pfSense Default SSL Port

While (attempting) to follow Tom’s guide on HA (reverse) Proxy Setup, I went to “System > Advanced > TCP Port” and typed in “10443”, as later in the tutorial we tell HAProxy to listen for incoming connections on 443 …

When I make this change, the WebGUI becomes entirely unresponsive, and the page fails to load. The only way back was to SSH in, restore a recent configuration change, and reboot.

I have attempted this change using an Acme Cert and the default WebConfigurator self-signed, thinking that might be involved.

I’m not sure if I have a rogue setting somewhere that prevents me from doing anything but port 443, but I’d appreciate some expertise on this if there is any to be had.

I never enabled HAProxy, so it’s not some infinite redirect loop or something.

Also, as a side note, I tried to use “NTOPNG” or something like that—a monitoring program you can install that typically lives on the FW at port 3000—but when I was using that, too, that port would also time out. I got frustrated enough that I just uninstalled that package.

If you are using HAproxy, create a VIP and assign that internal IP to your haproxy. Don’t mess with changing the default SSL port of your pfsense box.


So, I tend to agree with you here @xMAXIMUSx, so I created a VIP (10.10.10.2) which is not attached to any VLAN or assigned anywhere else. Then I updated the DNS of “lidarr.int.snyderfamily.co” to match 10.10.10.2 and I also created two listeners for the FrontEnd to include SSL-Offloading for port 443 and plain HTTP on port 80.

When I do this, I go to lidarr.int.snyderfamily.co and I get an error:

503 Service Unavailable
No server is available to handle this request.

Appreciate the help here.

When I Disable HTTP Strict Transport Security and I checked the box Disable HTTP_REFERER enforcement check … then I’m able to change the default TCP Port to 10443 (hooray).

But when I update the DNS of lidarr I still get the same 503 error as before.

Under System > Advanced > Admin Access, set the TCP port to something not in use (for me that is 10443) and also check “Disable webConfigurator redirect rule”.

Putting HAProxy on a separate IP is fine if you want to, I generally bind it to the main network where it will be accessed.
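The last reply says to pick a GUI port that is “not in use”, and the whole thread is really about two listeners (the webConfigurator and HAProxy) fighting over 443 and 80. The check below is an added example, not something posted in the thread: a small POSIX sh helper that reads `sockstat`-style output and reports which process already holds a port, so you can confirm 443 is free for HAProxy and 10443 is free for the GUI before committing the change. The column positions (command in field 2, local address in field 6) are an assumption based on FreeBSD’s `sockstat -l` layout, and the listing embedded in the script is constructed sample data; on a real pfSense box you would pipe the live output in with `sockstat -4l | port_holders 443`.

```shell
#!/bin/sh
# Added example (not from the thread): find which process already holds a TCP
# port before pointing the webConfigurator or an HAProxy frontend at it.
# Column positions ($2 = COMMAND, $6 = LOCAL ADDRESS) are assumed from FreeBSD's
# `sockstat -l` layout; on a live pfSense box run:  sockstat -4l | port_holders 443

# Print "COMMAND LOCAL_ADDRESS" for every listener on the given port.
# Reads sockstat-style output on stdin and skips the header line; the last
# ':'-separated field of the local address is the port, so IPv6 rows work too.
port_holders() {
    awk -v want="$1" 'NR > 1 { n = split($6, a, ":"); if (a[n] == want) print $2, $6 }'
}

# Succeed (exit 0) only if nothing on stdin is listening on the given port.
port_is_free() {
    [ -z "$(port_holders "$1")" ]
}

# Constructed sample resembling `sockstat -4l` on a pfSense box where nginx
# (the webConfigurator) still owns *:443 and the port-80 redirect, and an
# HAProxy frontend has been bound to a VIP on 443.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      12345 6  tcp4   *:443                 *:*
root     nginx      12345 7  tcp4   *:80                  *:*
root     haproxy    23456 5  tcp4   10.10.10.2:443        *:*
root     sshd       1111  4  tcp4   *:22                  *:*'

# Stand-alone demo: who holds 443, and is 10443 available for the GUI?
printf '%s\n' "$SAMPLE_SOCKSTAT" | port_holders 443
if printf '%s\n' "$SAMPLE_SOCKSTAT" | port_is_free 10443; then
    echo "10443 is free: safe to use as the webConfigurator port"
fi
```

Run it before and after moving the GUI port: if `port_holders 443` still lists nginx after the change, the webConfigurator has not actually released the port (or the redirect rule is still active on 80), which matches the lockout symptoms described above.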