SSH via HAproxy?
I'm really loving the security and versatility of pfSense! However, I hit a slight snag.
I'm currently running multiple web servers behind the firewall. As such, I'm using HAproxy as a reverse proxy with ACL/SNI rules configured to route to the appropriate backends depending on domain name. It works GREAT as is. But, I now have others working remotely and I need to get them SSH access from outside my network, rather than setting up VPN access to the internal network(s).
Is there any documentation available for setting up HAproxy inside pfSense to use for SSH access via SNI? If not, could someone please assist in configuring it?
After doing a little digging, I found this on the HAproxy site. It is exactly what I am trying to achieve in my network. Specifically, I would like to keep a single external port open, like 17822, then be able to access each machine by machine/domain name. I.e. ssh firstname.lastname@example.org -p 17822, and have that forward to port 22 via the backend.
I believe the setup I need is similar to the 3rd one mentioned: Route the connections to a specific server using its internal DNS name. Since pfSense is my DNS server, I think this will do. Can anyone offer some guidance with regard to applying similar settings to HAproxy in pfSense? Can a config file be easily altered manually?
Does nobody have any information on advanced HAproxy configuration inside pfSense?
@pits_king I'm going to setup something similarly, but regulated! I don't think you can do it like you want it to. From a security perspective I would not do it like you describe.
My plan was to use:
- Radius (at least use some sort of user authentication)
- Wireguard (OpenVPN as backup)
- Dedicated rules + VLAN (do the remote workers have a fixed IP address?)
- ACME certificates
- DNS Resolver with host overrides
See also Youtube 'Lawrence Systems' @ https://www.youtube.com/channel/UCHkYOD-3fZbuGhwsADBd9ZQ he explains a lot.
Thanks for your response. Yes, Lawrence Systems is how I initially discovered pfSense a few years ago! He's definitely very knowledgeable. I also followed several parts of this guide by "nguvu." I do already have a "roadwarrior VPN" running via OpenVPN, as Wireguard wasn't an available package upon initial configuration.
Just to be clear, it's a home network and the project is between activists. It's more of a hobby than a corporate venture. The web servers are on a VLAN which is basically a DMZ. I was the one doing the initial configuration, so having access for myself wasn't an issue. Even remotely, the RWVPN gets me right in.
Now, a couple of friends are jumping in. I understand the inherent risks of opening up public SSH access, but that is also where modifications to the sshd_config file can be made to enhance authentication. Being it's only a couple of "outsiders" being granted access, it's never been a thought to configure a RADIUS server! Would be good practice, but a bit overkill! And no, to the best of my knowledge, they would either be working from a residential line or their cell phone, so I would assume their IPs will be dynamic.
In reality, I look at it like I would if I was purchasing a VPS package through a hosting company. The servers are fully exposed, in a 1:1 NAT. However, to minimize security threats, they change the SSH port. 7822 comes to mind with one company I've used. Yes, someone with a port scanner will see it's open, but their being able to get in is going to be very difficult if your security is tight.
Ideally, I want to make it easy for them, using a domain name. I know I can apply a couple of port forwarding rules and call it a day, but I would like to use pfSense/HAproxy to its full potential.
@pits_king You can install the FreeRadius3 package on pfSense (See Lawrence!). Eligible for up to 500 users (depending on hardware specifications of course).
If single pfSense install snort or suricata for IDS/IPS alongside pfBlockerNG. Open up a high numbered port on your firewall for use with SSH/VLAN rules and configure HAProxy accordingly. The package HAProxy on pfSense is the same as your previously mentioned guide. That shouldn't make a difference. Dedicated login authentication via FreeRADIUS3. Even OpenVPN can be used with the FreeRADIUS3 pfSense package.
See it as
Frontdoor = pfSense + packages
Backdoor = HAProxy + webservices
I do not pretend that I know it all. Far from. Just thinking out loud now.
@rle, I'll definitely look more into RADIUS.
I guess I forgot to mention the fact that I have HAproxy up and running, but it's currently only working for HTTP and HTTPS on ports 80 and 443, respectively. I'm also already running Snort with the paid rules set. I understand Suricata is somewhat better with Layer 7 app detection. Specifically, it can identify HTTP and SSH traffic on non-standard ports, which would likely be more beneficial in this use case now that you mention it.
Trust me, I'm the same way! I'm learning as I go here! :-)