Netgate Discussion Forum

SSL offloading, accepting self-signed certs on LAN

    Derelict LAYER 8 Netgate
    last edited by Feb 25, 2015, 9:36 AM

    No.  WTH is "SSL Offloading?"

      Slasky
      last edited by Feb 25, 2015, 10:47 AM

      Well, maybe not the correct term, but in theory, it should be the firewall handling all the SSL requests and forwarding the requests as itself, acting as a proxy.

      I know some firewalls/load balancers have this function, was just wondering if pfSense had this ability.

      I also know that some of these firewalls/load balancers don't accept self-signed certificates as they don't trust the issuer.

        jimp Rebel Alliance Developer Netgate
        last edited by Feb 25, 2015, 5:07 PM

        I'm not sure if what you want is strictly possible (or desirable) but the base system can't do it. A package like haproxy-devel may be able to.

        SSL Offloading is a valid practice for a reverse proxy, but that would be something to ask in the packages board.

        It may also be possible with squid3-reverse, apache+mod_security, etc, but haproxy-devel is probably the most stable web server proxy package out there.

          Slasky
          last edited by Feb 25, 2015, 6:30 PM

          Ah ok. Thanks for the info and clarification  :)

            Slasky
            last edited by Feb 25, 2015, 8:46 PM

            HAProxy-Devel did exactly what I wanted. The only problem is that pfSense won't allow using the same cert on the webConfigurator and the HAProxy frontend.

            So now I only have to choose which service is approved by a public certificate, or whether or not I'm going to buy another cert :P

            Again, thanks for your help

              heper
              last edited by Feb 25, 2015, 10:34 PM

              You could get a free SSL cert for your non-public services (like the pfSense webgui) at StartSSL … only valid for a year tho

                Slasky
                last edited by Feb 26, 2015, 7:32 AM

                Been there, tried that. Managed to botch my certificate, so it won't work with pfSense.

                But thanks for the tip tho :)

                  PiBa
                  last edited by Feb 26, 2015, 7:36 PM

                  How do you mean? "pfsense won't allow using the same cert on the webconfigurator and the HAProxy frontend"
                  Seems possible to me?

                    Slasky
                    last edited by Feb 26, 2015, 8:45 PM

                    When I choose the certificate for the webConfigurator, it won't show in the HA-Proxy FrontEnd config tab.

                    So I guess pfSense or HAProxy doesn't allow the same cert to be used on both listeners.

                    I bought another cert for a subdomain and used that for the pfsense webconfigurator instead.

                      PiBa
                      last edited by Feb 26, 2015, 9:11 PM

                      Hmm, I see what you mean, indeed haproxy filters out the webgui cert. I think I only intended to filter out the 'webConfigurator default' cert, as that specific cert is useless for normal use. I can't think of a good reason to not allow a wildcard cert to get configured on both haproxy and webgui. I'll change that in the next version.
