How to modify the TLS on the WAN network
-
Hi to everyone,
Hope to find you well and healthy.
One of our public IPs is managed with pfSense.
According to SSL Labs, this IP address still has TLS 1.0, TLS 1.1 and SSL 3 active.
Unfortunately, we cannot deactivate these TLS versions on the server because of cost limits.
Is there some method to block TLS 1.0 and 1.1 communication to the WAN only externally, from pfSense?
Let me know if you need more details about our issue.
I'm new to this forum, so don't hesitate to correct me if I wrote something wrong or in the wrong way.
Best Regards. -
@ion so you have a server behind pfSense that you allow through pfSense, or port forward to, and you cannot modify the HTTPS of this server to prevent the old TLS versions.
A simple solution to this would be using the haproxy package (reverse proxy) and doing SSL offloading; this way haproxy will handle the SSL and you can limit it to only the current 1.2 and 1.3 versions of TLS.
edit: the example here is a service I have behind haproxy on pfSense. Only 1.3 and 1.2 are available. I would limit it to only 1.3, but if you do then you cannot get the A+ score ;)
edit: it seems if you limit to only 1.3 you can only get an A vs A+ ;)
edit2: btw, moved this to General; it could maybe have gone to the proxy section, but this was more a general question with haproxy being a solution, and not really a routing/multi-WAN sort of question. Welcome to the forums btw!
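The TLS cap johnpoz describes, written out as the equivalent raw haproxy.cfg (an added example, not configuration from this thread or from the pfSense package; on pfSense the package GUI generates this file for you). It assumes the existing WAN port forward to the server is replaced by this frontend, and the certificate path and backend address are placeholders.

```haproxy
# Added example: HAProxy terminates TLS on the WAN side in front of a
# server whose own HTTPS stack cannot be changed. Certificate path and
# backend address are placeholders, not values from the thread.
global
    # Refuse every handshake below TLS 1.2 on all bind lines by default,
    # so SSL 3 / TLS 1.0 / TLS 1.1 from the WAN never reach the server
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # TLS 1.2 cipher list (TLS 1.3 suites are configured separately below)
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend public_https
    # WAN side: clients negotiate TLS with HAProxy, which holds the certificate.
    # ssl-min-ver here repeats the global default explicitly for this bind.
    bind :443 ssl crt /var/etc/haproxy/placeholder-cert.pem ssl-min-ver TLSv1.2
    # Plain HTTP is accepted only to redirect it to HTTPS
    bind :80
    http-request redirect scheme https unless { ssl_fc }
    # HSTS, which SSL Labs also takes into account in its grade
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend legacy_server

backend legacy_server
    # LAN side: re-encrypt to the old server. Its weak TLS versions are no
    # longer exposed because only HAProxy connects to it from this path.
    # "verify none" tolerates a self-signed backend certificate; prefer
    # "verify required ca-file <ca>" when the backend has a trusted chain.
    server web1 192.0.2.10:443 ssl verify none check
```

After applying it, a fresh SSL Labs scan of the public IP should list only TLS 1.2 and 1.3 as offered protocols.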
-
@johnpoz Hi, it seems to be the right way to solve the issue. Is there some guide for the integration of haproxy with pfSense?
-
Our own guide is a little old at this point but still valid:
https://docs.netgate.com/pfsense/en/latest/packages/haproxy.html
Steve