Netgate Discussion Forum
    [solved] HAproxy ssl offloading only for internal Lan

    Scheduled Pinned Locked Moved HA/CARP/VIPs
    11 Posts 3 Posters 1.6k Views
    • P
      PiBa @noplan
      last edited by

      @noplan
      Should not be needed..

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        huh?? What are you trying to accomplish exactly? Why would you be using HA proxy to access something internally?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • noplanN
          noplan
          last edited by noplan

          used for
          ssl offloading
          to get rid of that self signed cert error

          fd869ca9-a039-4826-94d0-dca631dec262-grafik.png

          I solved the issue (after pointing the hostname to the pfS IP and not the client IP in DNS resolver)

          working with LE wildcard / haProxy and a pretty mean pfBlockerN conf on the box ;)

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            @noplan said in [solved] HAproxy ssl offloading only for internal Lan:

            to get rid of that self signed cert error

            Just install a non self signed on the actual server..

            • noplanN
              noplan @johnpoz
              last edited by

              @johnpoz

              ..... Hmmm Yeahhhhhhh..... Hmmmm
              No

              Tooooo much fun doin it this way
              And more money to spend for other fun things ;)

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                What does money have to do with.. Just create whatever certs you want on pfsense. Can be any domain, any san (rfc1918 addresses even) etc..

                For that matter it's local network - just use http ;)

                • noplanN
                  noplan @johnpoz
                  last edited by

                  @johnpoz

                  Point taken, wasn't thinking about us in pfS for the certs...

                  Some stuff uses self signed per default
                  And Browser warning is annoying
                  U know there is something called
                  woman acceptance factor
                  On the frontend ;)

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    So example - here my cisco switch.. Can use IP or Name and secure with no warning.

                    switch.jpg

                    Until these browsers start complaining about cert lifetime, just set it for 10 years and be done with it...

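Added example, not part of any post in this thread: the internal-CA approach suggested above (a certificate whose SAN covers both a name and an RFC1918 address, so either can be used without a warning once the CA is trusted), done with the plain `openssl` CLI as a stand-in for the pfSense certificate manager. The hostname `nas.lan.example`, the address `192.168.1.20`, the 397-day default and the function names `make_lan_cert` and `cert_matches` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): private CA plus a server certificate
# whose SAN covers a hostname and an RFC1918 IPv4 address. Names are constructed.
set -eu

# make_lan_cert DIR HOSTNAME IPV4 [DAYS]  (body runs in a subshell)
make_lan_cert() (
  dir=$1 host=$2 ip=$3 days=${4:-397}   # 397 days is an assumed default
  umask 077                             # private keys readable by owner only
  mkdir -p "$dir" && cd "$dir" &&
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    'prompt=no' '[dn]' 'CN=Example LAN CA' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > req.cnf &&
  # 1. Root CA: the only certificate clients have to import as trusted.
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout ca.key -out ca.crt 2>/dev/null &&
  # 2. Server key and CSR; -subj overrides the DN from the config.
  openssl req -new -config req.cnf -subj "/CN=$host" -newkey rsa:2048 \
    -nodes -sha256 -keyout server.key -out server.csr 2>/dev/null &&
  # 3. Leaf extensions: browsers match on the SAN, not the CN, so the name
  #    and the IP both have to be listed here.
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$host,IP:$ip" > san.ext &&
  openssl x509 -req -sha256 -days "$days" -in server.csr -CA ca.crt \
    -CAkey ca.key -CAcreateserial -extfile san.ext -out server.crt 2>/dev/null
)

# cert_matches DIR NAME_OR_IPV4: succeeds only if server.crt chains to ca.crt
# and its SAN covers the target (IPv4 literals are checked as IP entries).
cert_matches() (
  case $2 in
    *[!0-9.]*) flag=-verify_hostname ;;
    *)         flag=-verify_ip ;;
  esac
  openssl verify -CAfile "$1/ca.crt" "$flag" "$2" "$1/server.crt" >/dev/null 2>&1
)
```

Only `ca.crt` is distributed to clients; `ca.key` stays offline, since anyone holding it can issue certificates those clients will accept for any name.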
                    • noplanN
                      noplan
                      last edited by

                      Thanks for the hint / tip

                      I've never considered this as an option

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        It was much better before browsers started lowering the life of the cert.. You could set the cert to be good for 10 years or something and never have to worry about it again..

                        Now they want to have longest life of 398 days - uggghhhh.. Glad all my certs grandfathered in, hehehe And good for the 10 some years ;)

                        cert.jpg

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.