Pfsense + haproxy + keycloak implementation help

Firstly, I would like to say I am new to this forum, but am a long time viewer of the youtube channel (Tom, you are a literal saint, thank you for the work you do. I don’t know how many times I have watched/rewatched your videos about pfsense with much interest)

Being new here, I wanted to say thank you for letting me be here. I have read the community guidelines and had a look around, but please let me know if I can improve my behavior in any way.

On to my query at hand.

I currently have a pfsense setup as the home firewall, various services both internal and external setup with docker, proxmox, and xcp-ng (i wanted to try out different hypervisors before i settled). At the moment this is more of a hobby, but I’m hoping to move into a more “side gig” style eventually. Been working on it for about 6 months or so in my off time.

What I am hoping to do is have a authenticating/authorizing proxy setup, using haproxy in pfsense and keycloak as the “ldap” type style of user and service management. I have managed to setup keycloak in limited tests, and i already have haproxy in my production working almost flawlessly, but for some reason i can not figure out how to get haproxy to authenticate/authorize traffic on the pfsense side. For some reason it just goes right over my head. I’m not sure if i am missing something small or if I am just way over my head.

Google-ing and reddit browsing have just shown more people in the same boat as me, and the keycloak documentation for the proxy side shows haproxy in in a more standalone version, not the haproxy in pfsense with the gui and such.

I have looked into Authelia and Pomerium, and my limited trial runs haven’t show much progress in implementation or feature sets. As i understand it, keycloak is kinda the gold standard when it comes to this sort of thing.

What I am looking for as a resolution is,

  1. how to configure haproxy in pfsense to authenticate/authorize traffic with keycloak. I believe i can confiure the keycloak side, but since I have not managed a working scenario, I am not 100% confident on that side.
  2. perhaps some best practices or wisdom in such a endeavor
  3. I do plan to turn this into a SSO type solution as well, but that that is further down my list, and is not a make or break scenario

If anyone can help me out, point me in the right direction, or maybe offer a alternative solution to securing a network i am open to ideas. This may seem like a big project/ask, and I am open to paying for some professional help, but i was hoping to start in the forums and do some leg work because I really want to know how to do this, not just have this be done.

Thank you in advance for taking the time to read this, and thank you in advance for any assistance. I really appreciate your time, expertise, and kindness in this matter.

In best regards,
-Alethio

TLDR;
I need help configuring HAproxy in pfsense to authenticate/authorize using keycloak. After looking around I have not gotten anywhere on my own or with my friends in a similar situation.

Hi there. I was looking at doing the same thing, except with nginx. It’s possible but I didn’t put much time into the config and got busy with other projects. However, I managed to accomplish this with traefik. It was easier compared to nginx and haproxy as it was a line liner specifying the middleware (keycloak). Sorry to not provide a solution, but I want to respond with some thoughts.

1 Like

I appriciate the insights.

The reason i chose using haproxy on pfsense, is Traefik looked a little daunting to me, the lack of a gui (which im getting more comfortable with now at least), and i didnt want to use 2 proxies in my network, and having a all in one solution like pfsense seemed like a better long term solution for me. Also, having a good certificate solution like tom showed seemed extremley valuable.

I wont say im against using traefik if i have to, but i would consider it sub optimal considering my above reasons.

Have you used keycloak as middleware? How did it go?

Most people, myself included, do not use HAProxy for auth. We rely on the authentication methods of the applications behind HAProxy and really only use HAProxy for handing the traffic & certs.

2 Likes

Thank you for your reply Tom. That is kinda nice to know how professional rock stars like yourself handle these sort of things.

I think my perspective boils down to the realization I don’t have much control how a particular service runs or handles anything, but I do have control for how the infrastructure around the services (at least in theory), so that is where I have been focusing my efforts.

It also strikes me as odd with all the effort put into security and hardening, not much effort seems to be placed into the networking side of things.

How difficult would it be if i decided I would like to be a persnickety person and power through with a haproxy authentication/authorization situation?

As I understand, the biggest tools in the networking belt are vlans, creative firewall rule management, or if i want to bite the bullet, a vpn per user. Are there possibly any other things I should look into to appropriately harden a network?

Currently I have a similar cloudflare setup and you have demonstrated, and its locked out unless any of clourflares ip addresses are the originating source. I also have cloudflare set up with a origin cert setup. I have been experimenting with vlans with pretty good early success, getting ready to setup up a good network plan with such.

Also, if i should more focus on the vm/service side for hardening, I hate to bother, but is there a good source of a nice checklist or tutorial to get a good game plan?

Once again, thank you (everyone) for your responses and any time, past and future, you have contributed.

A quick clarification, using a VLAN is for segmentation on the same wire, but not for security as that would be handled by the rules for subnets they transport.

There are a few good rules for security:

  • Reduce attack surface by closing all unused ports/services or even better put it all behind a VPN
  • Practice Principle of least privilege and only allow a minimum amount of access needed to get things done.
  • Have a patch management plan for the services you host

Some solid advice.

I very much agree, vlans can segment traffic over the same line, but the security aspect is rule management of the network (as i understand).

I was hoping to not have a VPN solution, my friends and family are not that technical.

My current patch management plan is about once a week, I go through and make sure everything is updated and functional.

As for practice of least privilege, would you consider a account that is a sudo under that preview? I am the only account on any vms or bare metals machine. Well, besides root account which should be disabled login, something I should rethink about doing.

Thank you very much Tom, I appreciate your time in this forum, and for the great work you do on youtube teaching and spreading information. I love sharing your videos to all my server friends. You very much make a positive difference.

-Alethio