(Updated Video In Description) Creating pfsense Let's Encrypt Wildcard Certificates using HAProxy

  • Published 30 Sep 2024

COMMENTS • 51

  • @jan-lucansky
    @jan-lucansky 4 years ago +13

    Thank you for amazing videos ! One thing I noticed, you use wrong command in Action list. Should be "/usr/local/etc/rc.d/haproxy.sh restart" you have only "/usr/local/etc/rc.d/haproxy.sh" :)

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago +1

      Thanks, I'm glad someone read the instructions properly.

  • @warizzle
    @warizzle 3 years ago +3

    To fix the issue of all the logs saying the connection is coming from the pfsense box (192.168.1.1) you can turn on the Use "forwardfor" option in the advanced settings part of the front end. It adds a header that contains the client machine's IP address.
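    Added example (not from the video or this commenter) of how a backend should consume the header that forwardfor adds: the TCP peer is still the pfSense/HAProxy box, so X-Forwarded-For is only trustworthy when the peer is that proxy, otherwise a host connecting directly could forge it and poison logs or IP-based rules. The 192.168.1.1 proxy address comes from the comment; the request headers below are constructed.

    ```python
    """Recover the real client IP behind HAProxy's 'option forwardfor'."""
    import ipaddress
    from typing import Mapping

    # Assumption (from the comment above): pfSense/HAProxy is 192.168.1.1 and is
    # the only host allowed to speak to the backend on behalf of clients.
    TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.1")}


    def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
        """Return the address the backend should log or apply ACLs to.

        With forwardfor, HAProxy appends the connecting client's address to
        X-Forwarded-For, but the socket peer the backend sees is still the proxy.
        The header is honoured only when the peer is a trusted proxy; a direct
        connection gets its socket address regardless of any header it sends.
        """
        peer = ipaddress.ip_address(peer_ip)
        if peer not in TRUSTED_PROXIES:
            return str(peer)  # direct connection: ignore whatever header it supplied

        # Header names are case-insensitive in HTTP.
        lowered = {k.lower(): v for k, v in headers.items()}
        xff = lowered.get("x-forwarded-for", "")

        # HAProxy appends the address it observed as the LAST element, so walk
        # right-to-left: entries a client prepended itself cannot override it.
        for part in reversed([p.strip() for p in xff.split(",")]):
            try:
                return str(ipaddress.ip_address(part))
            except ValueError:
                continue  # empty or malformed entry, keep looking
        return str(peer)  # proxy sent no usable header: fall back to its address


    if __name__ == "__main__":
        # Constructed requests: one via the proxy, one forged from the LAN directly.
        print(client_ip("192.168.1.1", {"X-Forwarded-For": "203.0.113.7"}))
        print(client_ip("10.0.0.50", {"X-Forwarded-For": "203.0.113.7"}))
    ```
    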

  • @anthonycapone1295
    @anthonycapone1295 4 years ago +3

    Great video Tom! Things work like a charm. However, I did run into an issue. I have servers that I've assigned with a static IP. When I check the box, "Register DHCP static mappings in the DNS Resolver" ... I lose the host overrides that I've specified... and therefore, no cert when I visit an internal server. When I uncheck the same box...boom, the overrides work and the cert is there. Is this the expected behaviour of pfSense?

  • @mbonani
    @mbonani 4 years ago +2

    18:24 Wouldn't 'Use "forwardfor" option' help with that?

  • @johnglennan2153
    @johnglennan2153 1 year ago +1

    You are an IT God Tom - Thank you for all you do....

  • @mattparksey
    @mattparksey 3 years ago +1

    Nice video, got it working thanks. Can you add this cert for accessing your pfsense box too? Do you need the HA reverse proxy in that case?

  • @fbifido2
    @fbifido2 4 years ago +1

    @18:14 - Can't HAProxy pass the client IP on to the backend server?

  • @sicanu1981
    @sicanu1981 3 years ago +1

    I fixed it, I forgot to change the 443 port to port 10443, all good on that

  • @ranjithgreen
    @ranjithgreen 3 years ago +1

    Thank you for wonderful technical videos and information

  • @yuriw777
    @yuriw777 8 months ago

    Great video, thx! I assume for SSL on LAN hosts HAProxy package is a must?

  • @mattybeans2322
    @mattybeans2322 4 years ago +1

    You sir, are the best. Please employ me lol.

  • @manuelthallinger7297
    @manuelthallinger7297 2 years ago

    The DNS Override works great, I can ping the name I want to access and it resolves it to the correct IP. But I can't access the service I want to connect to; in the HAProxy dashboard the backend shows offline, but the backend settings are correct. Am I missing some firewall rules for HAProxy?

  • @GeertHeremans
    @GeertHeremans 1 year ago

    Anyone knows if this also works with the DNS-alias technique? I have a domain without the ability to add API-access but have a dummy domain with it. I'm able to use the dummy domain for normal certificates. But trying out wildcards doesn't work yet.

  • @jeliuterio
    @jeliuterio 4 years ago +1

    Finally got it to work :D

  • @DavidVanHerzeele
    @DavidVanHerzeele 2 years ago

    Great video. Everything works now.
    But I want to use the FQDN internally; for instance a Bitwarden server needs HTTPS in the browser. I set up my Pi-hole to have internal DNS records, but I can't get it to work so that HAProxy serves the SSL cert for the domain internally.

  • @sicanu1981
    @sicanu1981 3 years ago

    Hi everyone,
    I think I have broken my connection with my router. I cannot connect and I get the wildcard cert instead of the SSL cert. And one last thing for Tom: good video and informative, but I cannot make it work with Nextcloud. Can you please make one video on how to connect to a jail, for instance (Nextcloud)?
    Thanks

  • @THEGURU1234556
    @THEGURU1234556 3 years ago

    Great video, setup got it working, thanks

  • @cmlopezmx
    @cmlopezmx 2 years ago

    Thank you for the video. I just have one question: what if I'm trying to create an internal SSL cert for my Synology NAS? Since I'm routing all traffic to the LAN IP, when I do SMB to mount a folder it doesn't find the NAS.

  • @h4X0r99221
    @h4X0r99221 2 years ago

    Great video, thanks!

  • @LeonardoMatute
    @LeonardoMatute 2 years ago

    @Lawrence Systems at 16:50, you mentioned you have multiple LANs in your office. Any guidance on how to do this with multiple subnets (LANs)? I have a couple of services running on a different LAN and I haven't been able to get it working. (Main LAN is working flawlessly)

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      You just have to have rules that allow those other subnets to reach the HAProxy ports

    • @LeonardoMatute
      @LeonardoMatute 2 years ago

      Awesome, I thought I did, but I'll take a more detailed look at the rules and see if I can figure it out.

  • @kryptykhermit
    @kryptykhermit 2 years ago +1

    Thanks!

  • @Exploited89
    @Exploited89 4 years ago

    This can be really useful! Thanks

  • @CristianHeredia0
    @CristianHeredia0 2 years ago

    Many thanks

  • @sicanu1981
    @sicanu1981 3 years ago +1

    I have followed as Tom did and it did not work at all. I need help if anybody has some spare time!

  • @jonathanpitt6126
    @jonathanpitt6126 2 years ago +2

    The guy has noble intentions, but his videos are scatterbrained caveman mumblings... could be much more logical and coherent.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      First time I have been described as "scatterbrained caveman mumblings" 😀

    • @jonathanpitt6126
      @jonathanpitt6126 2 years ago

      @@LAWRENCESYSTEMS sorry, I hoped you could laugh at that... I'm not smart enough to understand the wizardry

    • @jonathanpitt6126
      @jonathanpitt6126 2 years ago

      I'll do some mumbling myself... any drawbacks jump out at you for a config involving: a virtual IP on the LAN side that 80/443 is NAT'd to, then HAProxy listens on this LAN virtual IP. Keeps the HAProxy traffic on the LAN side instead of tromboning through the pfSense. Random thought

    • @richardking2439
      @richardking2439 2 years ago

      @@jonathanpitt6126 yeah, I am not smart enough to understand how to create an API key either.

  • @cbbbbbbbbbbbb
    @cbbbbbbbbbbbb 4 years ago

    So for private servers accessed through VPN, it seems like you still need a specific individual domain with a public entry in order to resolve without SSL errors? If I am understanding that right, that's the way to go for VPN clients, and then wildcard for everything else that won't be accessed via VPN?

    • @anthonypolsinelli1179
      @anthonypolsinelli1179 4 years ago +2

      Not necessarily. You can push your internal DNS server for use by anyone over VPN. For OpenVPN you add push "script-security 2" push "dhcp-option DNS " or add them to each individual config file. You can also push a domain with dhcp-option DOMAIN.

  • @maxd7228
    @maxd7228 4 years ago

    First

    • @garym1550
      @garym1550 4 years ago +3

      First, yes, but LAST in advancing the knowledge pool.