Is there something like Nginx Revers Proxy Manager for pfSense?
I would love to have a Let’sEncrypt certificate for pfSense. And as far as I know, this means port 80 and 443 should be available for that use.
But I am also running a small NextCloud server on my network. And as that one needs Let’s Encrypt as well, it already has those ports forwarded.
Any creative ideas?
I know - I don’t HAVE to have a certificate for the firewall. But it is just so tempting to try to find a way. I will gladly admit it is more “estetics” than real need
The DNS challenge could be used if there was a way to update the Cloudflare DNS from pfSense.
You can use wildcard validation which requires a DNS-based method but would allow all the domains/sub domains to have a common LE cert. The you can use HA Proxy to manage the SSL termination using that certificate.
https://docs.netgate.com/pfsense/en/latest/packages/acme/wildcard.html
1 Like
I need to watch that one again!!!
For cases like this, I do the same as Laurence, or use pfSense + HAProxy to create the certificates and access them all, or else I use the Certbot + Cloudflare API to generate the certificates.
Just one thing about the Cloudflare API, it only works for paid domains, if you try to make use of .tk, .ml, .ga, etc. domains, they will not work! With .com domain, .com.br, etc., I have already tested and work normally.
Using Certbot v2 DNS options (I do it with CloudFlare) you don’t have to have 80 or 443 pointed at the pfSense. I have multiple client sites where I am using LE to create valid certs to devices that are only accessible to my IP on a non-standard port and it works fine.
Wildcard certs require the v2 options (which is what prompted my move to CloudFlare DNS), but the only place I’m using a wildcard is on my actual web server so that I can host multiple sub-domains with a single cert.
Well, after going through several videos, including yours, Tom. I am halfway there.
I have ACME working. I have done two certificates. My DNS is on Cloudflare and I go it working
I have managed to get one certificate working for pfSense with hairpinning, but not exposed to the outside - no ports forwarded - yet.
So my pfSense is https://pfsense.mydomain.com/
But I have a little test server running as well. On a different domain.
https://server.myotherdomain.com/ and I have managed to get the certificate for it.
I only have one wan. But I have several LAN’s. Not VLAN’s for now. My pfSense has 6 ports…
So my LAN is on 192.168.1.1
My sever lan is on 10.10.0.1
Just to keep things apart…
The thing I have not been able to find anywhere is how to set things up so that all traffic from the outside goes to HAProxy? What rules to use for that?
P.S. Does it make sense to route anything else than http and https through HAProxy? FTP? SSH?
For outside access you open up the WAN via a firewall rule to the firewall and port where you have HA Proxy.
Wild card certs are covered in this video https://youtu.be/jpyUm53we-Y
Hi Tom,
I have no problem opening up a firewall rule My doubt is where does HAProxy “live”. A service usually do not have an IP address or port.
And yes, I know what a wildcard certificate is. But it is useless in my case as I am talking about two different domains.
In the HA Proxy front end settings you choose the listen address and you have a different cert for each domain.
1 Like