Netgate Discussion Forum
    SSL termination, traffic forwarded to varnish cache

General pfSense Questions
6 Posts 3 Posters 668 Views

lewis

      I've been putting together all the information I would need to configure a cache server in front of a half dozen web servers serving a couple dozen web sites but need some clarification.

      Setup would be to have pfSense handle the SSL/TLS certificates for all domains and then forward the decrypted traffic to the HAProxy instance.
The HAProxy service is already installed and in use to load balance a bunch of web servers.

      pfSense would be responsible for handling all the SSL/TLS certificates for all domains.
      I would configure pfSense to terminate the SSL/TLS connections and decrypt the traffic.
      Each domain's SSL certificate would be uploaded and managed within the pfSense web interface.

      After decrypting the traffic, pfSense would forward the HTTP traffic to HAProxy using plain HTTP.
      HAProxy would then route the HTTP traffic to the varnish server which would then forward to the appropriate backend servers based on the requested domain.

      Setup would require importing and managing SSL certificates within pfSense for each domain.
      System > Certificate Manager to upload and manage certificates.

      Configure the HAProxy frontend to listen on the HTTPS port and use the SSL certificates uploaded for SSL/TLS termination.
      Configure port forwarding or NAT rules in pfSense to direct incoming HTTPS traffic to the HAProxy instance.
      Ensure that HAProxy's backend server configurations are set up to route requests to the varnish cache servers based on the SNI.

      Questions.

      How much load would this add onto pfSense? Is it reasonable? The firewall in question sits around the 1% to 5% range, hitting higher now and then with 33% memory usage.

      How would I manage my LE certificates? Can they be auto renewed by pfSense or would I have to manually copy updates all the time?

      Am I overlooking anything?

viragomann @lewis

        @lewis said in SSL termination, traffic forwarded to varnish cache:

        Setup would be to have pfSense handle the SSL/TLS certificates for all domains and then forward the decrypted traffic to the HAProxy instance.

        Decrypting the traffic is the job of HAproxy. pfSense cannot do this on its own.

        Configure port forwarding or NAT rules in pfSense to direct incoming HTTPS traffic to the HAProxy instance.

        Why?
        If HAproxy is running on pfSense it can listen to the external interface address. So there is no need to forward the traffic to anywhere else.

        Ensure that HAProxy's backend server configurations are set up to route requests to the varnish cache servers based on the SNI.

        This is done in the frontend. If you simply want to forward the whole traffic to a single backend server anyway, there is no need to configure any ACL, just set the varnish as default backend. However, you can configure ACLs for all your host names on purpose to reject any other traffic already on the frontend.

        How much load would this add onto pfSense?

        This depends on your workload and on the pfSense hardware. Nobody would be able to tell you this without giving appropriate information.
Without connections HAproxy only occupies a few resources though.

        But maybe this is the right place to look for further information on this topic: Hardware Recommendations

        How would I manage my LE certificates? Can they be auto renewed by pfSense or would I have to manually copy updates all the time?

        See this docs chapter: ACME package

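As an added example, not from the thread and not generated by the pfSense HAProxy package: the raw HAProxy configuration equivalent to what the package's Frontend and Backend pages produce for the layout discussed above, with one SNI-selected certificate per domain, host-name ACLs that reject unknown hosts in the frontend as viragomann describes, and Varnish as the default backend. The WAN address 203.0.113.10, the certificate directory, the host names and the Varnish address 10.0.0.20:6081 are placeholders.

```haproxy
# Added example: hand-written HAProxy config for TLS termination on pfSense
# with Varnish as the only backend. All addresses, paths and host names are
# assumed placeholders, not values from the thread.

frontend https_in
    # Terminate TLS on the pfSense WAN address. The directory holds one PEM
    # (cert + key) per domain; HAProxy selects the certificate by SNI.
    # strict-sni refuses handshakes whose SNI matches no certificate instead
    # of answering with a default certificate.
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/certs/ strict-sni alpn h2,http/1.1
    mode http

    # Let Varnish and the web servers see the real client and scheme,
    # since they only ever receive plain HTTP from HAProxy.
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    # Only the domains actually hosted are let through; anything else is
    # rejected here in the frontend, never reaching the cache.
    acl known_host req.hdr(host),lower -m str www.example.com example.com shop.example.net
    http-request deny deny_status 421 unless known_host

    # A single backend, so no use_backend rules are needed.
    default_backend varnish

backend varnish
    mode http
    # Assumed health-check path; Varnish listens on 6081 by default.
    option httpchk GET /varnish-health
    server varnish1 10.0.0.20:6081 check
```

Varnish then routes by the Host header to the individual web servers, which still only receive plain HTTP, so the X-Forwarded-Proto header is what lets them build https:// redirects and cookies correctly.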
lewis

          Why? If HAproxy is running on pfSense it can listen to the external interface address.
          So there is no need to forward the traffic to anywhere else.

          Maybe I didn't say it right but yes, I mean HAProxy on pfsense of course. The forwarded traffic would be the http one.

lewis

            So, can anyone concur that this is a sound idea/method?

stephenw10 Netgate Administrator

I would expect that to work, yes. There are many people using HAProxy on pfSense pretty much exactly like that.

lewis @stephenw10

                @stephenw10 said in SSL termination, traffic forwarded to varnish cache:

I would expect that to work, yes. There are many people using HAProxy on pfSense pretty much exactly like that.

                Just wondered if I was overlooking something or maybe someone had written a nice article on putting this together.

                Thanks for your input folks.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.