Local management of LE haproxy certificates
frankz @viragomann:

@viragomann IP 192.168.3.2/24

viragomann @frankz:

@frankz
I don't need to know which.
But you said the LAN IP is dynamic?

frankz @viragomann:

@viragomann But no. The IP of the LAN side of the firewall is 192.168.3.2, the WAN is 192.168.1.2. On the router a DMZ is configured so that all traffic from the internet, and I mean everything, is forwarded to 192.168.1.2.

viragomann @frankz:

@frankz
So you can add host overrides for all your hosts to your DNS and point them to the LAN IP.

Then in the respective HAproxy frontend listening table click "add another entry"
[screenshot]
and select the LAN from the drop-down, state port 443 and check "SSL offloading".

Then requests to your host names go to HAproxy, which manages the SSL certificates.

viragomann @frankz:

@frankz
Your frontends are already listening on any IP. So you only have to configure the DNS host overrides to point to the LAN address.

Before trying to access the server from your local device, remember to flush the DNS cache on the client.

frankz @viragomann:

@viragomann Yes, but the certificate error occurs if the internet goes down. As I had already written, if I leave the override as I had done, the certificates are on the pfSense and not on the servers. These servers, which you have actually seen, as you may have already noticed, are virtual hosts, so the pfSense resolves them to 192.168.3.76, which are aliases of the 192.168.3.76 cluster. To make sure that this does not happen I had to delete the overrides so the FQDN goes to HAproxy, which must resolve externally to the WAN IP address in production, e.g. 151.99.44.33. If you think about it, that's how it is. As I had also written before, this does not happen on another server, where I declared an override but the certificate is the one it has in its webroot, so the verification remains internal to the server.

A user had a similar configuration to mine and had even managed to upload pfSense certificates to the servers. The only problem remains that every 60 days you have to do the rounds to remove and update them. I apologize if the translation from Italian to English is poor, so you may have difficulty getting an exact overview.

viragomann @frankz:

@frankz said in Local management of LE haproxy certificates:

As I had already written, if I leave the override as I had done, the certificates are on the pfSense and not on the servers.

Yeah, and it's provided to clients by the HAproxy frontend in the strict sense.

Then you said your WAN IP cannot be used when the internet goes down. Maybe.

That's why I suggested pointing the DNS host overrides to the LAN address.
Since the HAproxy frontend is listening on any IP of pfSense, you can also access it through the LAN address.

Now the host name is resolved to the LAN IP inside your local network. Hence the client goes to pfSense LAN > HAproxy, gets the SSL certificate, is happy because it matches the requested name, and HAproxy connects to the backend as it does if the request is coming from outside.
This should work as long as HAproxy is not in transparent mode.

So what are your concerns?

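A quick diagnostic a LAN client can run for the setup viragomann describes, as an added example that is not from the thread, pfSense or HAProxy: it classifies where the resolved address actually sends the client (the pfSense LAN IP, the backend cluster, or the public WAN address) and, when HAProxy should be answering, does a verified TLS handshake with SNI to confirm the served certificate matches the name. The addresses are the constructed values from the thread and the function names are assumptions of this example.

```python
import socket
import ssl

# Constructed values matching the addresses given in the thread (assumed, not live):
PFSENSE_LAN_IP = "192.168.3.2"     # LAN address where the HAProxy frontend listens
BACKEND_IPS = {"192.168.3.76"}     # the virtual-host cluster behind HAProxy
PUBLIC_IP = "151.99.44.33"         # example WAN address from the thread

ADVICE = {
    "haproxy-lan": "OK: HAProxy on the LAN address serves the Let's Encrypt cert.",
    "backend-direct": "Override points at the backend, so HAProxy and its cert are bypassed.",
    "wan-hairpin": "No override: traffic goes via the WAN address and fails when the uplink is down.",
    "unknown": "Name resolves somewhere unexpected; check the override and flush the client cache.",
}

def classify_override(resolved_ip, lan_ip=PFSENSE_LAN_IP,
                      backend_ips=BACKEND_IPS, public_ip=PUBLIC_IP):
    """Map the address a LAN client resolves the name to onto the TLS endpoint it hits."""
    if resolved_ip == lan_ip:
        return "haproxy-lan"
    if resolved_ip in backend_ips:
        return "backend-direct"
    if resolved_ip == public_ip:
        return "wan-hairpin"
    return "unknown"

def tls_name_check(hostname, ip, port=443, timeout=5):
    """Handshake with SNI=hostname against ip using the system trust store.
    Returns (ok, detail): ok only if the chain validates and the SAN covers hostname."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
                return True, "valid for " + ", ".join(sans)
    except ssl.SSLCertVerificationError as e:  # subclass of OSError, so it must come first
        return False, f"certificate rejected: {e.reason}"
    except OSError as e:
        return False, f"connection failed: {e}"

def diagnose(hostname):
    """Resolve with the client's own resolver, classify, and test TLS when HAProxy should answer."""
    ip = socket.gethostbyname(hostname)
    kind = classify_override(ip)
    report = f"{hostname} -> {ip}: {ADVICE[kind]}"
    if kind == "haproxy-lan":
        report += " TLS: " + tls_name_check(hostname, ip)[1]
    return kind, report

if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "www.example.com")[1])
```

Run it from a client on the LAN after flushing its DNS cache; a "backend-direct" result is exactly the override-at-the-cluster mistake discussed later in the thread.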
frankz @viragomann:

@viragomann Ok, then I'll try again by putting back the overrides that point to 3.76. As primary DNS I use pihole, which has the pfsense as upstream. Anyway, I'll try again tomorrow and let you know. For now I thank you for your patience and for helping me.

viragomann @frankz:

@frankz said in Local management of LE haproxy certificates:

then I'll try again by putting back the overrides that point to 3.76.

Dude, to pfSense LAN IP, not to the backend server / cluster.

frankz @viragomann:

@viragomann [two screenshots]

viragomann @frankz:

@frankz
I feel like I was talking to a wall here.
Give it up.

frankz @viragomann:

@viragomann I'm sorry. Thank you anyway.

frankz @viragomann:

@viragomann [screenshot]
That's how it works, and that's what I wanted to make understood.

viragomann @frankz:

@frankz
So read the thread again and find out how often I wrote that you have to state the LAN IP of pfSense in the host override.

frankz @viragomann:

@viragomann Thanks, but my great difficulty is the English to Italian translation, which is often not very precise. I'm sorry if I made you angry; it wasn't my intention. Thank you for your help, which is very important to me.