HAProxy and other protocols, e.g. SMB and SSH

I have set up HAProxy and ACME for internal SSL certs. During that process, DNS overrides were created to point all my hostnames at HAProxy/pfSense. Those same hostnames are the actual hostnames of the servers and I used to use them for other protocols like SSH and SMB. Obviously, those no longer work and I’m using IP addresses for the time being. Is there any solution to this where I can continue to use the same hostnames that are now used for https or do I just need to create secondary “host names/DNS overrides” for servers where I use SMB and SSH as well?

The goal is to not have to use IP addresses for these things because they can be hard to remember, cumbersome to type, and they do not look as nice.

I’d just ditch HAProxy. This is the most overused & dangerous package in the pfSense repo. Less is more.

1 Like

If I remove it, I no longer have properly signed SSL Certs for my services on my local network. How is it dangerous if it’s internal only?

HAProxy is great and extremely flexible. I don’t run it on pfSense, so I don’t remember which options that interface exposes (if that’s what you’re using), but you should be able to proxy any TCP connection, including ssh and smb.

One thing to think about: you probably don’t want smb on the internet, so make sure you don’t have any public dns entries that will resolve your smb shares.

There may be other ways to achieve the workflow you’re after. For example, in my network I use HAProxy only for web services that need to be or may need to be publicly accessible. Internal-only services that aren’t web-based, I use an internal domain (so files.lan instead of files.example.com for an smb server).

For ssh, my preference is always the .ssh/config file. You can set aliases there that point to IP addresses or FQDNs and specify a bunch of other options. For example, if I want to ssh to my file server for some maintenance and I know it uses a specific key or even a specific set of ciphers, all that’s set in the config file and I just have to type ssh files.

2 Likes
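As an added example (not from the original thread or from pfSense’s HAProxy package), here is a stand-alone HAProxy configuration showing why HTTPS can share one hostname but SSH cannot. HTTPS requests carry the hostname (SNI in the TLS handshake, then the Host header), so one port 443 listener can fan out to several backends. SSH carries no hostname at all, so a `mode tcp` listener cannot tell files.example.com from media.example.com; the practical answer is one listener port per backend server. The hostnames, the 192.0.2.x addresses, the certificate directory and the ports 2222/2223 are all assumptions chosen for the illustration.

```haproxy
global
    log stdout format raw local0

defaults
    log     global
    timeout connect 5s
    timeout client  1h      # assumption: long idle SSH sessions should survive
    timeout server  1h

# --- HTTPS: TLS is terminated here with the ACME-issued certificates,
# so routing can use the Host header. One listener serves every hostname.
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/      # assumption: directory of PEM files
    http-request set-header X-Forwarded-Proto https
    use_backend files_web if { req.hdr(host) -i files.example.com }
    use_backend media_web if { req.hdr(host) -i media.example.com }
    default_backend files_web

backend files_web
    mode http
    server files 192.0.2.10:443 ssl verify none check   # assumption: backend speaks HTTPS

backend media_web
    mode http
    server media 192.0.2.11:443 ssl verify none check

# --- SSH: plain TCP pass-through. The SSH protocol sends no hostname,
# so HAProxy cannot route by name on a single port 22 listener.
# Each backend therefore gets its own listener port on the proxy.
frontend ssh_files
    mode tcp
    option tcplog
    bind :2222
    default_backend ssh_files_srv

backend ssh_files_srv
    mode tcp
    server files 192.0.2.10:22 check     # TCP-connect health check only

frontend ssh_media
    mode tcp
    option tcplog
    bind :2223
    default_backend ssh_media_srv

backend ssh_media_srv
    mode tcp
    server media 192.0.2.11:22 check
```

With this in place the hostname keeps resolving to HAProxy, and a ~/.ssh/config entry that sets `HostName files.example.com` and `Port 2222` under an alias such as `Host files` hides the non-standard port, as the post above describes. SMB has the same no-hostname problem, and the Windows SMB client only ever connects to port 445 (a UNC path cannot carry a port), so the per-port trick does not help there; for SMB a second hostname or a direct IP, as suggested elsewhere in the thread, is the realistic option.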

I would argue that any third party package that is only supported by volunteers shouldn’t be used on pfSense. That list includes Suricata/Snort/Squid, HAProxy.
You have to understand that these packages are maintained in the pfSense repo by volunteers, not by Netgate. That said, if there is a security issue with any one of those packages you are at the mercy of a volunteer; in the case of Squid there is no maintainer for the package in the pfSense repo.
HAProxy is a fine app in a very limited scenario if run on your firewall, but in reality there is no good justification to have this running in enterprise IT on a firewall.
My advice is to spin up a docker container of Nginx Proxy Manager or Traefik. Keep these things decoupled from your security appliance.

Very true, but the real mercy you are at is the attack surface that code runs on.

The elephant in the room is this crap all runs with zero isolation from the host. In today’s day and age this is totally unacceptable anywhere except the router. For this crucial component we ignore security best practices all in the name of easy.

Yes, I agree. Which is why I’m a huge advocate for not installing any 3rd party packages on a pfSense. It’s a giant liability. There is no guarantee that the code is secure (we trust Netgate is reviewing, but are they…?), as you mentioned the packages aren’t isolated from each other in any way, and it’s all volunteer supported, which is just a disaster waiting to happen.
That said, if this is a home lab then install away, but under no circumstance should any of these packages be installed on an edge firewall…