Peque, posted March 13, 2022

Hi hak5 and all.

I'm using pfSense as a firewall and have configured HAProxy for all websites etc., so this is only about ports 80 & 443. Is it possible to use HAProxy along with C2 Cloud? I'm having some issues (and my question is, since I'm running a lot of services, this is quite a bit easier).

Normally I'm using *.DOMAIN.COM as the certificate through HAProxy, with ACME for Let's Encrypt certificates. Everything works when I just open my ports directly through, but not with HAProxy. The * alias gives:

2022/03/13 15:23:44 http: TLS handshake error from XX.XXX.XXX.XXX1:43663: acme/autocert: missing server name

in the log for C2 Cloud. My guess is that it's because I'm using the * alias; the reason is that I'm only using one certificate for all subdomains per domain. I would like to use HAProxy for the HTTP/HTTPS access, but I can't make it work through HAProxy.
dark_pyrro, posted March 13, 2022

How are you starting your C2 server behind that reverse proxy (HA or not)? What string (don't reveal any secrets such as domain names)? You know there are options for reverse proxy and alternative certificates when starting the C2 server, right?
Peque (author), posted March 14, 2022

Hi. I'm starting my cloud with (the last try):

/usr/local/bin/c2-3.1.2_amd64_linux -hostname XXX.XXXXX.XX -https -db /var/cloudc2/c2.db -reverseProxy

As described, it works fine with HTTPS (C2 created the Let's Encrypt certificate) as intended. But instead of opening ports, I would like to use the HAProxy feature in my pfSense so it handles the HTTP/HTTPS requests, since I have one public IP and several servers hosting different services, hence the need for HAProxy. I have several other sites running HTTPS behind the proxy (such as VMware ESXi, UniFi etc.) which are working, even though they already have their own certificates. I know about the startup options, but HAProxy and ACME automatically handle all SSL requests (also renewing etc.), and I cannot make this work. So instead there is the option of running only HTTP on the C2 server, and that will work with HAProxy making it an HTTPS site, but then the configuration of devices is not correct (I guess). Otherwise I need to export the certificate each time it's renewed and then import the certificate into C2 Cloud.
dark_pyrro, posted March 14, 2022

You say that you guess; have you actually put some work into it and tried different options? Such as terminating the encryption in the reverse proxy and going unencrypted upstream to the C2 server, or trying to go encrypted all the way using the C2 command line options to use a cert of your own. How are the devices responding to each scenario? (Remember to create new device.config files for each device for each type of scenario.)
Peque (author), posted March 14, 2022

Yeah, I spent several hours this weekend testing it through, and yes, I have tried several ways over the weekend.

pfSense HAProxy --> C2 http --> not working
pfSense HAProxy --> C2 https --> not working
pfSense HAProxy --> C2 https + revproxy --> not working
pfSense HAProxy --> C2 https + revproxy & certificates --> not working

Stopping C2 and having Apache running clean with the same certificate:

pfSense HAProxy --> Apache2 http --> working
pfSense HAProxy --> Apache2 https --> working

As described, I have several other sites running through this pfSense HAProxy, so my issue could be something like WebSocket or other add-ons. I know I had other sites like Qlik.com that run WebSocket and therefore are an issue.
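The three layouts dark_pyrro lists (terminate TLS at the proxy and go plain HTTP upstream, re-encrypt to C2, or pass TLS through untouched), written out as a raw haproxy.cfg. This is an added example, not from the thread and not Hak5's or pfSense's own code: pfSense generates haproxy.cfg from its GUI, and how these directives map to its fields is not shown here. The hostname c2.example.com, the LAN address 10.0.0.5, the certificate path, the listen ports and the ACME challenge backend are assumptions. One thing the config points at directly: "acme/autocert: missing server name" is the error Go's golang.org/x/crypto/acme/autocert returns when the TLS ClientHello it receives carries no SNI, and HAProxy only sends SNI to an ssl backend when the server line says so with the sni keyword, which is why the "C2 https" row fails while a direct browser connection works.

```haproxy
# Added example, not from the thread or from Hak5/pfSense. Assumed names:
#   c2.example.com               C2 hostname (the one in device.config)
#   10.0.0.5                     C2 host on the LAN
#   /var/etc/haproxy/wildcard.pem  ACME wildcard cert + key as one PEM bundle
# Exactly one of the c2_* backends in the https_in frontend should be active.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # WebSocket connections become tunnels after the Upgrade; this timeout,
    # not client/server, decides when an idle WebSocket is cut.
    timeout tunnel  1h

# Public 443: inspect the ClientHello, route on SNI only (no decryption yet).
frontend tls_router
    mode tcp
    bind *:443
    # Wait until the ClientHello (hello type 1) is in so req.ssl_sni has a value.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Option C: hand C2's TLS bytes through untouched; C2 keeps running with
    # -https and finishes its own ACME handshake, SNI intact.
    use_backend c2_passthrough if { req.ssl_sni -i c2.example.com }
    # Everything else is terminated locally with the wildcard cert.
    default_backend local_terminator

backend c2_passthrough
    mode tcp
    server c2 10.0.0.5:443 check

backend local_terminator
    mode tcp
    # PROXY protocol carries the real client address to the terminator.
    server local 127.0.0.1:8443 send-proxy-v2

# Public 80: redirect to https, except an HTTP-01 challenge for C2's own
# hostname, which must reach C2 if C2 is the one completing ACME.
frontend http_in
    mode http
    bind *:80
    use_backend c2_acme if { req.hdr(host) -i c2.example.com } { path_beg /.well-known/acme-challenge/ }
    http-request redirect scheme https code 301

backend c2_acme
    mode http
    # assumed: C2 answering plain HTTP on port 80
    server c2 10.0.0.5:80

# Local terminator: TLS ends here with the wildcard cert, then route by Host.
frontend https_in
    mode http
    bind 127.0.0.1:8443 ssl crt /var/etc/haproxy/wildcard.pem alpn h2,http/1.1 accept-proxy
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # Option A (dark_pyrro's first suggestion): C2 started WITHOUT -https but
    # WITH -reverseProxy so it advertises https:// URLs, plain HTTP upstream.
    use_backend c2_plain if { req.hdr(host) -i c2.example.com }
    # Option B: C2 still speaks TLS (-https, or its own cert) and we re-encrypt.
    # use_backend c2_reencrypt if { req.hdr(host) -i c2.example.com }
    # other hostnames (ESXi, UniFi, ...) get their own use_backend lines here

backend c2_plain
    mode http
    # assumed: port C2 listens on for plain HTTP; 8080 is a placeholder
    server c2 10.0.0.5:8080 check

backend c2_reencrypt
    mode http
    # 'sni' is the missing piece: without it HAProxy opens the upstream TLS
    # session with no server name and autocert has nothing to issue for.
    # 'verify none' skips checking C2's cert; on a trusted LAN segment only.
    # With a Let's Encrypt cert on C2 prefer:
    #   verify required ca-file /etc/ssl/cert.pem
    server c2 10.0.0.5:443 ssl verify none sni str(c2.example.com) check
```

Two practical notes. Option C is the only one where C2 continues to see the client's own TLS handshake, so it is the only layout in which an ACME TLS-ALPN-01 challenge (a TLS handshake to port 443 with ALPN acme-tls/1) can reach C2; if C2 is terminated behind the proxy (A or B) it has to hold a certificate some other way, which is the "export and import on every renewal" chore the thread mentions, or be run without -https. And, as dark_pyrro says, each switch between these layouts changes the URL scheme and port that C2 writes into device.config, so regenerate the device configs before judging whether the devices check in.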