pfSense TLS passthrough

Hello :slight_smile: Long time lurker :smiley:

I have looked at “How To Setup ACME, Let’s Encrypt, and HAProxy HTTPS offloading on pfsense”, but I want TLS passthrough, and the pfSense GUI is a bit weird :stuck_out_tongue: I'm new to HAProxy.

Scenario:

I want ports 80 and 443 to go to different servers depending on their hostname, and let Let's Encrypt pass through so the backends handle it :slight_smile: .

I have a UniFi controller that I want to handle LE by itself. All ports that need to be opened are port-forwarded.

Can anyone show me how to do this, or is the way Tom is showing us a good way to use this? :slight_smile:

I am not sure why you would want to do that, but you can follow my video and tell HAProxy not to handle the certificate.

He probably needs the proxy for layer 7 routing all his sites on 443 and to have end to end encryption at that point :slightly_smiling_face:

Yeah, definitely sounds like he is trying to get around not having enough IP addresses.

Hello all :smiley: thanks for the tips :smiley: @LTS_Tom. I followed your guide and let pfSense handle the SSL certs…

With the UniFi Network app on my phone and changing the connection port in the app from 8443 to 443, it works; I didn't get an invalid SSL cert :slight_smile:

I will put up more stuff via pfSense when I get the time :smiley:


So you're wanting a reverse proxy based on domain name with TLS passthrough? I only wish I knew how to do this with HAProxy.

This is the end result of a config made in pfSense, but if you have your own standalone HAProxy then this is how you write the config. This will do SSL passthrough based on domain name and redirect HTTP to HTTPS. I hope this helps someone :slight_smile: I took out the public IP for obvious reasons. If you have questions on what is going on in this config I'd be happy to answer.

global
    maxconn             10000
    stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    uid                 80
    gid                 80
    nbproc              1
    nbthread            1
    hard-stop-after     15m
    chroot              /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

# Local stats listener used by the pfSense package GUI; only bound on loopback.
listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

# Plain HTTP frontend: everything on port 80 is redirected to HTTPS.
frontend frontend_80
    bind            <PUBLIC_IP>:80 name <PUBLIC_IP>:80
    mode            http
    log             global
    option          http-keep-alive
    timeout client  30000
    http-request redirect scheme https code 301 if !{ ssl_fc }

# TLS passthrough frontend: mode tcp, so HAProxy never terminates TLS.
# It buffers the ClientHello (inspect-delay), reads the cleartext SNI
# and picks a backend by hostname; the TLS session stays end-to-end.
frontend frontend_443
    bind            <PUBLIC_IP>:443 name <PUBLIC_IP>:443
    mode            tcp
    log             global
    timeout client  30000
    tcp-request inspect-delay   5s
    acl             sub1_host   req.ssl_sni -i sub1.yourdomain.com
    acl             sub2_host   req.ssl_sni -i sub2.yourdomain.com
    # Accept as soon as a ClientHello (hello type 1) has been seen
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend sub1_backend_ipvANY  if  sub1_host
    use_backend sub2_backend_ipvANY  if  sub2_host

# Backends are also mode tcp; the servers present their own certificates.
backend sub1_backend_ipvANY
    mode            tcp
    id              100
    log             global
    timeout connect 30000
    timeout server  30000
    retries         3
    server          sub1_backend 192.168.9.105:443 id 102 check inter 1000

backend sub2_backend_ipvANY
    mode            tcp
    id              101
    log             global
    timeout connect 30000
    timeout server  30000
    retries         3
    server          sub2_backend 192.168.11.5:443 id 103 check inter 1000
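The config above works because the SNI extension in a TLS ClientHello is sent in cleartext, so a TCP-mode proxy can route by hostname without ever holding a private key. The following Python script is an added illustration of that mechanism and is not part of the forum post or of HAProxy: it constructs a minimal ClientHello (sample input built inline, not a real capture), parses the SNI out of it the way HAProxy's `req.ssl_sni` fetch does, and applies the same hostname-to-backend mapping as the `frontend_443` section. The backend names and hostnames are taken from the config above; `build_client_hello`, `extract_sni` and `choose_backend` are names chosen for this example.

```python
import struct

# Mirrors the two ACL/use_backend pairs in frontend_443 (hostnames and backend
# names from the config above). HAProxy's "-i" flag makes the match
# case-insensitive, so lookups below lower-case the SNI first.
BACKENDS = {
    "sub1.yourdomain.com": "sub1_backend_ipvANY",
    "sub2.yourdomain.com": "sub2_backend_ipvANY",
}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with one SNI entry.
    Constructed sample input for extract_sni(); random bytes are zeros."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + bytes(32)                 # random (constructed zeros)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # cipher_suites: one suite
        + b"\x01\x00"               # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI host name from a buffered TLS ClientHello, or None.

    None covers every case HAProxy's req.ssl_sni would not match: a non-TLS
    byte stream, a ClientHello that is not yet fully buffered (this is why
    the config needs tcp-request inspect-delay), or a hello without SNI.
    """
    if len(data) < 5 or data[0] != 0x16:                 # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                                      # record not fully buffered yet
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # 1 = ClientHello (req.ssl_hello_type 1)
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    hs = hs[4:4 + hs_len]
    pos = 2 + 32                                         # skip version + random
    if len(hs) < pos + 1:
        return None
    sid_len = hs[pos]
    pos += 1 + sid_len
    if len(hs) < pos + 2:
        return None
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    if len(hs) < pos + 1:
        return None
    cm_len = hs[pos]
    pos += 1 + cm_len
    if len(hs) < pos + 2:
        return None                                      # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hs):
        return None
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        edata = hs[pos:pos + elen]
        pos += elen
        if ext_type == 0 and len(edata) >= 5:
            # ServerNameList: 2-byte list length, then (type, 2-byte len, name) entries
            lpos = 2
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0:
                    return name.decode("ascii", errors="replace")
                lpos += 3 + nlen
    return None


def choose_backend(data: bytes):
    """Apply the frontend_443 routing: SNI -> backend name, or None when no
    ACL matches. The config has no default_backend, so HAProxy would close
    such a connection rather than forward it anywhere."""
    sni = extract_sni(data)
    if sni is None:
        return None
    return BACKENDS.get(sni.lower())


if __name__ == "__main__":
    for host in ("sub1.yourdomain.com", "SUB2.yourdomain.com", "other.example"):
        print(host, "->", choose_backend(build_client_hello(host)))
    print("plain HTTP ->", choose_backend(b"GET / HTTP/1.1\r\n\r\n"))
```

Two points from the config are visible in the code: `tcp-request inspect-delay 5s` exists because the proxy has to wait until the whole ClientHello is buffered before `req.ssl_sni` can match (the truncated-record branch returns `None`), and because there is no `default_backend`, a connection with an unknown or missing SNI is simply dropped, which is worth keeping in mind when a client that does not send SNI stops working.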