The goal in this example is to provide
HTTPS for external traffic while the internal traffic is
- Install HAProxy in pfSense
- Create Subdomain
- Setup Let’s Encrypt
- Create wildcard Subdomain to Let’s Encrypt key
In pfSense go to Services | HAProxy. The HAProxy page will display. The first thing to do is to set the Max SSL Diffie-Hellman size to 2048 under the Tuning section.
Select Backend and select Add. Now we are setting up the frontend and backend HAProxy for a blog running at blog.mydomain.com. As Mr. Karlton states below, coming up with names is hard. What makes sense in one context does not in another. Let’s just name this backend blog and see how this works out.
There are only two hard things in Computer Science: cache invalidation and naming things.
– Phil Karlton
Clicking on the little green arrow below mode allows the backend server information to be added.
Setting the healthcheck to basic or none will ensure the backend will work for the initial test. We will explore other healthcheck methods in later posts.
Select Add to create a new frontend. We have yet another name to think up. Let’s use mydomain.com for this one.
Give it a description and set it to active. The external address in this case is just set to the WAN address. The actual address can be found in Interfaces | WAN IPv4 Address. The port should be set to 443 since we are accessing via HTTPS; also select HTTP Offloading. The type setting below is left at the
The combination of an Access Control List and an Action is how HAProxy determines where to send the inbound request. We define an ACL, in this example when the inbound host matches blog.mydomain.com use the
Below is how I configured the certificate section.
blog is fine for the backend, but what happens when you want to host another blog? Naming the backend blog.mydomain.com is verbose but more helpful.
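The tuning value, frontend, ACL/action pair and backend set up in the GUI steps above correspond roughly to the HAProxy configuration below. This is an added example, not the file pfSense generates and not part of the original post; the two IP addresses (documentation ranges), the certificate path, the names `host_blog` and `blog1`, the timeouts and the plain-HTTP backend port are assumptions.

```haproxy
global
    # Tuning section: Max SSL Diffie-Hellman size
    tune.ssl.default-dh-param 2048

defaults
    mode http
    # Timeouts are assumed values, not taken from the post
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend mydomain.com
    # External address = WAN address (placeholder 203.0.113.10), port 443.
    # TLS is terminated here with the wildcard Let's Encrypt certificate
    # (placeholder path: certificate chain and private key in one PEM file).
    bind 203.0.113.10:443 ssl crt /path/to/wildcard.mydomain.com.pem

    # ACL: true when the Host header equals blog.mydomain.com (-i = ignore case)
    acl host_blog hdr(host) -i blog.mydomain.com

    # Action: send matching requests to the backend named "blog"
    use_backend blog if host_blog

    # No default_backend is set, so a request for any other Host name
    # matches no rule and HAProxy answers 503 instead of forwarding it.

backend blog
    # Internal web server (placeholder address, plain HTTP assumed).
    # "check" is a basic TCP health check; drop the keyword for "none".
    server blog1 192.0.2.10:80 check
```

Hosting a second site behind the same frontend means one more `acl` / `use_backend` pair and one more `backend` section, which is where the verbose backend name starts to pay off.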