Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HAPROXY with reverse https from LAN to LAN

    Scheduled Pinned Locked Moved General pfSense Questions
    3 Posts 3 Posters 455 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      Tueurdragon
      last edited by

      Good morning all,

      Please excuse me for my English.

      I allow myself to ask for your help.
      I have a PFSENSE with HAPROXY which allows me to do reverse in HTTPS, I can access my web servers from the internet in HTTPS.
      For internal access, I use DNS RESOLVER which works fine, but I connect using HTTP.
      I wanted to know if there is a way to use HAPROXY to listen on the LAN and at the same time allow the use of SSL certificates for an internal HTTPS connection?

      Here is the topology of my network:
      VLAN LAN1 (internal) 192.168.10.0/24
      VLAN LAN2 (internal) 192.168.20.0/24
      VLAN WIFI1 (internal) 192.168.30.0/24
      VLAN DMZ1 (external) 10.1.1.0/24

      Goal :
      Access the various servers in the DMZ1 zone from LAN1, LAN2 and WIFI1 via HAPROXY to benefit from an HTTPS connection with the HAPROXY certificate.

      Here is the test performed:
      I created a FRONTEND in HAPROXY which listens to LAN1 and I modified DNSRESOLVER to point the domain name of my WEB servers towards the gateway of LAN1 (192.168.1.254).
      So far everything is working fine, on the other hand having several LANs this system is not functional, because I cannot map the DNSRESOLVER on the gateways of each subnet.

      Do you have any idea how to do this?

      Thank you in advance,

      1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8
        last edited by

        I don't think you can do it with unbound, even if you use "view" because the cache is shared between views
        you can do it with bind9 and view as the cache is not shared
        but maybe there is an easier solution to this

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        1 Reply Last reply Reply Quote 0
        • P
          PiBa
          last edited by

          I don't think you should create 5 frontends just to access 1 backend webserver, instead you might point the 'internal' DNS to the same public ip where haproxy is already listening.? Or perhaps just point them all to the same LAN1-IP ?

          Other option might be to create a 5th subnet with a 'virtual' ip-alias 192.168.40.1/24 on the lo0 loopback interface to listen on? That might make your firewall rules a bit simpler..

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.