HAProxy: shared frontends - how to do SSL offloading and SNI forwarding
-
Hi,
I started a first topic here if you want to understand more context about my problem.
So currently, I would need to redirect 3 addresses based on SNI and do SSL termination on a 4th one, redirecting the connection to an internal host in HTTP (non-SSL) on port 80.
From previous posts and research, it seems that my solution is shared frontends.
Here is a recap of my need:
I have 1 single public IP address.
I need the following at the same time:
I have a domain, smalldragoon.com, where
A1 - A.smalldragoon.com, B.smalldragoon.com, C.smalldragoon.com need to be forwarded to an internal host which is managing the SSL connection (equivalent to my old config, which was just port forwarding of 443)
A2 - D.smalldragoon.com needs to have its SSL communication terminated on pfSense and redirected to an internal host which is running on port 80 (so not in HTTPS, it is a basic website).
Ex: https://D.smalldragoon.com redirects to http://192.168.1.1:80
First question maybe: is this possible? (I tried some configs, cf. my previous post for screenshots, but it doesn't seem to work.)
Thanks!
-
@smalldragoon this is what my infrastructure looks like:
and I have 4 Certs, 3 Singles and a Wildcard, kohanyim.com, www.kohanyim.com and two others. These Certs are used to encrypt my network and my 4 public web servers. It took me a while to figure out how to separate and point both kohanyim sites to their own server without trying to figure out how to get Shared Frontend to work (never did), but after listening to "How To Setup ACME, Let's Encrypt, and HAProxy HTTPS offloading on pfsense" several times I finally got it.
For me to get this to work was:
- Need your default SSL Offloading / Certificate, I use the Wildcard Cert and make sure "Add ACL for certificate Subject Alternative Names" is checked.
- Add SSL Offloading / Additional certificates, the Single Cert. NOTE: This is what I needed to get this to work!
The video explains why this portion is important and I hope this helps.
-
@nasheayahu Thanks a lot for this, it looks very detailed. I will work on this and get back to you with the outcome.
Thanks
Lionel
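
The layout asked for in the first post (A1: SNI passthrough for A/B/C, A2: TLS termination for D in front of a plain-HTTP host), written as a plain haproxy.cfg sketch. This is an added example, not a configuration posted by anyone in the thread and not pfSense GUI output; the internal TLS host address, the certificate path and the loopback port are placeholder assumptions.

```haproxy
# Added example, not from the thread. Assumed placeholder values:
#   192.168.1.10:443  internal host that terminates TLS itself for A/B/C
#   /etc/haproxy/certs/d.smalldragoon.com.pem  certificate + key for D
#   127.0.0.1:8443    loopback hop between the two frontends
defaults
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Public listener in TCP mode: TLS is not decrypted here.
frontend fe_sni_443
    bind :443
    mode tcp
    # Wait for the TLS ClientHello so the SNI can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl sni_passthrough req.ssl_sni -i a.smalldragoon.com b.smalldragoon.com c.smalldragoon.com
    acl sni_offload     req.ssl_sni -i d.smalldragoon.com
    use_backend be_passthrough if sni_passthrough
    use_backend be_to_offload  if sni_offload
    # No default_backend: a connection with an unknown or missing SNI
    # matches no backend and is closed instead of reaching an internal host.

# A/B/C: encrypted stream forwarded untouched; the internal host holds the keys.
backend be_passthrough
    mode tcp
    server internal_tls 192.168.1.10:443 check

# D: still-encrypted stream handed to the local offloading frontend.
# PROXY protocol carries the real client address across the loopback hop.
backend be_to_offload
    mode tcp
    server local_offload 127.0.0.1:8443 send-proxy-v2

# TLS for D is terminated here; bound to loopback only.
frontend fe_offload_d
    bind 127.0.0.1:8443 accept-proxy ssl crt /etc/haproxy/certs/d.smalldragoon.com.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend be_d_http

# Plain HTTP to the internal web host from the first post.
backend be_d_http
    mode http
    server d_web 192.168.1.1:80 check
```

Traffic between the proxy and 192.168.1.1:80 is unencrypted, so that segment should be a trusted internal network.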