some clarification about ports (general understanding)
-
Hi Folks,
I have an openVPN Server running on pfSense.
It listens on port 443. I use it on my phone to connect to my home network. To avoid getting blocked on public hotspots, company networks and so on, I have chosen TCP port 443. Now I want to set up HAProxy and host my own webpage, also on ports 443 and 80.
I think that might clash. Can I tell my firewall somehow to sort this, i.e. whether the telegram is for OpenVPN or for the webserver?
-
Here is how I do this..
In your openvpn setup that listens on 443, in the advanced section, custom options for that openvpn instance.
port-share 127.0.0.1 9443

Now when traffic hits your OpenVPN and it's not OpenVPN traffic, it sends it to port 9443, which is the port HAProxy is listening on. It can then send this traffic to where you want.
I have this setup so access to ombi (requests for plex) works on 443.
Your port 80 would be its own setup in HAProxy, because 80 is not going to be going to OpenVPN.
-
That works perfectly!
Many thanks.
Since you are already into this, may I raise a few more questions.
1.) In HAProxy I am using SSL offloading, meaning the server does not have a certificate. For HAProxy and the outside world, I would like to use a certificate.
DuckDNS offers you the option to get a dyndns. The ACME package can claim a certificate from Let's Encrypt. Is the TXT record added to DuckDNS via the token?
2.) Let's say I claim the certificate "domain.duckdns.org".
Via HAProxy I want to reverse proxy "subdomain.domain.duckdns.org". Is that certificate from Let's Encrypt added into the frontend valid for the backend, or do I need to get a certificate with the same name as the backend?
3.) I managed somehow to get WordPress working via https, but it looks ugly, the page looks broken. If I go to the page via the IP over LAN it looks as it should. If I check with my phone from the cellphone network, it looks broken. Any idea?
-
Your front end SSL cert does not have to match the backend cert. Where you get the certs is up to you. If DuckDNS will create a DNS entry for you to grab a cert via ACME, that works.
You can also use wildcard certs so *.whatever.tld works.
If the page looks broken, normally this points to CSS not loading. Have to look at how the site tells the browser to load the CSS file.
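As an added illustration of the port-share setup from the first answer and the offloading/cert points from this one (not config from either poster; hostnames, paths and the LAN address are assumptions; pfSense generates equivalent HAProxy config from the package GUI):

```haproxy
# OpenVPN server custom options (pfSense: VPN > OpenVPN > Server > Custom options).
# Anything arriving on tcp/443 that is not an OpenVPN handshake is handed to 127.0.0.1:9443.
#   port-share 127.0.0.1 9443

frontend https_in
    # Bind loopback only: the public side stays OpenVPN on 443, 9443 itself is never exposed.
    # The cert must cover the name clients type; a cert for domain.duckdns.org does not
    # cover sub.domain.duckdns.org, a wildcard *.domain.duckdns.org covers one label.
    bind 127.0.0.1:9443 ssl crt /var/etc/haproxy/domain.duckdns.org.pem
    mode http
    # Clients appear as 127.0.0.1 here because port-share proxies the stream,
    # so route and log by Host header rather than by src.
    acl host_wp req.hdr(host) -i wp.domain.duckdns.org
    use_backend wordpress if host_wp
    default_backend no_match

frontend http_in
    # Port 80 is HAProxy's own listener; OpenVPN is not involved.
    bind *:80
    mode http
    http-request redirect scheme https code 301

backend wordpress
    mode http
    # SSL offloading: HAProxy talks plain HTTP to the LAN host (assumed address),
    # so the backend needs no certificate of its own.
    # Tell WordPress the original scheme so it emits https:// asset (CSS) links
    # instead of http:// ones the browser then refuses or cannot reach.
    http-request set-header X-Forwarded-Proto https
    server wp1 192.168.1.50:80 check

backend no_match
    mode http
    http-request deny
```

With the X-Forwarded-Proto header in place, WordPress still needs its site URL set to the https hostname, otherwise the LAN-IP view and the proxied view will keep generating different asset links.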