SSL offloading, accepting self-signed certs on LAN

Derelict · Feb 25, 2015, 9:36 AM

No. WTH is "SSL Offloading?"

Slasky · Feb 25, 2015, 10:47 AM

Well maybe not the correct term, but in theory, it should be the firewall handling all the SSL requests, and send forward the requests as itself, acting as a Proxy.

I know some firewall/load balancers has this function, was just wondering if pfsense had this ability.

I also know that some of these firewalls/load balancers doesn't Accept self-signed certificates as they doesn't trust the issuer.

jimp · Feb 25, 2015, 5:07 PM

I'm not sure if what you want is strictly possible (or desirable) but the base system can't do it. A package like haproxy-devel may be able to.

SSL Offloading is a valid practice for a reverse proxy, but that would be something to ask in the packages board.

It may also be possible with squid3-reverse, apache+mod_security, etc, but haproxy-devel is probably the most stable web server proxy package out there.

Slasky · Feb 25, 2015, 6:30 PM

Ah ok. Thanks for the info and clarification :)

Slasky · Feb 25, 2015, 8:46 PM

HAProxy-Devel did excactly what I wanted. The only problem is that pfsense wont allow using the same cert on the webconfigurator and the HAProxy frontend.

So now I only have to choose which service is approved by a Public certificate, or wether or not i'm going to buy another cert :P

Again, thanks for Your help

heper · Feb 25, 2015, 10:34 PM

you could get a free ssl cert for you non-public services (like pfsense webgui) at startssl …. only valid for a year tho

Slasky · Feb 26, 2015, 7:32 AM

Been there, tried that. Managed to botch my certificate, so it won't work With pfsense.

But thanks for the tip tho :)

PiBa · Feb 26, 2015, 7:36 PM

How do you mean? "pfsense wont allow using the same cert on the webconfigurator and the HAProxy frontend"
Seems possible to me?

Slasky · Feb 26, 2015, 8:45 PM

When I choose the certificate for the webConfigurator, it wont show in the HA-Proxy FrontEnd config tab.

So I Guess pfsense or HAProxy doesn't allow the same cert to be used on both listeners..

I bought another cert for a subdomain and used that for the pfsense webconfigurator instead.

PiBa · Feb 26, 2015, 9:11 PM

Hmm i see what you mean, indeed haproxy filters out the webgui cert.. i think i only intended to filter out the 'webConfigurator default' cert, as that specific cert is useless for normal use.. I cant think of a good reason to not allow a wildcard cert to get configured on both haproxy and webgui. Ill change that in next version..