Being in IT, I have a lot of test servers and applications running in my LAN. Most of them use self-signed SSL certificates, which produce a browser error every time I access them internally. What I am going to do in this tutorial is set up a certificate and have HAProxy present this cert, then proxy me to the correct server based on the URI entered. You can set this up externally or in the cloud, but for this demo I am going to do it for my LAN only. This is a long tutorial, but once you have done it once you will see how easy it really is.
Things you will need:
- Public domain name
- Cloudflare account (Can easily be setup for free with no credit card)
- pfSense router
Install acme and HAProxy
- Log into pfSense and select System -> Package Manager.
- Select the “Available Packages” tab.
- Find “acme” and “haproxy” and install both.
- Once installed they will appear on the Installed Packages tab.
Change pfSense web port
- Since we are going to use port 443 for our proxy, we need to move the pfSense web GUI off its default port.
- Go to System -> Advanced.
- Under “TCP Port”, change this to another port; I use 1234. Remember that once it is changed you need to use this port to log in, so I will use https://10.0.0.1:1234
Setup your domain on Cloudflare
- Log into your Cloudflare account; if you don’t already have one, you can create a Cloudflare account for free.
- You will get to the step of adding your domain; if you already have an account, select “Add Site” from the dashboard.
- Enter your public domain name.
- Select the free plan, it will work perfectly for this.
- Cloudflare will try to scan your current DNS records; if you already have other records, add them here.
- Now you will need to change your domain name’s nameservers at your registrar. This will be different for everyone; I will show mine using Hover.
- Select “Check Nameservers” in Cloudflare. It may take a few hours for your nameservers to change and for Cloudflare to update.
Setup Acme Certificate and Cloudflare API
- Still in Cloudflare, select your domain and press “Overview”.
- Scroll down and copy your Zone ID and Account ID, just into a notepad for now.
- Next select the user icon in the top right and go to “My Profile”
- Select “API Tokens” and press View on your Global API Key; copy this into notepad too. Note that the Global API Key gives full access to your whole Cloudflare account, so store it as carefully as a password.
- Lastly, under API Tokens press “Create Token”
- Next to “Edit zone DNS” select “Use this Template”
- Under Zone Resources, select your domain
- Select Continue and Create Token. Copy this to notepad also.
- Now log in to pfSense and go to Services -> Acme Certificates.
- Then select Account Keys.
- Now we are going to register an account with Let’s Encrypt. This is really easy: select Add, enter a name, select ACME v2 Production and enter an email address.
- Press “Create new account key” (you may have to wait for a minute), then “Register ACME account key”. Once done, select Save.
- Now go to the Certificates page and press “Add”
- Enter a name and description if you like.
- Now under “Domain SAN list” select DNS-Cloudflare
- Enter your domain name in the box, e.g. spacedino.rocks. You can also use a subdomain, e.g. I could use local.spacedino.rocks
- Enter your Cloudflare account email and then the Zone ID, Account ID, API Key (Global Key) and the API token we created earlier.
- We also need to restart the proxy whenever the cert is renewed, so that HAProxy picks up the new one: under Actions List select “Add” and enter /usr/local/etc/rc.d/haproxy.sh restart
- Now Select “Save”
- On the certificate page, select Issue/Renew to get a cert. You should see a success text block come up after a few seconds and the date will update.
- That’s it for the cert! You now have a certificate for your domain that will auto-renew.
Set up HAProxy
- Go to Services -> HAProxy. Select the “Backend” tab and press “Add”.
- This is where we set up the internal web server that we want to proxy to. My server is a web server on 10.0.0.7 port 80. Enter a name for the server, then press the down arrow under “Server list”. Now enter your internal server IP and port. If it is secure, enter 443 and tick “Encrypt(SSL)”; do not tick “SSL Check”, as your server has a self-signed certificate and the check would fail.
- Scroll down to Health Checking and select “None”
- Scroll to the bottom and press save.
- Now select “Front End” from the top tabs. This is where we setup the front-end proxy and have it redirect with our certificate to the back-end server.
- Select “Add” and enter a name. Now under listen address you can select where requests will come from. I am only going to accept requests from my LAN, so I will select LAN Address(IPv4) and enter port 443. Don’t forget to tick “SSL Offloading”. If you want this to be accessible from the internet you can also add WAN Address(IPv4); you will also need to open port 443 on the firewall for external access.
- Now scroll down to “Access Control list”. Press the little down arrow, enter a name, change the expression to “Host Matches” and enter the domain name you want in the “Value” field. I will enter spacedino.rocks
- Now under “Actions” press the little down arrow and select “Use backend”. Enter the name of the ACL you made in the previous step; make sure it is exactly the same. Select the backend from the dropdown; you will likely only have the one option from earlier.
- Lastly, scroll to “SSL Offloading”. Here, change the certificate to the one we created earlier.
- Now press save.
Set up Local DNS
- For this to work, we need our domain spacedino.rocks to point to the IP of the pfSense router, 10.0.0.1 (the IP and domain will differ for you).
- Go to Services -> DNS Resolver. At the bottom we need to add a mapping under Domain Overrides. If you are not using pfSense for your DNS, you will need to add this override on that DNS server instead (e.g. Windows Server or Pi-hole).
- Enter your domain and your Pfsense Router IP. Press Save.
- That’s it, all done! Now to test. If everything is set up correctly, you should be able to enter your domain and it should connect to your server over an SSL connection using a valid certificate.
- I will enter https://spacedino.rocks to test. As you can see, if I enter the domain I get a secure connection with a valid certificate.
- If, however, I enter the local IP of the server, it is not secure. HAProxy is providing the cert and keeping it updated for us.
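The same three checks (DNS override, trusted cert through the proxy, untrusted cert straight to the backend) as a script, added here as an example and not part of the original tutorial. The hosts, the domain and the sample certificate dict are assumptions modelled on the values used above; change them to match your own setup.

```python
"""Post-setup check for the HAProxy + ACME layout (added example; hosts and sample cert are assumed)."""
import socket
import ssl
from datetime import datetime, timezone

PROXY_HOST = "10.0.0.1"      # pfSense LAN address the frontend listens on (assumed)
BACKEND_HOST = "10.0.0.7"    # internal web server behind the proxy (assumed)
DOMAIN = "spacedino.rocks"   # name the Let's Encrypt certificate was issued for
# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns, used for offline testing.
SAMPLE_CERT = {
    "subject": ((("commonName", "spacedino.rocks"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "spacedino.rocks"), ("DNS", "local.spacedino.rocks")),
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed "current time" for the sample


def cert_summary(cert: dict, now: datetime) -> dict:
    """Reduce a getpeercert() dict to the fields worth checking after setup."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName"),
        "covers_domain": DOMAIN in sans,
        "days_left": (not_after - now).days,  # renewal is ACME's job; this confirms it actually ran
    }


def fetch_cert(host: str, port: int, server_name: str):
    """TLS-connect with SNI and full chain/hostname verification; returns (trusted, cert_or_error)."""
    ctx = ssl.create_default_context()  # system CA store, so a Let's Encrypt chain validates
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return True, tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # 1. DNS override: the domain must resolve to the router, not to the backend.
    print("resolves to:", socket.gethostbyname(DOMAIN), "(expected", PROXY_HOST + ")")
    # 2. Through the proxy the chain must verify and the SAN list must cover the domain.
    ok, result = fetch_cert(PROXY_HOST, 443, DOMAIN)
    print("via proxy:", cert_summary(result, datetime.now(timezone.utc)) if ok else result)
    # 3. Straight to the backend the self-signed cert must still be rejected.
    ok, result = fetch_cert(BACKEND_HOST, 443, DOMAIN)
    print("direct to backend:", "trusted" if ok else "not trusted, as expected")
```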