Schema for certificate to use on HAProxy and internal websites



  • Hello all..
    Maybe this is a general question not related to pfSense, but I need to be clear about the order or schema for correctly using my certificate...
    I have an internal self-signed CA to generate certificates for my internal servers and users on my network, integrated with Windows Group Policy to distribute the CA to my internal users/servers. This works fine, no issues generating certificates with multiple subjects, IP addresses, etc.
    Some websites must be accessible from the internet; they have a corresponding certificate generated by our CA, and yes, external clients are receiving browser alerts that the certificate cannot be verified. Because of this I got an ACME certificate and put it (manually) in pfSense HAProxy (configuring now).
    On the IIS server that hosts my websites under a certificate from my internal CA, these websites will be visible through pfSense HAProxy, which has an ACME multidomain certificate... so my question is about how to proceed on my backend server and frontend..
    I really want to migrate from Squid reverse proxy (working, but with the alert in the browsers of external clients) to HAProxy... I have read a lot here and on the web and they say HAProxy is better with ACME certificate integration and automation, but some questions are not clear in my mind.
    For now I need to make it work and understand how it works; later I will need to make the generation of ACME certificates / copying and importing them into the other servers automatic (that is another night without sleep).
    I'm planning my backend with address 1.2.3.4, port 443, encrypt SSL yes, Check certificate box marked, my internal CA selected (imported into pfSense before), but I don't know if this is right or not. In the ACL I can check the SNI, but I don't know which action to take later with the ACL declared before.
    On the Frontend tab I selected the dedicated IP (registered on the DNS server) and port 443, and selected the SSL Offloading option, type http/https (offloading).
    In the ACL option I made a check for hostname containing the hostname of the website, and in the Action option I set it to use the backend that matches the ACL declared before. But I'm not sure about this configuration and the correct use of certificates.
    Regards, and sorry about my English.
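The schema described in the post, written out as plain HAProxy configuration (an added example, not from the original post and not the config that the pfSense HAProxy package generates). The public IP 203.0.113.10, the hostnames intranet.example.com and portal.example.com, and the certificate file paths are placeholders; the backend 1.2.3.4:443 is taken from the post.

```haproxy
# Added example, not from the post: public TLS terminates with the ACME
# certificate, traffic is re-encrypted to IIS and the IIS certificate is
# verified against the internal CA. IPs, hostnames and paths are placeholders.
global
    log stdout format raw local0
    # Only modern TLS on the public side
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public side ("SSL Offloading" in the pfSense GUI): external browsers only
# ever see the publicly trusted ACME multidomain certificate.
frontend fe_public_https
    bind 203.0.113.10:443 ssl crt /var/etc/haproxy/acme-multidomain.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # TLS is already decrypted here, so route on the HTTP Host header.
    # SNI matching only makes sense in a TCP-mode frontend that does not offload.
    acl host_intranet req.hdr(host) -i intranet.example.com
    acl host_portal   req.hdr(host) -i portal.example.com
    use_backend be_iis_intranet if host_intranet
    use_backend be_iis_portal   if host_portal
    default_backend be_deny

# Internal side ("Encrypt SSL" + "Check certificate" + internal CA selected):
# 'verify required ca-file' rejects any backend cert not issued by the internal CA,
# 'sni' tells IIS which site certificate to present, 'verifyhost' pins its name.
backend be_iis_intranet
    server iis1 1.2.3.4:443 ssl verify required ca-file /var/etc/haproxy/internal-ca.pem sni str(intranet.example.com) verifyhost intranet.example.com check

backend be_iis_portal
    server iis1 1.2.3.4:443 ssl verify required ca-file /var/etc/haproxy/internal-ca.pem sni str(portal.example.com) verifyhost portal.example.com check

# Requests for hostnames that are not published get a 403 instead of a default site.
backend be_deny
    http-request deny
```

The IIS side keeps its internal-CA certificate; only the frontend certificate must be publicly trusted, and `ssl verify required` with the internal CA file is what the "Check certificate" option maps to, so the backend connection cannot be redirected to a host presenting an arbitrary certificate.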