SystemaD
pfsense + HAProxy + Self-signed root certificates
In a sort of follow-up to the pfsense + HAProxy + Let's Encrypt tutorial, I explain why I do things a certain way. I also show how to create a local certificate authority for strictly internal use.
Views: 3,268

Videos

pfsense + HAProxy + Let's Encrypt Howto
22K views · 4 years ago
A brief-ish tutorial on how to configure HAProxy on pfsense & use Let's Encrypt certificates. This tutorial assumes you're using Cloudflare as your DNS provider

Comments

  • @AliAutomationscifi · 3 months ago

    Thanks, worked like a charm.

  • @justinlangley1056 · 1 year ago

    Just one thing to add in terms of setting up NAT. Set "filter rule association" either to "Pass" or "Create new associated filter rule" (for additional routing and if you want future edits to apply to routing rules). Not configuring this option prevented my HAProxy configuration from working.

    • @BorisJohnsonMayor · 1 year ago

      Or could you just create a rule manually allowing traffic in from the WAN to that VIP?

    • @justinlangley8972 · 1 year ago

      @BorisJohnsonMayor You can. If you set up the NAT rules correctly, it's just going to create the same rules you mention creating manually in your Firewall/Rules/WAN tab.

  • @boxalox · 1 year ago

    If anybody gets stuck with an internal server on a different subnet not responding, consider changing the front ends to listen on any address. Then, if you want to scope it down for DMZ or tighter control of cross-LAN traffic, work through NATing and VIPs. This first step at least shows you that it is working and the issue is with your NAT/VIP. HAppy PROXYing!

  • @onyx0r · 1 year ago

    Well explained, good job.

  • @ryanwright3965 · 1 year ago

    Great video. You deserve way more subscribers. I have an issue, however. If I run the backend on the standard HTTP ports, 80 or 443, everything works great. If I use a non-standard HTTP port, HAProxy says "No server is available to handle this request.". The server is definitely running because I can access it directly from the browser, but HAProxy thinks it is not available. Are there restrictions on what port HAProxy can use? Anyone encountered this error?

  • @CristianHeredia0 · 2 years ago

    Wow. Many thanks. I tried many tutorials. This is the only one that worked. The virtual IP did the trick! Also, I needed to create two individual backends for each app, slightly annoying, but I'm happy it's at least serving internal HTTPS.

  • @redbutcher74 · 2 years ago

    Just the video I've been looking for!! Fantastic - finally got it all working - many, many thanks!

  • @texanallday · 2 years ago

    @SystemaD, please post more - read the comments here...

  • @sherrongritz6648 · 2 years ago

    Two of the best videos about HAProxy on pfsense. You made it easy to follow and understand.

  • @brett1234 · 2 years ago

    I mean seriously. I've been pulling my hair out trying to get this to work using the more common traditional way of setting this up on HAProxy, and THIS is the only way that worked for me. I literally could die with the amount of sleepless nights I've spent trying to get this thing working. Thank you, I think you saved my life. The only issue I have now is potentially setting up multiple internal servers using this method, because you only showed one (what if I had more than one internal server, in other words). If you could expand on doing that, that would be great. Another hurdle I can't get past is setting this up for NextCloud; any videos on that would be cool (maybe giving you some video ideas). Thanks again!

  • @an7534 · 2 years ago

    Lovely voice and great explanation:)

  • @sherrongritz6648 · 2 years ago

    How can we add a second server with different ports like 8000 and 9443? Do we need another virtual IP, or can one virtual IP handle everything? I have the first one working with standard ports 80 & 443, but any other server with different ports either can't be reached or throws error 522. Any help would be appreciated.

  • @Elmojomo · 2 years ago

    I was hoping this video would solve my problems, but when I click the [Issue/Renew] button for the cert, I get that block of green text, but towards the bottom it says "invalid domain" and doesn't create the cert. It suggests I check the log, but for the life of me I can't find any way to access the logs for ACME. Any ideas?

  • @SavellM · 3 years ago

    You go through all the effort to hide your domain name, only for the pop-up to not be blurred :( Just FYI

    • @SystemaD · 3 years ago

      Haha! Cheers. I'm not entirely sure why I bothered to hide the domain name at all really. As you say, it was a lot of effort to go through it. And clearly, I missed some....

  • @THEGURU1234556 · 3 years ago

    Well done, works perfectly, gold star.

  • @mistakek · 3 years ago

    Thanks. Great video, finally got mine working.

  • @kuldeepbhatti · 3 years ago

    Hi.. thank you for a great video. Everything makes sense, but when I tried this, I am getting “503 Service UnavailableNo server is available to handle this request.” though it's loading the correct certificate. I am not sure what I'm doing incorrectly. Any help would be greatly appreciated.

    • @SystemaD · 3 years ago

      A 503 error would indicate that the backend cannot talk to the service you require. Either you're pointing to the wrong port, or the service is using SSL and the backend needs to be set as such, and to ignore TLS errors.

    • @kuldeepbhatti · 3 years ago

      @SystemaD thank you for the reply. I followed your other video and changed the monitoring from HTTP to Basic, and now all is OK.

  • @silentijsje · 3 years ago

    My man, thank you for this guide. It worked for me. The virtual IP was the solution, probably. Now I'm just stuck a bit on how to add a 2nd one.

  • @sicanu1981 · 3 years ago

    This is not working with Nextcloud.

    • @SystemaD · 3 years ago

      It does, I've tried it. You probably need to change the site URL in the Nextcloud config. In addition, there are some extra steps to perform that were way out of scope for this video. The Nextcloud docs do have a section on HAProxy where it details the extra steps for well-known & HSTS. I no longer use pfsense, so I'm not about to do another video using Nextcloud any time soon.

  • @philip390 · 3 years ago

    Thanks Matt, been trying to follow your old video to accommodate my setup. Great stuff as always. Keep it up.

  • @ShurovAnt · 3 years ago

    Resolution on 503 error (at 5:35) was extremely helpful! Thanks

  • @Bruno_AFK · 4 years ago

    This is the best video on this topic :)

  • @fonte935 · 4 years ago

    Wow, great video, thank you! Gonna test this myself!

  • @xPsIXx · 4 years ago

    Thanks for the video. Please consider scaling down your screen, as it would be easier to read on smaller screens.

    • @SystemaD · 4 years ago

      Thanks for the feedback. Most helpful. I'll see what I can do when I get around to recording the next video.

  • @peterge98 · 4 years ago

    Thanks! Using a virtual IP solved my problems!

  • @littlegeek88 · 4 years ago

    FOR THE LOVE OF SCIENCE!!! THANK YOU! Although, I had to set Health checking to none on my backend for it to work. Do you happen to know why?

    • @SystemaD · 4 years ago

      It depends a lot on what the backend is. Some of the ones I use will only work with basic or none too. I cover it a bit more in this video th-cam.com/video/KkL3QyYlNUI/w-d-xo.html

  • @The8BitHero · 4 years ago

    There is a lot of great info in this video, thanks. Though I still don't understand what the virtual IP is for. What is the point of a VIP pointing at another address on the same subnet? Why can't you just put the actual server IP(.43) instead of your VIP(.130)? I'm not grasping this part. Just setting the front end to WAN address would eliminate the .130.

    • @Psybernoid · 4 years ago

      I actually explain that in a follow-up video I put up last week. But in a nutshell, it gives options. If you wish to learn more on why I did that, please watch the pfsense + HAProxy + Self-signed CA video. Also, you can't point it to the IP of the actual server. The server doesn't have the LE cert on it. HAProxy has the cert and offloads that to .43. Setting the frontend to WAN would work, but only reliably for external connections. You would have to use hairpinning/doglegging/tromboning (whatever you want to call it) and that's clumsy and not for me.

    • @The8BitHero · 4 years ago

      @Psybernoid Makes sense, thanks!

    • @fonte935 · 4 years ago

      @Psybernoid I was thinking the same, why the virtual IP? This is a great explanation!

  • @Oswee · 4 years ago

    I am wondering... is there, on the globe, a single person who knows how to configure this beast properly? Where are they? Do they hide in caves away from humanity? Too busy to teach others? Every single video I watched about configuring pfsense is incomplete, non-idiomatic and badly presented. Most of them cover only a tiny fraction of real-world/real-business requirements. Some gentleman/lady in his/her garage managed to install pfSense and now they think they are able to teach others... which leads us to a sh*load of c*p videos on TH-cam. :( Wasting all day long looking for gems. :) No... don't get me wrong. I am not being harsh to you. This is one of the best videos on this topic, but... it definitely can be done better. Thanks to your video I managed to create LE wildcard certs via a manual _acme_challenge TXT record. Do you think that slow page load at the end is normal pfSense behavior?

    • @SystemaD · 4 years ago

      It's slow because the pfsense install I'm running here has both networks (WAN & LAN) on RFC1918 segments. That caused the machine I was running on to get a little confused. It most certainly is a hell of a lot faster on my production pfsense install. For fairly obvious reasons, I decided not to record a video using that, as the amount of censoring I would've needed to do would be ridiculous. I'm going to record a follow-up video in the next few days; if you have any suggestions or requests, please feel free to chime in.

    • @Oswee · 4 years ago

      @SystemaD He-he.. :) :) You can do it your way. I can just tell you my story. A friend of mine has a small business. A long time ago there were many "IT Consultants" and "System Administrators" who created a little hell and left. Nobody knows how all that thing works, but hardware pieces started to die. A hard drive there, a NIC there, an MB there... and some mysterious part of the network died as well. Nobody knows what exactly died, where the access credentials are, etc... :D And so my friend urgently asked me whether I could take a look, and I agreed because... why not learn something new. Not rocket science, right? So... they have a few dozen PCs, a few servers, a few homepages, an internal ERP system, VoIP, etc... I bought an additional pretty powerful HP server with plenty of RAM, CPU, etc... just to not f*k with production HW, with the idea to slowly migrate pieces of everything... and for every migration to write a nice Ansible playbook and Docker Compose file so that they have clear instructions on how to reproduce the system setup if I am not available anymore. Long story short... I decided to dedicate 3 NICs of that server to a pfSense VM (with the later idea to move this to a separate box when it frees up). They have 2 ranges of public IPs with 2 ISP gateways. So... 2 WAN cables in and 1 LAN cable out. A 4th cable for the host server itself. Nice. Done. pfSense setup was smooth; I have 3 interface assignments. The pfSense VM takes like... 1/32 of the total server resources. My belief is: IT SHOULD run well. Plugged out every cable and turned on this new router. Yeeey!!! They got online... at least the office is now able to get outside to the web. Basically I wrote a few DHCP rules and enabled DHCP discovery on user machines. Now I can discover all of them remotely with Nmap or another tool. Mail server... my first pain... everybody wants to receive mails and they have their own dedicated mail server + webmail client. Hmmm... IMAP, POP3, SMTP etc... File server... somebody created Samba in Docker, which is a good idea in my opinion, but he didn't leave a Docker Compose file or anything... Local/public ERP systems on dedicated servers with a bunch of sub-domains. No single TLS certificate in the entire company... And finally me... they are located on the other side of the city and I am wasting too much time just travelling there... so I need to have a VPN. I followed ~10 similar instructions there on YT... but... I can connect, I can ping the infrastructure, but I can't access the pfSense dashboard, for example. (Thank God I set up a temporary TeamViewer (don't judge me there :D )). I got some websites accessible from the WAN, but they can't access them from the LAN. Some external programmers want to have dedicated access to some specific hardware. So... I listed a few of the real-world tasks I should solve. This is not a "LAB" setup everybody there on YT is clicking through. Behind every IP there is a real person with real needs. For now, the most challenging part is proper VPN configuration and emails. Everything else is secondary. While there are a bunch of moving parts, I still think there is no need for any additional hardware. They are not a hedge fund or forex trading company. Their requirements are really low. And so this pfSense instance should handle all the DNS requirements, HAProxy, and DHCP... Hope this will help you somehow. :) Have a great day and I am going back to beat that VPN dragon! :D

  • @jonathan.sullivan · 4 years ago

    This is great, and it definitely gets asked weekly if not daily in the subreddit. I would like to add two things for the next video: show people how to add a second domain and point it to web server B on a second backend, and also how to use a wildcard instead of having to enter multiple subdomains. Cheers.

    • @SystemaD · 4 years ago

      That's a fine suggestion. Thanks for that. I'll most certainly get a follow-up video done soon. I've been asked a few questions, so will clear those up. Along with covering what you suggest.
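
Several threads above ask the same two things: why a 503 "No server is available" appears even though the service is reachable directly (SystemaD's reply: the backend is pointed at the wrong port, or the service speaks TLS and the backend is not set to use SSL and ignore certificate errors; kuldeepbhatti and littlegeek88 fixed it by switching the health check to Basic/none), and how to serve a second internal server behind the same virtual IP (CristianHeredia0: one backend per app; jonathan.sullivan: route a second domain to web server B). The following is an added example, not configuration from the video or the channel: it is the plain HAProxy configuration that the pfSense HAProxy package generates from the GUI, written out by hand so the relationships are visible. Every address, hostname and path in it is assumed: VIP 192.168.1.130, an HTTPS-only app at 192.168.1.43:443 (the ".43" in the VIP discussion), a plain-HTTP app on a non-standard port at 192.168.1.44:8000, the hostnames app1.example.com / app2.example.com, and a Let's Encrypt bundle at /etc/haproxy/certs/example.com.pem.

```haproxy
# Added example, not the video's configuration. All IPs, hostnames and
# paths below are assumed placeholders for a lab, adjust to your network.

global
    log /dev/log local0
    # TLS is terminated here, so the frontend, not the app, sets the floor.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# The frontend binds to the virtual IP (not the WAN address), so LAN
# clients reach it without hairpin NAT; NAT forwards WAN 80/443 to the VIP.
frontend https_in
    bind 192.168.1.130:443 ssl crt /etc/haproxy/certs/example.com.pem
    bind 192.168.1.130:80
    # Plain HTTP is only there to bounce clients onto HTTPS.
    http-request redirect scheme https unless { ssl_fc }
    # One backend per application, chosen by the Host header.
    acl host_app1 req.hdr(host) -i app1.example.com
    acl host_app2 req.hdr(host) -i app2.example.com
    use_backend app1 if host_app1
    use_backend app2 if host_app2
    default_backend app1

# App 1 speaks TLS with a self-signed certificate. Without "ssl" HAProxy
# sends cleartext to a TLS port, the health check fails, and every request
# gets 503 "No server is available to handle this request".
backend app1
    option httpchk GET /
    # "verify none" is the GUI's "ignore TLS errors"; see the note below.
    server web1 192.168.1.43:443 ssl verify none check

# App 2 is plain HTTP on a non-standard port. No "option httpchk", so the
# check is a bare TCP connect (the "Basic" health check in the GUI), which
# is what apps that do not answer GET / with 2xx/3xx need.
backend app2
    server web2 192.168.1.44:8000 check
```

Validate the file with `haproxy -c -f <file>` before loading it. Two points worth keeping in mind when translating this back into the pfSense GUI: `verify none` disables certificate validation on the internal hop, which is fine for a lab but, for an internal CA such as the self-signed root the follow-up video builds, `ssl ca-file /path/to/internal-root.pem` (path assumed) keeps the hop authenticated with no loss of convenience; and a backend that works with the check set to Basic but not HTTP usually means the app returns a redirect or 401 for `GET /`, which HAProxy's HTTP check treats as "down" unless you point `option httpchk` at a path that answers 200.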

  • @borealis370 · 4 years ago

    8 subs? You've got 9 now.