Opinions on where to terminate SSL



  • So my system has grown and I find myself wanting SSL (https) at my pfSense box and on my Apache servers.  Wondering where most people terminate SSL?  It seems that with letsencrypt I can terminate at my pfSense box and route to http.

    Thanks


  • LAYER 8 Global Moderator

    letsencrypt has little to do with the actual SSL endpoint.  Sounds like you're wanting to run a reverse proxy with https being at the proxy that just forwards on to a server running http.  Normally you would not offload the SSL to your edge but just let it through to your end server, but sure, that can be done - not sure if the reverse proxy you can add to pfSense allows for the hand-off.

    But that really has little to do with having the pfSense GUI use https - if that is your other question.  And again, letsencrypt is not a requirement in any of this - just a way to get a cert that is trusted by a browser when using a domain that you own.



  • @redpine:

    So my system has grown and I find myself wanting SSL (https) at my pfSense box and on my Apache servers.  Wondering where most people terminate SSL?  It seems that with letsencrypt I can terminate at my pfSense box and route to http.

    Thanks

    Isn't SSL generally provided by the server?  I doubt you'd get it by running SSL on the firewall for anything but itself.


  • LAYER 8 Global Moderator

    ^ Normally yes - but you can offload the SSL on the proxy/load balancer running on the edge device.  We do it all the time on our F5's - normally when the customer is too clueless to run SSL securely ;)  Offering up all kinds of outdated algorithms/ciphers, etc.

    Or you could offload the SSL to your edge device for load reasons, where the box running the site is overtaxed and you want to save it from having to do the SSL itself.  But yes, generally speaking it's better to let it through to the end server.  Offloading it to something else also brings up the possibility of MITM sniffing, etc.

    So while it is possible in general terms, I am not aware of the reverse proxy you can install on pfSense having this feature, off the top of my head.  To be honest, not something I would suggest.  If you want to leverage letsencrypt to get your cert - prob best to just run it on the server running the site you want to do SSL to.


  • Netgate Administrator

    You can do ssl offloading in HAProxy.
    https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki#https-for-multiple-backend-using-offloading-from-1-frontend

    Squid Reverse Proxy can also do it though I've not run that personally.

    Steve



  • I currently am running a reverse proxy (Apache) on my server; it gets its certificates from letsencrypt.  I have also started using letsencrypt on my pfSense box.  Things are a little confused (probably me). So the confusion is Route53 points to a subdomain on my pfSense box and the domain name goes to my server inside my local network.  I want SSL to pfSense.  I don't want to expose my pfSense server to the internet.

    Chrome gets confused with this mess, thinks someone is spoofing, and won't let me go to the pfSense box internally.

    I assume that maybe what I should be doing is not using a real CA certificate (letsencrypt) for pfSense, but a self-signed one, or terminating SSL at pfSense, or something else?



  • You probably want to move the webgui to a different port…


  • Netgate Administrator

    Yes, the SSL proxy should be completely separate from the pfSense webGUI. I would expect you could use letsencrypt for both or either. But they would need to be on different ports.

    Steve
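
    The HAProxy offloading setup Steve links above, and the port separation this last reply asks for, look roughly like the following. This is an added example written for this page, not configuration from the thread, the pfSense HAProxy package, or the linked wiki. The hostnames, backend IPs, and the certificate directory path are assumptions for illustration; the webGUI port is assumed to have been moved to 8443 under System > Advanced > Admin Access so that nothing but HAProxy listens on 443.

```haproxy
# Added example, not from the thread. TLS terminates at the pfSense edge in
# HAProxy; the Apache hosts behind it only ever see plain HTTP.
global
    log /var/run/log local0
    # Modern defaults: TLS 1.2+ only, forward-secret AEAD ciphers, no resumption tickets.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    # Pass the client's real address through to Apache (X-Forwarded-For).
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Port 80 only exists to push clients to HTTPS.
frontend http_in
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# Port 443: the actual TLS endpoint. The pfSense webGUI must NOT also bind here
# (assumed moved to 8443). "crt" given a directory loads every .pem in it
# (key + full chain in one file); HAProxy picks the cert matching the SNI the
# client sent, so several Let's Encrypt certs can live on one frontend.
frontend https_in
    bind *:443 ssl crt /var/etc/haproxy/certs/ alpn h2,http/1.1
    # Tell Apache the original request was HTTPS so it builds https:// redirects.
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # Route on the Host header; the cert was already chosen by SNI.
    use_backend www_site if { req.hdr(host) -i www.example.com }
    use_backend app_site if { req.hdr(host) -i app.example.com }
    default_backend www_site

# Internal Apache hosts, plain HTTP. Assumed addresses.
backend www_site
    option httpchk GET /
    server apache1 192.168.1.10:80 check

backend app_site
    server apache2 192.168.1.11:80 check
```

    Two things follow from running it this way. First, the traffic between pfSense and the Apache hosts is cleartext on the LAN, which is the MITM/sniffing trade-off the moderator raises above; if that segment is not trusted, point the backends at Apache's HTTPS port and add `ssl verify required ca-file ...` to the `server` lines instead of offloading. Second, the Chrome complaint in the thread comes from a name mismatch: the browser compares the hostname in the URL against the SANs of whatever certificate answers on that port. `openssl s_client -connect <ip>:443 -servername www.example.com` shows exactly which certificate a given name:port combination presents, which is the quickest way to confirm the webGUI cert and the proxy cert are no longer being served on the same port.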

