Hello, I have a problem understanding something.
I now have HAProxy running with Let's Encrypt to distribute a wildcard SSL certificate internally.
But what I don't understand is the issue with the DNS entry.
As in the YouTube video, I made a host override.
Internally this points the server name to the IP of the pfSense, so you can't reach the server internally by its DNS name any more. HTTPS via the pfSense to the server now works, but none of the other services I want to reach via the DNS name work, because that name now resolves to the pfSense's LAN address.
Is there another possibility?
Or do I have to work with virtual names?
I would appreciate a tip.
Translated with DeepL
Use tools on each device, such as dig, to figure out if the pfSense is responding with the correct DNS. If it is, then test whether HAProxy is responding correctly.
Hello, HAProxy works; what no longer works is the internal DNS resolution, which I had to override.
Example: server internal IP 192.168.178.10, name prox.domain.de.
New DNS entry, so that HAProxy works for DNSName:443: 192.168.178.1, which is the address of the pfSense.
Now I can no longer SSH by the DNS name, because it ends up on the pfSense.
Is there another way to handle this, or do I have to create virtual names for it?
Hello Markus, there is no way around separate names. You should consider separating service names from server names.

That means each server has a local name (it may, but does not have to, be a subdomain of your publicly resolvable domain, e.g. server1.domain.de; it can also be a subdomain within your local network's domain, e.g. server1.lan). This is the name you use for accessing your server internally, e.g. via SSH.

Then you assign names to your services. If service1.domain.de happened to be hosted on server1.lan, then the internal DNS entry for it would point to the IP of server1.lan. In your case, service1.domain.de is proxied through HAProxy, so its internal DNS entry should point to your pfSense's IP. HAProxy can then use either server1.lan's name or its IP address for the upstream connection.

Combine that with an external (publicly resolvable) DNS entry for service1.domain.de that points to the router's WAN address and you have split DNS.
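To make the service-name/server-name split concrete, here is a constructed haproxy.cfg fragment (an added example, not the thread's or the pfSense package's own configuration). It assumes the names and addresses from the thread: the service name prox.domain.de resolves internally to the pfSense LAN address 192.168.178.1 via a host override and externally to the WAN address, while the server name server1.lan resolves to 192.168.178.10 and is never overridden. The certificate path, upstream port and CA file are placeholders.

```haproxy
# Constructed example. Assumptions:
#   service name  prox.domain.de -> 192.168.178.1 internally (host override),
#                                   WAN address externally (public A record)
#   server name   server1.lan    -> 192.168.178.10, never overridden
#   wildcard cert path, upstream port and CA file are placeholders

global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode    http
    log     global
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# TLS terminates on the pfSense LAN address with the wildcard certificate.
# External clients reach the same frontend through the WAN address; add a
# second bind line for it if the service is meant to be public.
frontend https_in
    bind 192.168.178.1:443 ssl crt /var/etc/haproxy/wildcard.domain.de.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Route on the *service* name the client asked for (port stripped).
    # Unknown names are refused rather than falling through to a default
    # backend, so only names you deliberately published are reachable.
    acl host_prox req.hdr(host),field(1,:) -i prox.domain.de
    use_backend be_prox if host_prox
    http-request deny

# The upstream is addressed by the *server* name (or its IP). Because that
# name is not overridden, SSH and other direct access by name keep working;
# only prox.domain.de is steered through HAProxy.
backend be_prox
    # Verify the upstream certificate against the internal CA that issued it.
    # "verify none" also works, but then any LAN host that can take over
    # server1.lan's address could impersonate the service to the proxy.
    server prox1 server1.lan:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem check
```

Two checks with dig confirm the split: from a LAN client, `dig @192.168.178.1 prox.domain.de +short` should return 192.168.178.1 and `dig @192.168.178.1 server1.lan +short` should return 192.168.178.10, while a query against a public resolver for prox.domain.de should return the WAN address. Note that HAProxy resolves server1.lan once at startup unless a `resolvers` section is configured, so using the IP address on the server line, as the answer above allows, avoids a dependency on the DNS Resolver being up when HAProxy starts.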
Thank you, then I have understood it correctly.