SSL offloading, accepting self-signed certs on LAN
-
Hello
I've recently gotten an approved cert on the webGUI, to get rid of the message about an insecure website, and to have a trusted CA create the certificate.
The question now is: is there a way to get pfSense to handle SSL offloading, so I can use self-signed certificates on the inside, while the public certificate handles the cryptography?
I have a NAS with a web server on it, and instead of going through the hassle of changing the certificate on that one, I thought I'd use pfSense to do this. That way the connection seems secure.
Does pfSense accept self-signed certificate traffic on the LAN side? Between the firewall and the NAS, that is?
Sorry if this is the wrong part of the forum
-
No. WTH is "SSL Offloading?"
-
Well, maybe not the correct term, but in theory it should be the firewall handling all the SSL requests and forwarding the requests as itself, acting as a proxy.
I know some firewalls/load balancers have this function; I was just wondering if pfSense had this ability.
I also know that some of these firewalls/load balancers don't accept self-signed certificates, as they don't trust the issuer.
-
I'm not sure if what you want is strictly possible (or desirable) but the base system can't do it. A package like haproxy-devel may be able to.
SSL Offloading is a valid practice for a reverse proxy, but that would be something to ask in the packages board.
It may also be possible with squid3-reverse, apache+mod_security, etc, but haproxy-devel is probably the most stable web server proxy package out there.
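As an added example of the reverse-proxy setup this answer points to (not from the pfSense HAProxy package or this thread; the addresses, names and file paths are placeholders), this is the raw haproxy.cfg equivalent of what the package would need to generate: the public certificate terminates TLS on the frontend, and the backend re-encrypts to the NAS while pinning its self-signed certificate instead of disabling verification.

```haproxy
# haproxy.cfg fragment (added example; paths, names and addresses are placeholders)

frontend https_in
    # Public certificate from the trusted CA, as a PEM bundle (key + cert + chain)
    bind :443 ssl crt /var/etc/haproxy/public-cert.pem
    mode http
    default_backend nas_web

backend nas_web
    mode http
    # Re-encrypt towards the NAS on the LAN.
    # "verify required" + "ca-file" pins the NAS's self-signed certificate (a self-signed
    # cert is its own CA), so HAProxy accepts exactly that certificate and nothing else.
    # "verifyhost" makes the name check pass even if the public hostname differs.
    # "verify none" would also connect, but then the firewall-to-NAS hop is unauthenticated.
    server nas01 192.168.1.20:443 ssl verify required ca-file /var/etc/haproxy/nas-selfsigned.crt verifyhost nas.lan
```

The NAS's certificate for the ca-file can be exported with `openssl s_client -connect 192.168.1.20:443 -showcerts`.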
-
Ah ok. Thanks for the info and clarification :)
-
HAProxy-Devel did exactly what I wanted. The only problem is that pfSense won't allow using the same cert on the webConfigurator and the HAProxy frontend.
So now I only have to choose which service is approved by a public certificate, or whether or not I'm going to buy another cert :P
Again, thanks for your help
-
You could get a free SSL cert for your non-public services (like the pfSense webGUI) at StartSSL… only valid for a year though.
-
Been there, tried that. Managed to botch my certificate, so it won't work with pfSense.
But thanks for the tip though :)
-
How do you mean? "pfSense won't allow using the same cert on the webConfigurator and the HAProxy frontend"
Seems possible to me?
-
When I choose the certificate for the webConfigurator, it won't show in the HAProxy frontend config tab.
So I guess pfSense or HAProxy doesn't allow the same cert to be used on both listeners.
I bought another cert for a subdomain and used that for the pfsense webconfigurator instead.
-
Hmm, I see what you mean; indeed HAProxy filters out the webGUI cert. I think I only intended to filter out the 'webConfigurator default' cert, as that specific cert is useless for normal use. I can't think of a good reason to not allow a wildcard cert to get configured on both HAProxy and the webGUI. I'll change that in the next version.