How To Guide For HAProxy and Let's Encrypt on pfSense: Detailed Steps for Setting Up Reverse Proxy

00:20:44
https://www.youtube.com/watch?v=bU85dgHSb2E

Summary

TL;DR: The video provides a step-by-step guide to setting up and configuring HAProxy with Let's Encrypt on a pfSense firewall, emphasizing reverse proxy server setups with SSL/TLS encryption. The prerequisites include owning a domain through a service like Cloudflare or Digital Ocean, and having pfSense Plus or Community Edition installed. The tutorial covers package installation on pfSense, moving the web UI to a different port to free up port 443 for HAProxy, and setting up SSL certificates using the Acme package to manage Let's Encrypt certificates, including wildcard domains for subdomain management. Key points include the importance of correct DNS setup to ensure reverse proxy functionality, binding interfaces for private vs public access, and DNS configuration strategies. The video also highlights potential issues, such as common DNS misconfigurations that can lead to access problems or HTTP-HTTPS conflicts. Lastly, the video suggests resources for further learning and community support for specific unmet needs, providing viewers avenues for troubleshooting and expanding their setup to suit their network environment.

Takeaways

  • Importance of owning a domain for setting up HAProxy.
  • Configuring DNS correctly to ensure smooth operation.
  • Use of wildcard certificates for subdomain management.
  • Automating SSL certificate renewal through Acme package.
  • Ensuring network security by not publicly exposing internal servers.
  • Understanding how to prevent and troubleshoot common DNS issues.
  • Utilizing both private and public DNS configurations efficiently.
  • Consulting resources like Netgate documentation for complex setups.
  • Steps to properly install and configure necessary packages on pfSense.
  • Setting up secure network interfaces within HAProxy on pfSense.

Timeline

  • 00:00:00 - 00:05:00

    The video introduces the topic of setting up HAProxy and Let's Encrypt on pfSense, emphasizing prerequisites like owning a domain, possibly through Cloudflare, and using the API for automation. It stresses the importance of DNS in reverse proxies and DNS configurations to prevent common issues. The speaker promises a comprehensive guide on setup, including package configuration and access strategies, both private and possibly public. The introduction concludes with a message from the sponsor, offering consulting services for IT solutions.

  • 00:05:00 - 00:10:00

    The speaker focuses on setting up private IPs using pfSense as both a DNS server and proxy. They discuss choosing a secure setup without exposing the TrueNAS and Uptime Kuma servers to the internet by utilizing private IP addresses and ensuring DNS entries match correctly internally to the proxy. Details include setting up wildcard DNS and ensuring local DNS entries align for proper certificate matching, addressing common internal setup mistakes. Instructions on configuring the Acme package for certificate renewal and moving pfSense's web interface off the default port are also provided.

  • 00:10:00 - 00:15:00

    Next, the video covers configuring HAProxy to handle backend services and frontend requests. This includes creating and verifying DNS records, such as those for TrueNAS and Uptime Kuma, and ensuring they resolve correctly through pfSense's DNS resolver. The speaker explains how to configure HAProxy to manage requests based on domain names, setting up backend services without checking SSL certificates if they are self-signed, and using ACLs to route requests to the correct internal services based on the incoming domain. Emphasis is placed on configurations that route requests efficiently and avoid exposing the servers directly.

  • 00:15:00 - 00:20:44

    Finally, practical applications of the setup are discussed, such as applying firewall rules to manage guest access using HAProxy and binding network interfaces to control accessibility based on internal or external networks. The video suggests checking Netgate's documentation and forums for complex use cases beyond the video. Closing notes encourage viewers to interact through forums or other social platforms, highlighting the flexibility and utility of HAProxy with pfSense in managing network traffic securely and effectively.
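
An added example, not taken from the video or from pfSense: a small Python lint over a constructed haproxy.cfg equivalent of the setup summarized above. It checks the points the video stresses: the frontend bound to an internal address, ACL names matching exactly between definition and use, and backends that are plaintext or skip certificate verification. Section names, the certificate path and the backend addresses are placeholders; pfSense generates its own file with different names.

```python
import ipaddress

# Constructed haproxy.cfg fragment: a hand-written equivalent of the GUI steps,
# not the file pfSense generates. Section names, the certificate path and the
# backend addresses are placeholders. "Kuma" vs "kuma" is a deliberate mismatch.
SAMPLE_CFG = """\
frontend youtube_demo
    bind 10.13.13.1:443 ssl crt /path/to/wildcard.pem  # internal interface
    mode http
    acl truenas hdr(host) -i truenas.ltsdemo.work
    acl kuma    hdr(host) -i kuma.ltsdemo.work
    use_backend truenas if truenas
    use_backend uptimekuma if Kuma

backend truenas
    mode http
    server truenas 192.0.2.10:443 ssl verify none      # self-signed backend

backend uptimekuma
    mode http
    server kuma 192.0.2.20:3001                        # plain HTTP backend
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")


def parse_sections(cfg):
    """Return {(kind, name): [tokenised directive lines]} in file order."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            current = (words[0], words[1] if len(words) > 1 else "")
            sections[current] = []
        elif current is not None:
            sections[current].append(words)
    return sections


def bind_is_internal(addr):
    """True only when the bind address is a literal RFC 1918 IPv4 address."""
    host = addr.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # "*", empty host, names: not provably internal
        return False
    return any(ip in net for net in RFC1918)


def lint(cfg):
    """Return (section, finding, detail) tuples for the points the video stresses."""
    sections = parse_sections(cfg)
    backends = {name for kind, name in sections if kind == "backend"}
    findings = []
    for (kind, name), lines in sections.items():
        if kind == "frontend":
            # ACL names are case-sensitive; only named ACLs are handled here.
            acls = {w[1] for w in lines if w[0] == "acl" and len(w) > 1}
            for w in lines:
                if w[0] == "bind" and len(w) > 1 and not bind_is_internal(w[1]):
                    findings.append((name, "non-internal-bind", w[1]))
                if w[0] == "use_backend" and len(w) > 1:
                    if w[1] not in backends:
                        findings.append((name, "unknown-backend", w[1]))
                    for tok in w[3:]:           # tokens after "if" / "unless"
                        acl = tok.lstrip("!")
                        if acl not in ("or", "||") and acl not in acls:
                            findings.append((name, "undefined-acl", acl))
        elif kind == "backend":
            for w in lines:
                if w[0] != "server" or len(w) < 3:
                    continue
                opts = w[3:]
                if "ssl" not in opts:
                    findings.append((name, "plaintext-backend", w[1]))
                elif "verify" in opts and opts[opts.index("verify") + 1:][:1] == ["none"]:
                    findings.append((name, "backend-cert-not-verified", w[1]))
    return findings


if __name__ == "__main__":
    for section, finding, detail in lint(SAMPLE_CFG):
        print(f"{section}: {finding} ({detail})")
```

The two backend findings describe what the video configures on purpose; they are listed so the unauthenticated or unencrypted hop between pfSense and the backend is a recorded decision rather than an accident.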


Video Q&A

  • What are the prerequisites for setting up HAProxy on pfSense?

    You need to own a domain, preferably using services like Cloudflare or Digital Ocean, and have pfSense Plus or Community Edition installed.

  • Why is DNS crucial in setting up HAProxy with Let's Encrypt?

    Correct DNS configuration prevents common issues such as incorrect server access or certificate mismatch, ensuring smooth operation of reverse proxies with SSL.

  • How do you avoid exposure of your internal servers to the public internet in this setup?

    By configuring DNS to point to private IPs and binding HAProxy to specific interfaces without making them public.

  • What packages are necessary for this setup on pfSense?

    You need to install the Acme package for SSL certificates and the HAProxy package for load balancing.

  • How can you automate SSL certificate renewal in this setup?

    Enable cron jobs in the Acme package settings to automatically renew certificates without manual intervention.

  • Can the services mentioned work on both IPv4 and IPv6 networks?

    Yes, HAProxy and pfSense can be configured to handle both IPv4 and IPv6.

  • What is the purpose of using a wildcard certificate in this setup?

    Wildcard certificates allow you to secure multiple subdomains under a single domain without needing separate certificates for each.

Subtitles
  • 00:00:00
    foreign
  • 00:00:02
    [Music]
  • 00:00:06
    systems and today we're going to cover
  • 00:00:09
    HAProxy and Let's Encrypt on pfSense
  • 00:00:11
    but before we begin couple prerequisites
  • 00:00:13
    here you should own a domain for example
  • 00:00:16
    cloudflare is less than ten dollars a
  • 00:00:18
    year for a domain we're going to be
  • 00:00:19
    using a cloudflare domain as an example
  • 00:00:21
    but it will work with a lot more than
  • 00:00:23
    just cloudflare because we're going to
  • 00:00:24
    be doing this using the API so
  • 00:00:26
    cloudflare digital ocean there's many
  • 00:00:28
    other choices we'll cover that later
  • 00:00:30
    when we talk about how the sub
  • 00:00:31
    certificates with Acme and how to
  • 00:00:33
    automate them because we're going to be
  • 00:00:35
    using wildcard certs so owning a domain
  • 00:00:37
    name is going to be a prerequisite for
  • 00:00:39
    this next pfSense Plus or Community
  • 00:00:42
    Edition this will work on either one of
  • 00:00:44
    those we're going to be using the latest
  • 00:00:45
    versions available here in August of
  • 00:00:47
    2023 and everything's going to be time
  • 00:00:49
    index down below so you can jump to the
  • 00:00:51
    part that's most relevant but we will be
  • 00:00:53
    starting with some diagrams the reason
  • 00:00:55
    why is because when I did this video
  • 00:00:57
    before there are a lot of Concepts that
  • 00:00:59
    I realized people didn't understand for
  • 00:01:00
    how reverse proxies work and how
  • 00:01:03
    important DNS is and almost all the
  • 00:01:05
    Consulting we do
  • 00:01:06
    regarding fixing this for people is
  • 00:01:09
    pretty much DNS DNS and occasionally
  • 00:01:11
    someone getting a couple of things wrong
  • 00:01:13
    about where they pointed their DNS that
  • 00:01:15
    is probably the number one issue there's
  • 00:01:17
    a few others and we will cover basic
  • 00:01:19
    troubleshooting and how to set this up
  • 00:01:20
    but this is going to be a complete guide
  • 00:01:21
    from start to finish from loading the
  • 00:01:24
    packages which I've already done so that
  • 00:01:26
    part's easy to getting this all
  • 00:01:28
    configured and making sure you can
  • 00:01:30
    access your servers I'm going to cover
  • 00:01:32
    doing this privately as in keeping the
  • 00:01:34
    domain inside so you don't have to
  • 00:01:36
    public expose your services but I'll
  • 00:01:38
    also talk about the method by which you
  • 00:01:40
    can expose it they're pretty much the
  • 00:01:41
    same it's just a matter of what
  • 00:01:43
    interface you attach it to now before we
  • 00:01:45
    begin we do need to hear from a sponsor
  • 00:01:47
    and today's sponsor is well my company
  • 00:01:49
    so let's get into the ad read then we'll
  • 00:01:51
    get you to the content are you an
  • 00:01:52
    individual or Forward Thinking company
  • 00:01:54
    looking for expert assistance with
  • 00:01:56
    network engineering storage or
  • 00:01:58
    virtualization projects perhaps you're
  • 00:02:00
    an internal I.T team seeking help to
  • 00:02:02
    proactively manage monitor or secure
  • 00:02:04
    your systems we offer comprehensive
  • 00:02:07
    Consulting Services tailored to meet
  • 00:02:09
    your specific project needs whether you
  • 00:02:12
    require fully managed or co-managed I.T
  • 00:02:14
    services our experience team is ready to
  • 00:02:17
    step in and help we specialize in
  • 00:02:19
    supporting businesses that need it
  • 00:02:21
    Administration or it teams seeking an
  • 00:02:24
    extra layer of support to enhance their
  • 00:02:26
    operations to learn more about any of
  • 00:02:28
    our services head over to our website
  • 00:02:30
    and fill out the higher us form at
  • 00:02:32
    lawrencesystems.com let us start
  • 00:02:34
    crafting the perfect it solution for you
  • 00:02:37
    if you want to show some extra love for
  • 00:02:39
    our Channel check out our swag store and
  • 00:02:41
    affiliate links down below that will
  • 00:02:42
    lead you to discounts and deals for
  • 00:02:44
    products and services we discuss on this
  • 00:02:46
    channel with the ad read out of the way
  • 00:02:48
    let's get you back to the content that
  • 00:02:49
    you really came here for
  • 00:02:51
    now most of this video is going to focus
  • 00:02:52
    on setting this up to use your private
  • 00:02:54
    IP internally but I will cover just that
  • 00:02:56
    one extra step or technically two that
  • 00:02:59
    you need to do to get this working
  • 00:03:00
    publicly one is you have to have
  • 00:03:02
    publicly available DNS and the rest of
  • 00:03:05
    the demo we're going to be using local
  • 00:03:06
    DNS inside our pfSense but it goes out of
  • 00:03:08
    scope of this to cover how to point a
  • 00:03:11
    domain at your public IP address because
  • 00:03:13
    that is very dependent on whoever
  • 00:03:15
    provides you DNS but in our demo site
  • 00:03:18
    here we have ltsdemo.org this is the
  • 00:03:20
    domain that I bought that I'm using for
  • 00:03:22
    this and we're going to use truenas and
  • 00:03:26
    uptimekuma.ltsdemo.org is our fully
  • 00:03:27
    qualified domains and if we wanted to
  • 00:03:29
    make this public the thing that we would
  • 00:03:32
    do differently is we would bind our ha
  • 00:03:34
    proxy to by public IP now you can have
  • 00:03:37
    more than one IP on a pfSense so you can
  • 00:03:39
    have multiple public IP addresses and
  • 00:03:41
    you would just attach HAProxy to
  • 00:03:43
    whichever one was public and then the
  • 00:03:46
    other thing you'd have to do is open up
  • 00:03:47
    the firewall Rules by default pfSense
  • 00:03:50
    blocks incoming and requests but you can
  • 00:03:52
    override that put a firewall rule in to
  • 00:03:54
    allow things to locally talk to the ha
  • 00:03:57
    proxy or the firewall itself because
  • 00:03:59
    they're both on the same device and then
  • 00:04:01
    you would publicly expose things and I
  • 00:04:03
    didn't want to do that for this
  • 00:04:04
    particular demo because if I publicly
  • 00:04:06
    expose things and publicly expose my IP
  • 00:04:08
    address one that comes with lots of
  • 00:04:09
    risks and well someone might even just
  • 00:04:11
    DDOS it just to be annoying and that's
  • 00:04:13
    another risk that may come with it but
  • 00:04:15
    both of these can point at the same IP
  • 00:04:18
    if you only have one IP and ha proxy and
  • 00:04:21
    this is the part we will be covering is
  • 00:04:22
    how it handles ACLS or the access
  • 00:04:24
    control list and has a set of rules that
  • 00:04:26
    say look at the different domains that
  • 00:04:28
    are coming in and serve up the server
  • 00:04:30
    from behind there but each of these
  • 00:04:32
    would just point to whatever your public
  • 00:04:33
    IP address is and that would allow a
  • 00:04:36
    client outside the network to go across
  • 00:04:37
    the internet and get served up a proper
  • 00:04:39
    certificate by ha proxy for these
  • 00:04:42
    devices that are behind your PF sense we
  • 00:04:44
    are going to focus on doing this
  • 00:04:45
    privately so you can have your own and
  • 00:04:47
    we're going to be using wildcard DNS for
  • 00:04:49
    this and that does apply even with with
  • 00:04:51
    it being public but this allows you to
  • 00:04:53
    create all of your own DNS we're going
  • 00:04:55
    to use in this case PF sends for DNS
  • 00:04:57
    because pfSense acts as our DNS server
  • 00:04:59
    and it acts as our proxy server so we
  • 00:05:02
    don't need to go outside the internet
  • 00:05:03
    for this to work in terms of for the
  • 00:05:05
    client other than it does have to have
  • 00:05:06
    internet access when you get your
  • 00:05:09
    certificate so the certificate renewals
  • 00:05:11
    do require internet but the actual
  • 00:05:13
    functionality and you're not exposing
  • 00:05:14
    your servers like your true Nas or your
  • 00:05:16
    uptime Kuma server we're going to use
  • 00:05:17
    those Demos in here to the public
  • 00:05:19
    internet because we're going to take the
  • 00:05:22
    DNS for these the
  • 00:05:24
    truenast.ltsdemo.org
  • 00:05:25
    uptimekuma.lts demo.org and they're both
  • 00:05:28
    going to have a DNS entry of 10 13
  • 00:05:31
    13.1 which is the interface that we're
  • 00:05:34
    going to bind them to on our pfSense so
  • 00:05:37
    the DNS will be a private IP address and
  • 00:05:39
    this is on the same network so as long
  • 00:05:41
    as PF census serving DNS to this
  • 00:05:43
    particular client the certificates will
  • 00:05:45
    line up match and the domains will match
  • 00:05:47
    and will get served a proper certificate
  • 00:05:49
    this is the DNS part that a lot of
  • 00:05:51
    people doing private have a harder time
  • 00:05:53
    with because public it makes sense that
  • 00:05:55
    you need your public DNS not to point to
  • 00:05:57
    your internal IPS of your servers it
  • 00:05:59
    would point to the proxy but when it's
  • 00:06:01
    internal the same thing applies it has
  • 00:06:04
    to point to the proxy so even though
  • 00:06:06
    uptime
  • 00:06:07
    kuma.ltsdemo.work is going to be pointed
  • 00:06:10
    at 10 13 13 1 it's going to Via the
  • 00:06:13
    rules in ha proxy come over here to
  • 00:06:15
    uptime Kuma and the back end this is the
  • 00:06:18
    big mistake a lot of people make where
  • 00:06:19
    they think the internal IP name or
  • 00:06:22
    sometimes because they also have their
  • 00:06:23
    own DNS entry of how they get to one of
  • 00:06:26
    their servers internally they try to
  • 00:06:27
    match it and then have a DNS problem
  • 00:06:29
    where it doesn't match because it's
  • 00:06:31
    trying to go directly to the server and
  • 00:06:33
    we need the client to go to the ha proxy
  • 00:06:36
    on pfSense to serve up the certificate
  • 00:06:38
    and let h a proxy broker that connection
  • 00:06:40
    back to the back end now let's get into
  • 00:06:42
    the functional of setting this up now
  • 00:06:44
    that we've covered the concepts
  • 00:06:46
    the first step is making sure you have
  • 00:06:47
    the packages installed so we have the
  • 00:06:49
    Acme package and ha proxy package
  • 00:06:51
    installed here if they're not installed
  • 00:06:53
    just head over to available packages and
  • 00:06:55
    go ahead and install those then we go to
  • 00:06:57
    system and we want to go to Advanced by
  • 00:07:00
    default pfSense is on TCP port 443 this
  • 00:07:03
    is for the web interface the pfSense
  • 00:07:05
    we'd like to move it somewhere else I
  • 00:07:06
    chose 10443 then down here we have web
  • 00:07:10
    we redirect make sure that's checked
  • 00:07:12
    this is a port 80 configuration rule you
  • 00:07:14
    don't absolutely have to do this but if
  • 00:07:16
    you don't and something hits Port 80
  • 00:07:17
    it'll actually redirect to whatever Port
  • 00:07:19
    you have chosen here I'm not covering
  • 00:07:21
    put in redirect rule for Port 80 because
  • 00:07:23
    most browsers choose https by default
  • 00:07:26
    now next we're going to set up the Acme
  • 00:07:28
    certificates the Acme search array here
  • 00:07:31
    on the general settings make sure you
  • 00:07:33
    have the cron entry checked this will
  • 00:07:35
    enable the automatic renewal of these
  • 00:07:38
    certificates I already have certificates
  • 00:07:40
    in here but the first step would
  • 00:07:41
    actually be creating an account key
  • 00:07:43
    creating account Keys is really easy we
  • 00:07:45
    can just put in test test make sure you
  • 00:07:48
    are choosing if you're ready for
  • 00:07:50
    production the production system will
  • 00:07:52
    actually do a staging one but please
  • 00:07:54
    note if you want it to work properly you
  • 00:07:55
    do need production and then you hit
  • 00:07:57
    create new account key it will grab the
  • 00:08:00
    account key
  • 00:08:02
    once that's populated you can then
  • 00:08:04
    register the Acme account key
  • 00:08:07
    and then you'll click save and now
  • 00:08:09
    you'll have a new system but note this
  • 00:08:11
    one is in testing so we're going to
  • 00:08:12
    delete it these are ones are in
  • 00:08:14
    production and they have proper account
  • 00:08:16
    Keys once you have a proper account key
  • 00:08:19
    you can go over here to certificates and
  • 00:08:21
    I have my LTS demo work I can show you
  • 00:08:24
    this one because this one will show you
  • 00:08:26
    too much it'll actually show you a part
  • 00:08:28
    of my cloudflare authorization this one
  • 00:08:31
    works the same way but I did it with
  • 00:08:33
    digitalocean and you see we're getting a
  • 00:08:35
    wild card for
  • 00:08:37
    studio.lorentsystems.com and we have my
  • 00:08:39
    digitalocean API key which is blurred
  • 00:08:41
    out if we look at creating any new
  • 00:08:44
    certificate let's go ahead and just walk
  • 00:08:45
    through that process when we add one we
  • 00:08:47
    would go here to add and we would give
  • 00:08:49
    it a name and the name does not have to
  • 00:08:51
    match their domain name but we will call
  • 00:08:52
    it Wild Card search for domain you can
  • 00:08:54
    put the same description error which can
  • 00:08:57
    be a little bit more typed out if you
  • 00:08:58
    need to and then we can choose all the
  • 00:09:00
    different options now you do not need to
  • 00:09:02
    open any ports for all these DNS options
  • 00:09:05
    that are in here these are all the
  • 00:09:06
    different companies that have automated
  • 00:09:08
    DNS or API support via pfSense there's
  • 00:09:12
    quite a few of them in here so you can
  • 00:09:13
    probably find duck DNS or whichever DNS
  • 00:09:16
    you might be using to get this to work
  • 00:09:18
    of no note I am using digitalocean and
  • 00:09:21
    cloudflare I've tested both of these in
  • 00:09:23
    this system to make sure they work and
  • 00:09:24
    if you use cloudflare it does ask a lot
  • 00:09:27
    of these questions and it does not blur
  • 00:09:28
    all of them when you go back to edit but
  • 00:09:31
    you must fill out all of these questions
  • 00:09:32
    if you're doing it for example with
  • 00:09:34
    digitalocean it only asks for the
  • 00:09:37
    digitalocean API key the important part
  • 00:09:40
    though is that you have the domain in
  • 00:09:41
    here properly and I will blur out the
  • 00:09:43
    bottom but please note the domain
  • 00:09:44
    because we want a wild card is
  • 00:09:48
    asterix.lts demo.work that gives us a
  • 00:09:50
    wildcard domain so it will pull the
  • 00:09:52
    wildcard search so we can make up
  • 00:09:54
    anything we want dot ltsdemo.work I will
  • 00:09:57
    also point out you can do it this way
  • 00:10:00
    asterix.studio.lorentsystems.com I'm
  • 00:10:02
    using launchsystems.com in more than one
  • 00:10:04
    place and I want to distinguish things
  • 00:10:05
    on this particular server as located at
  • 00:10:08
    my studio so this will allow us to
  • 00:10:10
    create any
  • 00:10:12
    name.studio.lorentsystems.com within
  • 00:10:14
    this server the final thing I will
  • 00:10:15
    mention is making sure you have this
  • 00:10:17
    right here it's
  • 00:10:20
    /usr/local/etc/rc.d/haproxy.sh restart the reason you
  • 00:10:25
    need that is because when the
  • 00:10:26
    certificate renews you want ha proxy to
  • 00:10:29
    restart so it can use that new
  • 00:10:31
    certificate so I do recommend you add
  • 00:10:32
    that if not even though the certificate
  • 00:10:34
    may be renewed if HAProxy does not
  • 00:10:36
    restart it will not start using that new
  • 00:10:38
    certificate when the certificate expires
  • 00:10:39
    now we're going to go over the services
  • 00:10:40
    and then ha proxy and let's look at the
  • 00:10:43
    settings make sure ha proxy is enabled
  • 00:10:45
    then we'll go down here and change the
  • 00:10:47
    reload Behavior this is my personal
  • 00:10:49
    preference especially for
  • 00:10:51
    troubleshooting you may not want this on
  • 00:10:53
    but it forces the immediate stop of old
  • 00:10:55
    processes on reload closes existing
  • 00:10:58
    connections I do this that way if I'm
  • 00:11:00
    especially adding new servers and
  • 00:11:02
    troubleshooting I want every time I
  • 00:11:03
    restart ha proxy don't hold on to any
  • 00:11:06
    sessions even if I'm just adding
  • 00:11:07
    something to the front and your back end
  • 00:11:08
    kill all those sessions and start them
  • 00:11:10
    over that way I don't have any old
  • 00:11:12
    sessions confusing me but please note
  • 00:11:14
    checking this option will interrupt
  • 00:11:16
    existing connections on a restart which
  • 00:11:18
    happens when configuration is
  • 00:11:19
    applied scrolling down a little further
  • 00:11:21
    I don't have this filled out but in
  • 00:11:23
    production systems I usually do remote
  • 00:11:25
    syslog host you can put a specific
  • 00:11:27
    syslog and send all that data from ha
  • 00:11:30
    proxy to its own syslog server this may
  • 00:11:32
    help you in collecting all of your logs
  • 00:11:35
    not needed for the demo server we have
  • 00:11:36
    here then we're going to go all the way
  • 00:11:37
    to the bottom and we can just hit save
  • 00:11:39
    which brings us to the apply changes and
  • 00:11:41
    of note anytime you apply changes it
  • 00:11:43
    kills all those connections now we're
  • 00:11:45
    going to build a back end and we want to
  • 00:11:48
    add a new back end we're going to call
  • 00:11:50
    it TrueNAS I'm going to click on this
  • 00:11:52
    little server table and expand it out
  • 00:11:54
    and we want to call that true Nas as
  • 00:11:57
    well so t-r-u-e-n-a-s
  • 00:12:00
    and then we're going to put an address
  • 00:12:01
    in here of 172 16165 the address of our
  • 00:12:05
    TrueNAS server 443 is the port then we
  • 00:12:08
    need to scroll over a little bit yes
  • 00:12:10
    this is encrypted do not check it it's
  • 00:12:13
    important you do not do an SSL check
  • 00:12:15
    because there is not a valid certificate
  • 00:12:17
    it is a self-signed certificate on my
  • 00:12:19
    TrueNAS server so we don't want the ha
  • 00:12:21
    proxy to try to validate that
  • 00:12:23
    certificate now let's go ahead and
  • 00:12:25
    scroll down further
  • 00:12:26
    I'm not going to bother with any type of
  • 00:12:28
    health checks but you can do a health
  • 00:12:30
    check on these if needed it just will
  • 00:12:32
    confirm whether or not the backend
  • 00:12:33
    server is up and then we can go down
  • 00:12:35
    here to the bottom leaving all other
  • 00:12:36
    things at default and click save
  • 00:12:39
    and I'll go ahead and apply the changes
  • 00:12:41
    but as you notice it's kind of grayed
  • 00:12:43
    out compared to these because there is
  • 00:12:45
    no front end yet for this particular
  • 00:12:47
    entry so let's go ahead and create a
  • 00:12:48
    front end for that we're going to click
  • 00:12:50
    add and because this front end is going to
  • 00:12:52
    be for more than one server let's just
  • 00:12:54
    call it u tube demo and we'll call this
  • 00:12:57
    YouTube demo for
  • 00:13:00
    star.ltsdemo.org because it's a wild
  • 00:13:01
    card certificate that we have for this
  • 00:13:03
    and this is where we bind the proper IP
  • 00:13:06
    address
  • 00:13:07
    now the IP address for this one is
  • 00:13:10
    specifically the lab VLAN 1313 address
  • 00:13:14
    then we're going to choose the port of
  • 00:13:16
    443
  • 00:13:17
    we're going to check the box for SSL
  • 00:13:19
    offloading and we'll leave all this the
  • 00:13:22
    same
  • 00:13:22
    then we're going to scroll down now
  • 00:13:24
    here's where we create those ACL lists
  • 00:13:26
    these are very important to name them in
  • 00:13:29
    a consistent way so we'll call this one
  • 00:13:31
    truenas and we'll say
  • 00:13:33
    host matches we want to match a hostname
  • 00:13:37
    the value we're going to use is
  • 00:13:40
    truenas.ltsdemo.work now remember we can
  • 00:13:42
    create any domain we want here we'll get
  • 00:13:43
    to the DNS settings next now this is
  • 00:13:46
    says truenas right here that means
  • 00:13:48
    when we do the action because this is
  • 00:13:50
    the access control list to match on so
  • 00:13:52
    host matches truenas ltsdemo.org and
  • 00:13:55
    then we're going to go what is the
  • 00:13:57
    action and we want to use the back end
  • 00:13:59
    that we named true Nas
  • 00:14:01
    and then conditional ACL name this has
  • 00:14:04
    to match exactly that's why I'm copying
  • 00:14:06
    and paste it from here to here we'll get
  • 00:14:09
    how to create more of them next they're
  • 00:14:10
    going to go ahead and scroll down
  • 00:14:12
    further until we get down to the
  • 00:14:13
    certificate and we want the certificate
  • 00:14:16
    to be the LTS demo that we have set up
  • 00:14:18
    here this is that wild card for that the
  • 00:14:21
    other one is using this one here and you
  • 00:14:22
    could create more than one back end
  • 00:14:24
    using another one here if we wanted to
  • 00:14:26
    use the launch systems one but as I said
  • 00:14:28
    we're going to be doing the demo work so
  • 00:14:30
    LTS demo work and that is this
  • 00:14:32
    particular wildcard certificate then
  • 00:14:34
    we'll scroll down here to the bottom and
  • 00:14:36
    we'll click save
  • 00:14:38
    and then we'll hit apply here comes the
  • 00:14:40
    DNS part where we have to make sure DNS
  • 00:14:42
    is working so we know what we have for
  • 00:14:44
    this domain so we're going to go here to
  • 00:14:46
    services and we're going to go to the
  • 00:14:48
    DNS resolver
  • 00:14:50
    and we're going to scroll down and I
  • 00:14:51
    have lots of entries in here but let's
  • 00:14:53
    look at the one that's specifically
  • 00:14:54
    related to this that's this true NASA
  • 00:14:56
    LTS demo work that entry says true Nas
  • 00:14:59
    is the host the domain is LTS demo work
  • 00:15:02
    it points to 10 13 13.1 and if
  • 00:15:06
    everything's working properly let's go
  • 00:15:08
    ahead and do a quick domain lookup to
  • 00:15:10
    make sure that the system answers with
  • 00:15:12
    the domain that we want it to and we're
  • 00:15:14
    just going to use dig to do truenas
  • 00:15:16
    ltsdemo.org
  • 00:15:18
    and we see that it's answering 10 13 13
  • 00:15:20
    1. and as you can see here we can go to
  • 00:15:24
    truenasltsdummo.org and we can sign in
  • 00:15:26
    so we can look at this connection is
  • 00:15:28
    secure
  • 00:15:29
    certificate is valid and we see that
  • 00:15:32
    we're giving it the certificate the
  • 00:15:33
    ltsdemo.work so let's go ahead and set
  • 00:15:35
    up one more domain at this same address
  • 00:15:38
    and since we're here in the DNS world
  • 00:15:40
    let's go ahead and add another DNS entry
  • 00:15:42
    with this host override so I'll go back
  • 00:15:44
    over to general settings
  • 00:15:46
    we're just going to click add we'll call
  • 00:15:48
    this one Kuma put the domain which is
  • 00:15:51
    the ltsdemo.work and it's the same IP
  • 00:15:54
    address so
  • 00:15:55
    10.13.13.1 which is our pfSense this is
  • 00:15:58
    for up time Kuma scroll down
  • 00:16:04
    save apply always double check your DNS
  • 00:16:07
    make sure
  • 00:16:10
    kuma.ltsdummo.works it does it comes up
  • 00:16:12
    with the same IP address so let's go
  • 00:16:14
    back in and add an ACL so we're going to
  • 00:16:17
    go over here to our ha proxy we're going
  • 00:16:20
    to edit our existing one we have here
  • 00:16:22
    and we want to add another rule
  • 00:16:25
    so we're going to click this Access
  • 00:16:26
    Control list here we'll call it Kuma
  • 00:16:30
    host starts with hosts matches is what
  • 00:16:32
    my goal is here and it's going to be
  • 00:16:35
    auma.lts demo dot work
  • 00:16:39
    scroll down here
  • 00:16:40
    we want to use backend and we already
  • 00:16:43
    have an uptime Kuma back in so we'll use
  • 00:16:45
    that one there and we have to make sure
  • 00:16:47
    once again these match so we called it
  • 00:16:48
    Kuma here so we will call it Kuma here
  • 00:16:50
    so the use back end is this one here so
  • 00:16:54
    now if we go down to the bottom all the
  • 00:16:55
    other things are the same we're just
  • 00:16:57
    going to hit save let's go back and edit
  • 00:16:59
    this real quick just to cover that you
  • 00:17:01
    can see now that it's saved if the host
  • 00:17:03
    matches
  • 00:17:05
    truenas.ltsdemo.work
  • 00:17:07
    we're going to be using this ACL which
  • 00:17:09
    points to this one here if it matches
  • 00:17:12
    the kuma.ltsdemo.work which is that
  • 00:17:15
    right there it says use the back end
  • 00:17:17
    Kuma and use the back end uptime Kuma on
  • 00:17:20
    the back right here it's all we have to
  • 00:17:23
    do and we'll go back over here we'll
  • 00:17:24
    apply the changes and let's see if that
  • 00:17:26
    works and now we're at my uptime Kuma
  • 00:17:28
    login
  • 00:17:30
    one more thing I want to note if we go
  • 00:17:32
    over here and we look at the back end
  • 00:17:34
    and we want to look at the uptime kuma
  • 00:17:36
    back end I want to point out that this
  • 00:17:38
    uptime Kuma back end we'll click edit
  • 00:17:40
    here is not encrypted if you're familiar
  • 00:17:43
    with uptime Kuma by default it does not
  • 00:17:45
    have a certificate I didn't install one
  • 00:17:47
    on purpose and the reason why is because
  • 00:17:48
    I wanted it to be handled by
  • 00:17:51
    HAProxy so the connection from pfSense to
  • 00:17:54
    this IP address is not going to be
  • 00:17:56
    encrypted so we do not have this checked
  • 00:18:00
    the certificate though is valid here
  • 00:18:02
    because it's the connection between
  • 00:18:04
    pfSense and this browser that is
  • 00:18:07
    encrypted providing me with that same
  • 00:18:09
    connection is secure with the valid
  • 00:18:12
    certificate from the Let's Encrypt
  • 00:18:14
    certificate something else worth noting
  • 00:18:16
    is that you notice that this is pointed
  • 00:18:19
    at two different places this is a way
  • 00:18:21
    you can create a different front end but
  • 00:18:22
    still have one backend server that
  • 00:18:25
    handles all of your internal and this
  • 00:18:26
    could just as easily be if we added
  • 00:18:28
    another one
  • 00:18:29
    be bound to my WAN IP address and we can
  • 00:18:32
    repeat the process for actually any one
  • 00:18:33
    of these or if I had multiple WAN IP
  • 00:18:35
    addresses and then I could publicly
  • 00:18:37
    expose a specific server and use that
  • 00:18:39
    same back end and it would have two
  • 00:18:41
    different entries that way now one of
  • 00:18:43
    the things I want to comment on is a
  • 00:18:45
    couple use cases for binding the front
  • 00:18:46
    end to different interfaces one of the
  • 00:18:48
    big use cases for that is because all of
  • 00:18:50
    your normal firewall rules apply let's
  • 00:18:52
    say you have a guest Network and you'd
  • 00:18:54
    like to have your guests accessing
  • 00:18:55
    things over HAProxy such as uptime Kuma
  • 00:18:58
    but you do not want them to access your
  • 00:19:00
    NAS and this would be a good use case
  • 00:19:02
    you could tie NAS to your secure network
  • 00:19:05
    that you just have you and people you
  • 00:19:07
    trust on and then you could have your
  • 00:19:08
    guest network but you know they want to
  • 00:19:10
    see what servers are up and you could
  • 00:19:11
    then bind it to that address another use
  • 00:19:13
    case is binding it to the WAN address
  • 00:19:16
    now as I said if you bind it to WAN you
  • 00:19:18
    need to open up Port 443 to have it
  • 00:19:20
    remotely accessed but internally the
  • 00:19:23
    guest network will have access to it
  • 00:19:25
    because you don't need to create a rule
  • 00:19:26
    internally for LAN because by default
  • 00:19:29
    pfSense that is the default behavior
  • 00:19:31
    for services bound to a specific
  • 00:19:33
    interface for the network segment and
  • 00:19:36
    the devices on that segment will have
  • 00:19:38
    access to that so just keep that in mind
  • 00:19:40
    when you're setting it up now I made
  • 00:19:42
    this video to cover the most common use
  • 00:19:43
    cases for HAProxy but obviously there
  • 00:19:45
    are many more use cases check out
  • 00:19:47
    Netgate's documentation because they
  • 00:19:49
    have a lot more covered and check out
  • 00:19:51
    their forums the Netgate forums there's
  • 00:19:53
    a lot of discussion about HAProxy
  • 00:19:55
    because there's always different Edge in
  • 00:19:56
    different use cases on different
  • 00:19:57
    specialized environments and maybe you
  • 00:19:59
    have all those environments and there's
  • 00:20:01
    something beyond that was covered in
  • 00:20:03
    this video that you need to get
  • 00:20:04
    configured their forums are a great place
  • 00:20:06
    to check that out if you want to see
  • 00:20:08
    more content from this channel like and
  • 00:20:09
    subscribe also leave your comments down
  • 00:20:11
    below I love hearing from all of you if
  • 00:20:13
    you want to connect with me I'll be over
  • 00:20:14
    in the forums at
  • 00:20:15
    forums.lawrencesystems.com or just head
  • 00:20:18
    over to lawrencesystems.com and figure
  • 00:20:19
    out what socials I'm on when you're
  • 00:20:21
    watching this video and you can say hi
  • 00:20:22
    to me there alright and thanks
  • 00:20:29
    thank you
Tags
  • HAProxy
  • pfSense
  • Let's Encrypt
  • SSL Certificates
  • DNS Configuration
  • Wildcard Certificates
  • Reverse Proxy
  • Network Security
  • Firewall
  • Digital Ocean
  • Cloudflare