Using SSL offloading to access Services
Re: [HAProxy](Letsencrypt and synology)
I saw a very old thread that you guys were part of, and was hoping to get some input. I basically want to accomplish something, but I would like to do it the “correct way “.
Currently, I have a pfsense router using Acme and Let’s Encrypt and then use HAproxy for SSL offLoading.
I access my Synology externally
I access WebDAV externally
And a couple of other services
I also access (and allow friends and family) and Emby server that is located on the NAS
Each of these are on different subdomains of a domain that I will permanently own for my wife’s business.
It appears that ACME is doing the job of renewing the certificates that are only good for 90 days on the pfsense router, and thus the HAproxy set up.
Within Emby I had originally pointed to a pkcs#12 version of the certificate created by Acme within PFsense. (That did take an extra step, and sometimes left me a few days where friends or family would complain that the server was not accessible.)
I just found out that EMBY has a setting that tells the server to let “reverse proxy handle the SSL.
My question is, does the Synology NAS actually require me to keep a up to date (or any at all for that matter) version of the certificate on the NAS itself if HAproxy is handling the SSL offloading? If it does not, then I can quit worrying about having to transfer the certificates from pfsense to Synology. Is there some sort of setting in the Synology Nas where I need to tell Synology to let SSL be handled by the reverse proxy?
@ahole4sure no, it is not required if you're using SSL Offloading option on Haproxy frontend. In this case it is better to use http for backend (or issue some internal ssl cert on pfsense for your synology)