Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Cloudflare, ssl and subdomains

    Scheduled Pinned Locked Moved General pfSense Questions
    12 Posts 2 Posters 1.6k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator @iSagen
      last edited by

      @iSagen what exactly are you trying to do.

      Generated certs where? Are you generating a wildcard cert? Kind of hard to point you to info on doing something, if don't know what your trying to do..

      I have a domain that cloudflare does dns for, it points to my pfsense wan IP.. I have a cert for this fqdn that I use in haproxy.. Works without issue.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

      I 1 Reply Last reply Reply Quote 1
      • I Offline
        iSagen @johnpoz
        last edited by

        @johnpoz said in Cloudflare, ssl and subdomains:

        @iSagen what exactly are you trying to do.

        Generated certs where? Are you generating a wildcard cert? Kind of hard to point you to info on doing something, if don't know what your trying to do..

        I have a domain that cloudflare does dns for, it points to my pfsense wan IP.. I have a cert for this fqdn that I use in haproxy.. Works without issue.

        I generated the certs on cloudflare from a CSR made on the pfsense. Tried to generate them directly at cloudlfare as well. It looks like I am trying the exact same thing as you :)

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator @iSagen
          last edited by johnpoz

          @iSagen I didn't generate any certs on cloudflare - certs are just acme certs.

          Where are you generating this cert? Can you post a link.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07 | Lab VMs 2.8, 25.07

          I 1 Reply Last reply Reply Quote 1
          • I Offline
            iSagen @johnpoz
            last edited by

            @johnpoz said in Cloudflare, ssl and subdomains:

            @iSagen I didn't generate any certs on cloudflare - certs are just acme certs.

            Where are you generating this cert? Can you post a link.

            I made an origin cert in the Cloudflare dashboard.

            https://www.youtube.com/watch?v=LlbTSfc4biw

            This guy have made me do things way above my knowledge base, but I am learning (slowly)

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator @iSagen
              last edited by

              @iSagen so your wanting to use haproxy on pfsense vs the kemp load balancer he was talking about..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07 | Lab VMs 2.8, 25.07

              I 1 Reply Last reply Reply Quote 1
              • I Offline
                iSagen @johnpoz
                last edited by

                @johnpoz said in Cloudflare, ssl and subdomains:

                @iSagen so your wanting to use haproxy on pfsense vs the kemp load balancer he was talking about..

                Yes, that is my goal. Not needing an additional vm. I have pfsense running directly on a HP DL380 and hoping that it would have the power to run HAProxy better than 20 MBits as my fiber is 500/500.

                The main reason I stumbled into networking is thunder. Twice my entire copper LAN have been fried by nearby thunder strike. Nothing but the LAN (long runs of copper acting as an antennae) have died. I did open up all the dead components to confirm what was fried, and some components even continued to work without LAN connectivity. So I no run fibre internally as well as external.

                So, I have some services I would like to access from outside. I have been using port forwarding, and that's works. But subdomains would be neater. And I have the chance to learn more about pfsense, subdomains and Cloudflare.

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @iSagen
                  last edited by

                  @iSagen you can for sure run haproxy, but do you really want all the extra of going through cloudlfare as a proxy, and only allowing cloudflare?

                  I do recall setting this up before.. But dropped cloudflare out of the picture for performance reasons.

                  This is much easier setup to just run a acme cert, you can get a wildcard and use your own domain name.. You could use one of those free domains if you want I guess.

                  Are you using one of those freenom domains? Or do you have your own domain?

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07 | Lab VMs 2.8, 25.07

                  1 Reply Last reply Reply Quote 1
                  • I Offline
                    iSagen
                    last edited by

                    I got a paid domain.

                    I have been running a letsencrypt certificate on one of my services, but I am not a fan of the update frequency.

                    I will look into acme :)

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator @iSagen
                      last edited by johnpoz

                      @iSagen yeah not really a fan of the update frequency either. But if you use haproxy and the acme package it can be completely automated.

                      You can set it so when the cert updates, haproxy is restarted so it uses the new cert.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07 | Lab VMs 2.8, 25.07

                      I 1 Reply Last reply Reply Quote 1
                      • I Offline
                        iSagen @johnpoz
                        last edited by

                        @johnpoz so, I now have acme working for both domain and wildcard domain.

                        HAProxy backend is defined, for two subdomains

                        Frontend is created with rules to the backend.

                        And kinda works, except all traffic ends up at the default backend. I believe my fw rule may be off. Routing all traffic to dest 443 any host. This sounds unsafe, and doesn't do what I want.

                        I 1 Reply Last reply Reply Quote 0
                        • I Offline
                          iSagen @iSagen
                          last edited by

                          @iSagen

                          Now it works! I had some NAT-rules ruining my setup. Deleted them and now it works.

                          :)

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.