Netgate Discussion Forum

[solved] HAproxy ssl offloading only for internal Lan

  • N
    noplan
    last edited by noplan Apr 15, 2020, 10:18 PM Apr 15, 2020, 7:09 PM

    EDIT: No, you do not need it!
    after fixing your DNS Resolver pointing to the client and not to the pfS box


    Do I really have to set up a virtual IP with
    my LAN IP from pfS and tell HAProxy to listen on that IP, with a specified port, e.g. 80 or 443?

    Webgui redirect and port of pfS GUI already changed

    BrNp

    P 1 Reply Last reply Apr 15, 2020, 9:06 PM Reply Quote 0
    • P
      PiBa @noplan
      last edited by Apr 15, 2020, 9:06 PM

      @noplan
      Should not be needed..

      1 Reply Last reply Reply Quote 0
      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Apr 15, 2020, 10:09 PM

        huh?? What are you trying to accomplish exactly? Why would you be using HA proxy to access something internally?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • N
          noplan
          last edited by noplan Apr 15, 2020, 10:17 PM Apr 15, 2020, 10:14 PM

          used for
          ssl offloading
          to get rid of that self signed cert error

          I solved the issue (after pointing the hostname to the pfS IP and not the client IP in DNS Resolver)

          working with LE wildcard / HAProxy and a pretty mean pfBlockerNG conf on the box ;)

          1 Reply Last reply Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Apr 16, 2020, 5:27 AM

            @noplan said in [solved] HAproxy ssl offloading only for internal Lan:

            to get rid of that self signed cert error

            Just install a non self signed on the actual server..


            N 1 Reply Last reply Apr 16, 2020, 7:11 AM Reply Quote 0
            • N
              noplan @johnpoz
              last edited by Apr 16, 2020, 7:11 AM

              @johnpoz

              ..... Hmmm Yeahhhhhhh..... Hmmmm
              No

              Tooooo much fun doing it this way
              And more money to spend for other fun things ;)

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Apr 16, 2020, 7:13 AM

                What does money have to do with it.. Just create whatever certs you want on pfSense. Can be any domain, any SAN (RFC 1918 addresses even) etc..

                For that matter it's local network - just use http ;)


                N 1 Reply Last reply Apr 16, 2020, 7:18 AM Reply Quote 0
                • N
                  noplan @johnpoz
                  last edited by Apr 16, 2020, 7:18 AM

                  @johnpoz

                  Point taken, wasn't thinking about using pfS for the certs...

                  Some stuff uses self signed by default
                  And Browser warning is annoying
                  U know there is something called
                  woman acceptance factor
                  On the frontend ;)

                  1 Reply Last reply Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Apr 16, 2020, 7:19 AM

                    So, example - here is my Cisco switch.. Can use IP or name and secure with no warning.

                    switch.jpg

                    Until these browsers start complaining about cert lifetime, just set it for 10 years and be done with it...


                    1 Reply Last reply Reply Quote 0
                    • N
                      noplan
                      last edited by Apr 16, 2020, 5:15 PM

                      Thanks for the hint / tip

                      I've never considered this as an option

                      1 Reply Last reply Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Apr 16, 2020, 5:45 PM

                        It was much better before browsers started lowering the life of the cert.. You could set the cert to be good for 10 years or something and never have to worry about it again..

                        Now they want to have longest life of 398 days - uggghhhh.. Glad all my certs grandfathered in, hehehe And good for the 10 some years ;)

                        cert.jpg


                        1 Reply Last reply Reply Quote 1
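
Added example, not written by any poster in this thread: the approach discussed above (a locally issued certificate whose SAN carries both a host name and an RFC 1918 address, so either can be used without a browser warning once the local CA is trusted), done with the openssl CLI instead of the pfSense certificate manager. The host name, IP address, file names and the 398-day lifetime passed in are constructed sample values.

```shell
#!/bin/sh
# Added example; host name, IP and file names are constructed placeholders.
make_lan_cert() {   # usage: make_lan_cert DIR HOSTNAME IP DAYS
    dir=$1; name=$2; ip=$3; days=$4
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name,IP:$ip
EOF
    # Local CA: the certificate clients must import as a trusted root.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/pki.cnf" -subj "/CN=Example LAN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and signing request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/pki.cnf" -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Sign it; browsers match on subjectAltName, so name and IP both go there.
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions leaf \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

check_lan_cert() {  # usage: check_lan_cert DIR HOSTNAME IP
    dir=$1; name=$2; ip=$3
    # Chain must verify against the local CA, and both SAN entries must match.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -checkhost "$name" | grep -q 'does match' || return 1
    openssl x509 -in "$dir/server.crt" -noout -checkip "$ip" | grep -q 'does match' || return 1
}

# Demo run with constructed values.
demo=$(mktemp -d)
make_lan_cert "$demo" nas.lan.example 192.168.1.20 398 &&
    check_lan_cert "$demo" nas.lan.example 192.168.1.20 && echo "name and IP both validate"
rm -rf "$demo"
```

The CA private key (ca.key) is what lets anyone mint certificates your clients will trust, so keep it off the servers that only need server.key and server.crt.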