00:00:06
Systems, and today we're going to cover HAProxy and Let's Encrypt on pfSense. But before we begin, a couple of prerequisites here. You should own a domain; for example, Cloudflare is less than ten dollars a year for a domain. We're going to be using a Cloudflare domain as an example, but it will work with a lot more than just Cloudflare, because we're going to be doing this using the API, so Cloudflare, DigitalOcean, there's many other choices. We'll cover that later when we talk about how to set up the certificates with ACME and how to automate them, because we're going to be using wildcard certs, so owning a domain name is going to be a prerequisite for this. Next, pfSense Plus or Community Edition: this will work on either one of those. We're going to be using the latest versions available here in August of 2023, and everything's going to be time indexed down below so you can jump to the part that's most relevant, but we will be starting with some diagrams. The reason why is because when I did this video before, there are a lot of concepts that I realized people didn't understand for how reverse proxies work and how important DNS is, and almost all the consulting we do regarding fixing this for people is pretty much DNS, DNS, and occasionally someone getting a couple of things wrong about where they pointed their DNS. That is probably the number one issue; there's a few others, and we will cover basic troubleshooting and how to set this up. But this is going to be a complete guide from start to finish, from loading the packages, which I've already done so that part's easy, to getting this all configured and making sure you can access your servers. I'm going to cover doing this privately, as in keeping the domain inside so you don't have to publicly expose your services, but I'll also talk about the method by which you can expose it. They're pretty much the same; it's just a matter of what interface you attach it to.

00:01:45
Now before we begin, we do need to hear from a sponsor, and today's sponsor is, well, my company. So let's get into the ad read, then we'll get you to the content. Are you an individual or forward-thinking company looking for expert assistance with network engineering, storage, or virtualization projects? Perhaps you're an internal IT team seeking help to proactively manage, monitor, or secure your systems. We offer comprehensive consulting services tailored to meet your specific project needs. Whether you require fully managed or co-managed IT services, our experienced team is ready to step in and help. We specialize in supporting businesses that need IT administration, or IT teams seeking an extra layer of support to enhance their operations. To learn more about any of our services, head over to our website and fill out the hire us form at lawrencesystems.com. Let us start crafting the perfect IT solution for you. If you want to show some extra love for our channel, check out our swag store and affiliate links down below that will lead you to discounts and deals for products and services we discuss on this channel. With the ad read out of the way, let's get you back to the content that you really came here for.

00:02:51
Now most of this video is going to focus on setting this up to use your private IP internally, but I will cover just that one extra step, or technically two, that you need to do to get this working publicly. One is you have to have publicly available DNS; in the rest of the demo we're going to be using local DNS instead, on our pfSense. But it goes out of scope of this to cover how to point a domain at your public IP address, because that is very dependent on whoever provides you DNS. But in our demo site here we have ltsdemo.work; this is the domain that I bought that I'm using for this, and we're going to use truenas and uptimekuma.ltsdemo.work as our fully qualified domains. If we wanted to make this public, the thing that we would do differently is we would bind our HAProxy to my public IP. Now you can have more than one IP on a pfSense, so you can have multiple public IP addresses, and you would just attach HAProxy to whichever one was public. And then the other thing you'd have to do is open up the firewall rules. By default pfSense blocks incoming requests, but you can override that: put a firewall rule in to allow things to locally talk to the HAProxy or the firewall itself, because they're both on the same device, and then you would publicly expose things. I didn't want to do that for this particular demo, because if I publicly expose things and publicly expose my IP address, one, that comes with lots of risks, and well, someone might even just DDoS it just to be annoying, and that's another risk that may come with it.

00:04:15
But both of these can point at the same IP if you only have one IP, and HAProxy, and this is the part we will be covering, is how it handles ACLs, or the access control lists, and has a set of rules that say look at the different domains that are coming in and serve up the server from behind there. But each of these would just point to whatever your public IP address is, and that would allow a client outside the network to go across the internet and get served up a proper certificate by HAProxy for these devices that are behind your pfSense. We are going to focus on doing this privately so you can have your own, and we're going to be using wildcard DNS for this, and that does apply even with it being public, but this allows you to create all of your own DNS. We're going to use in this case pfSense for DNS, because pfSense acts as our DNS server and it acts as our proxy server, so we don't need to go outside to the internet for this to work in terms of the client, other than it does have to have internet access when you get your certificate. So the certificate renewals do require internet, but not the actual functionality, and you're not exposing your servers, like your TrueNAS or your Uptime Kuma server (we're going to use those demos in here), to the public internet, because we're going to take the DNS for these, truenas.ltsdemo.work and uptimekuma.ltsdemo.work, and they're both going to have a DNS entry of 10.13.13.1, which is the interface that we're going to bind them to on our pfSense. So the DNS will be a private IP address, and this is on the same network, so as long as pfSense is serving DNS to this particular client, the certificates will line up, match, and the domains will match, and we'll get served a proper certificate. This is the DNS part that a lot of people doing private have a harder time with, because public, it makes sense that you need your public DNS not to point to your internal IPs of your servers; it would point to the proxy. But when it's internal the same thing applies: it has to point to the proxy. So even though uptimekuma.ltsdemo.work is going to be pointed at 10.13.13.1, it's going to, via the rules in HAProxy, come over here to Uptime Kuma on the back end. This is the big mistake a lot of people make, where they think the internal IP name, or sometimes because they also have their own DNS entry of how they get to one of their servers internally, they try to match it and then have a DNS problem where it doesn't match, because it's trying to go directly to the server, and we need the client to go to the HAProxy on pfSense to serve up the certificate and let HAProxy broker that connection back to the back end. Now let's get into the functional part of setting this up, now that we've covered the concepts.

00:06:46
The first step is making sure you have the packages installed. So we have the ACME package and HAProxy package installed here; if they're not installed, just head over to Available Packages and go ahead and install those. Then we go to System and we want to go to Advanced. By default pfSense is on TCP port 443; this is for the web interface of pfSense. We'd like to move it somewhere else; I chose 10443. Then down here we have WebGUI redirect; make sure that's checked. This is a port 80 configuration rule; you don't absolutely have to do this, but if you don't and something hits port 80, it'll actually redirect to whatever port you have chosen here. I'm not covering putting in a redirect rule for port 80, because most browsers choose HTTPS by default.

00:07:26
Now next we're going to set up the ACME certificates. In the ACME certificates area here, on the General Settings, make sure you have the cron entry checked; this will enable the automatic renewal of these certificates. I already have certificates in here, but the first step would actually be creating an account key. Creating account keys is really easy; we can just put in test test. Make sure you are choosing, if you're ready for production, the production system; it will actually do a staging one, but please note if you want it to work properly you do need production. And then you hit Create new account key, and it will grab the account key. Once that's populated you can then register the ACME account key, and then you'll click Save, and now you'll have a new one. But note this one is in testing, so we're going to delete it; these ones are in production and they have proper account keys.

00:08:16
Once you have a proper account key, you can go over here to Certificates. I have my ltsdemo.work; I can't show you this one because this one will show you too much, it'll actually show you a part of my Cloudflare authorization. This one works the same way, but I did it with DigitalOcean, and you see we're getting a wildcard for studio.lawrencesystems.com, and we have my DigitalOcean API key, which is blurred out. If we look at creating any new certificate, let's go ahead and just walk through that process. When we add one we would go here to Add, and we would give it a name, and the name does not have to match the domain name, but we will call it Wildcard cert for domain. You can put the same description here, which can be a little bit more typed out if you need to, and then we can choose all the different options. Now you do not need to open any ports for all these DNS options that are in here; these are all the different companies that have automated DNS or API support via pfSense. There's quite a few of them in here, so you can probably find Duck DNS or whichever DNS you might be using to get this to work. Of note, I am using DigitalOcean and Cloudflare; I've tested both of these in this system to make sure they work, and if you use Cloudflare it does ask a lot of these questions, and it does not blur all of them when you go back to edit, but you must fill out all of these questions. If you're doing it for example with DigitalOcean, it only asks for the DigitalOcean API key. The important part, though, is that you have the domain in here properly, and I will blur out the bottom, but please note the domain, because we want a wildcard, is *.ltsdemo.work. That gives us a wildcard domain, so it will pull the wildcard cert, so we can make up anything we want dot ltsdemo.work. I will also point out you can do it this way: *.studio.lawrencesystems.com. I'm using lawrencesystems.com in more than one place, and I want to distinguish things on this particular server as located at my studio, so this will allow us to create any name.studio.lawrencesystems.com within this server. The final thing I will mention is making sure you have this right here: it's /usr/local/etc/rc.d/haproxy.sh restart. The reason you need that is because when the certificate renews you want HAProxy to restart so it can use that new certificate. So I do recommend you add that; if not, even though the certificate may be renewed, if HAProxy does not restart it will not start using that new certificate when the certificate expires.

00:10:38
Now we're going to go over to Services and then HAProxy, and let's look at the Settings. Make sure HAProxy is enabled. Then we'll go down here and change the reload behavior. This is my personal preference, especially for troubleshooting; you may not want this on, but it forces the immediate stop of old processes on reload and closes existing connections. I do this that way if I'm especially adding new servers and troubleshooting; I want, every time I restart HAProxy, to not hold on to any sessions, even if I'm just adding something to the front end or back end: kill all those sessions and start them over. That way I don't have any old sessions confusing me. But please note, checking this option will interrupt existing connections on a restart, which happens when a configuration change is applied. Scrolling down a little further, I don't have this filled out, but in production systems I usually do: Remote syslog host. You can put a specific syslog and send all that data from HAProxy to its own syslog server; this may help you in collecting all of your logs. Not needed for the demo server we have here. Then we're going to go all the way to the bottom and we can just hit Save, which brings us to the Apply Changes, and of note, any time you apply changes it kills all those connections.

00:11:45
Now we're going to build a back end, and we want to add a new back end. We're going to call it truenas. I'm going to click on this little server table and expand it out, and we want to call that truenas as well, so t-r-u-e-n-a-s, and then we're going to put an address in here of 172 16165, the address of our TrueNAS server; 443 is the port. Then we need to scroll over a little bit: yes, this is encrypted. Do not check the SSL check; it's important you do not do an SSL check, because there is not a valid certificate, it is a self-signed certificate on my TrueNAS server, so we don't want the HAProxy to try to validate that certificate. Now let's go ahead and scroll down further. I'm not going to bother with any type of health checks, but you can do a health check on these if needed; it just will confirm whether or not the backend server is up. And then we can go down here to the bottom, leaving all other things at default, and click Save, and I'll go ahead and apply the changes. But as you notice, it's kind of grayed out compared to these, because there is no front end yet for this particular entry.

00:12:47
So let's go ahead and create a front end for that. We're going to click Add, and because this front end is going to be for more than one server, let's just call it YouTube demo, and we'll call this YouTube demo for *.ltsdemo.work, because it's a wildcard certificate that we have for this. And this is where we bind the proper IP address. Now the IP address for this one is specifically the lab VLAN 1313 address (10.13.13.1), then we're going to choose the port of 443. We're going to check the box for SSL offloading and we'll leave all this the same. Then we're going to scroll down; now here's where we create those ACL lists. These are very important: name them in a consistent way. So we'll call this one truenas, and we'll say Host matches; we want to match a hostname, and the value we're going to use is truenas.ltsdemo.work. Now remember we can create any domain we want here; we'll get to the DNS settings next. Now this says truenas right here; that means when we do the action, because this is the access control list to match on, so Host matches truenas.ltsdemo.work, and then we're going to go what is the action, and we want to Use Backend, the back end that we named truenas, and then the condition ACL name: this has to match exactly. That's why I'm copying and pasting it from here to here. We'll get to how to create more of them next. Then we're going to go ahead and scroll down further until we get down to the certificate, and we want the certificate to be the ltsdemo.work that we have set up here; this is that wildcard for that. The other one is using this one here, and you could create more than one back end using another one here if we wanted to use the lawrencesystems one, but as I said, we're going to be doing the ltsdemo.work, so ltsdemo.work, and that is this particular wildcard certificate. Then we'll scroll down here to the bottom and we'll click Save, and then we'll hit Apply.

00:14:38
Here comes the DNS part, where we have to make sure DNS is working, so we know what we have for this domain. So we're going to go here to Services and we're going to go to the DNS Resolver, and we're going to scroll down. I have lots of entries in here, but let's look at the one that's specifically related to this: that's this truenas.ltsdemo.work. That entry says truenas is the host, the domain is ltsdemo.work, it points to 10.13.13.1, and if everything's working properly, let's go ahead and do a quick domain lookup to make sure that the system answers with the domain that we want it to. We're just going to use dig to do truenas.ltsdemo.work, and we see that it's answering 10.13.13.1. And as you can see here, we can go to truenas.ltsdemo.work and we can sign in, so we can look at this: connection is secure, certificate is valid, and we see that we're giving it the certificate, the ltsdemo.work. So let's go ahead and set up one more domain at this same address, and since we're here in the DNS world, let's go ahead and add another DNS entry with this host override. So I'll go back over to General Settings; we're just going to click Add, we'll call this one kuma, put the domain, which is the ltsdemo.work, and it's the same IP address, so 10.13.13.1, which is our pfSense. This is for Uptime Kuma. Scroll down, Save, Apply. Always double check your DNS; make sure kuma.ltsdemo.work resolves. It does; it comes up with the same IP address.

00:16:12
So let's go back in and add an ACL. So we're going to go over here to our HAProxy; we're going to edit our existing one we have here, and we want to add another rule. So we're going to click this Access Control list here; we'll call it kuma, Host starts with, Host matches is what my goal is here, and it's going to be kuma.ltsdemo.work. Scroll down here; we want to Use Backend, and we already have an uptime kuma back end, so we'll use that one there, and we have to make sure once again these match. So we called it kuma here, so we will call it kuma here, so the Use Backend is this one here. So now if we go down to the bottom, all the other things are the same; we're just going to hit Save. Let's go back and edit this real quick just to cover that. You can see now that it's saved: if the host matches truenas.ltsdemo.work, we're going to be using this ACL, which points to this one here; if it matches the kuma.ltsdemo.work, which is that right there, it says use the back end kuma, and use the back end uptime kuma on the back right here. That's all we have to do, and we'll go back over here, we'll apply the changes, and let's see if that works. And now we're at my Uptime Kuma login.

00:17:30
One more thing I want to note: if we go over here and we look at the back end, and we want to look at the uptime kuma back end, I want to point out that this uptime kuma back end, we'll click Edit here, is not encrypted. If you're familiar with Uptime Kuma, by default it does not have a certificate; I didn't install one on purpose, and the reason why is because I wanted it to be handled by the HAProxy. So the connection from pfSense to this IP address is not going to be encrypted, so we do not have this checked. The certificate, though, is valid here, because it's the connection between pfSense and this browser that is encrypted, providing me with that same connection-is-secure with the valid certificate from the Let's Encrypt certificate. Something else worth noting is that you notice that this is pointed at two different places. This is a way you can create a different front end but still have one backend server that handles all of your internal, and this could just as easily be, if we added another one, bound to my WAN IP address, and we can repeat the process for actually any one of these, or if I had multiple WAN IP addresses, and then I could publicly expose a specific server and use that same back end, and it would have two different entries that way.

00:18:41
Now one of the things I want to comment on is a couple of use cases for binding the front end to different interfaces. One of the big use cases for that is because all of your normal firewall rules apply. Let's say you have a guest network and you'd like to have your guests accessing things over HAProxy, such as Uptime Kuma, but you do not want them to access your NAS. This would be a good use case: you could tie NAS to your secure network that you just have you and people you trust on, and then you could have your guest network, but you know they want to see what servers are up, and you could then bind it to that address. Another use case is binding it to the WAN address. Now as I said, if you bind it to WAN you need to open up port 443 to have it remotely accessed, but internally the guest network will have access to it, because you don't need to create a rule internally for LAN, because by default in pfSense that is the default behavior for services bound to a specific interface for the network segment, and the devices on that segment will have access to that. So just keep that in mind when you're setting it up. Now I made this video to cover the most common use cases for HAProxy, but obviously there are many more use cases. Check out Netgate's documentation, because they have a lot more covered, and check out their forums, the Netgate forums; there's a lot of discussion about HAProxy, because there's always different edge cases and different use cases on different specialized environments, and maybe you have all those environments and there's something beyond what was covered in this video that you need to get configured. Their forums are a great place to check that out. If you want to see more content from this channel, like and subscribe; also leave your comments down below, I love hearing from all of you. If you want to connect with me, I'll be over in the forums at forums.lawrencesystems.com, or just head over to lawrencesystems.com and figure out what socials I'm on when you're watching this video, and you can say hi to me there. Alright, and thanks.