need help with pfSense/haproxy reverse proxy setup with ssl termination

Status
Not open for further replies.

Sean Coston

Contributor
Joined
Jul 25, 2014
Messages
128
I just got my very own pfSense device up and running on its own hardware:
Mini ITX pfSense Router/Firewall with 5x Gbe LAN, 64Gb SATA SSD pre-loaded with 64 bit pfSense 2.2.6

I have FreeNAS-9.3-STABLE running on a Lenovo TS-140
Platform Intel(R) Xeon(R) CPU E3-1276 v3 @ 3.60GHz
Memory 28438MB

I have 8 jails successfully installed and running well:
Plex, Transmission, ownCloud on NGINX, mythTV backend with mythweb, HD homerun DVR, calibre, KMTTG (tivo), and a Minecraft server.

Several of these have http webgui interfaces that can't be configured with ssl connections. I know I'm asking a lot, but I'd like to be able to point them at the internet and be able to somewhat safely access them by implementing a reverse proxy on my pfSense device. I have a domain that is constantly monitored by DynDNS and updated to my outward facing Comcast modem's IP address. From here on out I'll refer to that domain as "SDC.net" (though in actuality it is different). Attached is an image of my very basic network configuration.

The FreeNAS has several jails running that all have their own LAN IP addresses. Some of the jails (like MythTV backend, calibre, and my kiddo's Minecraft server) all present http interfaces and I'd like to be able to use https (SSL) from the www to navigate to my home domain, have SSL terminate in the pfSense reverse proxy server and have the server forward either http or https connections to the proper LAN IPs.

Can anyone point me to a resource that, at a very granular and basic level, walks through setting up HAProxy on pfSense to do this? I found these threads on the pfSense forum which have some good info, but I still can't seem to get my setup to work.
https://forum.pfsense.org/index.php?topic=103726.0
https://forum.pfsense.org/index.php?topic=93766.msg527268#msg527268

Lots of ground covered in these... The second one gives a link to a PDF attachment with basics.

I am posting here because I'm really trying to access my FreeNAS jail servers/apps more safely from the outside world.
Also, the pfSense forums are not very active, it seems. The pfSense community seems to want to point people to the paid support resources, and certainly, if I was running a business, I'd go that route. But this is just my file and media server and lowly home network.

Anyone out there who's done this who is willing to help?

Sean
 

Attachments

  • home network.png

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
This really has nothing to do with FreeNAS, so the best bet is to find instructions on setting up HAProxy on pfSense. The only component that is FreeNAS is that it is hosting the "VMs" running your apps....
 

Sean Coston

Contributor
Joined
Jul 25, 2014
Messages
128
Indeed, what you say is true. But I knew that someone here in these forums has done this and that someone would be willing to point me in the right direction.
Thank you for the links.

Sent from my Nexus 6P using Tapatalk
 

fontes31

Explorer
Joined
Apr 6, 2012
Messages
96
Well, I see that you have calibre installed. I tried to install calibre but without success.
 

snaptec

Guru
Joined
Nov 30, 2015
Messages
502
What problems do you have setting that up?
If you want SSL only:
Make a firewall rule from WAN port 443.
Config all certs in Cert Manager.
One primary frontend configured with the WAN IP.
Shared frontends for the subdomains.
Frontends directed to the backend.
Backend configuration is quite simple, just the internal IP and port 80.
Maybe set the host monitoring to off.
If you got problems, without the logs it's impossible to help.


Sent from iPhone with Tapatalk
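
The steps listed in the post above, written out as the plain HAProxy configuration they roughly correspond to. This is an added example, not part of the original thread and not the file the pfSense package generates. The WAN address, the subdomains of the thread's stand-in domain, the jail addresses and the certificate path are all constructed placeholders, and the X-Forwarded-Proto header and `option forwardfor` lines are an addition that the post does not mention.

```haproxy
# Constructed example: every address, host name and path below is a placeholder.
global
    maxconn 256

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Primary frontend: the only listener exposed to the WAN
# (the firewall rule allows inbound TCP 443 and nothing else).
frontend wan_https
    # TLS terminates here; a directory after "crt" loads every PEM in it
    # and the certificate is chosen by SNI.
    bind 203.0.113.10:443 ssl crt /path/to/certs/

    # Added in this example: tell the plain-HTTP app which scheme and
    # client address the original request used.
    http-request set-header X-Forwarded-Proto https
    option forwardfor

    # The "shared frontend" part: pick a backend by requested host name.
    acl host_calibre hdr(host) -i calibre.sdc.net
    acl host_mythweb hdr(host) -i mythweb.sdc.net
    use_backend calibre_jail if host_calibre
    use_backend mythweb_jail if host_mythweb
    # No default_backend on purpose: a request for any other Host gets a
    # 503 from HAProxy and never reaches a jail.

# Backends: internal IP and port 80, as in the post.
backend calibre_jail
    # No "check" keyword, which is the "host monitoring off" setting.
    server calibre 192.168.1.21:80

backend mythweb_jail
    server mythweb 192.168.1.22:80
```

Only the jails named in an `acl`/`use_backend` pair become reachable from outside; everything else on the LAN stays behind the single 443 rule.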
 

Sean Coston

Contributor
Joined
Jul 25, 2014
Messages
128
I've got the reverse proxy running, but for calibre and mythweb the SSL offloading handled by HAProxy breaks some aspects of the web interface. I've not had time to fully investigate, but it seems to have something to do with the server serving up http which is translated back into https by HAProxy at the firewall with loss of some functionality in the process.

Sent from my Nexus 6P using Tapatalk
 