-
I want to use the Standalone webserver for ACME certificate handeling.
Since i Already got HAproxy installed to forward HTTP/HTTPS trafic to my internal webservers (based on hostnames since i only got one IP) I want to use that for forwarding traffic to the standalone webserver too.
Would the right config be to tell it to forward http that contains .well-known/acme… to the internal IP of the FW and to a non used port like 6080?Could the standalone webserver be bound to a virtual IP instead of using the real internal IP. If not can I please add that as a feature request?
-
I don't have any solutions, but I wanted to add my +1 to this topic. I can't find a definitive guide to this type of configuration, and am pulling what little hair I have out.
I've had PFsense up and running for years, and have just implemented HAProxy to reverse proxy a few subdomains into my network. These are all running HTTPS (443) using SSL offloading on the front end, and are HTTP on the backend. This all works great.
I've just implemented another front end rule that takes inbound HTTP traffic (port 80) and redirects to HTTPS. Again…works great.
The problem comes in with my new implementation of ACME. I'm running it HTTP standalone, and cannot figure out how to allow for the auto-renewal with my existing HTTP/HTTPS redirect front end. That frontend is hijacking the validation response from ACME, and I cannot figure out how to allow the response to pass. I've tried adding an ACL on the HTTP redirect front end to catch the "path contains /.well-known/acme-challenge" and send that to a backend that forwards to the HTTP port and IP of PFsense. I've also made sure that the PFsense HTTP port is open on the firewall. No dice.
If anyone has any experience with this setup, can you please let me know how you got this working? -
Well, that's working for me ;)
And I have done it the (almost) same way.
My HTTP frontend has a path contains rule as the first acl to catch the acme responseI intend to try to fine tune it so that both the hostname and the path should match to trigger the call to my ACME backend
-
Well, that's working for me ;)
And I have done it the (almost) same way.
My HTTP frontend has a path contains rule as the first acl to catch the acme responseI intend to try to fine tune it so that both the hostname and the path should match to trigger the call to my ACME backend
Hmm….any chance you could post some screenshots of your config? I have a feeling I'm close, but I'm fat fingering something. For reference, here's my setup:
HTTP Frontend:
ACME Backend:
My frontend matches the acme path, and defaults to my ssl-redirect (which points back to my HTTPS frontend terminating my subdomains). Also note that localhost (my pfsense box) is configured for HTTP on port 4443. This port is also open on my firewall.
What am I missing?
-
And the point of that webserver is exactly what? If you use HAproxy, just use the HAproxy alone.
https://forum.pfsense.org/index.php?topic=101186.msg690924#msg690924
Trying to reverse proxy a webserver that's perpetually down until you run the ACME script won't have much success.
-
Cgram23:
Since I Nat my external port 80 my HAProxy do listen to that address instead but it should work the same.I have the same frontend config as you do.
I do have a different backend config though. I believe that the webserver in the ACME package listens to the internal (lan) interface - not 127.0.0.1 so you should probably change that IP
I also have Health check method set to noneI have not looked into using the Lua method proposed by the good doctor. It might be better - I don't know. after all I starded the thread asking if it was the right config :)
-
Thanks for the advice, everyone. For sanity's sake, I ended up porting my external DNS from Namecheap to Cloudflare, and configured DNS validation in ACME. This was much less of a headache.
Mats…out of curiosity, do you NAT port 80, and then use the NAT'd port on your HTTP frontend? Trying to figure out how you make that work.
-
Yes, that's exactly what I did.
Port 80 on Wan nated to 5080 on a virtual IP (10.0.0.1). Wan/443 nated to 10.0.0.1/5443
Firewall rules that allows trafic from / to 10.0.0.1/508080 and 10.0.0.1/5443Haproxy has listners on 10.0.0.1/508080 and 10.0.0.1/5443
I think you can do it without the nat too but since I had that part since earlier (once upon a time there was an issue getting Squid to bind to ports below 1024, hence a nat to a high port) I used it