Why change webConfigurator admin port when enabling haproxy, acme?
-
Almost all guides to haproxy and acme start with changing the webConfigurator port of pfSense itself to something other than the default 443. I fail to understand why this is needed. The pfSense web interface is normally exposed only on LAN, but haproxy etc. uses 443 on WAN. So, I don't see the need to change the default port on LAN. Can anyone explain what I am missing? I understand it would be needed if someone manages pfSense from WAN.
-
@pfpv That service is listening on this port and you shouldn't or can't have two services listening on the same port. Your firewall rules are a different thing.
-
@Bob-Dig But they will be on different interfaces.
-
@pfpv It's because the web gui listens on all interfaces and you can't change that.
You only limit access with firewall rules.
-
@pfpv exactly what @netblues states.
Gui listens on all IPs, not just the lan interface..
Take a look yourself
[23.09.1-RELEASE][admin@sg4860.home.arpa]/: netstat -anl | grep .8443
tcp6       0      0 *.8443                 *.*                    LISTEN
tcp4       0      0 *.8443                 *.*                    LISTEN
[23.09.1-RELEASE][admin@sg4860.home.arpa]/:
I run the gui on 8443, notice it's listening on all..
Only reason your gui is not available via the wan, is because there is no firewall rule that allows it, at least not out of the box.
If your lan is default any any, do another test, hit your wan IP from your lan and you will notice the gui is available, because your firewall rules allow it, or at least the default lan any any rule would.
So if you want to have haproxy listen on your wan on 443, you need to make sure your gui isn't listening on it. And since there is not any way to select what interface(s) the gui listens on.. At least not in the gui, never looked into whether there is some way to make some sort of manual change to not have it listen on wan..
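The netstat check above, turned into a small script (an added example, not code from the thread or from pfSense): it reads FreeBSD-style netstat -anl output and reports whether a port is bound to the wildcard address, which is exactly the condition that blocks an HAProxy frontend on WAN:443. The netstat capture is constructed so the script runs offline; on a real box pipe the live netstat output into the functions instead.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a TCP port is bound to the
# wildcard address (*.PORT) in FreeBSD/pfSense `netstat -anl` output. A wildcard
# bind means the service (e.g. the webConfigurator) answers on every interface,
# WAN included, and only firewall rules keep it from being reached. HAProxy
# cannot take the same port on WAN until that listener moves elsewhere.
#
# Usage on a live box:  netstat -anl | port_is_free 443 && echo "443 is free"
# Below, a constructed netstat capture is embedded so the script runs offline.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.8443                 *.*                    LISTEN
tcp6       0      0 *.8443                 *.*                    LISTEN
tcp4       0      0 192.168.1.1.53         *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN'

# Print every LISTEN socket on the given port as "proto local-address",
# reading netstat output from stdin. Local address is column 4; its last
# dot-separated field is the port (BSD netstat uses "." not ":").
listeners_on_port() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            addr = $4
            sub(/.*\./, "", addr)          # keep only the port part
            if (addr == port) print $1, $4
        }'
}

# Count LISTEN sockets on the port whose local address is the wildcard "*".
wildcard_bind_count() {
    listeners_on_port "$1" | awk '$2 ~ /^\*\./ { n++ } END { print n + 0 }'
}

# Exit 0 when nothing on this host is bound to *.PORT, so a new WAN-only
# listener such as an HAProxy frontend can claim it; exit 1 otherwise.
port_is_free() {
    [ "$(wildcard_bind_count "$1")" -eq 0 ]
}

# Stand-alone demo over the constructed capture.
for p in 443 8443 53; do
    if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_free "$p"; then
        echo "port $p: no wildcard listener, HAProxy can bind it on WAN"
    else
        echo "port $p: bound on all interfaces, move that service first"
    fi
done
```

Port 53 in the sample is bound to a single LAN address, so it counts as free for a WAN frontend even though something listens on it; only the wildcard binds on 8443 and 22 would collide.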
-
@johnpoz, @netblues, thank you for the revelation. I never thought that the GUI was exposed on all interfaces by default because
1) I thought it would have been an obvious security issue,
2) I always forwarded WAN ports 80 and 443 to my webserver and never hit the web GUI. I guess port forwarding took precedence.
As for 1), I thought if I wanted to expose the web GUI to WAN I needed to forward the port to LAN and somehow care was taken not to expose it on WAN. But now it all makes sense. Thanks!
-
@pfpv said in Why change webConfigurator admin port when enabling haproxy, acme?:
I thought it would have been an obvious security issue,
This could be debated.. But since the wan default is deny.. Nobody from the wan side can reach the gui unless the admin of the firewall makes a mistake or allows it.
This might have been a design choice??? Because if you fire up pfsense with only 1 interface, that interface is the wan, and it allows access to the web gui, which wouldn't work if the gui didn't listen on wan.. because when wan is the only interface the anti-lockout rule is there.
I would be in favor of an easy option to select which interface the gui listens on after pfsense is setup, kind of how you can select what interfaces unbound listens on, or ntp, etc.
-
@johnpoz, you are correct. I should have added that in my head it seemed like a security issue but it obviously wasn't because of the default rules.