Tom here from Lawrence Systems, and today we're going to cover HAProxy and Let's Encrypt on pfSense. But before we begin, a couple of prerequisites. You should own a domain; for example, Cloudflare is less than ten dollars a year for a domain. We're going to be using a Cloudflare domain as an example, but it will work with a lot more than just Cloudflare, because we're going to be doing this using the API. So Cloudflare, DigitalOcean, there's many other choices. We'll cover that later when we talk about how to get certificates with ACME and how to automate them, because we're going to be using wildcard certs. So owning a domain name is going to be a prerequisite for this.

Next, pfSense Plus or Community Edition: this will work on either one of those. We're going to be using the latest versions available here in August of 2023, and everything's going to be time indexed down below, so you can jump to the part that's most relevant. But we will be starting with some diagrams. The reason why is because when I did this video before, there were a lot of concepts that I realized people didn't understand for how reverse proxies work and how important DNS is. Almost all the consulting we do regarding fixing this for people is pretty much DNS, DNS, and occasionally someone getting a couple of things wrong about where they pointed their DNS. That is probably the number one issue. There's a few others, and we will cover basic troubleshooting and how to set this up. But this is going to be a complete guide from start to finish, from loading the packages (which I've already done, so that part's easy) to getting this all configured and making sure you can access your servers. I'm going to cover doing this privately, as in keeping the domain inside so you don't have to publicly expose services, but I'll also talk about the method by which you can expose it. They're pretty much the same; it's just a matter of what interface you attach it to. Now before we begin, we do need to hear from a sponsor, and today's
sponsor is, well, my company. So let's get into the ad read, then we'll get you to the content.

Are you an individual or forward-thinking company looking for expert assistance with network engineering, storage, or virtualization projects? Perhaps you're an internal IT team seeking help to proactively manage, monitor, or secure your systems. We offer comprehensive consulting services tailored to meet your specific project needs. Whether you require fully managed or co-managed IT services, our experienced team is ready to step in and help. We specialize in supporting businesses that need IT administration or IT teams seeking an extra layer of support to enhance their operations. To learn more about any of our services, head over to our website and fill out the hire us form at lawrencesystems.com. Let us start crafting the perfect IT solution for you. If you want to show some extra love for our channel, check out our swag store and affiliate links down below that will lead you to discounts and deals for products and services we've discussed on this channel.

With the ad read out of the way, let's get you back to the content that you really came here for. Now most of this video is going to focus on setting this up to use your private IP internally, but I will cover just that one extra step, or technically two, that you need to do to get this working publicly. One is you have to have publicly available DNS. Through the rest of the demo we're going to be using local DNS instead, on our pfSense, but it goes out of scope of this to cover how to point a domain at your public IP address, because that is very dependent on whoever provides your DNS. But in our demo site here we have ltsdemo.work. This is the domain that I bought that I'm using for this, and we're going to use truenas.ltsdemo.work and uptimekuma.ltsdemo.work as our fully qualified domains. And if we wanted to make this public, the thing that we would do differently is we would bind our HAProxy to my public IP. Now you can have more than one
IP on a pfSense, so you can have multiple public IP addresses, and you would just attach HAProxy to whichever one was public. And then the other thing you'd have to do is open up the firewall rules. By default pfSense blocks incoming WAN requests, but you can override that: put a firewall rule in to allow things to locally talk to the HAProxy or the firewall itself, because they're both on the same device, and then you would publicly expose things. I didn't want to do that for this particular demo, because if I publicly exposed things and publicly exposed my IP address, one, that comes with lots of risks, and well, someone might even just DDoS it just to be annoying, and that's another risk that may come with it. But both of these can point at the same IP if you only have one IP, and HAProxy (and this is the part we will be covering) is how it handles ACLs, or the access control list, and has a set of rules that say look at the different domains that are coming in and serve up the server from behind there. But each of these would just point to whatever your public IP address is, and that would allow a client outside the network to go across the internet and get served up a proper certificate by HAProxy for these devices that are behind your pfSense.

We are going to focus on doing this privately so you can have your own, and we're going to be using wildcard DNS for this. That does apply even with it being public, but this allows you to create all of your own DNS. We're going to use, in this case, pfSense for DNS, because pfSense acts as our DNS server and it acts as our proxy server. So we don't need to go outside to the internet for this to work in terms of the client, other than it does have to have internet access when you get your certificate. So the certificate renewals do require internet, but the actual functionality... and you're not exposing your servers, like your TrueNAS or your Uptime Kuma server we're going to use as demos in here, to the public internet, because we're going to take the
DNS for these, truenas.ltsdemo.work and uptimekuma.ltsdemo.work, and they're both going to have a DNS entry of 10.13.13.1, which is the interface that we're going to bind them to on our pfSense. So the DNS will be a private IP address, and this is on the same network. So as long as pfSense is serving DNS to this particular client, these certificates will line up, match, and the domains will match, and we'll get served a proper certificate.

This is the DNS part that a lot of people doing private have a harder time with, because public, it makes sense that you need your public DNS not to point to your internal IPs of your servers; it would point to the proxy. But when it's internal, the same thing applies: it has to point to the proxy. So even though uptimekuma.ltsdemo.work is going to be pointed at 10.13.13.1, it's going to, via the rules in HAProxy, come over to here to Uptime Kuma on the back end. This is the big mistake a lot of people make, where they think the internal IP name, or sometimes because they also have their own DNS entry of how they get to one of their servers internally, they try to match it and then have a DNS problem where it doesn't match, because it's trying to go directly to the server. And we need the client to go to the HAProxy on pfSense to serve up the certificate and let HAProxy broker that connection back to the back end.

Now let's get into the functional part of setting this up, now that we've covered the concepts. The first step is making sure you have the packages installed. So we have the ACME package and HAProxy package installed here. If they're not installed, just head over to Available Packages and go ahead and install those. Then we go to System and we want to go to Advanced. By default pfSense is on TCP port 443; this is for the web interface of pfSense. We'd like to move it somewhere else. I chose 10443. Then down here,
we have WebGUI redirect; make sure that's checked. This is a port 80 configuration rule. You don't absolutely have to do this, but if you don't and something hits port 80, it'll actually redirect to whatever port you have chosen here. I'm not covering putting in a redirect rule for port 80, because most browsers choose HTTPS by default.

Now next we're going to set up the ACME certificates. The ACME certs are right here. On the General Settings, make sure you have the cron entry checked. This will enable the automatic renewal of the certificates. I already have certificates in here, but the first step would actually be creating an account key. Creating account keys is really easy. We can just put in test, test. Make sure you are choosing, if you're ready for production, the production system; it will actually do a staging one, but please note, if you want it to work properly, you do need production. And then you would hit Create New Account Key. It will grab the account key. Once that's populated, you can then register the ACME account key, and then you'll click Save, and now you'll have a new system. But note this one is in testing, so we're going to delete it. These ones are in production and they have proper account keys.

Once you have a proper account key, you can go over here to Certificates. And I have my ltsdemo.work. I can't show you this one, because this one will show you too much; it'll actually show you a part of my Cloudflare authorization. This one works the same way, but I did it with DigitalOcean, and you see we're getting a wildcard for studio.lawrencesystems.com, and we have my DigitalOcean API key, which is blurred out. If we look at creating any new certificate, let's go ahead and just walk through that process. When we add one, we would go here to Add and we would give it a name, and the name does not have to match the domain name, but we will call it "wildcard cert for domain". You can put the same in the description here, which can be a little bit more typed out if you need to. And then we
can choose all the different options. Now you do not need to open any ports for all these DNS options that are in here. These are all the different companies that have automated DNS or API support via pfSense. There's quite a few of them in here, so you can probably find DuckDNS or whichever DNS you might be using to get this to work. Of note, I am using DigitalOcean and Cloudflare. I've tested both of these in the system to make sure they work. And if you use Cloudflare, it does ask a lot of these questions, and it does not blur all of them when you go back to edit, but you must fill out all of these questions. If you're doing it, for example, with DigitalOcean, it only asks for the DigitalOcean API key. The important part, though, is that you have the domain in here properly. And I will blur out the bottom, but please note the domain, because we want a wildcard, is *.ltsdemo.work. That gives us a wildcard domain, so it will pull the wildcard cert. So we can make up anything we want .ltsdemo.work. I will also point out you can do it this way: *.studio.lawrencesystems.com. I'm using lawrencesystems.com in more than one place, and I want to distinguish things on this particular server as located at my studio. So this will allow us to create any name .studio.lawrencesystems.com within this server.

The final thing I will mention is making sure you have this right here: it's /usr/local/etc/rc.d/haproxy.sh restart. The reason you need that is because when the certificate renews, you want HAProxy to restart so it can use that new certificate. So I do recommend you add that. If not, even though the certificate may be renewed, if HAProxy does not restart, it will not start using that new certificate when the certificate expires.

Now we're going to go over to Services and then HAProxy, and let's look at the Settings. Make sure HAProxy is enabled. Then we'll go down here and change the reload behavior. This is my personal preference, especially for troubleshooting; you may not want this on, but it forces the
immediate stop of old processes on reload, closes existing connections. I do this that way if I'm especially adding new servers and troubleshooting; I want, every time I restart HAProxy, don't hold on to any sessions. Even if I'm just adding something to the front end or the back end, kill all those sessions and start them over. That way I don't have any old sessions confusing me. But please note, checking this option will interrupt existing connections on a restart, which happens when configuration is applied. Scrolling down a little further, I don't have this filled out, but in production systems I usually do: remote syslog host. You can put a specific syslog and send all that data from HAProxy to its own syslog server. This may help you in collecting all of your logs. Not needed for the demo server we have here. Then we're going to go all the way to the bottom and we can just hit Save, which brings us to the Apply Changes. And of note, anytime you apply changes, it kills all those connections.

Now we're going to build a back end. We want to add a new back end, and we're going to call it TrueNAS. We're going to click on this little server table and expand it out, and we want to call that TrueNAS as well, so T-R-U-E-N-A-S. And then we're going to put an address in here of 172.16.16.5, the address of our TrueNAS server. 443 is the port. Then we need to scroll over a little bit. Yes, this is encrypted. Do not check it. It is important you do not do an SSL check, because there is not a valid certificate; it is a self-signed certificate on my TrueNAS server, so we don't want the HAProxy to try to validate that certificate. Now let's go ahead and scroll down further. I'm not going to bother with any type of health checks, but you can do a health check on these if needed. It just will confirm whether or not the back end server is up. And then we can go down here to the bottom, leaving all other things at default, and click Save. And I'll go ahead and apply the changes. But as you notice, it's kind of grayed
out compared to these, because there is no front end yet for this particular entry. So let's go ahead and create a front end. For that we're going to click Add. And because this front end is going to be for more than one server, let's just call it YouTubeDemo, and we'll call this "YouTubeDemo for *.ltsdemo.work", because it's a wildcard certificate that we have for this. And this is where we bind the proper IP address. Now the IP address for this one is specifically the labvlan1313 address. Then we're going to choose the port of 443. We're going to check the box for SSL offloading, and we'll leave all of this the same. Then we're going to scroll down.

Now here's where we create those ACL lists. These are very important to name in a consistent way. So we'll call this one TrueNAS, and we'll say Host matches, and we want to match a host name, and the value we're going to use is truenas.ltsdemo.work. Now remember, we can create any domain we want here; we'll get to the DNS settings next. Now this says TrueNAS right here. That means when we do the action, because this is the access control list to match on, so host matches truenas.ltsdemo.work, and then we're going to go, what is the action? And we want to use the back end that we named TrueNAS. And then conditional ACL name: this has to match exactly. That's why I'm copying and pasting it from here to here. We'll get to how to create more of them next. Then we're going to go ahead and scroll down further till we get down to the certificate, and we want the certificate to be the ltsdemo that we have set up here; this is that wildcard for that. The other one is using this one here, and you could create more than one back end using another one here if we wanted to use the Lawrence Systems one. But as I said, we're going to be doing the demo.work, so ltsdemo.work, and that is this particular wildcard certificate. Then we'll scroll down here to the bottom and we'll click Save, and then we'll hit Apply.

Here comes the DNS part, where we have to make sure DNS is
working so we know what we have for this domain. So we're going to go here to Services, and we're going to go to the DNS Resolver, and we're going to scroll down. I have lots of entries in here, but let's look at the one that's specifically related to this, and that's this truenas.ltsdemo.work. That entry says TrueNAS is the host, the domain is ltsdemo.work, and it points to 10.13.13.1. And if everything's working properly, let's go ahead and do a quick domain lookup to make sure that the system answers with the domain that we wanted it to. We're just going to use dig to do truenas.ltsdemo.work, and we see that it's answering 10.13.13.1. And as you can see here, we can go to truenas.ltsdemo.work and we can sign in. So we can look at this: connection is secure, certificate is valid, and we see that we're given the certificate, the ltsdemo.work.

So let's go ahead and set up one more domain at this same address. And since we're here in the DNS world, let's go ahead and add another DNS entry with this host override. So we're going to go back over to General Settings. We're just going to click Add. We'll call this one kuma, put the domain, which is the ltsdemo.work, and it's the same IP address, so 10.13.13.1, which is our pfSense. And this is for Uptime Kuma. Scroll down, Save, Apply. Always double check your DNS. Make sure kuma.ltsdemo.work works. It does; it comes up with the same IP address.

So let's go back in and add an ACL. So we're going to go over here to our HAProxy. We're going to edit our existing one we have here, and we want to add another rule. So we're going to click this access control list here. We'll call it kuma. "Host starts with", "Host matches" is what my goal is here, and it's going to be kuma.ltsdemo.work. Scroll down here. We want to use back end, and we already have an Uptime Kuma back end, so we'll use that one there. And we have to make sure, once again, these match. So we call it kuma here, so we will call it kuma here. So the use back end is this one here. So now if we go down to the bottom,
all other things are the same. We're just going to hit Save. Let's go back and edit this real quick just to cover that. You can see now that it's saved. If the host matches truenas.ltsdemo.work, we're going to be using this ACL, which points to this one here. If it matches the kuma.ltsdemo.work, which is that right there, it says use the back end kuma, and use the back end uptime kuma on the back right here. It's all we have to do. And we'll go back over here where we'll apply the changes, and let's see if that works. And now we're at my Uptime Kuma login.

One more thing I want to note. If we go over here and we look at the back end, and we want to look at the Uptime Kuma back end, I want to point out that this Uptime Kuma back end (and we'll click Edit here) is not encrypted. If you're familiar with Uptime Kuma, by default it does not have a certificate. I didn't install one on purpose, and the reason why is because I wanted it to be handled by the HAProxy. So the connection from pfSense to this IP address is not going to be encrypted, so we do not have this checked. The certificate, though, is valid here, because it's the connection between pfSense and this browser that is encrypted, providing me with that same "connection is secure" with the valid certificate from the Let's Encrypt certificate.

Something else worth noting is that you notice that this is pointed at two different places. This is a way you can create a different front end but still have one back end server that handles all of your internal. And this could just as easily be, if we added another one, be bound to my WAN IP address, and we can repeat the process for actually any one of these. Or if I had multiple WAN IP addresses, then I could publicly expose a specific server and use that same back end, and it would have two different entries that way.

Now one of the things I want to comment on is a couple of use cases for binding the front end to different interfaces. One of the big use cases for that is because all of your normal
firewall rules apply. Let's say you have a guest network and you'd like to have your guests accessing things over HAProxy, such as Uptime Kuma, but you do not want them to access your NAS. This would be a good use case. You could tie NAS to your secure network that you just have you and people you trust on, and then you could have your guest network... but you know they want to see what servers are up, and you could then bind it to that address. Another use case is binding it to the WAN address. Now as I said, if you bind it to WAN, you need to open up port 443 to have it remotely accessed. But internally, the guest network will have access to it, because you don't need to create a rule internally for LAN, because by default pfSense, it is the default behavior for services bound to a specific interface, for the network segment and the devices on that segment will have access to that. So just keep that in mind when you're setting it up.

Now I made this video to cover the most common use cases for HAProxy, but obviously there are many more use cases. Check out Netgate's documentation, because they have a lot more covered, and check out their forums, the Netgate forums. There's a lot of discussion about HAProxy, because there's always different edge cases and different use cases on different specialized environments, and maybe you have one of those environments and there's something beyond what was covered in this video that you need to get configured. Their forums are a great place to check that out.

If you want to see more content from this channel, like and subscribe. Also leave your comments down below; I love hearing from all of you. If you want to connect with me, I'll be over in the forums at forums.lawrencesystems.com, or just head over to lawrencesystems.com and figure out what socials I'm on when you're watching this video, and you can say hi to me there. All right, and thanks.
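The frontend, ACLs and two backends built through the pfSense GUI above, written out as a hand-made HAProxy configuration. This is an added example, not code from the video and not the file the pfSense package generates (which adds its own options and paths). Assumptions: the frontend binds to the labvlan1313 address 10.13.13.1; the wildcard certificate lives at /var/etc/haproxy/ltsdemo.pem (placeholder path); Uptime Kuma is reached at the placeholder address 192.0.2.10 on port 3001 (its usual default), since the video does not show that backend's address.

```haproxy
# Added example: hand-written equivalent of the GUI steps, not pfSense's own output.
global
    log 127.0.0.1 local0             # point this at a remote syslog host in production

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend "YouTubeDemo": one listener on the private interface, TLS is offloaded here.
# Clients must resolve truenas./kuma.ltsdemo.work to 10.13.13.1 (the pfSense host
# overrides) or their requests never reach this frontend and its ACLs.
frontend YouTubeDemo
    bind 10.13.13.1:443 ssl crt /var/etc/haproxy/ltsdemo.pem   # wildcard *.ltsdemo.work (placeholder path)
    # ACLs: "Host matches" in the GUI is a case-insensitive comparison of the Host header
    acl truenas hdr(host) -i truenas.ltsdemo.work
    acl kuma    hdr(host) -i kuma.ltsdemo.work
    # Actions: the name after "if" must match the acl line exactly, as in the GUI
    use_backend TrueNAS     if truenas
    use_backend uptime_kuma if kuma

# TrueNAS speaks HTTPS with a self-signed certificate: re-encrypt towards it, but
# do not verify, because HAProxy has no trust anchor for that cert ("SSL checks" unchecked)
backend TrueNAS
    server TrueNAS 172.16.16.5:443 ssl verify none

# Uptime Kuma has no certificate of its own: plain HTTP on the inside; the browser
# still sees the valid Let's Encrypt certificate presented by the frontend
backend uptime_kuma
    server uptime_kuma 192.0.2.10:3001   # placeholder address, assumed default port
```

A request for any other *.ltsdemo.work name matches neither ACL and, with no `default_backend`, is answered with a 503 rather than being forwarded anywhere, which is the safe failure mode for an unknown host. The configuration can be syntax-checked without starting the proxy using `haproxy -c -f <file>`.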