The goal in this example is to provide HTTPS for external traffic while the internal traffic is HTTP.
Prereqs
- Install HAProxy in pfSence
- Create Subdomain
- Setup Let’s Encrypt
- Create wildcard Subdomain to Let’s Encrypt key
Basic Configuration
In pfSense go to Services | HAProxy. The HAProxy page will display. The first thing to do is to set the Max SSL Diffie-Hellman size to 2048 under the Tuning section.
Backend
Select Backend and select Add. Now we are setting up the frontend and backend HAProxy for a blog running at blog.mydomain.com. As Mr. Karlton states below, coming up with names is hard. What makes sense in one context does not in another. Let’s just name this backend blog and see how this works out.
There are only two hard things in Computer Science: cache invalidation and naming things.
– Phil Karlton
Clicking on the little green arrow below mode allows the backend server information to be added.
Again, we have to come up with a name. This website will run in Kubernetes so I will prefix this backend with k8s followed by the namespace and then followed by the service name.
Setting the healthcheck to basic or none will insure the backend will work for the initial test. We will explore other healthcheck methods in later posts.
Frontend
Select Add to create a new frontend. We have yet another name to think up. Let’s use mydomain.com for this one.
Give it a description and set it to active. The external address in this case is just set to the WAN address. The actual address can be found in Interfaces | WAN IPv4 Address The port should be set to 443 since we are accessing via HTTPS' and select HTTP Offloading. The type setting below is left at the http/https(offloading) default.
The combination of an Access Control List and an Action is how HAProxy determines where to send the inbound request. We define an ACL, in this example when the inbound host matches blob.mydomain.com use the blog backend.
Below is how I configured the certificate section.
The name blog is fine for the backend but what happens when you want to host another blog? Naming the backend blog.mydomain.com is verbose but more helpful.