getting to apps that require SSL

Joined
Jun 24, 2017
Messages
338
Hey guys, I've set up a few apps that I'd like to expose to the big bad world (Nextcloud being the big one for me).
Problem is, I can't seem to get past TrueNAS's front end and into the running application if attempting to access it via HTTPS.

Granted, my setup is a little complex (pfSense router), but otherwise it's relatively run of the mill (I am using HAProxy in conjunction with Cloudflare to gain access from outside).
HTTP connections work perfectly fine, but HTTPS either leads me to the main interface of TrueNAS or tells me that there is no server available to handle the request.

I'm happy to supply more information if you guys want anything specific. ANY help is appreciated.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
"I've set up a few apps"

Much depends on precisely which Apps from which sources you want to expose...
With TrueCharts it's relatively trivial, with Official Apps it depends on the App and how you want to expose them, with launch-docker it mostly depends on the container used.
 
Joined
Jun 24, 2017
Messages
338
"I've set up a few apps"

Much depends on precisely which Apps from which sources you want to expose...
With TrueCharts it's relatively trivial, with Official Apps it depends on the App and how you want to expose them, with launch-docker it mostly depends on the container used.
Looking specifically to expose Nextcloud (I don't care which version I use, but currently I have the official version from TrueNAS installed; I've also used the charts build version with no success), but have had 0 luck so far. I can get any/all apps to expose via HTTP, but the moment I start using HTTPS, nothing will connect (I get 503 and 522 errors). Other apps that I have installed and can see from outside my network include Ombi, Booksonic, Calibre-Web... but none using SSL. I've built out pfSense to allow the use of multiple backends with 1 frontend (using HAProxy), using Let's Encrypt for my certs and Cloudflare for my domain. (Again, perfectly fine on HTTP, but as soon as I start with SSL, nothing works.) And I'm not entirely sure if I need to be looking at TrueNAS or my pfSense (I'm guessing TrueNAS, as I can do everything else fairly well in pfSense).

Also I'm fairly new to TrueNAS Scale (was a long-time user of Core, but didn't have pfSense when using Core, so again, there's a small part of me wondering if it's the pfSense side possibly causing me issues).

I CAN connect to something like Nextcloud locally using HTTPS... but it does tell me that my connection isn't secure (I do not have a cert on the Nextcloud instance itself other than TrueNAS's cert).
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Looking specifically to expose Nextcloud, but have had 0 luck so far. I can get any/all apps to expose via HTTP, but the moment I start using HTTPS, nothing will connect (I get 503 and 522 errors). Other apps that I have installed and can see from outside my network include Ombi, Booksonic, Calibre-Web... but none using SSL. I've built out pfSense to allow the use of multiple backends with 1 frontend (using HAProxy), using Let's Encrypt for my certs and Cloudflare for my domain. (Again, perfectly fine on HTTP, but as soon as I start with SSL, nothing works.) And I'm not entirely sure if I need to be looking at TrueNAS or my pfSense (I'm guessing TrueNAS, as I can do everything else fairly well in pfSense).

Also I'm fairly new to TrueNAS Scale (was a long-time user of Core, but didn't have pfSense when using Core, so again, there's a small part of me wondering if it's the pfSense side possibly causing me issues).

I CAN connect to something like Nextcloud locally using HTTPS... but it does tell me that my connection isn't secure (I do not have a cert on the Nextcloud instance itself other than TrueNAS's cert).
Your reply still does not completely explain which version of the Nextcloud App you're using, ours or the official apps.
If it IS ours, please follow our guides on the website and/or YouTube. If it's the official one, well... we're not the right people to answer ;-)
 
Joined
Jun 24, 2017
Messages
338
Your reply still does not completely explain which version of the Nextcloud App you're using, ours or the official apps.
If it IS ours, please follow our guides on the website and/or YouTube. If it's the official one, well... we're not the right people to answer ;-)
Sorry, I realized I hadn't answered the question you asked directly. I went back and edited.
I have used both with no success, following your tutorials and videos, with no success.

And I'm not asking TrueCharts directly, as I thought this forum was for all questions TrueNAS Scale related. If I should ask this somewhere else, please point me in that direction, or please tell me who "the right people to answer" are?
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Sorry, I realized I hadn't answered the question you asked directly. I went back and edited.
I have used both with no success, following your tutorials and videos, with no success.

A shame... they are generally tested quite thoroughly....

And I'm not asking TrueCharts directly, as I thought this forum was for all questions TrueNAS Scale related. If I should ask this somewhere else, please point me in that direction, or please tell me who "the right people to answer" are?

Well, our Apps are (for the most part) built by us...
We really are a separate community and most of our staff isn't even very active on this forum. We have our own support channels (at the moment primarily Discord, but some cool changes are being worked on :-D ), with dedicated staff to deal with issues like yours. :)

For the official Apps, we're not the right people to go into that because well... we simply don't deal with them at all ;-)
 
Joined
Jun 24, 2017
Messages
338
A shame... they are generally tested quite thoroughly....

Well, our Apps are (for the most part) built by us...
We really are a separate community and most of our staff isn't even very active on this forum. We have our own support channels (at the moment primarily Discord, but some cool changes are being worked on :-D ), with dedicated staff to deal with issues like yours. :)

For the official Apps, we're not the right people to go into that because well... we simply don't deal with them at all ;-)
So, are you saying that I shouldn't be posting this question here? As in, there is a different forum I should be asking in, since you aren't the people to ask about this?

And I'll set up a TrueCharts build of Nextcloud (and, if you wouldn't mind supplying a link to it) hop on the Discord channel.
 
Joined
Jun 24, 2017
Messages
338
I should state: I can change this build repeatedly; it's not in deployment yet (not till I nail down the SSL stuff).
 

FrostyCat

Explorer
Joined
Jan 4, 2022
Messages
79
Not sure where you are with your setup right now, but this is a simple but complete and flexible environment for running apps and exposing them to the outside world. You'll notice I am telling Traefik to use specific hostnames; in theory you can do it with one hostname and multiple paths (one for each app), but it's going to be tricky with some apps: any hardcoded URI will give you a ton of headaches. Much easier with separate hosts. If you only need to expose 1 app then it's simple.

Here's a list of things you need before starting:
  1. Have a domain - a proper domain works best, they're cheap nowadays, grab one.
  2. Get your domain under Cloudflare or Route53 so you can easily get TLS certificates
  3. Configure the domain authenticator in Scale
  4. Create a CSR for your domain hostname, e.g. cloud.domain.com (I would get one for *.domain.com, easier later)
  5. Request a certificate based off of the CSR above - I think there's a bug in the UI where you will not see the certificate details, just check under /etc/certificates and you should have everything there
  6. Get Traefik running, you'll use it as an ingress (a reverse proxy if you wish)
You will need a script to update your hostname (I can show you one for Cloudflare or DigitalOcean) to match whatever IP your ISP is allocating to you if you don't have a static IP from your ISP. Most ISPs will not allocate static IPs. You should check if you are behind CGNAT (e.g. your WAN IP is a non-routable one) and probably stop, as this setup will not work.

1643259419558.png


Now, having all the above set up, it's time to deploy your first app. Start with a simple one, one port only, HTTP.
Start the installation process and, at Networking and Services, choose ClusterIP for your service. Since we're using Traefik, no need to create a LoadBalancer or a NodePort (Simple is a type of LoadBalancer).

1643259093654.png


Next, at the Ingress section, configure it like this while replacing the hostname with yours:
1643259179481.png


In the TLS section, again, configure it like below while:
  • replacing the hostname with yours
  • selecting the proper certificate chain from the dropdown

1643259236190.png


Now, finish with the rest of the steps, wait until the app has launched, then open the Traefik web portal and look for the router configured for your hostname; it should be green. If you've done everything correctly and the DNS points to your IP address, visiting your domain on HTTPS should work.

You can extend this to many apps, even apps you only want available on the inside of your network, just get a private.domain.com zone, a TLS keypair and create your apps as app1.private.domain.com. You'll have to run your own DNS on the inside but even something like a Pi-Hole will work.

Let me know if you have questions.
 
Joined
Jun 24, 2017
Messages
338
Not sure where you are with your setup right now, but this is a simple but complete and flexible environment for running apps and exposing them to the outside world. You'll notice I am telling Traefik to use specific hostnames; in theory you can do it with one hostname and multiple paths (one for each app), but it's going to be tricky with some apps: any hardcoded URI will give you a ton of headaches. Much easier with separate hosts. If you only need to expose 1 app then it's simple.

Here's a list of things you need before starting:
  1. Have a domain - a proper domain works best, they're cheap nowadays, grab one.
  2. Get your domain under Cloudflare or Route53 so you can easily get TLS certificates
  3. Configure the domain authenticator in Scale
  4. Create a CSR for your domain hostname, e.g. cloud.domain.com (I would get one for *.domain.com, easier later)
  5. Request a certificate based off of the CSR above - I think there's a bug in the UI where you will not see the certificate details, just check under /etc/certificates and you should have everything there
  6. Get Traefik running, you'll use it as an ingress (a reverse proxy if you wish)
You will need a script to update your hostname (I can show you one for Cloudflare or DigitalOcean) to match whatever IP your ISP is allocating to you if you don't have a static IP from your ISP. Most ISPs will not allocate static IPs. You should check if you are behind CGNAT (e.g. your WAN IP is a non-routable one) and probably stop, as this setup will not work.

Now, having all the above set up, it's time to deploy your first app. Start with a simple one, one port only, HTTP.
Start the installation process and, at Networking and Services, choose ClusterIP for your service. Since we're using Traefik, no need to create a LoadBalancer or a NodePort (Simple is a type of LoadBalancer).

Next, at the Ingress section, configure it like this while replacing the hostname with yours:

In the TLS section, again, configure it like below while:
  • replacing the hostname with yours
  • selecting the proper certificate chain from the dropdown

Now, finish with the rest of the steps, wait until the app has launched, then open the Traefik web portal and look for the router configured for your hostname; it should be green. If you've done everything correctly and the DNS points to your IP address, visiting your domain on HTTPS should work.

You can extend this to many apps, even apps you only want available on the inside of your network, just get a private.domain.com zone, a TLS keypair and create your apps as app1.private.domain.com. You'll have to run your own DNS on the inside but even something like a Pi-Hole will work.

Let me know if you have questions.
Wow, that's bordering on a tutorial :)

To answer your questions (AND THANK YOU FOR THE POST BTW):
1-2) Yes, I have a FQDN, and that is through Cloudflare.
3) I created my certs with ACME on pfSense and "imported them" to TrueNAS (so I do have access to the same cert from first hop to last; I had wondered if not having that was causing me issues in the chain of trust, but it made no difference).
4) I'm already set up that way with cloud.domain.org, home.domain.org, ombi.domain.org, etc.
5) I already have individual certs for each service (but have not yet imported all of them over, as I need to get 1 working before I do the work for the rest. If one won't work with whatever I'm doing, I have to assume none of the others will either.)
6) I've never messed with Traefik, but have no issues giving it a shot. Traefik is something that runs on TrueNAS and does not replace HAProxy, correct? (Like, it's a local proxy service, or can be set up that way, so that I'm not screwing the rest of my system by deploying it in an already complicated network, right?)

Well, can't really break anything not entirely deployed yet, and can't learn without trying... so, I'll give this a shot. Thanks for the reply :)
 
Joined
Jun 24, 2017
Messages
338
OK, I think if I do this, to keep it from getting crazy on the pfSense end, I would need to direct all traffic from Cloudflare to point to my NAS and let Traefik handle the proxy.

I'll need to search a little on the interplay between Traefik and pfSense, as pfSense already handles the entire network.
 

FrostyCat

Explorer
Joined
Jan 4, 2022
Messages
79
Wow, that's bordering on a tutorial :)


6) I've never messed with Traefik, but have no issues giving it a shot. Traefik is something that runs on TrueNAS and does not replace HAProxy, correct? (Like, it's a local proxy service, or can be set up that way, so that I'm not screwing the rest of my system by deploying it in an already complicated network, right?)

Well, can't really break anything not entirely deployed yet, and can't learn without trying... so, I'll give this a shot. Thanks for the reply :)
Thanks, just trying to help :)

This Traefik is a Kubernetes native/aware proxy/reverse proxy. Meaning there's a management layer, a set of Kubernetes CRDs (custom resource definitions) and the proxy itself. The management layer will notice new Kubernetes resources being created or modified and reconfigure the proxy layer.

On TrueNAS, because Traefik will act as a reverse proxy, pfSense only needs to forward a single port. On mine, I moved the management interface to port 444 and enabled Traefik on 443; this way I can keep the same port on the outside and on the inside. Otherwise, you will have to forward 443 (or your port of choice) on the outside to the Traefik port on TrueNAS.

(A nice trick is to use the external-service chart and map the management interface in Traefik as well, so there are no non-443 ports involved.)

Traefik will look at the Host: header (or :authority for HTTP/2) and will proxy the traffic to the correct app. This is easiest when the app does pure HTTP and we let Traefik do the TLS in front of it. It can work, and it usually does, with apps that do HTTPS natively, but sometimes it can get tricky.

(There are many other solutions similar to Traefik, e.g. Gloo, Emissary/Ambassador, with various levels of functionality overlap between them.)
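As an added example (not from FrostyCat's posts and not a TrueNAS or TrueCharts chart), here is what the ClusterIP + Ingress + TLS settings from the walkthrough above amount to as plain Kubernetes objects, and how the Host-header routing just described lets one Traefik listener on 443 serve two hostnames. The namespace ix-nextcloud, the service names nextcloud and ombi, the secret name domain-com-tls and the entrypoint name websecure are assumed placeholders; the TLS Secret is the one the SCALE app form creates when you pick a certificate, or one you create by hand.

```yaml
# Constructed example: two plain-HTTP apps behind one Traefik ingress,
# TLS terminated at Traefik. Namespace, names and hostnames are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: nextcloud
  namespace: ix-nextcloud
spec:
  type: ClusterIP            # reachable only inside the cluster; Traefik fronts it
  selector:
    app: nextcloud
  ports:
    - name: http
      port: 80
      targetPort: 80         # the app speaks plain HTTP; Traefik does the TLS
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud
  namespace: ix-nextcloud
  annotations:
    # "websecure" is the usual name of Traefik's 443 entrypoint; check yours
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - cloud.domain.com
        - ombi.domain.com
      # kubernetes.io/tls Secret holding chain + key; a *.domain.com cert covers both
      secretName: domain-com-tls
  rules:
    - host: cloud.domain.com   # matched against Host: (or :authority for HTTP/2)
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud
                port:
                  number: 80
    - host: ombi.domain.com    # second app, same Traefik listener, same port 443
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ombi     # assumed ClusterIP Service, same shape as above
                port:
                  number: 80   # whatever port the ombi Service exposes
```

With this in place a request whose TLS SNI and Host header say cloud.domain.com is decrypted by Traefik and handed to nextcloud:80 over HTTP, while ombi.domain.com reaches the ombi Service; a hostname with no matching rule is what produces the "no server available" style errors seen in the thread, so a missing or mistyped host rule is the first thing to check.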
 

answer35

Dabbler
Joined
Jan 26, 2022
Messages
28
Looking specifically to expose Nextcloud (I don't care which version I use, but currently I have the official version from TrueNAS installed; I've also used the charts build version with no success), but have had 0 luck so far. I can get any/all apps to expose via HTTP, but the moment I start using HTTPS, nothing will connect (I get 503 and 522 errors). Other apps that I have installed and can see from outside my network include Ombi, Booksonic, Calibre-Web... but none using SSL. I've built out pfSense to allow the use of multiple backends with 1 frontend (using HAProxy), using Let's Encrypt for my certs and Cloudflare for my domain. (Again, perfectly fine on HTTP, but as soon as I start with SSL, nothing works.) And I'm not entirely sure if I need to be looking at TrueNAS or my pfSense (I'm guessing TrueNAS, as I can do everything else fairly well in pfSense).

Also I'm fairly new to TrueNAS Scale (was a long-time user of Core, but didn't have pfSense when using Core, so again, there's a small part of me wondering if it's the pfSense side possibly causing me issues).

I CAN connect to something like Nextcloud locally using HTTPS... but it does tell me that my connection isn't secure (I do not have a cert on the Nextcloud instance itself other than TrueNAS's cert).
Hi, sorry, probably not the right place for this, but I can see that you installed Booksonic on your TrueNAS? How did you do that please? I am a fresh new user of TrueNAS and I tried but failed so far.
 

LarsR

Guru
Joined
Oct 23, 2020
Messages
719
Sadly no, TrueCharts is Scale exclusive since Core doesn't support Kubernetes/Docker.
 

answer35

Dabbler
Joined
Jan 26, 2022
Messages
28
Oh okay, it is using Docker, now I understand why it is available. I forgot about that. Thanks :)
 
Joined
Jun 24, 2017
Messages
338
I am on TrueNAS Core, is it working too?
I did have it running on Core previously. Let me see if I can dig up my documentation from when I did it... if I recall correctly, it was relatively easy.

The other option (which is what I moved to between Core and Scale) was running a separate Docker machine. That worked WAY better and was infinitely easier to work with... then ultimately, when I moved to Scale, it was crazy easy to get to work. Then I added pfSense and worked with the exposure to the big bad world stuff... it was ALSO incredibly easy (until I got into the SSL side of it all, which is what I'm working through now, and hopefully can get a firm grasp on Traefik in conjunction with pfSense... and do all this stuff through SSL (I don't want anyone knowing the depravity of the books I enjoy... :) ) (that's a joke...)
 