    Opinions on where to terminate SSL

    General pfSense Questions
    • redpine

      So my system has grown and I find myself wanting SSL (https) at my PFSense box and on my apache servers.  Wondering where most terminate SSL?  It seems that with letsencrypt I can terminate at my PFSense box and route to http.

      Thanks

    • johnpoz (LAYER 8 Global Moderator)

        letsencrypt has little to do with the actual SSL endpoint.  Sounds like you're wanting to run a reverse proxy with https being at the proxy that just forwards on to a server running http.  Normally you would not offload the ssl to your edge but just let it through to your end server, but sure that can be done - not sure if the reverse proxy you can add to pfsense allows for the hand off.

        But that really has little to do with having the pfsense gui use https - if that is your other question.  And again letsencrypt is not a requirement in any of this - just a way to get a cert that is trusted by a browser when using a domain that you own.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

    • JKnott

          @redpine:

          So my system has grown and I find myself wanting SSL (https) at my PFSense box and on my apache servers.  Wondering where most terminate SSL?  It seems that with letsencrypt.  I can terminate at my PFSense box and route to http.

          Thanks

          Isn't SSL generally provided by the server?  I doubt you'd get it by running SSL on the firewall for anything but itself.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 64 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

    • johnpoz (LAYER 8 Global Moderator)

            ^ Normally yes - but you can offload the SSL on the proxy/load balancer running on the edge device.  We do it all the time on our F5's - normally when the customer is too clueless to run ssl securely ;)  Offering up all kinds of outdated algorithms/ciphers, etc.

            Or you could offload the SSL to your edge device for load reasons, where the box running the site is overtaxed and you want to save it from having to do the ssl on it.  But yes generally speaking it's better to let it through to the end server.  Offloading it to something else also brings up the possibility of mitm sniffing, etc.

            So while it is possible in general terms, I am not aware of the reverse proxy you can install on pfsense having this feature off the top of my head.  To be honest not something I would suggest.  If you want to leverage letsencrypt to get your cert - prob best to just run it on the server running your site you want to do ssl to.

    • stephenw10 (Netgate Administrator)

              You can do ssl offloading in HAProxy.
              https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki#https-for-multiple-backend-using-offloading-from-1-frontend

              Squid Reverse Proxy can also do it though I've not run that personally.

              Steve

    • redpine

                I currently am running a reverse proxy (apache) on my server, it gets its certificates from letsencrypt.  I have also started using letsencrypt on my PFSense box.  Things are a little confused (probably me). So the confusion is Route53 points to a subdomain on my PFSense box and the domain name goes to my server inside my local network.  I want SSL to PFSense.  Don't want to expose my PFSense server to the internet.

                Chrome gets confused with this mess and thinks someone is spoofing and won't let me go to the PFSense box internally.

                I assume that maybe what I should be doing is not using a real CA certificate (letsencrypt) to PFSense, but self signed or terminate SSL at PFSense or something else?

    • heper

                  You probably want to move the webgui to a different port…

    • stephenw10 (Netgate Administrator)

                    Yes the SSL/Proxy should be completely separate from the pfSense webgui. I would expect you could use letsencrypt for both or either. But they would need to be on different ports.

                    Steve

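As an added illustration of what stephenw10 describes in the two posts above (TLS offloaded in HAProxy, plain http to the Apache backend, and the pfSense webGUI kept on a separate port), here is a hand-written HAProxy configuration; it is an example written for this thread, not the configuration the pfSense HAProxy package generates nor anything posted by the participants. The certificate path, the backend address and the hostname are placeholders, and it assumes the pfSense webGUI has already been moved off port 443 (e.g. to 8443) so HAProxy can bind it.

```haproxy
# Added example, not the pfSense HAProxy package's generated config.
# Assumes: pfSense webGUI moved off 443 (e.g. to 8443); a Let's Encrypt
# cert+key bundle at /var/etc/haproxy/example.pem (placeholder path);
# an Apache backend at 192.168.1.10:80 (placeholder address).
global
    # Refuse the outdated protocol versions and ciphers johnpoz warns about
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    option forwardfor          # pass the client IP to Apache in X-Forwarded-For

frontend web_in
    bind *:80
    bind *:443 ssl crt /var/etc/haproxy/example.pem alpn h2,http/1.1
    # Plain-http requests are redirected to https before reaching the backend
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Apache only ever sees http from HAProxy, so tell it the original scheme
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # HSTS so browsers keep using https after the first visit
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # Route by hostname; the pfSense webGUI itself is deliberately not published here
    acl host_www hdr(host) -i www.example.com
    use_backend apache_http if host_www
    default_backend apache_http

backend apache_http
    # TLS is terminated in the frontend; this leg is plain http inside the LAN
    server web1 192.168.1.10:80 check
```

The backend leg is unencrypted LAN traffic, which is exactly the exposure johnpoz refers to, so keep it on a network segment you control rather than routing it across anything untrusted.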