Netgate Discussion Forum

[solved] HAproxy ssl offloading only for internal Lan

HA/CARP/VIPs
11 Posts 3 Posters 1.6k Views
  • P
    PiBa @noplan
    last edited by Apr 15, 2020, 9:06 PM

    @noplan
    Should not be needed..

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Apr 15, 2020, 10:09 PM

      huh?? What are you trying to accomplish exactly? Why would you be using HA proxy to access something internally?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • N
        noplan
        last edited by noplan Apr 15, 2020, 10:17 PM Apr 15, 2020, 10:14 PM

        used for
        ssl offloading
        to get rid of that self signed cert error

        fd869ca9-a039-4826-94d0-dca631dec262-grafik.png

        I solved the issue (after pointing the hostname to the pfS IP and not the client IP in DNS resolver)

        working with LE wildcard / haProxy and a pretty mean pfBlockerN conf on the box ;)

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Apr 16, 2020, 5:27 AM

          @noplan said in [solved] HAproxy ssl offloading only for internal Lan:

          to get rid of that self signed cert error

          Just install a non self signed on the actual server..

          • N
            noplan @johnpoz
            last edited by Apr 16, 2020, 7:11 AM

            @johnpoz

            ..... Hmmm Yeahhhhhhh..... Hmmmm
            No

            Tooooo much fun doin it this way
            And more money to spend for other fun things ;)

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Apr 16, 2020, 7:13 AM

              What does money have to do with.. Just create whatever certs you want on pfsense. Can be any domain, any san (rfc1918 addresses even) etc..

              For that matter it's local network - just use http ;)

              • N
                noplan @johnpoz
                last edited by Apr 16, 2020, 7:18 AM

                @johnpoz

                Point taken, wasn't thinking about us in pfS for the certs...

                Some stuff uses self signed per default
                And Browser warning is annoying
                U know there is something called
                woman acceptance factor
                On the frontend ;)

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Apr 16, 2020, 7:19 AM

                  So example - here my cisco switch.. Can use IP or Name and secure with no warning.

                  switch.jpg

                  Until these browsers start complaining about cert lifetime, just set it for 10 years and be done with it...

                  • N
                    noplan
                    last edited by Apr 16, 2020, 5:15 PM

                    Thanks for the hint / tip

                    I've never considered this as an option

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Apr 16, 2020, 5:45 PM

                      It was much better before browsers started lowering the life of the cert.. You could set the cert to be good for 10 years or something and never have to worry about it again..

                      Now they want to have longest life of 398 days - uggghhhh.. Glad all my certs grandfathered in, hehehe And good for the 10 some years ;)

                      cert.jpg


                      1 Reply Last reply Reply Quote 1
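
Added example (not part of the original thread, and not pfSense's own tooling): the approach suggested above, an internal CA issuing a server certificate whose SANs cover both a host name and an RFC 1918 address, sketched with the openssl CLI instead of the pfSense GUI. The host name `nas.lan.example`, the address `192.168.1.20`, the file names and the function names are constructed for illustration; 398 days is the lifetime figure mentioned in the thread.

```shell
#!/bin/sh
# Added example: internal CA plus a server certificate with DNS and IP SANs.
# Host name, address, file names and function names are constructed.
set -eu

issue_internal_cert() {
    # $1 = output dir, $2 = DNS name, $3 = RFC 1918 address, $4 = lifetime in days
    dir=$1; name=$2; ip=$3; days=$4
    mkdir -p "$dir"

    # 1. Self-signed internal CA: the root that LAN clients must import and trust.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 \
        -days 3650 -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Extensions for the leaf. Browsers match on subjectAltName, not CN,
    #    so both the name and the address must be listed there.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name, IP:$ip
EOF

    # 4. Sign the request with the internal CA.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days "$days" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

cert_matches() {
    # $1 = dir, $2 = host name, $3 = address.
    # Succeeds only if the chain, the name and the address all verify.
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        -verify_ip "$3" "$1/server.crt" >/dev/null 2>&1
}

# Demo: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    issue_internal_cert ./pki-demo nas.lan.example 192.168.1.20 398
    cert_matches ./pki-demo nas.lan.example 192.168.1.20 && echo "name and IP verify"
fi
```

Clients stop showing the warning only after `ca.crt` has been imported as a trusted root; `ca.key` stays on the machine that issues certificates.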
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.