The goal in this example is to provide HTTPS for external traffic while the internal traffic stays plain HTTP (TLS is terminated on pfSense, and HAProxy forwards to the backend over HTTP).
Prereqs
- Install the HAProxy package in pfSense
- Create the subdomain (for example blog.mydomain.com) in DNS
- Set up Let's Encrypt (the ACME package)
- Add a wildcard subdomain to the Let's Encrypt certificate so one certificate covers every subdomain you front with HAProxy
Basic Configuration
In pfSense go to Services | HAProxy. The HAProxy page will display. The first thing to do is to set the Max SSL Diffie-Hellman size to 2048 under the Tuning section; 2048 is the smallest size HAProxy considers acceptable for TLS offloading, and it warns at startup when a smaller value is used.
Backend
Select Backend and select Add. Now we are setting up the frontend and backend in HAProxy for a blog running at blog.mydomain.com. As Mr. Karlton states below, coming up with names is hard. What makes sense in one context does not in another. Let's just name this backend blog and see how this works out.
There are only two hard things in Computer Science: cache invalidation and naming things.
– Phil Karlton
Clicking on the little green arrow below mode allows the backend server information to be added.
Again, we have to come up with a name. This website will run in Kubernetes, so I will prefix this backend server with k8s followed by the namespace and then the service name (for example k8s-namespace-service).
Setting the healthcheck to basic (a plain TCP connect) or none will ensure the backend works for the initial test. Note that with none HAProxy never marks the server down, so it is only suitable for testing. We will explore other healthcheck methods in later posts.
Frontend
Select Add to create a new frontend. We have yet another name to think up. Let's use mydomain.com for this one.
Give it a description and set it to active. The external address in this case is just set to the WAN address. The actual address can be found under Interfaces | WAN (IPv4 Address).
The port should be set to 443 since we are accessing via HTTPS, and select SSL Offloading so that HAProxy terminates TLS here. The type setting below is left at the http/https (offloading) default.
The combination of an Access Control List and an Action is how HAProxy determines where to send the inbound request. We define an ACL; in this example, when the inbound Host header matches blog.mydomain.com, the action is to use the blog backend. A request whose Host matches no ACL falls through to the default backend, if one is set, so do not leave a sensitive backend as the default.
Below is how I configured the certificate section: the frontend presents the wildcard Let's Encrypt certificate from the prerequisites, so each new subdomain only needs a DNS entry, an ACL and a backend.
The name blog is fine for the backend, but what happens when you want to host another blog? Naming the backend blog.mydomain.com is verbose but more helpful.
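For readers who want to see what the GUI steps above amount to, here is a hand-written haproxy.cfg equivalent. This is an added example, not the configuration pfSense generates or anything from the original post; the WAN address 203.0.113.10, the backend address 10.0.0.20:8080, the certificate path and the k8s-blog-blog server name are all assumptions. It also goes slightly beyond the post by redirecting plain HTTP on port 80 to HTTPS, setting X-Forwarded-Proto so the application knows the client used HTTPS even though it receives HTTP, and denying requests whose Host matches no ACL instead of routing them to a default backend.

```haproxy
# Added example: hand-written equivalent of the pfSense HAProxy GUI steps.
# Not the page's own configuration; addresses, names and paths are assumptions.

global
    # pfSense "Max SSL Diffie-Hellman size" = 2048
    tune.ssl.default-dh-param 2048
    # Refuse TLS 1.0/1.1 on every offloading bind
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend "mydomain.com": TLS terminated here (SSL offloading) on the WAN address.
# 203.0.113.10 is a placeholder WAN IP; the wildcard Let's Encrypt cert is assumed
# to have been exported to the path below.
frontend mydomain.com
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/wildcard.mydomain.com.pem
    # Port 80 exists only to redirect clients to HTTPS.
    bind 203.0.113.10:80
    http-request redirect scheme https code 301 unless { ssl_fc }

    # The backend only ever sees HTTP, so tell it the original scheme.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # ACL + action: Host header blog.mydomain.com -> backend blog.mydomain.com
    acl host_blog req.hdr(host) -i blog.mydomain.com
    use_backend blog.mydomain.com if host_blog

    # Anything that matches no ACL is refused (403) rather than sent to a default site.
    http-request deny

# Backend named after the site, per the naming note above.
backend blog.mydomain.com
    # Internal traffic is plain HTTP to the Kubernetes service (assumed address).
    # "check" with no httpchk is the pfSense "basic" (TCP connect) healthcheck;
    # drop "check" entirely for "none", which never marks the server down.
    server k8s-blog-blog 10.0.0.20:8080 check inter 10s fall 3 rise 2
```

Validate the file with `haproxy -c -f haproxy.cfg` before loading it. If the application generates absolute links, make sure it honours X-Forwarded-Proto; otherwise it will emit http:// URLs and users will bounce through the redirect on every click.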