Firstly, I would like to say I am new to this forum, but am a long time viewer of the youtube channel (Tom, you are a literal saint, thank you for the work you do. I don’t know how many times I have watched/rewatched your videos about pfsense with much interest)
Being new here, I wanted to say thank you for letting me be here. I have read the community guidelines and had a look around, but please let me know if I can improve my behavior in any way.
On to my query at hand.
I currently have a pfsense setup as the home firewall, various services both internal and external setup with docker, proxmox, and xcp-ng (i wanted to try out different hypervisors before i settled). At the moment this is more of a hobby, but I’m hoping to move into a more “side gig” style eventually. Been working on it for about 6 months or so in my off time.
What I am hoping to do is have a authenticating/authorizing proxy setup, using haproxy in pfsense and keycloak as the “ldap” type style of user and service management. I have managed to setup keycloak in limited tests, and i already have haproxy in my production working almost flawlessly, but for some reason i can not figure out how to get haproxy to authenticate/authorize traffic on the pfsense side. For some reason it just goes right over my head. I’m not sure if i am missing something small or if I am just way over my head.
Google-ing and reddit browsing have just shown more people in the same boat as me, and the keycloak documentation for the proxy side shows haproxy in in a more standalone version, not the haproxy in pfsense with the gui and such.
I have looked into Authelia and Pomerium, and my limited trial runs haven’t show much progress in implementation or feature sets. As i understand it, keycloak is kinda the gold standard when it comes to this sort of thing.
What I am looking for as a resolution is,
- how to configure haproxy in pfsense to authenticate/authorize traffic with keycloak. I believe i can confiure the keycloak side, but since I have not managed a working scenario, I am not 100% confident on that side.
- perhaps some best practices or wisdom in such a endeavor
- I do plan to turn this into a SSO type solution as well, but that that is further down my list, and is not a make or break scenario
If anyone can help me out, point me in the right direction, or maybe offer a alternative solution to securing a network i am open to ideas. This may seem like a big project/ask, and I am open to paying for some professional help, but i was hoping to start in the forums and do some leg work because I really want to know how to do this, not just have this be done.
Thank you in advance for taking the time to read this, and thank you in advance for any assistance. I really appreciate your time, expertise, and kindness in this matter.
In best regards,
-Alethio
TLDR;
I need help configuring HAproxy in pfsense to authenticate/authorize using keycloak. After looking around I have not gotten anywhere on my own or with my friends in a similar situation.