Tom here from Lawrence Systems. We're going to talk about pfSense, Let's Encrypt, HAProxy, and wildcard certificates. And the goal of this video is to be able to show you how you can take private servers that you do not want publicly exposed, but servers that you have, like we're going to use FreeNAS as an example in this particular demo, but you don't want to deal with the self-signed certificate error. And I'm going to walk you through how to do that with pfSense, HAProxy, and wildcard certificates. So if you want to learn more about me or my company, head over to LawrenceSystems.com. If you'd like to hire us for a project, there's a Hire Us button up at the top. If you want to support the channel in other ways, there are discount links below, affiliate links to get you discounts and deals on products and services that we talk about on this channel.

So, wildcard certificates. You came here just wondering how to do them versus a normal certificate. This is really, really easy. Instead of the domain, you just put *.example.com. Now I'll leave a link below, because in my first video on HAProxy with pfSense and certificates I showed how you can create specific domains with public entries. For example, in that demo, Ask-A-Band and Nova Prospect point to a public IP address, and we tied HAProxy to the WAN and then created rules to make them publicly exposed. I'll link to that video. But a lot of times, and this is something we do inside of our network, we have private servers we do not want publicly exposed, but we also don't want SSL errors. So if you don't want to deal with the certificate error and you don't want to publicly expose them, that's what this video is for.

So let's start here. As it actually says here, there are a couple of prerequisites. Let's run through them. You have to be able to use the DNS-based method for Let's Encrypt to hand you a wildcard certificate.
So there's a long list of providers that can host DNS. I'm particularly using DigitalOcean because they offer this. If you have your domain's DNS hosted with DigitalOcean, you can use the API key, and the API key allows you to do the challenge response. The other methods besides DNS are not available to get a wildcard cert; you can only use them for certs for individual domains. So that's an important prerequisite: you have a company that supports it, or you have to be able to do it manually. Talking about doing it manually, this is what a manual challenge looks like, where you do _acme-challenge and then the domain. You can do it that way, but you have to manually keep changing the value in the TXT record. So not the ideal way to do it, in case you're wondering. Ideally, you really want to find a provider that has an API key available, and there's a very long list inside of pfSense that are supported.

Also, it only works for the first domain level. So *.example.com, as they talk about here; if you have subzones, *.somesubzone.yourdomain.com, you have to do it for each one of the subzones. So you can do a wildcard, but it won't work for subzones; each subzone needs to have its own wildcard. So not too difficult. Let's talk about what that looks like in practice.

Another prerequisite, before we get to the actual part inside the system in ACME and HAProxy, is that you have changed the defaults in pfSense to not be port 443. The web GUI of pfSense, in the out-of-the-box default config, is attached to port 443. We want the LAN IP of pfSense, because we want to keep this private, not on the WAN but on the LAN, and we need that to not be the same as the web GUI. So what we did was we moved the web configurator to 10443. Then there's the web GUI redirect, and what this does is take port 80, if you hit it on the local IP of the system, and redirect it to whatever the TCP port is set to, the default being 443.
But by moving these and disabling the web GUI redirect, this will solve some troubleshooting that you may have when you're setting this up, because we want it to tie to port 443. So we can simply type in https:// and the domain we're trying to get to and have it land on the server that we want. You can of course modify this at will and change all the ports and not use port 443, and solve the problem that way too. But for simplicity's sake, and for the sake of this particular video, this is how we're doing it.

Now let's give you a quick lay of the land on how things are set up. The goal is: PurpleNAS here goes to https://192.168.1.8, but it's a self-signed cert, so we get the error. At home I have this Netgate SG-1100, and it goes out to the internet, and that Netgate SG-1100 is 192.168.1.1. So pretty straightforward: I have a 1.8 and a 1.1, but I don't want the world, and I don't think it's a good idea to just expose the web interface of my FreeNAS, but I also don't want, you know, to click through the self-signed certificate error each time. So let's talk about how that works.

Now I am remoted in currently to a computer at my house, where I have this set up and where we're doing the demo. I'm doing the recording at my office and doing it there. And of course, if I just go to 192.168.1.1, I get "not secure", "certificate invalid". So obviously that is the first problem. I've got to click, you know, proceed to safety, et cetera, et cetera, and it'll bring me to the login for my FreeNAS.

All right, so let's work out how we're going to fix that. And I would say the first step is getting your cert set up. So, pretty easy: set up an account key. I have one set up; that part's really straightforward when you set up an account key with the ACME plugin. So I load the ACME plugin, I have the HAProxy plugin loaded, obviously both prerequisites that you need, and having pfSense configured. Then we go over here, and this is just a free account key.
I'm not going to expose it, because it shows your private key when I click on this, but you set up an account key that's free. Then we're going to go over here to Certificates. And these are all the ones from the last demo, which I'll refer back to that video as well. But the wildcard one is really easy to do. Go over here to the wildcard. I use the ACME account "home cert", private key 128. I just called it wildcarddetroityodelingcompany.com, wildcard cert for Detroit Yodeling Company. And instead of putting the domain like I did in the other ones, like purplenas.detroityodelingcompany.com, we put in just *.detroityodelingcompany.com. And, I'm not going to expose it, but this is the API key for DigitalOcean. And like I said, there's a ton of places that support DNS. So whoever your DNS provider is, whatever the API key you need from them is, you can do this. Linode too, and DigitalOcean. By the way, I do have an offer code for DigitalOcean if you'd like to use them as well; it gets you some credits and hooks us up with, you know, some credits as well.

All right. Now, just like the other ones, I have it set up here, because we're going to be using HAProxy, and what this does is an action list, because these certs expire every 90 days and they renew before they expire. But when they renew, you have to make sure you restart the services that depend on them. So that still applies here. We're going to be using HAProxy for this demo, so I just threw in the script that says, hey, whenever this cert renews, go ahead and restart the HAProxy service so it grabs the latest cert. And of course, in the general settings, we have the frontend entry. Then we go over here to HAProxy. I'm going to leave this one here; this is the one where we were tying it to the public side of it. So this time we're going to create another entry in HAProxy for the private side.
So first, we start with the backend. Type Add; this will be called freenas, and for reference, 192.168.1.8. Oops, I typed that in the wrong spot. We'll call this freenas, lowercase, and the server freenas. We can ignore everything down here. Port 443, because we want to connect to the encrypted port on there. It doesn't have to; it can go to an unencrypted port. It will be encrypted on the front end, but the back end, depending on how it's going, I covered that in the last video. We are going to check it, say yes, it's SSL encrypted, but we already know it's a self-signed cert, so we're just not going to bother with any check right there. So that's it. That's all we have to do: freenas, address, port. All right, don't worry about any of these. I don't care about a health check on there; I'll leave that up to you. I need to turn it off, so I don't need any messages from it. I'm not worried about agent checking. Everything else is just default. So save. I don't really need to click Apply right now, because I need to go create a frontend for this, and then we'll click Apply.

So on the frontend, remember, I want these to be private. So I want them tied to the LAN address at 443, SSL offloading, because you want this to take the SSL and handle it for us. And we're going to go here, and we'll call it "private servers", because we're going to do more than one. I mean, I could do one and call it freenas, but I plan to attach more than one for part of this demo. So "private", "home private servers". How's that? Home private servers. All right. So now we have LAN there. Advanced, great. HTTPS offloading, no problem there. Now we're going to do this with ACLs, because we're going to add more than one to this. So we'll go here and we'll say Name. What are we going to call this? Well, freenas seems like a good name. Go here, host matches: freenas.detroityodelingcompany.com.
So when the host matches that, we're going to create an action here, and I'll copy this now. Go here, Use Backend, freenas. And this is the ACL name. So we create an ACL rule here that says freenas, and if it matches freenas.detroityodelingcompany.com, that's the server SNI that the browser sends, use this ACL and use this backend. Scroll down here. This is a pretty simple part. We've got to make sure we don't skip over what I skipped over, I think, in the last video, which was making sure you choose the right certificates. It's really easy. We're just going to choose wildcard as the certificate. So wildcard.detroityodelingcompany.com. And it has a default checked here, but you don't really have to do anything with it. And you make sure that it's going to use the wildcard cert. So everything that goes under this particular rule will always be pulling the same cert. In my last video, I talked about having to match the cert and match the SNI. Well, because we're using a wildcard, you don't really need to anymore. Hit Save. Now we can Apply.

But we've tied 192.168.1.1:443 to here, but that domain name doesn't exist: freenas.detroityodelingcompany.com. It's not in our list here. And we don't need it to be, because we want this to be private. So we don't really need to create a public IP entry for this. We're going to go over here to Services, and we're going to go to DNS Resolver. And what we do here now is create it. So inside the network, provided the system is using pfSense as its DNS. So whatever your DNS server is, if you have a Windows domain network, it's usually your Windows domain server, you'll have to add a host entry. But if you're just doing this at home and you don't have a Windows domain, it's easy enough to just do this. So it's freenas here, detroityodelingcompany.com here, and the IP address is 192.168.1.1, for the freenas server. Save. Now what this is going to do is create a DNS entry that only exists inside the network that is going to be using pfSense as its DNS.
So, we're using pfSense as DNS: freenas.detroityodelingcompany.com equals 192.168.1.1. And it's going to hand over the wildcard SSL and then make a connection to FreeNAS. So we get rid of the certificate error. So let's go back over to the computer at my house. We see this one has the error. We're going to go here: https://freenas.detroityodelingcompany.com. And now, no self-signed cert. And away we go. Certificate's valid.

But let me just show you, if we're here at my office. So this is on my computer. And if we do a dig, and we'll do a public dig, so we'll dig at Google's IP address because I'm at the office. So dig @8.8.8.8. It just doesn't exist. But if you do that same command (I'm VPNed to my house, but my house is not my DNS server), but we ask 1.1, which is the DNS server for my house, where this demo is happening, it answers that freenas.detroityodelingcompany.com equals 192.168.1.1, which makes it work inside the network, but not outside. Now, if someone were to VPN in, you would also have to make sure that they had those DNS records. So if I wanted this to work here at my office, I'd have to either create matching records, or another option. And this is what I wanted to talk about as well. So if you want another server, but let's say you have remote workers, and those remote workers, you want to be able to VPN them in so they have access to resources, but not have to, you know, add a bunch of host entries to each individual worker. That's actually pretty easy to do. So we're going to go over here and look at the DigitalOcean setup. And I have gibberish.detroityodelingcompany.com, and it points to 192.168.1.1. So we're going to take this DNS, gibberish. We'll just dig right here at my office. If we dig, and we'll do it just choosing a different DNS server, so 1.1.1.1, Cloudflare's DNS server, instead of even my own. But we see there's an entry. So there's a public entry, and you can even do this on your computer.
If you look up gibberish.detroityodelingcompany.com, it doesn't go anywhere for you unless you have access. Well, interestingly, if you have something at 192.168.1.1, it'll respond. So you can do this. So what I've done is I've created a public DNS entry to redirect to a local IP address. So if I have a remote user, that user now can use this; it doesn't matter if they're using pfSense or not, because the DNS records are public, but they point to a local IP. So anyone who VPNs in can get to different resources.

So let's go over here to HAProxy again and create another ACL rule. So these are our home private servers. We'll edit it. Gibberish, host matches gibberish.detroityodelingcompany.com. Now I'm going to use an existing backend that I have set up, so I think you kind of get the idea of how to set a backend up. I have this other one called novaprospect; that's what we used in my last demo. Use backend, gibberish, gibberish, as long as they match. And I don't have to do anything with the certificate, because it's going to hand out the same wildcard cert no matter what. So that certificate that we chose down here, one and the same. So we take the same one, point it at here, Save, Apply, go back over to the computer here. https://gibberish.detroityodelingcompany.com, and it lands on the Nova Prospect server. All right. Now, because I am VPNed in, let me open up a tab on my browser, not the remote one here. So if we go to gibberish.detroityodelingcompany.com, it is 1.1 because I'm VPNed in. I can get to it; works perfectly fine. So it's really that simple for taking and putting your resources so you don't have to deal with self-signed cert errors. And you look at the certificate I get: it is detroityodelingcompany.com as the CN for this, and it's an asterisk, which means whatever-it-is.detroityodelingcompany.com is valid. This is how you do wildcard certs. This is a really simple way. So even if you have remote people, as long as you have entries.
Now, like I said, the important part is that you're tying all this to the LAN, and then there's no rules needed for this, except that they have to be able to, and I chose LAN, they have to be able to get to that resource. In an instance, and an example might be how we have our office set up, we have multiple LAN IP addresses because we've segmented out our network. You still have to choose whichever segment of the network that you want. So in this case, like I said, it's 192.168.1.1. But if it was 3.1, or 10.1, or whatever it is in your particular network, you do base your rules on who can access that. If you wanted to control who can access the servers, you would want to make sure you create rules around that. Now, HAProxy also has specific rules that can be created within here. So you can either create some of the rules in here, like how host matches. And by saying that, I mean you can actually break down certain custom ACLs, regex, et cetera, on this side, but you can also, when you're creating firewall rules. What you don't need to do is have any type of firewall rules on the WAN side, because all of this is 100% behind your firewall and kept private.

And the final little note is these servers themselves, the private servers that you're attaching to, each one of these servers listed in the backend, for example freenas and novaprospect. If you go through the logs of any of these particular servers, they see the connection not coming from the IP address of my computer, but they always see the connection coming from pfSense, because pfSense is basically offloading the connections. So your computer connects to pfSense, and then pfSense redirects to the servers. We'll bring up the map here, for example. And even though we're on the LAN, we can just duplicate this real quick.
So even though my computer, which actually has an IP address, if we said, you know, Tom's computer, and even though I'm remote because I'm VPNed in, which my computer is 3.9, whenever I attach to these, I'm attaching from here to here, but they don't see my 3.9. They see the IP address of the pfSense, and then it connects over to here. So when you're doing some troubleshooting, I bring this up because sometimes it can create some confusion, because all of your systems that are handled through that backend will all show logs as pfSense logging in, not necessarily the IP address, either private or public, whether they came from the internet or here, and how they land on the servers. But it's a pretty straightforward setup on here. And obviously, as I've shown, you can even mix and match here: you can have the parts of your servers you want public, and then all of your private servers attached to whichever LAN or, you know, specifically however you want to attach them.

But this saves you all the trouble that you can have of dealing with all those self-signed certificates, or in some cases and some tools, and I'll bring up one of them that we use, that we have, we don't want publicly exposed, but we have to have a valid SSL for, is Bitwarden. So I'm able to, using the same process, this is how we're able to have Bitwarden self-hosted, not publicly exposed anywhere, only accessed via VPN or via physically being in my office, but at the same time have a valid cert that we don't have to have any errors with or do any click-throughs, which breaks a lot of other things when you have a self-signed cert. And it, you know, gets annoying having to click Continue every time you try to log into something, because going to, you know, each server and going like this, well, it can be a problem. It says "not secure", as I've already clicked it, but obviously "certificate invalid"; eventually it times out and Chrome gives the error. So hopefully this was pretty simple to follow and makes sense.
It's pretty straightforward for getting it set up. If you want a little bit more, and I go a little bit more in depth in HAProxy, follow my other video, but for the basics of getting your servers so they all wrap through HAProxy and don't have the cert error, this video kind of gets to it pretty simply. The last thing I will comment: this is an SG-1100, and someone had asked me how much it can handle. It's handling this perfectly fine. So it's doing pretty well with this in terms of power, but I will admit, if you do this at scale, if you wanted to do this at a business and have a lot of people connecting, not just a handful of your private servers that you manage, you're probably going to want something more than an SG-1100 to do this, but it will handle, at least for home users, quite a bit. This HAProxy and everything else, it works quite well on this. So here's the memory usage on my SG-1100, and you can see it's not using much. So it is a little two-core system, no problem handling HAProxy. Because I'm on this page, the CPU usage is actually showing a little bit higher, but memory usage is about 32% right now. Disk usage is pretty low. And just so you know what else I'm running on here, I am also running pfBlocker, SSH, OpenVPN, the Zabbix agent, and of course HAProxy. So with all of these running, we still are only using a little more than a quarter of the one gig of RAM available on here. So it does not take a ton to keep this up and running and working. But nonetheless, if you want to do this at scale, you will need something a little bit faster, either one of the higher-end Netgate devices or, you know, a DIY solution, whatever it is; you'll have to scale that up and figure that out as you scale up the project. All right, and thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up.
If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
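Two points from the video are easy to get wrong when you add more hosts later: the wildcard only covers one label (so a sub-zone host still needs its own cert), and each "host matches" ACL has to pick the right backend. The Python below is an added example, not code from the video, pfSense or HAProxy: it models the frontend's ACL table and checks whether the *.detroityodelingcompany.com cert actually covers the name a browser asked for. The SAN list and ACL table are constructed to mirror the demo; the function names are hypothetical.

```python
"""Wildcard-cert scope and host-ACL routing checks for the split-horizon
HAProxy setup in the video. Added example; SANs and ACLs are constructed."""

from typing import Optional

# Constructed: the single identity the ACME-issued wildcard cert carries.
WILDCARD_SANS = ["*.detroityodelingcompany.com"]

# Constructed: the "host matches" ACLs from the "home private servers"
# frontend, in order, each mapped to the backend it selects.
HOST_ACLS = [
    ("freenas.detroityodelingcompany.com", "freenas"),
    ("gibberish.detroityodelingcompany.com", "novaprospect"),
]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching as browsers apply it: '*' must be the whole
    leftmost label and matches exactly one label, so *.example.com covers
    host.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial or non-leftmost wildcards are not honoured
    if len(p_labels) < 3:
        return False  # "*.com"-style wildcards are rejected as too broad
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(sans: list, hostname: str) -> bool:
    """True if any SAN entry on the cert is valid for hostname."""
    return any(wildcard_matches(san, hostname) for san in sans)


def select_backend(host_header: str, acls=HOST_ACLS) -> Optional[str]:
    """Mimic the frontend: first exact, case-insensitive host match wins;
    a name with no ACL gets no backend at all."""
    host = host_header.lower().split(":")[0]  # drop any :port the client sent
    for match_host, backend in acls:
        if host == match_host.lower():
            return backend
    return None


def check_request(host_header: str) -> dict:
    """What a client asking for host_header gets from this frontend."""
    host = host_header.split(":")[0]
    return {
        "backend": select_backend(host_header),
        "cert_valid": cert_covers(WILDCARD_SANS, host),
    }


if __name__ == "__main__":
    for h in ("freenas.detroityodelingcompany.com",
              "nas.lab.detroityodelingcompany.com",  # sub-zone: needs its own wildcard
              "detroityodelingcompany.com"):         # bare apex: not covered either
        print(h, check_request(h))
```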