Guest VLAN and Haproxy/acme
I have a LAN with a mailserver. I have configured HAProxy with ACME, so my mailserver is accessible from the internet. The SSL offloading is handled by the firewall.
I have a second LAN for guests which is a separate VLAN on the firewall. I have created a firewall rule and have set up a split DNS for the mail server. I can access the mail server from my guest LAN using the full DNS name, but as expected I get a certificate error.
Is there an elegant way to solve this?
- Make an IP Alias VIP on Localhost using a /32 from an unused subnet. You can use other addresses here for other Localhost VIPs if the need arises.
- Port Forward the desired traffic from the outside to that VIP.
- Be sure the WAN rules pass the traffic to the VIP, not the WAN address. The auto-rules should be fine.
- Tell HAproxy to listen on that VIP on the frontend instead of the WAN address.
- Split DNS inside hosts to that VIP instead of the backend server itself.
- Look, Ma, no NAT reflection, and HAproxy does all the TLS for hosts inside and out.
- Have a cocktail.
You could also listen on the WAN and the VIP in the frontend and forgo the port forward, I suppose. The key is getting HAProxy in between all clients and the server, whether they are connecting from the inside or outside.
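For readers who want to see what the steps above look like once written down, here is a standalone haproxy.cfg that implements them. This is an added example, not configuration posted by either participant; on pfSense the same settings are entered through the HAProxy package GUI rather than a file. Every address and name in it is an assumption: 198.51.100.1/32 is the IP alias VIP on Localhost, mail.example.com is the public name, 192.168.10.25 is the mail server's webmail interface on the LAN, and the ACME certificate is assumed to live at /var/etc/haproxy/mail.example.com.pem. The split DNS host override for mail.example.com is then pointed at 198.51.100.1, and the WAN port forward sends 443 (and 80) to that same VIP.

```haproxy
# Added example, not from the thread. Addresses, names and the cert path are
# assumptions; adjust them to the actual VIP, hostname and backend.

global
    log /dev/log local0
    # Refuse legacy protocol versions on every TLS bind below.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor          # pass the real client IP to the mail server
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Plain HTTP on the VIP only redirects to HTTPS. Inside clients land here as
# soon as split DNS resolves mail.example.com to the VIP; outside clients
# arrive via the WAN:80 -> 198.51.100.1:80 port forward.
frontend http_vip
    bind 198.51.100.1:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# TLS is terminated here, on the VIP rather than the WAN address. Both inside
# and outside clients therefore see the same ACME certificate, and no NAT
# reflection is needed for the inside clients.
frontend https_vip
    bind 198.51.100.1:443 ssl crt /var/etc/haproxy/mail.example.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Select the backend on the TLS SNI so the same VIP can carry more names
    # later; unknown names fall through to the default.
    use_backend webmail if { ssl_fc_sni -i mail.example.com }
    default_backend webmail

# The mail server's webmail on the LAN. Plain HTTP to the backend is acceptable
# only if that LAN segment is trusted; otherwise re-encrypt with
# "ssl verify required ca-file <ca.pem>" on the server line.
backend webmail
    server mail01 192.168.10.25:80 check
```

To confirm the setup from the guest VLAN, resolve mail.example.com and check that it returns the VIP rather than the mail server's LAN address, then connect with `openssl s_client -connect mail.example.com:443 -servername mail.example.com` and verify that the certificate presented is the ACME one and that the chain validates. If the inside client still gets the mail server's own certificate, the split DNS entry is still pointing at the backend instead of the VIP.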
I was on summer break, hence the late reply. I guess I started with step 7.
Thanks for your reply! I will give it a try.