Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SSL certs handling and HAproxy

    Scheduled Pinned Locked Moved General pfSense Questions
    136 Posts 3 Posters 26.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      I'd be surprised if Varnish can't also use https. As long as the front and backend sessions are terminated there it can still see and cache all the content.

      But, yes, if you're running Varnish on some separate server then it might be easier to do it all there.

      1 Reply Last reply Reply Quote 0
      • L
        lewis
        last edited by

        These are some headers I have set in the Apache configuration.
        I'm reading that haproxy also needs to have custom headers for some of these to work.

        
                # Add X-Forwarded-For header to log the original client IP
                RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e
        
                # Add X-Real-IP header
                RequestHeader set X-Real-IP %{REMOTE_ADDR}e
        
                # Add X-Forwarded-Proto header to identify the protocol used by the client
                RequestHeader set X-Forwarded-Proto https
        
                # Use Vary header for content negotiation
                <Location />
                    Header append Vary Accept-Encoding
                </Location>
        
        

        I would need to add custom configs in haproxy, like under the frontend or backend sections, depending on specific requirements.
        The actual syntax for these directives will typically look like http-request set-header X-Forwarded-For %[src] for X-Forwarded-For, as an example.
        But that's the problem, I can't find enough information to even understand what I would need to add to haproxy.

        Maybe I'm closer than I think but lack of knowledge and examples is making it impossible.

        1 Reply Last reply Reply Quote 0
        • L
          lewis
          last edited by

          What's the chances?

          8dd2000d-05d6-4868-b944-e706da125448-image.png

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            You are accessing that via the proxy?

            L 1 Reply Last reply Reply Quote 0
            • L
              lewis @stephenw10
              last edited by

              @stephenw10 said in SSL certs handling and HAproxy:

              You are accessing that via the proxy?

              I was searching Google which gave a link to these forums and this is what I got, repeatedly.
              When we forward a domain, we typically maintain the old domain's cert also, just for this reason.

              kiokomanK 1 Reply Last reply Reply Quote 0
              • kiokomanK
                kiokoman LAYER 8 @lewis
                last edited by kiokoman

                @lewis
                must be an old entry because the forum is forum.netgate.com and not forum.pfsense.com
                or they forgot to add the DNS 😁
                d12da92d-097e-4fb2-b91d-7d61dcb1ef06-image.png

                ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                Please do not use chat/PM to ask for help
                we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                1 Reply Last reply Reply Quote 1
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Oh well spotted! Yeah that's just an old link.

                  1 Reply Last reply Reply Quote 0
                  • L
                    lewis
                    last edited by

                    I wish I could figure this thing out. I very badly need a cache server for all of the web sites on the back end.
                    I appreciate the help you've all provided.

                    1 Reply Last reply Reply Quote 0
                    • L
                      lewis
                      last edited by

                      And today, another random thing happens on pfsense which I'm sure no dev will say 'oh ya, we're working on that one' to.

                      When I created my first acme cert and generated it, it should the dates of the cert start/end in Last renewed.
                      Today, I create a new cert, generate it and see nothing, just 'Issued Certificate Dates;' and nothing.

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        You have a screenshot?

                        1 Reply Last reply Reply Quote 0
                        • L
                          lewis
                          last edited by

                          fb0405b3-28fd-40f0-ad1e-dd47018e19a7-image.png

                          1 Reply Last reply Reply Quote 0
                          • L
                            lewis
                            last edited by

                            In the end, the point is to have two new things;

                            1: varnish server to handle caching

                            2: fixing the haproxy configuration so that it's actually load balancing those web servers.
                            That was an interesting find. I don't know how pfsense was sending traffic to the web servers without haproxy actually working.
                            Maybe it automatically round robins since the servers are listed in an alias?

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.