Netgate Discussion Forum

HAProxy: shared frontends - how to do SSL offloading and SNI forwarding

  • S
    smalldragoon
    last edited by Apr 28, 2022, 12:33 PM

    Hi,
    I started a first topic here if you want to understand more context about my problem.
    So currently, I would need to redirect 3 addresses based on SNI and do SSL termination on a 4th one, redirecting the connection to an internal host in HTTP (non-SSL) on port 80.
    From my previous post and research, it seems that my solution is shared frontends.
    Here is a recap of my need:

    I have 1 single public IP address,
    I need the following at the same time:

    I have a domain, smalldragoon.com, where

    A1 - A.smalldragoon.com, B.smalldragoon.com, C.smalldragoon.com need to be forwarded to an internal host which is managing the SSL connection (equivalent to my old config, which was just port forwarding of 443)
    A2 - D.smalldragoon.com needs to have its SSL communication terminated on pfSense and redirected to an internal host which is running on port 80 (so not in HTTPS, it is a basic website).
    Ex: https://D.smalldragoon.com redirects to http://192.168.1.1:80

    First question maybe: is this possible? (I tried some config, cf. my previous post for screenshots, but it doesn't seem to work)

    Thanks!

    • N
      nasheayahu @smalldragoon
      last edited by nasheayahu May 5, 2022, 5:50 PM May 5, 2022, 5:47 PM

      @smalldragoon this is what my infrastructure looks like:

      Infrastructure Diagram

      and I have 4 certs, 3 singles and a wildcard: kohanyim.com, www.kohanyim.com and two others. These certs are used to encrypt my network and my 4 public web servers. It took me a while to figure out how to separate and point both kohanyim sites to their own server without trying to figure out how to get Shared Frontend to work (never did), but after listening to How To Setup ACME, Let's Encrypt, and HAProxy HTTPS offloading on pfsense several times I finally got it.

      What it took for me to get this to work was:

      1. You need your default SSL Offloading / Certificate. I use the wildcard cert, and make sure "Add ACL for certificate Subject Alternative Names" is checked.
      2. Add SSL Offloading / Additional certificates, the single cert. NOTE: This is what I needed to get this to work!

      The video explains why this portion is important and I hope this helps.

      • S
        smalldragoon @nasheayahu
        last edited by May 6, 2022, 3:12 PM

        @nasheayahu Thanks a lot for this, it looks very detailed. I will work on this and get back to you with the outcome.
        Thanks
        Lionel
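
The layout asked about in the first post (A1 passthrough by SNI, A2 TLS termination to an HTTP host), written as a raw haproxy.cfg sketch. This is an added example, not part of the thread and not a pfSense GUI export or either poster's configuration; the frontend/backend names, the certificate path, port 8443 and the 192.168.1.50 address are assumptions.

```haproxy
# Added example; names, paths and the 192.168.1.50 address are placeholders.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public listener: TCP mode, reads only the cleartext SNI in the ClientHello.
# SNI is client-supplied, so it is used for routing only, never as authentication.
frontend fe_public_443
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # A1: TLS stays end to end; the internal host keeps its own keys and certs.
    use_backend be_passthrough if { req_ssl_sni -i A.smalldragoon.com B.smalldragoon.com C.smalldragoon.com }
    # A2: hand D to the local TLS-terminating frontend below.
    use_backend be_to_offload  if { req_ssl_sni -i D.smalldragoon.com }
    # No default_backend: any other SNI is not forwarded to a server.

backend be_passthrough
    mode tcp
    server internal_tls 192.168.1.50:443 check    # placeholder address

backend be_to_offload
    mode tcp
    # PROXY protocol carries the real client IP across the loopback hop.
    server offload 127.0.0.1:8443 send-proxy-v2

# Loopback listener: terminates TLS for D only.
frontend fe_offload_d
    mode http
    # strict-sni refuses handshakes whose SNI does not match the loaded cert.
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/D.smalldragoon.com.pem strict-sni accept-proxy
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend be_d_http

backend be_d_http
    mode http
    # This hop is cleartext HTTP on the LAN, as in the original request.
    server web_d 192.168.1.1:80 check
```

The syntax can be checked with `haproxy -c -f <file>` once the certificate file exists at the configured path.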
