Netgate Discussion Forum

SSL offloading, accepting self-signed certs on LAN

Firewalling
11 Posts, 5 Posters, 2.5k Views
Slasky (last edited Feb 25, 2015, 7:49 AM)

Hello

I've recently gotten an approved cert on the webGUI, to get rid of the message about an insecure website, and to have a trusted CA create the certificate.

The question now is: is there a way to get pfSense to handle SSL offloading, so I can use self-signed certificates on the inside, while the public certificate handles the cryptography?

I have a NAS with a web server on it, and instead of going through the hassle of changing the certificate on that one, I thought I'd use pfSense to do this. That way the connection seems secure.

Does pfSense accept self-signed certificate traffic on the LAN side? Between the firewall and the NAS, that is?

Sorry if this is the wrong part of the forum.

Derelict LAYER 8 Netgate (last edited Feb 25, 2015, 9:36 AM)

No. WTH is "SSL Offloading?"

Slasky (last edited Feb 25, 2015, 10:47 AM)

Well, maybe not the correct term, but in theory, it should be the firewall handling all the SSL requests, and forwarding the requests as itself, acting as a proxy.

I know some firewalls/load balancers have this function; I was just wondering if pfSense had this ability.

I also know that some of these firewalls/load balancers don't accept self-signed certificates, as they don't trust the issuer.

jimp Rebel Alliance Developer Netgate (last edited Feb 25, 2015, 5:07 PM)

I'm not sure if what you want is strictly possible (or desirable), but the base system can't do it. A package like haproxy-devel may be able to.

SSL Offloading is a valid practice for a reverse proxy, but that would be something to ask in the packages board.

It may also be possible with squid3-reverse, apache+mod_security, etc., but haproxy-devel is probably the most stable web server proxy package out there.

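To make the "firewall terminates TLS and forwards as itself" idea from the posts above concrete, here is an added example haproxy.cfg. It is not from this thread and not the file the pfSense haproxy-devel package generates from its GUI; it is the plain HAProxy equivalent of the setup being discussed, and the IP address, hostname and file paths are assumptions. It shows both halves of the original question: the public, CA-issued certificate sits on the frontend, and the LAN hop to the NAS keeps the NAS's self-signed certificate but is still verified, by pinning that exact certificate as the backend's CA file (a self-signed certificate is its own issuer, so it validates against itself). The weak alternative, `verify none`, is included only for contrast.

```haproxy
# Added example (not from the thread or the pfSense package): TLS offloading
# on the firewall with re-encryption and certificate pinning towards the NAS.
# 192.168.1.10, nas.lan and the /var/etc/haproxy/ paths are assumed values.
global
    log /dev/log local0
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Public side: the CA-issued certificate is presented here. The .pem file holds
# the server certificate, any intermediate(s) and the private key concatenated,
# which is the layout HAProxy's "crt" keyword expects.
frontend public_https
    bind :443 ssl crt /var/etc/haproxy/public-cert.pem
    http-request set-header X-Forwarded-Proto https
    default_backend nas_web

# LAN side: the NAS keeps its self-signed certificate. Pointing ca-file at a
# copy of that certificate pins it: HAProxy will only talk to a backend that
# presents exactly this certificate (or one it signed), and verifyhost checks
# that the name in it matches. Any other cert, including a different
# self-signed one, is rejected, so the inside hop is both encrypted and
# authenticated.
backend nas_web
    server nas1 192.168.1.10:443 ssl verify required ca-file /var/etc/haproxy/nas-selfsigned.crt verifyhost nas.lan

# Weak setting, shown only for contrast. "verify none" is the usual quick fix
# for "the proxy doesn't trust my self-signed cert", but it makes HAProxy
# accept any certificate at all on the backend: the LAN leg is encrypted yet
# anyone who can answer on 192.168.1.10:443 is accepted as the NAS.
#   server nas1 192.168.1.10:443 ssl verify none
```

Getting HAProxy to accept the NAS certificate thus does not require a trusted issuer: exporting the NAS's self-signed certificate and handing it to HAProxy as the CA file for that one server is enough, and it is stricter than trusting a public CA because only that single certificate is accepted. The cipher and protocol restrictions in `global` are there to keep the public listener from offering SSLv3 and early TLS; adjust them to whatever the clients in use actually need.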
Slasky (last edited Feb 25, 2015, 6:30 PM)

Ah ok. Thanks for the info and clarification :)

Slasky (last edited Feb 25, 2015, 8:46 PM)

HAProxy-Devel did exactly what I wanted. The only problem is that pfSense won't allow using the same cert on the webConfigurator and the HAProxy frontend.

So now I only have to choose which service is approved by a public certificate, or whether or not I'm going to buy another cert :P

Again, thanks for your help

heper (last edited Feb 25, 2015, 10:34 PM)

You could get a free SSL cert for your non-public services (like the pfSense webGUI) at StartSSL... only valid for a year though.

Slasky (last edited Feb 26, 2015, 7:32 AM)

Been there, tried that. Managed to botch my certificate, so it won't work with pfSense.

But thanks for the tip though :)

PiBa (last edited Feb 26, 2015, 7:36 PM)

How do you mean, "pfSense won't allow using the same cert on the webConfigurator and the HAProxy frontend"?
Seems possible to me?

Slasky (last edited Feb 26, 2015, 8:45 PM)

When I choose the certificate for the webConfigurator, it won't show in the HAProxy Frontend config tab.

So I guess pfSense or HAProxy doesn't allow the same cert to be used on both listeners.

I bought another cert for a subdomain and used that for the pfSense webConfigurator instead.

PiBa (last edited Feb 26, 2015, 9:11 PM)

Hmm, I see what you mean; indeed, haproxy filters out the webGUI cert. I think I only intended to filter out the 'webConfigurator default' cert, as that specific cert is useless for normal use. I can't think of a good reason to not allow a wildcard cert to get configured on both haproxy and the webGUI. I'll change that in the next version.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.