Netgate Discussion Forum

    Webgui Access Only by FQDN

    • vallum

      Hi Everyone,

      I have configured the FQDN of my pfSense to firewall.example.com and I'm able to access it using https://firewall.example.com.

      But at the same time, if I enter the IP address, like https://192.168.1.1, the login page is displayed. Is there any way to either disable WebGUI login through the IP or make a permanent redirect rule from IP to name?

      Manu

      • NogBadTheBad

        Nope.

        Basically you'd use the IP address regardless; the only difference between the two:

        1. https://192.168.1.1/ < PC connects directly by IP address

        2. https://pfsense.example.com/ << PC looks up pfsense.example.com, which returns 192.168.1.1; the web browser then connects to the returned IP address.

        At the network level they just use IP addresses to talk to each other.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • Gertjan

          @RootMd5:

          But at the same time, if I enter the IP address, like https://192.168.1.1, the login page is displayed …..

          Strange.
          In my situation, I'm using HTTPS access with a cert from Let's Encrypt; "192.168.1.1" isn't part of the certificate name, so my browser yells really hard and doesn't want me to use this address as an address.
          Really friendly of course, because in the future, "192.168.1.1" will be dead anyway, and "2001:470:1f14:5c02:412::1" will rule and no one will type that one …
          All is well if I use "pfsense.myplace.locallan" - nice green lock icon, all happy. Behind the curtains, DNS will bring this "pfsense.myplace.locallan" back to 192.168.1.1 (no, not true: "2001:470:1f14:5c02:412::1", browsers love IPv6), because network connections don't know shit about URLs, but certainly certs do.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • vallum

            @NogBadTheBad:

            Nope.

            Basically you'd use the IP address regardless; the only difference between the two:

            1. https://192.168.1.1/ < PC connects directly by IP address

            Yeah, but once it is connected I want the page to be redirected or reloaded as https://pfsense.example.com. I have configured this behavior on my Linux web servers running Apache.

            2. https://pfsense.example.com/ << PC looks up pfsense.example.com, which returns 192.168.1.1; the web browser then connects to the returned IP address.

            At the network level they just use IP addresses to talk to each other.

            Yes Right :)

            Manu

            • vallum

              @Gertjan:

              @RootMd5:

              But at the same time, if I enter the IP address, like https://192.168.1.1, the login page is displayed …..

              Strange.
              In my situation, I'm using HTTPS access with a cert from Let's Encrypt; "192.168.1.1" isn't part of the certificate name, so my browser yells really hard and doesn't want me to use this address as an address.
              Really friendly of course, because in the future, "192.168.1.1" will be dead anyway, and "2001:470:1f14:5c02:412::1" will rule and no one will type that one …
              All is well if I use "pfsense.myplace.locallan" - nice green lock icon, all happy. Behind the curtains, DNS will bring this "pfsense.myplace.locallan" back to 192.168.1.1 (no, not true: "2001:470:1f14:5c02:412::1", browsers love IPv6), because network connections don't know shit about URLs, but certainly certs do.

              Yes, the warning showing a security risk is very irritating.
              Can you please share some documentation for using Let's Encrypt? I only use my WebGUI from the LAN, using a self-signed certificate added as a trusted CA on my local machine, and on WAN I have blocked everything.

              Manu

              • Derelict LAYER 8 Netgate

                Yeah, but once it is connected I want the page to be redirected or reloaded as https://pfsense.example.com. I have configured this behavior on my Linux web servers running Apache.

                Doesn't matter if there is a redirect. You will still get the certificate error when you initially connect because the certificate will not match the URL (IP address in this case.)

                If you don't like the certificate errors going to https://192.168.1.1/ then don't go to 192.168.1.1, go to the FQDN instead.

                Here, do this little experiment:

                https://172.217.5.196/

                Click through and see where you end up.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                • johnpoz LAYER 8 Global Moderator

                  If you don't want the error on your RFC 1918 address, you can also just add it as a SAN using your own CA and issue the cert. Then trust the CA.

                  Not having the webgui only respond via FQDN, how you could do with a virtual domain on an httpd, would be a mistake, since what if DNS is not working? It is the web GUI of an appliance and should always be available via the IP only, be it HTTP or HTTPS.

                  You can set httpd not to serve up documents on the IP, but only on the FQDN, but that could cause many issues with being able to access the GUI without DNS working.

                  If you don't like the IP then don't use the IP, it's that simple ;)

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11
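
The two replies above rest on one rule of TLS name checking: a client compares whatever host was typed in the URL against the certificate's subjectAltName list, and an IP literal is only compared against IP-type entries, never against DNS names. The following is an added example, not code from the thread or from pfSense; the function names are hypothetical and the SAN lists are constructed samples in the `(type, value)` format that Python's `ssl` `getpeercert()` returns.

```python
import ipaddress

# Constructed sample SAN lists: the original cert and the re-issued one
FQDN_ONLY = [("DNS", "firewall.example.com")]
WITH_IP = FQDN_ONLY + [("IP Address", "192.168.1.1")]


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as '*.com'
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def host_matches_cert(url_host, san):
    """True if the host part of the URL is covered by the SAN entries."""
    try:
        # Brackets are stripped so that '[2001:db8::1]' parses as IPv6
        wanted_ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        wanted_ip = None  # not an IP literal, treat as a DNS name

    for kind, value in san:
        if wanted_ip is not None:
            # IP literal: only 'IP Address' entries count, DNS entries are ignored
            if kind == "IP Address" and ipaddress.ip_address(value.strip()) == wanted_ip:
                return True
        elif kind == "DNS" and _dns_match(value, url_host):
            return True
    return False


if __name__ == "__main__":
    for host in ("firewall.example.com", "192.168.1.1"):
        print(host, "FQDN-only cert:", host_matches_cert(host, FQDN_ONLY),
              "| cert with IP SAN:", host_matches_cert(host, WITH_IP))
```

A redirect cannot help here because this check runs during the TLS handshake, before any HTTP response is sent.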

                  • vallum @johnpoz

                    @johnpoz Thanks John, I see green SSL now. I'm happy to use it with IP and FQDN both. :)

                    Manu

                    • vallum

                      @derelict said in Webgui Access Only by FQDN:

                      Yeah, but once it is connected I want the page to be redirected or reloaded as https://pfsense.example.com. I have configured this behavior on my Linux web servers running Apache.

                      Doesn't matter if there is a redirect. You will still get the certificate error when you initially connect because the certificate will not match the URL (IP address in this case.)

                      If you don't like the certificate errors going to https://192.168.1.1/ then don't go to 192.168.1.1, go to the FQDN instead.

                      Here, do this little experiment:

                      https://172.217.5.196/

                      Click through and see where you end up.

                      Thanks Derelict.
                      I have now added the IP address in the certificate and am able to access it. Thanks for your help.

                      Manu

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.