SSL offloading, accepting self-signed certs on LAN
-
No. WTH is "SSL Offloading?"
-
Well, maybe not the correct term, but in theory it should be the firewall handling all the SSL requests and forwarding them as itself, acting as a proxy.
I know some firewalls/load balancers have this function; I was just wondering if pfSense had this ability.
I also know that some of these firewalls/load balancers don't accept self-signed certificates, as they don't trust the issuer.
-
I'm not sure if what you want is strictly possible (or desirable) but the base system can't do it. A package like haproxy-devel may be able to.
SSL Offloading is a valid practice for a reverse proxy, but that would be something to ask in the packages board.
It may also be possible with squid3-reverse, apache+mod_security, etc, but haproxy-devel is probably the most stable web server proxy package out there.
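As an added illustration of what the reply above calls SSL offloading on a reverse proxy, and of the self-signed-backend concern raised in the question, here is a minimal haproxy.cfg (example config written for this thread, not output of the pfSense haproxy-devel package). The file paths, the 192.168.1.10 address and the web1.lan hostname are assumptions. The frontend terminates TLS with the public certificate; the two backends show the weak setting (trust any backend cert) beside the corrected one (trust a specific issuer and check the name), which is how a proxy can accept a "self-signed" backend without trusting every issuer:

```haproxy
# Added example config, not from the forum thread or the pfSense package.
# Assumed paths: /etc/ssl/private/public.pem (public cert + key + chain, PEM)
#                /etc/ssl/certs/lan-ca.pem  (the internal CA, or the backend's
#                                            own self-signed cert, which is its own issuer)
# Assumed hosts: 192.168.1.10 reachable as web1.lan

global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP only exists to push clients to HTTPS.
frontend public_http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

# TLS is terminated here with the public certificate ("SSL offloading").
# Backends never see the public key; they only see the proxy as the client.
frontend public_https
    bind *:443 ssl crt /etc/ssl/private/public.pem
    http-request set-header X-Forwarded-Proto https
    default_backend lan_web

# Weak setting: re-encrypt to the backend but skip certificate verification.
# Works with any self-signed cert, but anything answering on 192.168.1.10:443
# is accepted, so the LAN hop has encryption without authentication.
backend lan_web_noverify
    server web1 192.168.1.10:443 ssl verify none

# Corrected setting: still a private/self-signed backend cert, but the proxy
# is told exactly which issuer to trust and which name the cert must carry.
# A self-signed cert can be placed in ca-file directly, since it is its own CA.
backend lan_web
    server web1 192.168.1.10:443 ssl verify required ca-file /etc/ssl/certs/lan-ca.pem verifyhost web1.lan check
```

The pfSense package writes its own haproxy.cfg from the GUI, so the keywords above are what to look for in the generated file rather than fields to type in; `verify required` plus `ca-file` is the part that answers the "doesn't accept self-signed certificates" worry, and `verify none` is the shortcut to avoid on anything but a test segment.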
-
Ah ok. Thanks for the info and clarification :)
-
HAProxy-Devel did exactly what I wanted. The only problem is that pfSense won't allow using the same cert on the webConfigurator and the HAProxy frontend.
So now I only have to choose which service is approved by a public certificate, or whether or not I'm going to buy another cert :P
Again, thanks for your help
-
You could get a free SSL cert for your non-public services (like the pfSense webGUI) at StartSSL... only valid for a year, though.
-
Been there, tried that. Managed to botch my certificate, so it won't work with pfSense.
But thanks for the tip tho :)
-
How do you mean? "pfsense wont allow using the same cert on the webconfigurator and the HAProxy frontend"
Seems possible to me?
-
When I choose the certificate for the webConfigurator, it won't show in the HAProxy frontend config tab.
So I guess pfSense or HAProxy doesn't allow the same cert to be used on both listeners.
I bought another cert for a subdomain and used that for the pfsense webconfigurator instead.
-
Hmm, I see what you mean; indeed haproxy filters out the webGUI cert. I think I only intended to filter out the 'webConfigurator default' cert, as that specific cert is useless for normal use. I can't think of a good reason to not allow a wildcard cert to get configured on both haproxy and the webGUI. I'll change that in the next version.