel: Lawrence Systems
Views: 11,011
Keywords: LawrenceSystems
Id: fLV3kF3QIws
Length: 14min 21sec (861 seconds)
Published: Tue Jun 01 2021