dude thank you i've been trying to setup my media server like this for months switching from ngix to caddy and still nothing one watch from your guide and i got it working so again thanks and you've more then earned a subscribe from me
Thinking you did a very poor review on discussion for pfsense firewall settings, followed exactly, Cloudflare cannot connect to haproxy on request, it keeps saying host error. Also consider opening the following port under Firewall / Rules / WAN, does not include the opening for firewall under any time i have created a rule in this section. I will try to figure it out, but its been an all night headache because nobody that makes these videos does a more detailed explanation on the firewall settings in pfsense.
i have one question any one can answer it ?? why all this for just ssl certificate i can use let's encrypt or if i purchase a domain name from any platform i can have free basic ssl encryption . if you need waf or ddos capability this is a different thing . but you have to change the title of the video to somthing related to security measure
Not sure if it's a default, but HAproy wasn't enabled when I followed this tutorial. Kinda just jumped straight into the backend without going over connection limits etc.
One small but very important detail missing from these instructions: you need to "Enable HAProxy" in the Services > HAProxy > Settings menu. It is not enabled by default when you install the service.
I appreciate the walkthrough. I'm having some difficulty getting everything to work. I'm currently getting a 'connection timed out error code 522'. I've got multiple vlans, I'm curious if that could somehow be causing issues. Do you have your setup with multiple vlans or do you have a flat network?
For people testing, stick with the staging certs because if it does not work and you try it using production certs, you will not be able to renew/change a cert because you will be rate limited. Once the testing stuf works then push a production cert
Never could get this to work. I get error message "The page isn’t redirecting properly" in Firefox. Chrome says "This page isn’t working [...] redirected you too many times."
Ola Amigo, Otimo video, segui os passo, porem quando tento acessar o meu endereço ele da erro: 503 Service Unavailable No server is available to handle this request. O que estaria ocorrendo ? Pois somente eu acesso a aplicação do Nextcloud.
A quick question, if a want to add a top layer of security, for example using mfa, or a private key installed to get access to a specific service using this configuration, how can I do it? Someone knows any package to help into that? Thanks
Thanks for making this video. Does this method still work? I tried it, and I am getting the 522 error that others saw. I switched to Full (strict) encryption, but that didn't fix things. The only thing I do differently is that I did not use Google for my domain registry. I decided to use Cloudflare since they were giving me the other services. When I set up my domain, I used an A record for the base domain name as well as the sub-domain names. Is that correct? I tried to look on the discord site, but I don't know my way around there, and I couldn't find the discussion on this video.
You don’t need acme for this if you are using cloudflare, you can just generate a cloudflare origin ssl cert, then select “full tls strict” in the ssl tab in cloudflare, upload that cert in your pfsense and have it served by haproxy
Hey man. Great video. question though. The issue I'm having now is my subdomains work and are accessble via HAProxy but my main root domain is not. I can't access my main page only subdomains via HAProxy. Any ideas on where to look to resolve that issue?
Is the reason that you don't use wildcard certs that you have two wans? I'm very new to this stuff but it seems like wildcard certs might not work if you have multiple public IPs for different services?
Running into a error when issuing the cert. Subdomain is resolvable but its failing. Deleted the cert and created it again following your instructions and no joy. Posted in the Cloudflare community and letsencrypt. SSH'd into my pfsense and cat'd the log. Funny it started working hours later without any changes.
Solved my problem, had to change email in Account Key, then 1st generate certificate with staging, and then with production. Anyway good tutorial, thank you
Love the ACME tool for PFS, usually good when running HAP, but since Letsencrypt lost their X3 Root Cert this Fall, it's shown it's ups and downs... Luckily PFS let's you import wherever Certs you got, so opting for paid SSL saves the day... I'm hoping after TLS 1-1.1 sheds away, the updates that follow may provide some legacy patching in older mobiles concerning Letsencrypt, but I won't hold my breath.
This Channel is FANTASTIC! I found your channel a week ago, and after watching a few of your videos I can confidently say that your channel is now my main go to channel for Home-lab related how-to information. I subscribe to many other similar channels and more often than not, the host(s) simply mention a *key step (saying that you need to go x and y and do Z first) while NEVER showing you how*. They assume you already know how, and then spend the rest of the video showing the easy steps (which most of us already know how to do). Thank you for being the source that actually shows the key steps, that most (or at least me) seem to get confused about. Subscribed!!!!
I’m so glad to hear my videos have helped you. I’m still learning myself so I tend to approach videos in way that I’d like the stuff to be presented to me. Hopefully my future videos continue to help or at least entertain you!
This tutorial is major fail. You talk about how to to all this but NEVER show it. This isn't audio podcast. It's youtube video tutorial. You need to show not talk about doing it. FAIL!
Having never done a Cloudflare API token and there's lots of templates I don't know where to start? I'll guess it's the Edit zone DNS template but that's a guess! Let's see if that works.
How do you handle the certificates if you have k8s cluster in network using traefik as reverse proxy? Besides that, my setup is similar using pfsense and cloudflare. Thanks.
Hi, good video, i have all this configuration at my home, my problem is when i try to connect my backend api, This service it is in another machine, another ip, behind the firewall, it is not working. I saw in your video, when you test the page with login and password it is the same my. How you configurate that access to not expolse your backend api?
Nextcloud itself is not exposed to internet correct? Meaning without HAProxy you can only access nextcloud on your private network? Mine is only accessible from inside and I think if you want to make it accessible from outside you have to set it up differently on initial setup but from what I understand that’s not necessary with HAproxy? Great videos!!
Well you set up the host name initially but you need your DNS server to point to it (whether that’s on your LAN or exposed). That’s where Cloudflare and HAProxy comes in. Cloudflare acts as your DNS and points your site to your public IP then HAProxy routes that directly to where it needs to go on your LAN. You can probably do it without HAProxy but I like using it.
@@RaidOwl Thanks for the reply!!! I most definitely would want to do it with HAProxy, I think it’s more secure that way.. just wasn’t sure if I had to do anything extra to my nextcloud which currently is only accessible internally. I have cloudflare set up as well just have not been brave enough to expose nextcloud yet heheh. Have you had any security issues? Bad internet folks knocking on your firewall trying to log into your services? Do you use anything else on your pfsense like snort, surricata, pfblocker??? I’m trying to set up pfsense now to make a switch from ubiquity so that’s why I’m asking. Do you host your own bitwarden and expose it with HAProxy as well?
Cloudflare and pfSense do a solid job of filtering out the crap. You can install some more aggressive stuff via pfSense but you may not need it. I use Bitwarden but not self hosted (yet). That may be a future video haha.
Thank you for the excellent guide on how to get this configured. The only issue I am having is how I am configured like most where my pfSense is inside my network after my ISP enabled router. This is my hardware. When I go to add the Frontend for HAProxy it is showing the Address as the static assignment from my ISP device...not my public IP. I think there is a NAT issue but unsure of the best route. ISP is consumer grade so there is not a static IP possible. Thoughts?
very good. But did you set anything on your ISP device, such as opening a port or a NAT to your pfsense server ? How the traffic arrives in your pfsense machine ? Because the DNS record points to your public IP, not to the reverseproxy/pfsense one. Thks
This post I'm writing now is just shy of a year after you posted this video, which ironically, was about the same time I started to struggle with getting haProxy running on pfSense. Thanks to this video, I got the few missing points to get the installation complete. I was using dyndns to do my DNS hosting, but I think I'll be switching over to Cloudflare. The ONLY thing I'm missing right now is getting DNS to update correctly. pfSense just comes back saying it couldn't do the update, and I can't seem to find the log (yet). Not a huge deal right at the moment. I can edit the IP manually for now, as I don't change IPs frequently, but it'll still need to be done.
great explanation and setup, I wanted to do similar, do anybody have similar setup but on ubiquiti HW without pfSense on additional HW ? pfSense router in my country cost double the price
Great video as usual.. thank you again! I'm going to set this up this week. I've been looking at so many videos on pfsense, ha proxy and acme that I'm a bit unsure. Using this method do we need change the pfsense web configuration port from 443 to something else? And then setup NAT Firewall rules to pass ports 443 and 80 to ha proxy or, is there no need to do that with this method? Tia
Allowing all 443 traffic on your WAN ACL is extremely unsafe! I would recommend changing that, and locking it down to specific sources and destinations.
With cloudflare you set up https to your pfsence, which has your let`s encrypt sert. It is a little bit redundant , as you just have set up proper cert on pfsense. so you have: internet trough cloudflare cert and proxy to cloudflare, then cloudflare to pfsense with let`s encrypt cert. You can disable CF proxy ( in DNS settings ) to realy see your cert on domain, otherwise you will see CF cert. About modes: 'Flexible' encryption mode means that cloudflare doesnt check for https and can proxy to http service full checks for any https cert (even self signed will work) Full ( strict) means to check proper https cert( let`s encrypt one)
Excellent! This is really what I wanted to setup. I have all my services running locally on k8s, it'll be great to expose some of them on the internet.
Well, I wanted to get this set up to test, and maybe start hosting my website, but pfSense won't show any available packages with the error "Unable to retrieve package information.". Google is not much help as most of the posts are old. I'm on version 2.5.0-development, and no matter what I try it just says I'm on the latest version. I came here from your latest video about self hosting. A few years back I ran a site off of server 2003, but put that OS to bed for obvious reasons. I'll try again, after Amazon delivers my 6 WD Red Plus drives for my NAS project. Gee, wonder who put that idea in my head? Lol!
Oh man the dreaded “unable to retrieve package info bug”. I got this a few months ago. Your best bet is to backup pfSense and then do a hard factory reset then restore from your backup. I had to do it twice but that fixed it.
Thanks for the guide! I was able to get most things working from scratch, but could not get my hosted service to respond. After a few hours of troubleshooting, I found that HAProxy was NOT enabled! Went to HAProxy -> Settings -> Enable HAProxy Everything worked after that.
Thks. I have a question: the second part (haproxy setup) is in case we want to access from outside, right ? So if I don’t want , but I still want to access my service (cloudcommander or whatever) from my lan with a valid certificate, I can skip this second part ?
Right, if you don't care about remote access then you can skip that part. You'd have to change HAProxy to listen on your LAN instead of WAN most likely if you still want it to handle the communications.
Awesome! I had pfsense virtualized and pondering what next. This is perfect time to follow your tutorial. By the way, do you run all your server VM, CT etc behind pfsense while the rest of the home on another network? Can you cover such scenario as 1. using pfsense only for your server and services on it while all other devices on home network but able to talk to homeassistant, 2. pfsense as main router and setting up simple vlans etc.
Hi! Glad this offered up some inspiration! For your question about what I personally run: I run pfSense as my main router so everything flows through that. I think I have two videos that might could address your two scenarios. For scenario 1, I’d recommend you check out my “turn your pc into a router” video (th-cam.com/video/9GPtEIi_zeQ/w-d-xo.html). For scenario 2, maybe my home network setup video will help (th-cam.com/video/_cDEdjDGP8w/w-d-xo.html). I know these aren’t EXACTLY what you’re looking for but I’ll keep your questions in mind for future vids. Thanks for stopping by!
How did you assign port 8282 to your nextcloud server? I keep running into issues because my ISP blocks port 80. 443 is open though. Does anyone know how to get around this?
@@natewoehrle5376 I would recommend using Docker, as its more configurable. There is a learning curve but there are TONS of guides and videos to help you along the way. If you don't wanna go that route then you can still modify the ports it uses after installing via Snap by modifying the nginx.conf file. help.nextcloud.com/t/change-port-443-and-80/13742
Hello, Great tutorial! I have a strange issue though... Once complete, I can access nextcloud via the domain just fine. Once I enter a new username and password and hit enter, I start getting 522 errors from the domain. The really peculiar thing is I can still access it via the domain name from my PC. Are there any pfsense settings I should maybe look at? The LAN rule is just all to all, so thought that would be enough for the server. EDIT: Even stranger, from the same PC, incognito chrome can't access the webpage when standard does.
@@RaidOwl Thanks for the reply. I had seen something similar so had made that adjustment already. The thing that doesn't make sense is that I could access it before creating the first user. As soon as I created the first user, it stopped connecting.
At the part where you create haproxy backend and select CA acmecert, I do not see the option you select. The options I see are "none", the internet security research option and the long one you show after the research option. Could this be why I get a 500 error when accessing my page (Error 526 Inalid SSL Certificate and the diagram shows browser and cloudflare working but not host therefore SSL cert did not pass validation?)? Why isn't that option showing up for me? I have tried changing Cloudflare TLS to full and full(strict) and it makes no difference.
When I switch to full in cloudflare I get another error: Potential DNS Rebind attack detected, see en.wikipedia.org/wiki/DNS_rebinding Try accessing the router by IP address instead of by hostname.
I go to SSL checker and receive this info: The certificate is self-signed. Users will receive a warning when accessing this site unless the certificate is manually added as a trusted certificate to their web browser. You can fix this error by buying a trusted SSL certificate None of the common names in the certificate match the name that was entered (unraid.gingaranga.dev). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors. I should be able to fix the first issue by setting cloudflare tls to "full" but I do not understand the second error
Would you do a video on setting up next cloud? Without haproxy, your next cloud on truenas is only accessible from your internal network correct? Meaning there’s nothing extra that you need to set up on next cloud? Do you use bitwarden as well and expose it to the web? Great video!
Great tutorial, thanks. I followed it and it works in my setup but only if I disable the DNS proxy in my Cloudflare's A record (gray cloud) or if I disable DNSBL in fBlockerNG. If I proxy the DNS in cloudflare dashboard then I get Error 522 when trying to access my device. Do you have any hints on how to solve this?
@@erbmur Do you have anything that is blocking IP address of cloudflare? Like for instance pihole or similar software? If not, if you follow this tutorial it should work, at least it worked for me.
@@misckicirina yes, I have piHole. But I checked the logs and it didn't look like anything was being blocked. What IP address did you whitelist on pfBlockerNG? Edit: maybe I should try enabling HAProxy first. Works a charm!
Does having an open port like this leave you vulnerable, can you access via your public IP to the server? I've tried without HAproxy and it doesn't work :( but with CloudFlare's proxy turned off it works, therefore, I assume HAproxy is need to sortout the certs - I'm not 100% sure how HAproxy works
Opening ports will always be "vulnerable" in that it opens up that service the public. However, many security protocols are in place by either your router/firewall and CloudFlare itself to try to alleviate any attacks. You need HAProxy because that is whats going to be what routes the request to a specific ip/port combination within your network. It basically acts like an old-school switchboard operator between your LAN and the outside internet.
@@RaidOwl ok thanks, Can you connect directly to the open port 443 via your public IP or does HAproxy block that way in. (I guess you could could put Cloudflare's IP's in an alias and put that in the rule for source, in turn blocking any direct connection. I'm sure if an IP comes in via a Cloudflare IP or the originating IP)
Nah you can certainly use 443 and only allow Cloudflare’s IP if you’d like to go that route. Edit: I just tried your suggestion and am now only allowing traffic through port 443 if it comes from Cloudflare's list of IPs - www.cloudflare.com/ips/ Everything is working as expected. I can access my services publicly through my domain but not if I access my public IP directly.
@@RaidOwl Thank you for testing that out and reporting back the results. It's probably safer that way and to stop your public IP running servers from being exposed.
Are there any steps I need to do for a dynamic public IP. Mine seems to change every other week, so how do I incorporate something like DynDNS or NO-IP with pfSense and the rest?
@@RaidOwl And if I wanted just my internal servers to get certificates without being exposed, I assume i change the frontend in HAproxy to my LAN rather than WAN? And also need a wildcard?
@@RaidOwl great. one last question, if i run pi-hole and all my vlans point to my pi hole for dns resolution. Will that cause any problems with this setup? My upstream dns servers are cloudflare anyways. would i need to change the upstream dns servers within pihole as shown in the vid using the cloudflare nameservers?
Excellent video(s). I moved my domains to Cloudflare, got all the necessary codes, keys, etc to obtain a verified Acme account. I have a question regarding Acme and Haproxy as it relates to the appliance I'm using to run pfSense. I have an old self-signed certificate that I created years ago to eliminate the annoying "proceed at your risk" warning I'd get when I entered the static IP address where the pfSense appliance resides. I loaded it in the trusted stores of Chrome and it works as advertised. I watched the Lawrence System video on how to create a certificate using Acme and Haproxy for private servers, etc. I've tried to implement those steps to replace the old self-signed certificate but I just can't get it to work. Would you consider creating a video that addresses this topic? Thank you.
Heya when I access my website it come up with a pfsense window that state "Potential DNS Rebind attack detected, see en.wikipedia.org/wiki/DNS_rebinding Try accessing the router by IP address instead of by hostname." slightly worried that I have exposed the wrong thing if anyone can help that would be amazing!
![[TH] FS vs BME - VCT Ascension Pacific - Lower Bracket Final](http://i.ytimg.com/vi/wnygqsR2Fig/mqdefault.jpg)
If the 'Flexible' encryption mode in Cloudflare isn't working for you, try 'Full (strict)'.
Full (Strict) is the correct setting
Thanks for the tip! Spent a few hours figuring out what i did wrong.. I confirm Full(Strict) works for me while the Flexible setting didn't.
dude thank you i've been trying to setup my media server like this for months switching from ngix to caddy and still nothing one watch from your guide and i got it working so again thanks and you've more then earned a subscribe from me
Thinking you did a very poor review on discussion for pfsense firewall settings, followed exactly, Cloudflare cannot connect to haproxy on request, it keeps saying host error.
Also consider opening the following port under Firewall / Rules / WAN, does not include the opening for firewall under any time i have created a rule in this section.
I will try to figure it out, but its been an all night headache because nobody that makes these videos does a more detailed explanation on the firewall settings in pfsense.
Also with tokens, true, you only see once for security reasons
Good one.
Caddy! ❤️
Hand Banana
i have one question any one can answer it ?? why all this for just ssl certificate i can use let's encrypt or if i purchase a domain name from any platform i can have free basic ssl encryption . if you need waf or ddos capability this is a different thing . but you have to change the title of the video to somthing related to security measure
Not sure if it's a default, but HAproy wasn't enabled when I followed this tutorial. Kinda just jumped straight into the backend without going over connection limits etc.
One small but very important detail missing from these instructions: you need to "Enable HAProxy" in the Services > HAProxy > Settings menu. It is not enabled by default when you install the service.
Very true
Thanks for posting. I had this setup once and never left home since pandemic. Running pfsence for a couple years now trouble free, it's so stable.
Your tutorials have been an incredible resource for me. Thank you so much.
I appreciate the walkthrough. I'm having some difficulty getting everything to work. I'm currently getting a 'connection timed out error code 522'. I've got multiple vlans, I'm curious if that could somehow be causing issues. Do you have your setup with multiple vlans or do you have a flat network?
For people testing, stick with the staging certs because if it does not work and you try it using production certs, you will not be able to renew/change a cert because you will be rate limited. Once the testing stuf works then push a production cert
Never could get this to work. I get error message "The page isn’t redirecting properly" in Firefox. Chrome says "This page isn’t working [...] redirected you too many times."
Ola Amigo,
Otimo video, segui os passo, porem quando tento acessar o meu endereço ele da erro:
503 Service Unavailable
No server is available to handle this request.
O que estaria ocorrendo ? Pois somente eu acesso a aplicação do Nextcloud.
A quick question, if a want to add a top layer of security, for example using mfa, or a private key installed to get access to a specific service using this configuration, how can I do it? Someone knows any package to help into that? Thanks
what if my wan is under CGNAT will this work or big requirement is having accessible public Ip?
Thanks for making this video. Does this method still work? I tried it, and I am getting the 522 error that others saw. I switched to Full (strict) encryption, but that didn't fix things. The only thing I do differently is that I did not use Google for my domain registry. I decided to use Cloudflare since they were giving me the other services. When I set up my domain, I used an A record for the base domain name as well as the sub-domain names. Is that correct? I tried to look on the discord site, but I don't know my way around there, and I couldn't find the discussion on this video.
What about wildcard on pfsense? Certificates for LAN network
You don’t need acme for this if you are using cloudflare, you can just generate a cloudflare origin ssl cert, then select “full tls strict” in the ssl tab in cloudflare, upload that cert in your pfsense and have it served by haproxy
Hey man. Great video. question though. The issue I'm having now is my subdomains work and are accessble via HAProxy but my main root domain is not. I can't access my main page only subdomains via HAProxy. Any ideas on where to look to resolve that issue?
Is the reason that you don't use wildcard certs that you have two wans? I'm very new to this stuff but it seems like wildcard certs might not work if you have multiple public IPs for different services?
lol he did all that and used flexible ssl on cloudflare. you dont need acme and ssl offloading for the FLEXIBLE option. what a muppet
Saving this for later. I'm running OPNsense, but it also has HAProxy plugin, so the steps are pretty similar. Love your channel.
Thanks! 😊
Running into a error when issuing the cert. Subdomain is resolvable but its failing. Deleted the cert and created it again following your instructions and no joy. Posted in the Cloudflare community and letsencrypt. SSH'd into my pfsense and cat'd the log. Funny it started working hours later without any changes.
it would be helpful if you show how you installed pfsense locally
Robinson Donald Anderson George Robinson Nancy
I don‘t understand why you grey out your ip address, because the way you set it up, it is public anyway
Welcome
can you help me
I have a desktop computer with 4 network ports - 4 DSL lines
I want to collect speed on a virtual IP
I hope you can help me
johnny hammersticks ovah here. thinks he's gotta go and bossa nova. captain tiein' knots! not my ip, not my problem, thats what I always say!
Who put that proxy there? Not my proxy not my problem.
Hi, my "ca" list have only "none" in the backend form, and in certificate manager, i just have nothing. can anyone help ?
Solved my problem, had to change email in Account Key, then 1st generate certificate with staging, and then with production.
Anyway good tutorial, thank you
Any idea how to setup this up for local DNS?
Love the ACME tool for PFS, usually good when running HAP, but since Letsencrypt lost their X3 Root Cert this Fall, it's shown it's ups and downs... Luckily PFS let's you import wherever Certs you got, so opting for paid SSL saves the day... I'm hoping after TLS 1-1.1 sheds away, the updates that follow may provide some legacy patching in older mobiles concerning Letsencrypt, but I won't hold my breath.
Anyone know how to do this for services you dont wanna expose to the internet ?
This Channel is FANTASTIC!
I found your channel a week ago, and after watching a few of your videos I can confidently say that your channel is now my main go to channel for Home-lab related how-to information. I subscribe to many other similar channels and more often than not, the host(s) simply mention a *key step (saying that you need to go x and y and do Z first) while NEVER showing you how*. They assume you already know how, and then spend the rest of the video showing the easy steps (which most of us already know how to do). Thank you for being the source that actually shows the key steps, that most (or at least me) seem to get confused about. Subscribed!!!!
I’m so glad to hear my videos have helped you. I’m still learning myself so I tend to approach videos in way that I’d like the stuff to be presented to me. Hopefully my future videos continue to help or at least entertain you!
This tutorial is major fail. You talk about how to to all this but NEVER show it. This isn't audio podcast. It's youtube video tutorial. You need to show not talk about doing it. FAIL!
Damn that’s crazy bro. I’m sorry you’re going through this.
After almost two years on to do list I had finally did it
Not ever. No way. Now he's Johnny Hammersticks.
Who's chair is that?
If i have a Dyn WAN IP, i still use an A Type Record ??? Ur should i use an CNAME With duckdns?`
Went through this process and was able to succesfully setup my HAProxy. Thanks!!!
Having never done a Cloudflare API token and there's lots of templates I don't know where to start? I'll guess it's the Edit zone DNS template but that's a guess! Let's see if that works.
How do you handle the certificates if you have k8s cluster in network using traefik as reverse proxy? Besides that, my setup is similar using pfsense and cloudflare. Thanks.
Thank you for this and the other related videos. Very helpful. Can LetsEncrypt be used instead of Acme? Thanks.
Hi, good video, i have all this configuration at my home, my problem is when i try to connect my backend api, This service it is in another machine, another ip, behind the firewall, it is not working. I saw in your video, when you test the page with login and password it is the same my. How you configurate that access to not expolse your backend api?
Nextcloud itself is not exposed to internet correct? Meaning without HAProxy you can only access nextcloud on your private network? Mine is only accessible from inside and I think if you want to make it accessible from outside you have to set it up differently on initial setup but from what I understand that’s not necessary with HAproxy? Great videos!!
Well you set up the host name initially but you need your DNS server to point to it (whether that’s on your LAN or exposed). That’s where Cloudflare and HAProxy comes in. Cloudflare acts as your DNS and points your site to your public IP then HAProxy routes that directly to where it needs to go on your LAN. You can probably do it without HAProxy but I like using it.
@@RaidOwl Thanks for the reply!!! I most definitely would want to do it with HAProxy, I think it’s more secure that way.. just wasn’t sure if I had to do anything extra to my nextcloud which currently is only accessible internally. I have cloudflare set up as well just have not been brave enough to expose nextcloud yet heheh. Have you had any security issues? Bad internet folks knocking on your firewall trying to log into your services? Do you use anything else on your pfsense like snort, surricata, pfblocker??? I’m trying to set up pfsense now to make a switch from ubiquity so that’s why I’m asking.
Do you host your own bitwarden and expose it with HAProxy as well?
Cloudflare and pfSense do a solid job of filtering out the crap. You can install some more aggressive stuff via pfSense but you may not need it.
I use Bitwarden but not self hosted (yet). That may be a future video haha.
Great video - I tried this myself but could not get it to work though. Keep getting a "This site can’t be reached" .... "Refused to connect" :S
Can't we use 1 certificate for all services i think its possible.
Yep, you can just setup a wildcard cert and configure your Frontend to use that for all traffic on that domain.
@@RaidOwl ya i like wildcard certificate. 1 certificate for all
not my chair not my problem
Thank you for the excellent guide on how to get this configured. The only issue I am having is how I am configured like most where my pfSense is inside my network after my ISP enabled router. This is my hardware. When I go to add the Frontend for HAProxy it is showing the Address as the static assignment from my ISP device...not my public IP. I think there is a NAT issue but unsure of the best route. ISP is consumer grade so there is not a static IP possible. Thoughts?
very good. But did you set anything on your ISP device, such as opening a port or a NAT to your pfsense server ? How the traffic arrives in your pfsense machine ? Because the DNS record points to your public IP, not to the reverseproxy/pfsense one. Thks
This post I'm writing now is just shy of a year after you posted this video, which ironically, was about the same time I started to struggle with getting haProxy running on pfSense. Thanks to this video, I got the few missing points to get the installation complete.
I was using dyndns to do my DNS hosting, but I think I'll be switching over to Cloudflare. The ONLY thing I'm missing right now is getting DNS to update correctly. pfSense just comes back saying it couldn't do the update, and I can't seem to find the log (yet). Not a huge deal right at the moment. I can edit the IP manually for now, as I don't change IPs frequently, but it'll still need to be done.
Keep up the amazing work! Your channel is quickly becoming my go to for how to when it comes to setting up my home lab
Has anyone else got this working? I have got most of it. It will not find my home server.
Feel free to join the discord if you’re having issues. Link in the description
Quick question: does cloudflare intercept you TLS traffic in this setup?
hope the comment in the intro was "not well performed sarcasm"... Otherwise informative and recreatable at home.
great explanation and setup, I wanted to do similar, do anybody have similar setup but on ubiquiti HW without pfSense on additional HW ? pfSense router in my country cost double the price
Great Video thank you I have been wondering about this topic. Excellent job sir!
ehh, done everything as said, i addes my vmware server with port to pfsense but still cant acces it, but i cant do it with my public ip
can you create a video on how to sign TrueNAS scale with pfsense acme?
That comment about perverts.... I was rolling!
everything works fine but i want Bitwarden to have a certificate local as well. is there a way with HAProxy that i can use these certificates as well?
Mr. Balloon hands, isn't that from Billy Madison?
Great video as usual.. thank you again! I'm going to set this up this week. I've been looking at so many videos on pfsense, ha proxy and acme that I'm a bit unsure.
Using this method do we need change the pfsense web configuration port from 443 to something else? And then setup NAT Firewall rules to pass ports 443 and 80 to ha proxy or, is there no need to do that with this method?
Tia
Allowing all 443 traffic on your WAN ACL is extremely unsafe! I would recommend changing that, and locking it down to specific sources and destinations.
I have it locked down to only Cloudflare IPs
With cloudflare you set up https to your pfsence, which has your let`s encrypt sert.
It is a little bit redundant , as you just have set up proper cert on pfsense.
so you have:
internet trough cloudflare cert and proxy to cloudflare, then cloudflare to pfsense with let`s encrypt cert.
You can disable CF proxy ( in DNS settings ) to realy see your cert on domain, otherwise you will see CF cert.
About modes:
'Flexible' encryption mode means that cloudflare doesnt check for https and can proxy to http service
full checks for any https cert (even self signed will work)
Full ( strict) means to check proper https cert( let`s encrypt one)
Awesome! Thanks for the detailed info!
Excellent! This is really what I wanted to setup. I have all my services running locally on k8s, it'll be great to expose some of them on the internet.
nice
Well, I wanted to get this set up to test, and maybe start hosting my website, but pfSense won't show any available packages with the error "Unable to retrieve package information.". Google is not much help as most of the posts are old. I'm on version 2.5.0-development, and no matter what I try it just says I'm on the latest version. I came here from your latest video about self hosting. A few years back I ran a site off of server 2003, but put that OS to bed for obvious reasons. I'll try again, after Amazon delivers my 6 WD Red Plus drives for my NAS project. Gee, wonder who put that idea in my head? Lol!
Oh man the dreaded “unable to retrieve package info bug”. I got this a few months ago. Your best bet is to backup pfSense and then do a hard factory reset then restore from your backup. I had to do it twice but that fixed it.
can I do the same steps to run a Minecraft server?
which is better or easier... Im using Tunnels and I dont have to open port 443... which is better?
For basic website hosting tunnels are better but for bigger stuff like file hosting or media then you’ll have issues with tunnels.
Thank you for the video. The popup is also green on failure renew cert, which is strange.
lol really? I never noticed that. "You have failed...successfully" lol
Thanks for your video. This helped me out.
9:39 how do you know which of the CAs you have to choose?
Exactly what I need. Thank you for the outstanding video.
... Any chance you've done a update that details how to renew certificates for this build.
... might have come right, just click on cert renewal, also now set the auto renewal time to 45 days.
lets see what happens.
That's some of the weirdest ip addressing ive seen @ 3.01 mark....
There is a method to the madness…
Sorry, noob here, I also followed but can't connect, do i need to set up some certs on the server side to be able to connect using https?
Feel free to join the Discord as it’ll be easier to help over there.
Thanks for the guide!
I was able to get most things working from scratch, but could not get my hosted service to respond. After a few hours of troubleshooting, I found that HAProxy was NOT enabled!
Went to HAProxy -> Settings -> Enable HAProxy
Everything worked after that.
How do you setup PFSense?
Thks. I have a question: the second part (haproxy setup) is in case we want to access from outside, right ? So if I don’t want , but I still want to access my service (cloudcommander or whatever) from my lan with a valid certificate, I can skip this second part ?
Right, if you don't care about remote access then you can skip that part. You'd have to change HAProxy to listen on your LAN instead of WAN most likely if you still want it to handle the communications.
@@RaidOwl thank you I gonna give a try tomorrow !
Straight up broke my opnsense interface while trying to set up haproxy. Hopefully someone gets a kick out of my misery.
lol gotta keep updated backups on deck!
@@RaidOwl Resorting to a previous backup didn't seem to work, but disabling firewall via shell and then fixing everything again seems to have worked
Awesome! I had pfsense virtualized and pondering what next. This is perfect time to follow your tutorial. By the way, do you run all your server VM, CT etc behind pfsense while the rest of the home on another network? Can you cover such scenario as 1. using pfsense only for your server and services on it while all other devices on home network but able to talk to homeassistant, 2. pfsense as main router and setting up simple vlans etc.
Hi! Glad this offered up some inspiration! For your question about what I personally run: I run pfSense as my main router so everything flows through that. I think I have two videos that might could address your two scenarios. For scenario 1, I’d recommend you check out my “turn your pc into a router” video (th-cam.com/video/9GPtEIi_zeQ/w-d-xo.html). For scenario 2, maybe my home network setup video will help (th-cam.com/video/_cDEdjDGP8w/w-d-xo.html).
I know these aren’t EXACTLY what you’re looking for but I’ll keep your questions in mind for future vids. Thanks for stopping by!
How did you assign port 8282 to your nextcloud server? I keep running into issues because my ISP blocks port 80. 443 is open though. Does anyone know how to get around this?
When you create the docker image you can choose which port you'd like to map to the Nexcloud container's ports.
@@RaidOwl I installed nextcloud on my ubuntu server using snap. Will I need to go back and use a different installation method?
@@natewoehrle5376 I would recommend using
Docker, as its more configurable. There is a learning curve but there are TONS of guides and videos to help you along the way.
If you don't wanna go that route then you can still modify the ports it uses after installing via Snap by modifying the nginx.conf file. help.nextcloud.com/t/change-port-443-and-80/13742
Hello,
Great tutorial! I have a strange issue though...
Once complete, I can access nextcloud via the domain just fine. Once I enter a new username and password and hit enter, I start getting 522 errors from the domain.
The really peculiar thing is I can still access it via the domain name from my PC.
Are there any pfsense settings I should maybe look at? The LAN rule is just all to all, so thought that would be enough for the server.
EDIT: Even stranger, from the same PC, incognito chrome can't access the webpage when standard does.
Try changing your SSL type to Full in Cloudflare.
@@RaidOwl Thanks for the reply. I had seen something similar so had made that adjustment already.
The thing that doesn't make sense is that I could access it before creating the first user. As soon as I created the first user, it stopped connecting.
Mr ballon hands is from Pink Floyd?
Not quite, good guess though
Followed exactly, can't connect with my domain, not sure why.
Perhaps you are behind a Carrier-grade NAT from your ISP?
@@RaidOwlno
At the part where you create haproxy backend and select CA acmecert, I do not see the option you select. The options I see are "none", the internet security research option and the long one you show after the research option. Could this be why I get a 500 error when accessing my page (Error 526 Inalid SSL Certificate and the diagram shows browser and cloudflare working but not host therefore SSL cert did not pass validation?)? Why isn't that option showing up for me? I have tried changing Cloudflare TLS to full and full(strict) and it makes no difference.
When I switch to full in cloudflare I get another error: Potential DNS Rebind attack detected, see en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname.
I go to SSL checker and receive this info:
The certificate is self-signed. Users will receive a warning when accessing this site unless the certificate is manually added as a trusted certificate to their web browser. You can fix this error by buying a trusted SSL certificate
None of the common names in the certificate match the name that was entered (unraid.gingaranga.dev). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.
I should be able to fix the first issue by setting cloudflare tls to "full" but I do not understand the second error
Good video but you have accidentally exposed your public ip... Please go thru and correct the situation.
Uhh oh. Where at? Thanks
@@RaidOwl Watch 2nd half carefully.
Fixed it. Thanks
Would you do a video on setting up next cloud? Without haproxy, your next cloud on truenas is only accessible from your internal network correct? Meaning there’s nothing extra that you need to set up on next cloud? Do you use bitwarden as well and expose it to the web? Great video!
Where did you get the desk mat?
Amazon
Great tutorial, thanks. I followed it and it works in my setup but only if I disable the DNS proxy in my Cloudflare's A record (gray cloud) or if I disable DNSBL in fBlockerNG. If I proxy the DNS in cloudflare dashboard then I get Error 522 when trying to access my device. Do you have any hints on how to solve this?
Change your SSL type to “full” in Cloudflare
@@RaidOwl Thanks. I tried it but wasn't enough. I had to add Cloudflare's IP addresses in the DNSBL white list to make it work
Hello, How did you manage to fix this? I am getting the same issue, with error 522. I do not have fBlockerNG installed.
@@erbmur Do you have anything that is blocking IP address of cloudflare? Like for instance pihole or similar software? If not, if you follow this tutorial it should work, at least it worked for me.
@@misckicirina yes, I have piHole. But I checked the logs and it didn't look like anything was being blocked. What IP address did you whitelist on pfBlockerNG?
Edit: maybe I should try enabling HAProxy first. Works a charm!
Does having an open port like this leave you vulnerable, can you access via your public IP to the server?
I've tried without HAproxy and it doesn't work :( but with CloudFlare's proxy turned off it works, therefore, I assume HAproxy is need to sortout the certs - I'm not 100% sure how HAproxy works
Opening ports will always be "vulnerable" in that it opens up that service the public. However, many security protocols are in place by either your router/firewall and CloudFlare itself to try to alleviate any attacks. You need HAProxy because that is whats going to be what routes the request to a specific ip/port combination within your network. It basically acts like an old-school switchboard operator between your LAN and the outside internet.
@@RaidOwl ok thanks, Can you connect directly to the open port 443 via your public IP or does HAproxy block that way in.
(I guess you could could put Cloudflare's IP's in an alias and put that in the rule for source, in turn blocking any direct connection. I'm sure if an IP comes in via a Cloudflare IP or the originating IP)
Nah you can certainly use 443 and only allow Cloudflare’s IP if you’d like to go that route.
Edit: I just tried your suggestion and am now only allowing traffic through port 443 if it comes from Cloudflare's list of IPs - www.cloudflare.com/ips/
Everything is working as expected. I can access my services publicly through my domain but not if I access my public IP directly.
@@RaidOwl Thank you for testing that out and reporting back the results. It's probably safer that way and to stop your public IP running servers from being exposed.
@@RaidOwl Thank you for finding this out, I feel better now to do this, I added all the networks to an alias and put it in the rule.
Are there any steps I need to do for a dynamic public IP. Mine seems to change every other week, so how do I incorporate something like DynDNS or NO-IP with pfSense and the rest?
15:45 I mention what to do for DDNS. I hope this helps.
@@RaidOwl cant believe i missed that part. thanks
@@RaidOwl And if I wanted just my internal servers to get certificates without being exposed, I assume i change the frontend in HAproxy to my LAN rather than WAN? And also need a wildcard?
Yessir
@@RaidOwl great. one last question, if i run pi-hole and all my vlans point to my pi hole for dns resolution. Will that cause any problems with this setup? My upstream dns servers are cloudflare anyways. would i need to change the upstream dns servers within pihole as shown in the vid using the cloudflare nameservers?
What box do you use for pfsense?
Netgate SG1100
@@RaidOwl sweet thanks
Excellent video(s). I moved my domains to Cloudflare, got all the necessary codes, keys, etc to obtain a verified Acme account.
I have a question regarding Acme and Haproxy as it relates to the appliance I'm using to run pfSense. I have an old self-signed certificate that I created years ago to eliminate the annoying "proceed at your risk" warning I'd get when I entered the static IP address where the pfSense appliance resides. I loaded it in the trusted stores of Chrome and it works as advertised.
I watched the Lawrence System video on how to create a certificate using Acme and Haproxy for private servers, etc. I've tried to implement those steps to replace the old self-signed certificate but I just can't get it to work.
Would you consider creating a video that addresses this topic?
Thank you.
you drinking out of cups?
Mr Walkway...mr walk down me I'm the walkway lead me to the building...
@@RaidOwl "Who paid for that floor, Not Me, No Way. Never paying for a floor again."
@@jonathan.sullivan Little kid in the background going craaaazayyyyyyy
Eh, so far 2 out of 10 of your half explained tuts have worked for me. When I see your head on a thumbnail, I will stear clear.
Woah 2 whole points?!? Let’s go! 😄
@@RaidOwl love the humor though
Heya when I access my website it come up with a pfsense window that state "Potential DNS Rebind attack detected, see en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname." slightly worried that I have exposed the wrong thing if anyone can help that would be amazing!