How to access pfsense GUI via hostname and let's encrypt

But your lockout rule is to port 10443 - shouldn’t it be 443?

In terms of your other servers within your LAN – do they all handle SSL certs individually? Reverse proxies in one aspect make SSL cert management easier if they terminate the SSL connections, since you can have all your certs on one computer. I understand however this isn’t always desired in some cases. Each of your servers should be accessible within your LAN by host-name and SSL compatible if you have a DNS override for each server registered on pfsense and your DHCP server from your clients resolves to pfsense first (or it’s the first server on the list).

In terms of trying to access your server on port 443 – from an internal computer – have you just tried wget https://pfsense.wbm4.com? What error message is it reporting? And just to make sure – do you have a host override for pfsense.wbm4.com within the DNS resolver or server settings? I use DNS resolver however it probably doesn’t make a difference.

It should, but when I change the port (in System / Advanced / Admin Access) to 443 I get locked out.

“…each server registered on FreeNAS.” Do you mean pfsense?

“…the first server on the list.” What list?

$ wget https://pfsense.wbm4.com
--2020-03-20 01:12:51--  https://pfsense.wbm4.com/
Resolving pfsense.wbm4.com (pfsense.wbm4.com)... 192.168.3.1
Connecting to pfsense.wbm4.com (pfsense.wbm4.com)|192.168.3.1|:443... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2020-03-20 01:12:51 ERROR 503: Service Unavailable.

And yes I do have a host override for pfsense.wbm4.com. If I delete it, I lose access to pfsense via https://pfsense.wbm4.com:10443. Only https://192.168.3.1:10443 works and the connection is not secure.

What is your client you are testing from – windows or linux? If linux: nmap --script broadcast-dhcp-discover -e eth0

Is there anything else listening on port 443 of your pfsense installation?

I changed my domain name in pfsense from localdomain to wbm3.com as per the following video:

Not sure why, but I can now delete the pfsense entry in host override and still have access to https://pfsense.wbm4.com:10443

I still need the 10443 though… blah.

$ sudo nmap --script broadcast-dhcp-discover -e eno1

Starting Nmap 7.01 ( https://nmap.org ) at 2020-03-20 02:36 CDT
Pre-scan script results:
| broadcast-dhcp-discover: 
|   Response 1 of 1: 
|     IP Offered: 192.168.3.114
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.3.1
|     IP Address Lease Time: 5m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.3.1
|     Domain Name Server: 192.168.3.1
|_    Domain Name: wbm4.com
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.55 seconds

I set my HA proxy up as per Tom’s video, so yeah 443 is used in my HA proxy. Here are the two places it is used:

[two screenshots of the HAProxy settings not reproduced]

This is most likely the source of my 443 problem, but I can’t figure out what needs to change in the webconfigurator, haproxy, and/or DNS resolver to make it all work the way I want.
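The DHCP check suggested earlier only matters if clients actually take their DNS server and search domain from pfSense, because the host overrides live in the resolver on pfSense. As an added example (not code from the thread, nmap or pfSense), the following script parses the plain-text output of `nmap --script broadcast-dhcp-discover`, using the DHCPOFFER posted above as a constructed sample, and checks that the first DNS server and the domain are the ones the host overrides depend on. It also reports whether more than one DHCP server answered, since a second server on the segment could hand clients different DNS settings. The expected values 192.168.3.1 and wbm4.com are assumptions taken from this thread’s network.

```python
"""Check that a DHCP lease on the LAN points clients at pfSense for DNS.

Added example; not code from the thread or from nmap/pfSense. It parses the
plain-text output of `nmap --script broadcast-dhcp-discover` and verifies the
DNS server and search domain that pfSense host overrides depend on. The
expected values 192.168.3.1 and wbm4.com are assumptions taken from the thread.
"""
import re

# Constructed sample: the nmap output posted in the thread.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2020-03-20 02:36 CDT
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.3.114
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.3.1
|     IP Address Lease Time: 5m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.3.1
|     Domain Name Server: 192.168.3.1
|_    Domain Name: wbm4.com
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.55 seconds
"""

# One "|   Key: value" line of the script's output table (the script name
# line contains hyphens and is deliberately not matched).
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z0-9 ]+?):\s*(.*)$")


def parse_dhcp_offers(text):
    """Return one dict per 'Response N of M' block, option values as lists."""
    offers = []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key.startswith("Response"):
            current = {}
            offers.append(current)
        elif current is not None and value:
            # Options that carry several values (DNS servers) are comma separated.
            current[key] = [v.strip() for v in value.split(",")]
    return offers


def check_offer(offer, expected_dns, expected_domain):
    """Return a list of problems; an empty list means clients taking this
    lease will query pfSense first, so its host overrides apply."""
    problems = []
    if offer.get("DHCP Message Type", [""])[0] != "DHCPOFFER":
        problems.append("response is not a DHCPOFFER")
    dns = offer.get("Domain Name Server", [])
    if not dns:
        problems.append("offer carries no DNS server option")
    elif dns[0] != expected_dns:
        problems.append(f"first DNS server is {dns[0]}, not {expected_dns}")
    domain = offer.get("Domain Name", [""])[0]
    if domain != expected_domain:
        problems.append(f"search domain is {domain!r}, expected {expected_domain!r}")
    return problems


def dhcp_servers_seen(offers):
    """Distinct Server Identifiers; more than one means a second DHCP server
    answered on the segment and may hand out different DNS settings."""
    return sorted({o.get("Server Identifier", ["?"])[0] for o in offers})


if __name__ == "__main__":
    offers = parse_dhcp_offers(SAMPLE_NMAP_OUTPUT)
    print("DHCP servers answering:", dhcp_servers_seen(offers))
    for n, offer in enumerate(offers, 1):
        problems = check_offer(offer, "192.168.3.1", "wbm4.com")
        print(f"offer {n}:", "OK" if not problems else "; ".join(problems))
```

Run it against your own capture by piping `sudo nmap --script broadcast-dhcp-discover -e <iface>` output into `SAMPLE_NMAP_OUTPUT`; a non-empty problem list explains why a host override works for one client and not another.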

I’ve just signed up to (hopefully) fix your issue. I don’t quite have this config in my lab for other reasons, but I think it should work, and from memory I have tried it in the past, but if I’m wrong, then I apologise in advance for talking nonsense and wasting your time.

As you have HA Proxy bound to 443 on your LAN, you can’t have pfSense also bound to 443, as that would mean two services are using the same IP and the same port, which is not possible, as you’ve found out.

However, I believe there is a way around this issue.

Under Firewall - Virtual IPs create a new IP alias, something like 192.168.3.30 (make sure that it’s not in use and outside of your DHCP range etc.) on the LAN interface as a single IP. Point your DNS records for freenas etc. to this IP rather than pfSense (which I believe is 192.168.3.1 in your configuration). Then change the frontend of HA Proxy to listen on this virtual IP rather than the entire LAN, and finally change pfSense back to port 443.

Now you should have pfSense (192.168.3.1) listening on port 443 and HA proxy listening on 192.168.3.30 on port 443 so there won’t be a conflict and it should work how you want.

I hope that makes sense, if you want a screenshot just ask or post up the bit you don’t understand and I’ll do my best to help.
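To make the bind conflict and the Virtual IP fix concrete, here is an added example (not code from the thread, pfSense or HAProxy) that models each service as an address:port bind and each DNS host override as a name-to-IP mapping, then asks which service a client reaches for https://name/. The addresses 192.168.3.1 (LAN) and 192.168.3.30 (VIP) and the host names are the ones used in this thread; that the HAProxy frontend was bound to the LAN address before the fix is assumed from the description, not read from a posted config. It also covers the mistake the advice above guards against: creating the VIP but leaving the frontend’s listen address on “any”, which still collides with the webConfigurator.

```python
"""Model the port-443 conflict and the Virtual IP fix described above.

Added example; not code from the thread or from pfSense/HAProxy. Addresses
192.168.3.1 (LAN) and 192.168.3.30 (VIP) and the host names come from the
thread; the pre-fix frontend bind on the LAN address is an assumption.
"""
from dataclasses import dataclass

ANY = "0.0.0.0"  # bind on every address (pfSense's "any (IPv4)" listen address)


@dataclass(frozen=True)
class Listener:
    service: str
    ip: str   # a specific address, or ANY
    port: int


def bind_conflicts(listeners):
    """Pairs of listeners that cannot coexist: same port and either the same
    address or one of them bound to every address."""
    conflicts = []
    for i, a in enumerate(listeners):
        for b in listeners[i + 1:]:
            if a.port == b.port and (a.ip == b.ip or ANY in (a.ip, b.ip)):
                conflicts.append((a.service, b.service))
    return conflicts


def who_answers(listeners, host_overrides, hostname, port):
    """Resolve hostname through the DNS host overrides, then return the service
    bound on that address:port (a specific bind beats a wildcard), or None."""
    ip = host_overrides.get(hostname)
    if ip is None:
        return None
    wildcard = None
    for l in listeners:
        if l.port != port:
            continue
        if l.ip == ip:
            return l.service
        if l.ip == ANY:
            wildcard = l.service
    return wildcard


def before_fix():
    """webConfigurator moved to 443 while the HAProxy frontend still listens on
    the LAN address: both want 192.168.3.1:443, and every override points at .1."""
    listeners = [
        Listener("webConfigurator", "192.168.3.1", 443),
        Listener("haproxy-frontend", "192.168.3.1", 443),
    ]
    overrides = {"pfsense.wbm4.com": "192.168.3.1",
                 "freenas.wbm4.com": "192.168.3.1"}
    return listeners, overrides


def after_fix():
    """Frontend moved to the VIP, overrides for proxied hosts follow it, and
    pfSense itself keeps 192.168.3.1:443."""
    listeners = [
        Listener("webConfigurator", "192.168.3.1", 443),
        Listener("haproxy-frontend", "192.168.3.30", 443),
    ]
    overrides = {"pfsense.wbm4.com": "192.168.3.1",
                 "freenas.wbm4.com": "192.168.3.30"}
    return listeners, overrides


def vip_but_frontend_on_any():
    """The mistake to avoid: VIP created, but the frontend left on 'any'."""
    return [
        Listener("webConfigurator", "192.168.3.1", 443),
        Listener("haproxy-frontend", ANY, 443),
    ]


if __name__ == "__main__":
    for label, (ls, ov) in (("before", before_fix()), ("after", after_fix())):
        print(label, "conflicts:", bind_conflicts(ls))
        for name in ov:
            print("  https://%s/ ->" % name, who_answers(ls, ov, name, 443))
    print("frontend on any, conflicts:", bind_conflicts(vip_but_frontend_on_any()))
```

On the firewall itself the same question is answered by `sockstat -4 -l` (pfSense is FreeBSD), which lists each listening address and port with its owning process; after the change you should see nginx on 192.168.3.1:443 and haproxy on 192.168.3.30:443 rather than two entries on the same address.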

@Acestes I have to admit I’m a little perplexed. I understand your solution. However if he’s deactivated HA proxy – then why would you need to do what you are proposing? I’m struggling with a solution as well and would be interested to know if what you are suggesting works, however I’m also trying to understand what is it about his current config that doesn’t work either with HA Proxy deactivated.

@kevdog HA proxy is still activated. I never deactivated it. See my post above.
@Acestes I watched a couple of YouTube videos recently that also suggested using a VIP in HAproxy. I’ll give it a shot over the weekend.

Thanks for the feedback guys!

Oh — snap

I thought you deactivated HA Proxy??? Oh geez. Well I guess that explains it. Just curious – what are you using HA proxy for? HA proxy is usually a reverse proxy for serving multiple domains with one IP address, or its other function is a load balancer. I’m fairly certain you are not using it for load balancing.

SOLVED!!!

Setting up a VIP as @Acestes pointed out above, solved my problem.

Hopefully, this solution will also work for my other servers.

This video also has some good info for solving this type of problem with VIPs.

Thanks!

@maddoxw Glad it’s solved the issue for you.

@kevdog I think @maddoxw is using HA proxy as an internal only reverse proxy to allow SSL/TLS offloading for all of his end points. That way a wildcard certificate can be used on HA proxy and you don’t have to create a commercial certificate per device/service. Whilst you could argue this isn’t considered best practice in a production environment, for a home lab it makes having valid certificates a whole lot easier.


@Acestes

I think I asked the question why he was using HA proxy many times but never received a clear response.

In terms of keeping a type of “SAN cert” vs individual certificates, I’ll concede it’s a heck of a lot easier to keep one certificate on one device and use that.

However I’d also argue that keeping individual certificates on “scattered devices” isn’t really all that difficult either if you are using something like acme.sh that would automatically install and deploy the certs.

The problem I have with HA proxy bundled with pfSense — it’s a very old version. It also is quite chatty trying to verify the “presence” of the backend servers. Although you can set the “phone home” interval in the settings, I found for me at least that HA Proxy thought the backend servers weren’t reachable when they clearly were. After posting on the HA Proxy forum, it seemed a common solution was to upgrade to the latest version to try out “x” feature. Of course this was impossible because of the pfsense limitation.

Anyway – glad you got it working and I hope your reverse proxy experience with HA Proxy is a whole lot better than mine. When I’m requiring a reverse proxy, I usually use nginx which seems to work better for me.

I know what you mean. I’m not 100% happy with the HA proxy approach, but it’ll have to do until I find a better solution.

Thanks Again! :+1:

Another option is to just use another reverse proxy rather than HA proxy. I’m not sure if you have access to setting up VMs, however it’s totally possible to set up another reverse proxy within a VM or within a container like docker. You would then just forward all packets on ports 80/443 to the internal VM or container. It’s a pretty easy workaround.