PfSense: reverse proxy all the things. Part 5: Configure HA-Proxy for SSL-Offloading


In this part we configure HA-Proxy for SSL-Offloading.
Other Parts in this series:
– PfSense: reverse proxy all the things. Part 1: OpenVPN on tcp port 443
– PfSense: reverse proxy all the things. Part 2: Install HA-Proxy and configure frontend and backend for OpenVPN
– PfSense: reverse proxy all the things. Part 3: Configure HA-Proxy for SSL traffic
PfSense: reverse proxy all the things. Part 4: Install AMCE for automatic SSL certificates

Part 5: Configure HA-Proxy for SSL-Offloading

Configure backend for SSL-Offloading

we need (another) backend on the localhost to route the SSL-Offloading from the HA-Proxy frontend.
the name for my backend is '4-PublicOffloading'. Configured to send Offloading request to '127.0.0.1:444' That's where the frontend will be running for it.

Configure frontend for SSL-Offloading

We're now almost completed the setup just 1 more frontend and a couple backends to route the offloaded request to their servers.
Name: Reverse_HTTPS_Proxy_SSL_Offloading
External Address: localhost(IPv4) Port: 444

In my example below I route traffic to test1.example.com(http traffic- unencrypted) and test2.exmple.com(https traffic - self signed cert on backend server)

Scroll down to SSL-Offloading in the frontend and configure the certs properly ( you select the cert created in the previous part)

example backend for test1.example.com (http)

example backend for test2.example.com (https)

since this is https traffic that is offloaded Encrypt(SSL) needs to be checked.

Traffic flow

we need to make some small modifications to our frontends to let the traffic flow.

In the 'WAN_Reverse_HTTPS_Proxy' (WAN port 443) frontend we start splitting the traffic between vpn and ssl traffic.
In the 'Default backend, access control lists and actions' section of the frontend we need to add a rule:

This make sure that if traffic is SSL it's routed to the SSL backend ( configured in part3)
if the traffic is not SSL it will be routed to the OpenVpn entry.

Next.. In the 'Reverse_HTTPS_Proxy_SSL' (localhost Port8444) we need to change the default backend to '4-PublicOffloading'

That completes the flow.
So to continue from the previous frontend when the traffic arrives here it will check if it can match the SNI TLS extension and will route that to the specified backend.
If it can't find a match it will route the traffic to the SSL-Offloading frontend.
In the SSL-Offloading frontend it will check if it can match the request with the specified hostname (test1,test2) and route that to the specified backend. if it cannot match the traffic the normal error will be displayed.