HTTPS to PfSense and HTTP after? possible?
-
OK, ive got a weird or unique setup apparently (i can not, for the life of me, find any written examples of how to get working what im trying to do)...
Anyway, ive since given up trying to get end to end SSL and have decided, maybe the issue lies in the NAS not passing certs correctly. ANYWAY, is there a way to have all traffic coming in until it hits the PfSense box to travel as SSL (HTTPS) and then travel locally as simple HTTP traffic?
(FOr the record, setup is PfSense, TrueNAS Scale NAS that then runs Kubernetes pods. Ive had a H*LL of a time gettting HTTPS traffic to make it any further than the TrueNAS machine itself (HTTP traffic is easy).
Im also not sure that this question belongs here, but i didnt see an SSL category... maybe proxy? (feel free to move)
-
@menethoran
You're looking for the HAproxy package (reverse proxy). You can install it from the package manager and configure it to do TLS offloading. -
@viragomann unfortunately, no... HAProxy breaks something or something is broken while using HAProxy and TrueNAS Scale apps (ive been beating this thing with a sledge hammer for like 3 weeks now :) )
BUT!!! I did just make some progress. I can connect via HTTPS, but it says its not secured, and it reveals local IP address... (and i can only connect from another local machine)... for now :)
-
also odd. When i try to connect to cloud.mydomain.com ill get an error that 192.168.2.2 took too long to respond. (when connecting from an outside connection, internally it resolves perfectly)
-
@menethoran
When you don't want to let a proxy do the TLS stuff you have to setup your NAS properly to do it.Are you sure, your NAS is responding to outside connections even without TLS?
-
@viragomann i think the NAS isnt set up correctly (I think...)
but that also stems from the fact that i can easily have HAProxy handle HTTP traffic to it without any issues. My issues only arise when i start trying to secure the connection.
-
@menethoran
HAproxy only needs the SSL certificate which is matching to the hostname wich you type in the web browser is to handle TLS.Do you have a proper cert?
-
@viragomann yes, through ACME, set for the full domain name (cloud.mydomain.org) and also carried into the app (kubernetes pod) itself.
-
@menethoran and, ive tried reaching out to the truecharts team (the creators of the truenas scale applications, but, they are not... um... good at this kind of thing (is the best possible way i can put it). Theyre all "follow the video, click this button" kind of people, with i think, only 1 dev that understands the interplay between their pods and truenas...
-
@menethoran said in HTTPS to PfSense and HTTP after? possible?:
When i try to connect to cloud.mydomain.com ill get an error that 192.168.2.2 took too long to respond. (when connecting from an outside connection
192.168.2.2 from outside?
From outside your network you will have to connect to the public IP. -
@viragomann my mistake, i think i was seeing a latent error message (just hanging around from chrome) on my phone. trying to connect via firefox gives a 521 error (if my cloudflare SSL/TLS is set to flexible) and just seems to hang, eventually timing out, but not before it looks like it resolves the address to reflect my internal address ie: i connect to https://cloud.mydomain.com, long delay, address changes to https://192.168.2.2:9443/login and then times out) (if i have the SSL/TLS settings in cloudflare set to FULL)
so, it LOOKS like the traffic is being routed to where its supposed to go, but not sure why its translating the address to the internal one
-
@menethoran said in HTTPS to PfSense and HTTP after? possible?:
https://192.168.2.2:9443
And this works from inside your network?
Why port 9443?
Did you consider to change the port for pfSense WebGUI to something else than 443?
-
@viragomann no, i cant connect to 192.168.2.2:9443 from outside my network. Sorry, i think i phrased something wrong.
If i try to connect to https://cloud.mydomain.com the address bar will convert that to https://192.168.2.2:9443/login when it times out (like its hitting HAProxy or my NAT settings and translating it correctly but now actually hitting the pod on the NAS.and its set to 9443 becausevfor some stupid reason, ports lower than 9000 cant be assigned when creating the pods (that may be changed at a later date, but i assume its to keep people from using ports that the NAS does, who knows what happens in the minds of devs)
-
@viragomann and yes, my PfSense web interface is on 8443.
-
@menethoran said in HTTPS to PfSense and HTTP after? possible?:
no, i cant connect to 192.168.2.2:9443 from outside my network
I was asking for inside connection.
and its set to 9443 becausevfor some stupid reason, ports lower than 9000 cant be assigned when creating the pods (that may be changed at a later date, but i assume its to keep people from using ports that the NAS does, who knows what happens in the minds of devs)
So you connect to port 443 from the internet and forward it to port 9443 on your web server?
-
@menethoran i should also say, ive tried using traefik (as a pod) but, honestly, im completely lost with the way it integrates (because it was "designed" as a pod for truenas by truecharts, they do all the backend stuff and there are no ways that ive found to change anything in traefik by its GUI, and there is no access to the backend (cli), so, ive kind of disregarded it as a usable piece of software. at least for now. So, im trying to get PfSense/HAProxy to work correctly with the NAS and its pods
-
@viragomann yes, i can connect perfectly fine to https://192.168.2.2:9443 from inside my network. I can even connect to https://cloud.mydomain.com from inside my own network and it translates to https://192.168.2.2:9443 perfectly fine and everything works.
And yes, my PfSense is set up to forward connections coming in as https straight to 192.168.2.2:9443... but only works from inside my network.
(Or, i have HA Proxy set up to handle it... )
-
@menethoran
Consider to check your SSL settings with an online checker, e.g. https://www.ssllabs.com/ssltest, to get an idea what's wrong with it. -
@viragomann not entirely sure what the test tells me...
-
@menethoran
This is a test history for cloud.rndtech.org. So this host name was already tested on SSL Labs.
Is this your own domain? Or do you have a subdomain within this?