    HAProxy : Shared Frontend: SSL and Non-SSL Backends?

    Cache/Proxy
    oguruma wrote:

      I have one public IP, and 3 different webservers behind a PfSense router. All 3 webservers are in a DMZ.

      One of the webservers is a development server, and it's basically just for toying around with different web designs. I rarely need SSL for these sites, since I'm never accessing them over the internet. Though, sometimes I do want SSL for when I have to login to the site over the internet.

      The other 2 webservers (a CRM and a Nextcloud instance) need SSL and to redirect http to https.

      I THINK I want to install the certificates on the PfSense box, and I don't THINK I need encryption from the proxy to the webservers (there's not much of an opportunity to snoop, anyway).

      I am getting myself cross-eyed on how to set up the back/front-ends and make everything play nice.

    Clarence wrote:

        Hi oguruma,

        I am by no means an expert on the topic but what you described in your post is exactly the kind of setup I have successfully deployed at home.
        You are right in assuming that you do not need SSL for the communication between HAProxy and the servers themselves.
        It's a home brew setup... you're not a bank with strict security guidelines you have to adhere to. 😉

        General outline of my setup on PfSense:

        • ACME Certificates - automatically renews the Let's Encrypt certificate for my domain (Domain Service Provider: DynuDNS)
          wildcard dns records are not supported by every service but I find it seriously cool
          This video helped me with the initial setup: https://www.youtube.com/watch?v=jpyUm53we-Y
          I needed to add CAA records for Let's Encrypt and TXT records for both my "root" domain and the wildcard domain (for all subdomains) as part of the verification process during certificate renewal. This is required to prove that you are the owner of the domain. There are alternative verification methods to choose from.
          Example CAA records:
          [image: screenshot of example CAA records]

        • Dynamic DNS Service - update A records when your public IP address changes if you have a dynamic one.
          This is what my cron job to check my IP every 5 minutes looks like:
          [image: screenshot of the cron job]

        • HAProxy - use this tutorial to setup a shared https frontend accompanied by an automatic http→https redirect:
          https://www.youtube.com/watch?v=7WiZ1i2u-Lc

        For added security on the frontend I'd recommend adding these options to "Advanced pass thru" under "Advanced settings":
        http-response set-header X-Xss-Protection 1;\ mode=block
        http-response set-header X-Content-Type-Options nosniff
        http-response set-header X-Robots-Tag noindex
        http-response set-header X-Frame-Options SAMEORIGIN
        http-response set-header Referrer-Policy same-origin

        The shared https frontend will then basically be the only contact point with the internet and contain your certificate, so that you never ever again have to worry about updating certificates for each individual server. 😃

        If you'd like some more pointers on for instance how to make a server accessible through the reverse proxy via "servicesubdomain.domain.tld" but deny all access to said server from the internet just let me know.

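As an added example (not Clarence's setup and not the configuration the pfSense HAProxy package generates), here is the same design written as a plain HAProxy config: one http→https redirect frontend, one shared HTTPS frontend that terminates TLS and routes on the Host header, and three backends reached over plain HTTP in the DMZ. Hostnames, DMZ addresses and the certificate path are placeholders.

```haproxy
# Added example, not from the thread. Hostnames, DMZ addresses and the
# certificate path are placeholders; the pfSense HAProxy package builds the
# equivalent config from its GUI fields.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    option forwardfor          # pass the real client IP as X-Forwarded-For
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP frontend: its only job is to bounce every request to HTTPS.
frontend http_in
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }

# Shared HTTPS frontend: TLS terminates here with the wildcard certificate,
# then the Host header decides which DMZ server gets the request.
frontend https_in
    bind :443 ssl crt /var/etc/haproxy/wildcard.example.com.pem alpn h2,http/1.1
    # Let backends know the client arrived over TLS (Nextcloud and most CRMs
    # use this to generate https:// links instead of http://).
    http-request set-header X-Forwarded-Proto https
    # Hardening headers from the post above, applied to every backend at once.
    http-response set-header X-Xss-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header X-Robots-Tag noindex
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header Referrer-Policy same-origin
    # Route by hostname; anything else gets a 404 rather than a default server.
    acl host_crm   hdr(host) -i crm.example.com
    acl host_cloud hdr(host) -i cloud.example.com
    acl host_dev   hdr(host) -i dev.example.com
    http-request deny deny_status 404 unless host_crm || host_cloud || host_dev
    use_backend crm_backend   if host_crm
    use_backend cloud_backend if host_cloud
    use_backend dev_backend   if host_dev

# Backends are reached over plain HTTP inside the DMZ, as discussed above.
backend crm_backend
    server crm   10.0.10.11:80 check
backend cloud_backend
    server cloud 10.0.10.12:80 check
backend dev_backend
    server dev   10.0.10.13:80 check
```

In the pfSense GUI the same pieces map to one shared frontend with host-matching ACLs and "use backend" actions, three backends, and the "Advanced pass thru" box for the header lines.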