SSL Encryption on Your Home Server the SIMPLE WAY - Cloudflare, pfSense, HAProxy, ACME https setup

Captions
So you finally got a home server. Now you're into services, APIs, and your own custom website that shows the nearest location of Mountain Dew Baja Blast. So you've got all the essentials, and now you want to properly expose them to the outside world. But getting SSL certificates set up with proper security is just a pain. Trust me, I've been there; it's not fun. Luckily, today I'm going to show you an easy way to get this all set up without having to be some type of SSL or TLS security expert. Let's check it out.

Okay, to get this all done we're gonna need three things. First off, you're gonna need a domain name, whether that's .com, .net, .gov, whether you purchase that through Google Domains like I do, or through GoDaddy, or through whoever. As long as they provide the ability to change your name servers, you're good. Second, you're gonna need a Cloudflare account. Now, you don't necessarily need a Cloudflare account to do this entire setup; it's just what I use, and it's free, and I found it extremely useful. So if you want to follow this guide, just set up a Cloudflare account. And third, you must be running pfSense, whether that's on a dedicated Netgate box like I'm using or you're using your own hardware. Either way, as long as you're running pfSense, you're good to go.

All right, so I mentioned before you have to acquire a domain, and that I am using Google Domains to purchase my domain name. So for this demo I am using my domain name mrballoonhands.com. If you know what Mr. Balloon Hands is from, comment below; somebody out there's got to know. So I've done that. It's $12 for a year; it's not expensive, so I just basically purchased this one for the sole purpose of this demo. Once you have your domain, you can now go to the Cloudflare setup. So what you're going to do is go to cloudflare.com, create an account if you don't already have one, and then go to Add Site. All it's going to do is ask for the site that you want to set up; in my case it's mrballoonhands.com. And once you do that, Cloudflare is going to give you the names of two name servers that you need to change in your domain registrar. So in my case that's Google Domains. So what you have to do is go back, go to DNS, and this will be different depending on who you purchased your domain through, but a lot of them have the same type of layout. Just go to where it says DNS and change your name servers. So here I would go to Manage Name Servers. Here are the two that were provided to me by Cloudflare; I simply changed them here and clicked Save. Then once you do that, there will be a button down here for Cloudflare to update your name servers. Click on that. It can take somewhere between... I've seen it happen in five minutes, and it's taken up to about 12 hours for me. So while we're waiting on that, we can jump into pfSense and do all the setup that we need to do there.

So in pfSense we are going to be using two packages: ACME and HAProxy. So ACME is going to be used to provide these certificates for our services, free of charge of course, and HAProxy is going to be our reverse proxy. That's basically going to be like the bouncer at the club, basically checking everybody's ID and making sure that they're allowed to come in and leave. Bouncers don't really check your ID to leave, but in this scenario the bouncer checks your ID to leave. So the way to set those up is extremely easy: just go to System and go to your Package Manager, and in there you will be able to go to Available Packages and search for both HAProxy, download that, as well as ACME. I've already done that, so if I go to Installed Packages you'll see that I have both ACME and HAProxy already installed. Once those are installed, go to Services, and we will deal with ACME Certificates first. Obviously I have services running already and I have certificates set up, but when you go here it will be blank, and the first thing you're going to do is go to Account Keys and set up an ACME account within pfSense. To do that, you just go in here and click on Add. I'll show you my configuration; it's extremely straightforward. Give it a name, a description, and the ACME server you want to use. You can use staging, you can use production; it doesn't really make that big of a difference. I'm using the production server, so if you want to use that, go ahead. Put in the email address that you want to use to register with and click Create Account Key, and when you do that it will populate a new account key here for you. And then click Register ACME Account Key. It'll send you an email and then you can go through the process of registering. Once you do that, click Save and you will see something similar to what I have, meaning that you now have an account key for ACME.

Step two: create a client certificate. This is going to be used for essentially each service you want to expose to the web. Now, you can create wildcard certificates, but I just create one for each service that I use, and depending on your use case you may want to do the same. So you can see I have quite a few, but we are going to add a brand new one, and in this demo I'm just going to be exposing Nextcloud. I know that's a popular use case because people want to use Nextcloud as, obviously, a cloud-based storage solution, and the benefit of cloud-based storage solutions is that you can access them outside of your network. So, Name: I already have one set up, so we'll call this one "nextcloud2". Status: active. This is where you'll select that ACME account key that you just created; so I only have one, that was easy. And go down here to the Domain SAN list. This is where you're gonna have to enter your first real information. Now, Mode is gonna be Enabled. Domain name: that is going to be what you want the address of this service to be, followed by the domain that you purchased. So in my case I just want this to be nextcloud.mrballoonhands.com. And the method you want to validate with: now, there are a lot of options here. This is one of the benefits of using Cloudflare: it provides you an easy API plug-in to validate against Cloudflare, and you can see through this list there are many different ways you can do it, but for this demo we are using Cloudflare, so go ahead and select DNS-Cloudflare. It's going to ask for a bunch of information here, and you're going to want to populate that based on your Cloudflare account. For email, that's straightforward; it's the email you used to register. Account ID and Zone ID: those can be easily found over here, so I would copy Zone ID, I would copy Account ID. Then for token and key, those can be found by accessing your API screen within Cloudflare. So go back to Cloudflare, and right under here you'll see a link for Get your API token. Click on that. Now, I've already created a couple of API tokens. I've created a few just because, when you create it, I don't think there's a way to go back and see the token, so make sure you copy it into a safe place. Just go ahead and create a token; follow the same scheme I have: Edit zone DNS, permissions Zone DNS, and for all zones. Now, if you have multiple sites set up in Cloudflare you might want to restrict this to certain zones, but I don't care; it can have access to all zones. And API Keys is right underneath; just use your Global API Key. View that. Now, obviously I'm not going to share that on the screen, so I'm going to enter that information here and then scroll down. So let me do that. Okay, and we don't touch any of the rest of the settings. Click Save and you will see this created. Now what you're going to want to do is click Issue/Renew, and what this is going to do is actually issue the certificate for you, and it takes between 30 seconds and a minute, so we are going to let it do its thing. All right, if you answered everything correctly, you will get a nice green pop-up that says everything was successful, and if you scroll down and refresh you will see that our nextcloud2 certificate has been renewed. All right, we are done with the ACME portion of this. Next we have to move on to the HAProxy part.

So, same thing: we're going to Services, scroll down to HAProxy, and again you'll notice that I have stuff set up here already, but the first thing you're going to do is actually go into Backend, and this is where you set up the actual back-end connection to your service on your home network. So you can see I have quite a few set up already, but we are going to do our thing and add a new one. We will name this one nextcloud2. We are going to add an entry to the server list table. Mode: active. Give it a name. So address and port: this is going to be where on your home network your service or website lives. So for example, my Nextcloud service lives at IP address 10.0.0.33 at port 8282. And now this Encrypt (SSL) box: you will leave that unchecked most of the time, but if you are connecting to a service that is already using HTTPS and maybe has its own self-signed certificate, make sure you have this checked. But in our case it is not, so we will leave it unchecked. CA: we will select our ACME cert. CRL: none. Client certificate: so this is where you will specify the certificate that you just created. Now if I do the drop-down, I should see my nextcloud2 certificate; there it is. All right, everything else is left blank. Now you'll see there's a lot of options in here. I'm not going to go through everything; a lot of it you can just leave default. And to be honest, I'm not an expert on all this stuff, so a lot of this is over my head, but this is the configuration that works for me, and I am sure it'll work for you if you are running a very similar setup. So leave everything else as is, click Save, Apply Changes. Okay, I already noticed something that I didn't change: for Check, this is running an HTTP check. We're going to go back in and change this to None. If you want health checking you can set this up, but I don't. So Save, Apply Changes. All right, now you notice this is grayed out; that is because we haven't connected it to any front end yet, so that's our next step: create a front end.

So go to Frontend. You'll see I already have one created, so it's easier if I just go in and click Edit here. Instead of creating a new one (you would click Add), in my case we'll just walk through the one I already have created. So give it a name. I have it called "epyc spectrum"; my server is an EPYC-based machine and it's running on the Spectrum WAN. Whatever description you want. Status: active. For the table here, this is where you would specify which gateway you want to listen on. Now, most of you are just going to set WAN address here like I have, but if you're running a dual-WAN setup like I am, maybe you want this to be exposed to a specific WAN or specific gateway; here's where you would select it. But in our case we just set it to WAN, port 443 for HTTPS. Now, if you want to expose a different one, go ahead, but for most cases just use port 443. Enable SSL offloading, and make sure Type is http / https (offloading). Okay, now when you scroll down here you are going to see a list of all your access controls. So this is where you'll specify what type of domain name you want to listen for coming in. So you see I have quite a few listed here with my actual domain. We're going to add the one we created, so in this case again we'll call it nextcloud2. This should be "Host matches", and we are going to do nextcloud.mrballoonhands.com. Scroll down to Actions. Now we are going to add an entry here, and this is going to be where you specify the back end that you want to connect to. So click Use Backend, select the back end (you can see the nextcloud2 we just created), and this is where you specify the ACL name, so make sure this matches exactly what you entered up here: so "nextcloud2", all lowercase. So next up is go down to SSL Offloading, and here is where you can choose a certificate. Now if you only have one service... selected here is my first one that I created, so nextcloud, but you have the ability to add additional certificates down here. So this can just be your default certificate; it can be whatever, it doesn't matter, as long as you have the other certificates entered down here, you're good. So we're going to add this to our additional certificates, and here we are: nextcloud2. Everything else is left as default. Click Save, Apply Changes, and now if we go back to Backend you will see that nextcloud2 is no longer grayed out.

Okay, so hopefully by the time you've finished all that, maybe your Cloudflare stuff is done setting up and you will see a screen like mine: "Great news! Cloudflare is now protecting your site." That means you are good to go. So what we're going to want to do is go into DNS and add a record. So it's going to be type A, so an A record. The name is going to be just the first part of the name of the domain you want to use. So in our example, remember we're using nextcloud.mrballoonhands.com, so we would simply just type "nextcloud" here, and you'll see it gives us an example right above of the entire domain. And the IPv4 address is the public IP address for your WAN, so you can get this by searching "what is my IP" on Google, or you can go back to pfSense and get it from your dashboard. Now obviously I have this grayed out right now because I don't want you perverts trying to hack into my network. So that record should be created, and the next step is to scroll up and go to SSL/TLS and set this to Flexible. Now, you can read up on all the other configurations; I found that Flexible works best for this setup. Now, depending on what you have set up on your home network you may want to use Full or Full (strict), but in this case just use Flexible; it works perfectly fine. And we are done with Cloudflare.

Now we are nearly done, and if we go back to pfSense, one of the last steps is to make sure that the firewall rule has been created for your WAN. So on the WAN you can see I have 443 open for all sources, all ports, and this should be created automatically when you create that front end in HAProxy, but if it doesn't, just make sure this port is exposed on the network you specify as your gateway. So we selected WAN, so make sure it's open on your WAN. Okay, so if we did everything correctly, if we go to nextcloud.mrballoonhands.com, you see this is my Nextcloud server running on my home server, and you can see it's using HTTPS and it is secure using the certificates we provided. So we're good to go: Nextcloud running securely on our home server, exposed to the big bad internet.

Go to Services and Dynamic DNS, and you'll want to set this up so that any time your public IP changes, pfSense will automatically update that on all your A records in Cloudflare. So you can see I have all mine set up already. To do that, it's extremely simple: just go to Add, select the service Cloudflare. It's just going to ask for your username and password to that account and what hostname you want to update, and it's just going to run periodically, and if your public IP ever changes it'll make sure to update your A records on Cloudflare, so that, you know, you're not stuck with broken web pages just because your public IP changed at your house. So I recommend doing this, to save you some headache down the line if you forget to check this.

That's it. I hope this worked for you guys. It's definitely worked for me; it saved me a lot of headache of going through a lot of other, more complicated channels of setting up SSL encryption on a lot of my services. So let me know down in the comments how you have SSL set up on your home server, and if you use this, let me know if it worked out for you. But that's it. Drop a like below. Thank you so much for watching, subscribe if you want to see more content like this, and I will see you in the next one.
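Once the front end is live, the check a practitioner wants is an external one: does the hostname actually serve a certificate whose SAN covers it, and is the ACME renewal on pfSense still keeping it fresh? The script below is an added example (not from the video or the pfSense packages), standard-library Python only; the hostname and the 20-day threshold are assumed values, and the single-label wildcard handling covers the wildcard-certificate option the video mentions.

```python
import socket
import ssl
import time

# Assumed values for this example (not taken from the video).
HOSTNAME = "nextcloud.mrballoonhands.com"
MIN_DAYS_LEFT = 20  # ACME certs are 90-day; below this, the pfSense renewal job is probably failing


def hostname_matches(pattern, hostname):
    """Match one SAN dNSName against a hostname: exact, or a single-label wildcard (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return False


def check_cert(cert, hostname, now=None, min_days_left=MIN_DAYS_LEFT):
    """Evaluate a cert dict shaped like ssl.SSLSocket.getpeercert() output.
    Returns a list of problems; an empty list means the cert covers this host and is not near expiry."""
    problems = []
    now = time.time() if now is None else now
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in san_names):
        problems.append(f"no SAN entry covers {hostname}: {san_names}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < min_days_left:
        problems.append(f"only {days_left:.0f} days left; check the ACME renewal job")
    return problems


def fetch_cert(hostname, connect_to=None, port=443, timeout=5):
    """TLS-connect with SNI set to `hostname` (what HAProxy uses to pick the cert) and return the peer cert.
    `connect_to` lets you hit the pfSense WAN address directly instead of the Cloudflare-proxied DNS name.
    The default context verifies the chain, so an untrusted or mismatched cert raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to or hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    issues = check_cert(fetch_cert(HOSTNAME), HOSTNAME)
    print("OK: certificate covers the host and is not near expiry" if not issues else "\n".join(issues))
```

When the Cloudflare record is proxied, the certificate a client sees is Cloudflare's edge certificate, not the ACME one held by HAProxy; pass your WAN address as `connect_to` to verify the HAProxy side itself.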
Info
Channel: Raid Owl
Views: 6,464
Id: cB6oKJjr4Ls
Length: 17min 24sec (1044 seconds)
Published: Thu Aug 19 2021