Post

Using Cloudflare With HAProxy

A while ago I switched to using Cloudflare for my domain names DNS. The main reason I did this was for dynamic DNS since I had a dynamic IP on my home Internet connection. I then looked into what else I could use Cloudflare for and over time have taken advantage of more of their free options.

I was looking at setting up HAProxy anyway because I have a server that I use to play with all kinds of web services. I have a Icinga2 instance for monitoring, a Bookstack setup for taking notes, a Home Assistant install, and more. To make these easily accessible externally I wanted to use HAProxy with SNI. While looking into this I discovered Cloudflare Origin CA and use it in the following instructions.

Requirements

To follow this setup completely you will need:

Cloudflare Setup

After you have followed through the Cloudflare Getting Started guide.

You will then need to configure Cloudflare’s Universal SSL by following the guide https://support.cloudflare.com/hc/en-us/articles/115000479507 to create a Cloudflare Origin Certificate to install onto your router.

Once you have the certificate and key, you can combine them together to create a .pem file. You will then copy this .pem to somewhere on your router. I’ve placed mine under /etc/ssl/cloudflare/domain.com.pem

Also remember to backup this file somewhere secure as in that location it won’t be saved during an upgrade of OpenWrt.

HAProxy Configuration

This is the configuration I have used but I am not sure if it is the best way to go about it. I would love some feedback about whether there is a better way to manage it. You will usually need to install the haproxy package from opkg.

1
opkg install haproxy

The haproxy configuration file is located at /etc/haproxy.cfg

This is a poor configuration that I used when still learning. I have changed a lot of what I do since then. You can see that here.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# Global parameters
defaults
    timeout http-request 5s
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-keep-alive 4s
    option http-server-close

global
    log 10.0.0.10 local0
    maxconn 32000
    ulimit-n 65535
    uid 0
    gid 0
    daemon
    nosplice
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:EC
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

# Frontend for SNI Passthrough
frontend frontend_snipt
    bind *:443
    mode tcp
    log global
    option forwardfor header X-Forwarded-For
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # This will decide which backend to pass the traffic to
    # based on the FQDN
    use_backend backend_snipt_1 if { req_ssl_sni -i 1.domain.com }
    use_backend backend_snipt_2 if { req_ssl_sni -i 2.domain.com }
    use_backend backend_snipt_3 if { req_ssl_sni -i 3.domain.com }
    use_backend backend_snipt_4 if { req_ssl_sni -i 4.domain.com }
    use_backend backend_snipt_5 if { req_ssl_sni -i 5.domain.com }
    default_backend backend_1

# Backend for SNI Passthrough
backend backend_snipt_1
    mode tcp
    server localhost 127.0.0.1:7000 check

backend backend_snipt_2
    mode tcp
    server localhost 127.0.0.1:7001 check

backend backend_snipt_3
    mode tcp
    server localhost 127.0.0.1:7002 check

backend backend_snipt_4
    mode tcp
    server localhost 127.0.0.1:7003 check

backend backend_snipt_5
    mode tcp
    server localhost 127.0.0.1:7004 check

# Normal frontend
frontend frontend_1
    bind *:7000 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
    mode http
    use_backend backend_1

frontend frontend_2
    bind *:7001 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
    mode http
    use_backend backend_2

frontend frontend_3
    bind *:7002 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
    mode http
    use_backend backend_3

frontend frontend_4
    bind *:7003 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
    mode http
    use_backend backend_4

frontend frontend_5
    bind *:7004 ssl strict-sni crt /etc/ssl/cloudflare/domain.com.pem
    mode tcp
    option clitcpka
    timeout client 3h
    timeout server 3h
    use_backend backend_5

# Normal backend
backend backend_1
    mode http
    server server01 10.0.0.10:80 check

backend backend_2
    mode http
    server server01 10.0.0.10:8080 check

backend backend_3
    mode http
    server server02 10.0.0.254:80 check

backend backend_4
    mode http
    server server01 10.0.0.10:8081 check

backend backend_5
    mode http
    server server01 10.0.0.10:8082 check

With this you can also make the LuCI interface available externally and know that the traffic will all be encrypted. This setup offloads all the TLS encryption. You will need to also go to System > Startup in LuCI and start the haproxy service.

Firewall Configuration

The last thing you need to make this all work is to open port 443 on the router. Browse to Network > Firewall > Traffic Rules and under the section Open ports on router add a rule for TCP for port 443.

Extra Security

Thanks to Cloudflare having a nice text list of their IP ranges it is trivial to set your firewall to only allow connections to port 443 from CloudFlare.

In the standard OpenWrt install it will not have all the packages required for this step. Install the required packages from command line or in LuCI

opkg install curl opkg install ipset

Scheduled Task

To configure a scheduled task in OpenWrt is really simple. I did it through the Web UI as follows

  1. Open up the Web UI
  2. Go to System > Scheduled Tasks
  3. In the input window paste in the following
    0 0 * * * curl https://www.cloudflare.com/ips-v4 > /etc/cfip.v4
  4. Click Submit
  5. Go to System > Startup
  6. Restart cron

This will create a task that will run at midnight and copy the contents of the text file to a local file name cfip.v4 under /etc For more information about crontab and how it works click here.

To make sure that file is created straight away it is a good idea to run the command on the router.

1
curl https://www.cloudflare.com/ips-v4 > /etc/cfip.v4

ipset Configuration

ipset can be configured like you would on any iptables firewall but I have used OpenWrt config method. It is as simple as modifying the /etc/config/firewall file and adding the following.

1
2
3
4
5
6
7
8
9
10
11
12
13
config ipset
    option name 'cf'
    option match 'src_net'
    option storage 'hash'
    option enabled '1'
    option loadfile '/etc/cfip.v4'
    config rule
    option target 'ACCEPT'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option name 'Cloudflare Inbound'
    option ipset 'cf'

You will then need to restart the firewall service

1
/etc/init.d/firewall restart

To check whether the ipset has been created you can run the command ipset list cf which should display results that look like the following.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Name: cf
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 1096
  References: 1
  Number of entries: 14
  Members:
  198.41.128.0/17
  172.64.0.0/13
  197.234.240.0/22
  141.101.64.0/18
  162.158.0.0/15
  190.93.240.0/20
  103.31.4.0/22
  188.114.96.0/20
  104.16.0.0/12
  103.22.200.0/22
  131.0.72.0/22
  173.245.48.0/20
  108.162.192.0/18
  103.21.244.0/22
This post is licensed under CC BY 4.0 by the author.