pfsense + HAProxy + Let's Encrypt Howto

Reddit Comments

As promised, I've created a video tutorial on how to configure HAProxy with Let's Encrypt.

πŸ‘οΈŽ︎ 11 πŸ‘€οΈŽ︎ u/psybernoid πŸ“…οΈŽ︎ Feb 23 2020 πŸ—«︎ replies

Big thanks, this helped me heaps!

I am currently trying to figure out how to redirect internal DNS names to FQDNs so that the certificates work when inside the network.

i.e. my DHCP domain search list gives out FQDN.COM.

I then want to be able to just type in nextcloud/ (the / stops the browser from searching for the word).

HAProxy then auto-redirects to nextcloud.FQDN.COM so that no certificate error is thrown. I don't have to type out the FQDNs when I'm inside the network to reach services.

Any ideas would be greatly appreciated. I also posted this question over at netgate
https://forum.netgate.com/topic/150771/haproxy-url-redirect

Many Thanks

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/xternaal πŸ“…οΈŽ︎ Feb 24 2020 πŸ—«︎ replies

What's the best way to get a look at the HAProxy logs?

I have a service sitting at port 8008 and I do get redirected to the cert, but I get "503 Service Unavailable" via HAProxy but not directly. I'm fairly certain that the VIP is set up correctly, so I need to see what HAProxy is doing and ultimately redirecting to so I can get an idea where I went wrong.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/NathanFilmore πŸ“…οΈŽ︎ Feb 24 2020 πŸ—«︎ replies
Captions
Hello. So, as promised, I have decided to record a video on pfSense, HAProxy and Let's Encrypt certificates, since it's been popping up an awful lot in the subreddit recently. So yeah, let's have a go at this, shall we? This is a VM of pfSense running; this is not my production system. I will be obfuscating some of the IPs and things like that, obviously, and credentials, you know, common-sense sort of stuff. Anyway, let's crack on, because you don't want to hear me rambling. So this is a pretty much default pfSense install. I have two interfaces, a WAN and a LAN. Let's go here: there's my WAN interface and my LAN. It's not really a WAN, it's an internal one, but whatever; this is accessible from outside if I really wanted it to be.

I'm also going to be using Cloudflare as my DNS provider. I do recommend using them because it's just so much simpler. I'm not going to go over the Cloudflare setup because it's a bit involved and I don't really want to show too much of my own settings, so if you need some help with setting up, sorry, Cloudflare, there are plenty of guides out there to help you out. The first thing you're going to need is your Cloudflare API key, which you can get from your account page on Cloudflare, and you will also need to set up a DNS entry. Say, for example, I'm using the subdomain "test" and then my actual top-level domain. I'll be using the live top-level domain for this because you need to in order to get a Let's Encrypt certificate. However, you don't actually have to have your firewall open on ports 80 and 443 if you're only using this for internal certificates; if you're only using it internally you don't have to have that open at all. If you actually look at my NAT rules, I've got nothing in there at all at this point in time, so this is pretty much blank.

So the first thing we need to do really is go to our Package Manager, and you'll see there are no packages installed. I need to install the ACME and HAProxy packages, so I'll just go ahead and install the ACME package. There we go, there's our ACME package. Now we go to Available Packages and HAProxy; there we are. haproxy-devel is also an option. I've never actually used it; it is a higher version so it might be a good idea, but this is what I'm going to use today, the standard base one. Just get that installed. There we go, lovely. So we will now see in our Services we have ACME Certificates and HAProxy.

So firstly I'm going to add my certificates. You'll notice, and I'll just ram this point home, I don't have anything open on 80 and 443, OK, the rules are very, very default. So, HAProxy... no, sorry, my mistake, ACME Certificates. What I need to do first is create an account key. I'm hoping this works, because I've been testing a little bit and I might have overdone my Let's Encrypt certificate generation, but we'll see. We're going to call this "demo"; a description if you so wish to put one in. You've got a testing-purposes one, which I might have to go to if I can't generate an actual live certificate. Testing purposes is a good idea to start with, because there are rate limits when you generate Let's Encrypt certificates: you can only create so many per day. For the actual figures look on the Let's Encrypt site and you'll find out. But the testing ones, they are certificates but they're not trusted certificates, so you will find that yes, you can bring up a certificate, it will be signed, but your browser will not actually trust it, so you'll get that warning. OK, so we're going to go for production. Email: this is the email address against your Cloudflare account; this is basically to send you, as it says, automated certificate expiration notices. So I'm going to put my actual email address in here. Right, account key: you generate it. OK, so now we have generated an account key, we now register it and we get a tick, so that's good news.

So now we have got this part, we need to go to Certificates. We have nothing in there, so let's go to Add. The account key should be created... ah, I didn't hit Save, did I? Right, OK: demo LE cert, an email address once again, and account key: generate, register, hopefully we'll see a tick. Yes. Now we save it. There we are, Certificates. Right, so we've got our demo cert here. Let's see; I'm not bothering with descriptions or whatever. So, Add. Right, I'll call it "demo le cert"... let's call this "demo le root". Description, I can put a description in here if I like. Root, as you might have guessed, I'm going for the root here. So in here, this is where you make a choice as to whether you are having root certificates or not. You can generate certificates per subdomain, so I could put in here test.mydomain, my top-level domain, if I wanted to; I can put in here bob.domain.com if I wanted to. But we're going for a full-on root certificate, so star, which is a wildcard, and then my actual live production top-level domain. As the method we need that to be DNS-Cloudflare, and in here is where you paste your API key, and then your email address which your Cloudflare account is registered with. We don't care about a token or account ID. Save it. OK, now we hit Issue, and hopefully this will work, because as I said I've been messing about with this, so it might error on me, in which case you'll see me stop the video. Hopefully we'll see a big green box in a minute with loads of text. It doesn't happen instantly; talk amongst yourselves. Oh, there we go, we're fine, we're happy. So we've got all of that done.

Right, OK, so if we go back to our Certificates now, General Settings. Now when you're actually up and running with this you want to be ticking Cron Entry. That basically, every day at 3:16 a.m., will check if a certificate is about to expire. Let's Encrypt certificates run for 90 days, so basically this goes "right, how old's our certificate", which you can find out here: last renewed Sunday 23rd of February 2020, 8:26 a.m. If that is, say, 61 days away from now, this would automatically just renew it; you don't have to worry about it. "Write certificates" puts it somewhere else if you need to use it for some other system or whatever, but I'm not going to worry about that now. So there we go, we have our certificate created. In fact, if we go into our cert manager, we can see our Let's Encrypt certificate is there, and you can do many things with it: you can even sign pfSense itself with this if you wanted to.

Anyway, so we've got that part out of the way. We now need something to put this certificate on. I've spun up a basic web server, very basic, as you'll see in a minute. So if I go to Services, sorry, Status, and DHCP Leases, we have two entries here; one's shown as offline, though it isn't, and this is a web server at 192.168.88.43. So if I go to http://192.168.88.43 we get the very default Apache2 Ubuntu default page. Notice two things: one, I typed in HTTP; two, it is not secure. Now for completeness' sake let's type in https://192.168.88.43. That will not work because it's not there. Just to prove a point, if you bring up a command prompt: if we telnet to 192.168.88.43 on port 80 it will connect, OK. If we do the same but on 443, which is HTTPS, that won't connect. That server is not listening on HTTPS or port 443 at all.

So what we need to do... actually, what I'll do first is create a virtual IP. Now, the reason I'm creating a virtual IP will become fairly clear a bit later. So I need to create an IP address in the range that I'm running here. What range am I on? Well, 192.168.88.0/24, 24 being the CIDR or whatever. So if I bring up a ping on 192.168.88.130 and make it a persistent ping, OK, it is not responding at this point in time, as you can see. So if we now go to Virtual IPs: IP Alias, and we want to put it on LAN, OK, and I want 192.168.88. ... what did I put in there? I've forgotten already: 130. This needs to be a /32 because it is only one IP; I'm not putting a range in here. OK, description: I'm going to call this "HAProxy LB", as in load balancer. OK, save it, apply it. When I apply that you'll see that that's now responding. There we go. So now I have a virtual IP. A good idea is to create these outside of your DHCP scope, OK; you don't want to suddenly be leasing out an IP that's used by a virtual IP and wondering where the hell that's coming from. Anyway, so we've got that. That's important to note: it's important to create the virtual IP, you'll see why in a moment.

So now if we go back to our Services, HAProxy, and we have here... so we've got all of these. Now by default some of these fields aren't set, that is, blank, so I've set this to 1000. It gives you a table here of how much RAM it would use per connection: one connection 50 KB, a thousand connections will take 48 MB, 10,000 would be 498 MB, and so on and so forth. I've set this to a thousand; for home users, yeah, that's more than enough. The other one you will need to set... the reason these are set is because I've set them and then uninstalled the package and reinstalled it, but it keeps them in there, OK. So by default this is 1024 and it will complain at you; in fact I'll show you that. Yeah, when you enable HAProxy... it is not enabled by default, don't make that mistake, you have to go in here and enable it, OK. Save. Oh, it didn't complain at me, OK, but normally it does. Anyway, I'll set this to 2048, right, sorry, there we go. All right, so that's fine, that's all enabled.

We now need to create a backend. The backend is what is actually going to talk to this chappie here, this web server, OK. So in here, what shall I call this? I'm going to call this "web demo". The server list: I'm going to give it a name, I'll call this whatever the actual VM is called, web, so I'm going to call it "web", and the address is 192.168.88.43, this address here, and it is on port 80. This can be any port you like; for example, if you've got... I think Synology uses 5000, stick that in there. Do not tick "Encrypt (SSL)" unless you are connecting to something that is already HTTPS, but generally don't bother with that. Load balancing, with multiple servers defined; I haven't got multiple servers. Access control lists: you can do some fun stuff in here, you can actually create rules that say only certain IPs can connect to this server, and yeah, I'm not going to worry about any of that right now, OK, that's way out of scope of what I'm doing here. So we have here our web demo. At the moment nothing's going to happen, but you can see you can create many, many web demos in here, sorry, create many, many backends in here, and then you reference all the backends in your frontend config, which we don't have yet.

So we need in here a frontend. I'm going to call this "HTTP", OK, and it is active, and it's going to listen on that virtual IP we created, which I also named "HAProxy LB", OK, on port 80. In Actions we need to use an "http-request redirect" and put "scheme https" in there, OK, and we also need to tick "Use forwardfor". Is there anything else? No. Now I'll explain what this does. The http-request redirect, with the rule "scheme https", basically means if someone hits your web server, or whatever it is you're putting a proxy on, on port 80, or HTTP, it will redirect it to HTTPS, OK. So I'm going to save that out now and apply that. And now we're going to create one more, and that is going to be "HTTPS"; again, whatever name you like, I'm just giving it that. It's again going to listen on there, on port 443, and we are SSL offloading on this occasion, OK. So we will then go and find the "Use forwardfor" option, and we have our certificate. Now if you've got many certificates you can choose them here, but we've only got the one really to use; pretty much use default, but I'm going to tick that as well. Yep, OK, so apply those changes. Again, at this point in time nothing's really going to happen until we now reference our backend which we created here. So we don't need to edit the port 80 one any more; we're done with that.

So we now need an access control list here. We're going to call this "web demo", "Host starts with". You can put many things in here, but I'm using "Host starts with" because I want it to match the very, very front. So the value is the DNS entry you've created on your Cloudflare account; now, as we already said, this is "test" and then your top-level domain, so you need to put in the fully qualified domain of that. So basically if someone comes and talks to HAProxy requesting this domain, with subdomain, then we want to do the following action: we want to use this backend, we've only got one selectable, we've only got one available, web demo, and then we put in here the ACL name, the access control list name. So this has to match exactly, OK, capitalisation, everything has to be exactly the same, OK. Once you've done that you're pretty much golden. Right, so there we go, we're good there. Again, at this point in time nothing's really going to happen because we still don't know how to talk to it.

So what we're going to do here is let's create a NAT. This is if you're going to access it externally; I might as well go for it all now. So we're going to create a NAT: interface WAN, WAN address. Yeah, if you've got more than one WAN address, well, you can sort that out. Destination port range is going to be HTTP, and the redirect target IP is going to be that virtual IP we created, so that's 192.168.88.130, again on HTTP, OK. And we're going to create one more just below that: destination WAN address again, HTTPS, and again 192.168.88.130, HTTPS once more. We'll apply those changes.

So let's have a little breakdown on what's happening here. Someone comes externally. Now, because you've already defined the subdomain on your Cloudflare account (oh, by the way, that little orange cloud thing next to it, turn it off unless you want rate limits; turning the orange cloud off makes life a lot easier for you), so someone comes in, hits it, goes to the web address, types in your domain, test.yourdomain.com; Cloudflare will tell them to come here. Your pfSense firewall will then say "right, I know what to do with you", so it's basically going to say anything that hits port 80 or 443 I want to pass to this virtual IP here. This virtual IP will then pop over to HAProxy, because it knows what this virtual IP is for, and it will go "right, OK, so you want 192.168.88.130, lovely, OK, and you're after this domain, right, OK, fine, you can have this server, then off you go, crack on". So again, nothing here at the moment, but internally... because you don't want to go out to the internet and... it'd just work right now, but, you know, bear with me. You don't want to go out to the internet to come back in, known as hairpinning or tromboning or dog-legging, to hit your home web server. Why would you want to do that? You just want to talk to it directly, don't you? OK, so remember again this virtual IP; this virtual IP is very important for us today.

So now we just go to our Services and we go to DNS Resolver, OK. In fact, let's prove a point... I'm not going to prove a point because it's going to make life awkward for me to edit. If I was to ping this web address right now it would resolve, but it would be an external address, and it'd be a bit of a pain. So right, we want to create a host override, and in the host we're going to put in "test", then the domain, which is our domain name, our proper domain name, not the internal one, OK, and the IP address, well, that's that one, that's that lovely virtual IP we've created. And we'll apply it. So I should now be able to go to http:// and then the domain name. Oh, come on now, it should go quicker than that; I think it's getting itself in a bit of a twist because it's a VM. There we go. Right, so you can see two things have happened here: one, it's redirected to HTTPS, OK; two, its connection is secure, it's got a valid certificate. There we go.

So just to recap then. In fact, just to also really prove the point: that web address over HTTPS, so https://192.168.88.43, that ain't going to work, OK, and then http://192.168.88.43, that does, but it's not secure, OK. So now when we go to our actual address over HTTP it redirects, slaps it in, job done, OK. So that's pretty much all you need to do. Just to recap then what we have done: we have created a certificate... we have, obviously, installed ACME and HAProxy first; we've created a certificate; we've gone into HAProxy, we've created a backend which points to that web server, as you can see here; we've created a frontend that addresses that web server; and then we've created a DNS Resolver host override to go to that web page internally. Of course, that will only work if you use pfSense as your DNS server as well. If you use another DNS server you will need to put an override in on that as well, OK, just to save you going out and back in. You don't want to go out and back in if you can help it; you just want to go straight across to the box. Anyway, I hope anyone's found this useful. There we go. Cheers.
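The GUI steps walked through in the captions (two frontends on the virtual IP, the redirect-to-HTTPS action, the Host ACL and the single backend), expressed as an equivalent hand-written haproxy.cfg. This is an added example, not the video's own configuration and not the file the pfSense package generates; it reuses the demo addresses from the video (virtual IP 192.168.88.130, web server 192.168.88.43) and assumes a hostname of test.example.com and a certificate bundle at /var/etc/haproxy/demo_le_root.pem, both of which are placeholders.

```haproxy
# Added example, not from the video. Hostname and certificate path are assumptions.
global
    # The warning mentioned in the video: the default DH parameter size is 1024,
    # so raise it to 2048.
    tune.ssl.default-dh-param 2048
    # "Maximum connections" from the package settings; ~50 KB of RAM each.
    maxconn 1000
    log 127.0.0.1 local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend "HTTP": listens on the virtual IP, port 80. Its only job is the
# "http-request redirect, scheme https" action from the GUI.
frontend http
    bind 192.168.88.130:80
    option forwardfor
    http-request redirect scheme https code 301 unless { ssl_fc }

# Frontend "HTTPS": same virtual IP, port 443, SSL offloading with the
# Let's Encrypt wildcard certificate (cert + key in one PEM bundle).
frontend https
    bind 192.168.88.130:443 ssl crt /var/etc/haproxy/demo_le_root.pem
    option forwardfor
    # The GUI's "Host starts with" ACL. The name after "use_backend ... if"
    # must match the ACL name exactly, as the video stresses.
    acl web_demo hdr_beg(host) -i test.example.com
    use_backend web_demo if web_demo
    # No default_backend on purpose: a request for any other Host gets a 503
    # instead of silently landing on the first backend.

# Backend "web demo": plain HTTP from HAProxy to the web server; TLS ends at
# the proxy, so the proxy-to-server hop is unencrypted LAN traffic.
backend web_demo
    server web 192.168.88.43:80 check
```

Validate the file before loading it with `haproxy -c -f haproxy.cfg`; a mismatched ACL name or a missing PEM bundle is reported there rather than at the first request. Two practical caveats follow from this layout: a wildcard certificate means one private key on the proxy covers every subdomain, so that box is worth protecting accordingly; and while testing against Let's Encrypt's rate limits, the "testing" ACME server in the package is the staging environment, whose certificates are issued but not browser-trusted, exactly as the video describes.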
Info
Channel: SystemaD
Views: 11,588
Rating: 4.8851676 out of 5
Keywords: haproxy, lets encrypt, ssl, certificates, cloudflare, pfsense, tutorial
Id: FWodNSZXcXs
Length: 25min 4sec (1504 seconds)
Published: Sun Feb 23 2020