HAProxy and ACME standalone certificate validation option - need advice

  • Hi,

    We have web servers behind pfSense and are considering/looking to use ACME with HAProxy. In the pfSense documentation it says that the web server for the standalone validation option for ACME certificates is only active during the certificate validation process.

    "The Standalone method runs a small web server natively that is active only while the validation process is running."

    Yet later in the documentation it says "We do not recommend using this method as it exposes a service on the firewall to the Internet."

    My question is: is it safer when used with HAProxy, since HAProxy insulates it from the Internet, or am I incorrect in my interpretation? What risks exist if it is only active for a minute or so and will not respond at other times since it is turned off? It is not clear what firewall service is being exposed.

    Looking for some advice.

