OPNsense Forum

English Forums => Virtual private networks => Topic started by: brononius on October 18, 2021, 10:08:43 AM

Title: SSL certificate setup for different servers
Post by: brononius on October 18, 2021, 10:08:43 AM
Hello,

I'm looking for the best way to have https enabled on all my internal servers. After years of delaying this, guess I should finally attack the issue.
Today, I'm having:

When I'm now going to http://lan.mydomain.org:16668, I'm arriving nicely at http://10.10.10.11:80.

Is it possible to put a kind of subdomain certificate (?) on OPNsense? Or what's the best way to do this? Is there somewhere a nice how-to for OPNsense for this kind of setup?


Title: SSL certificate setup for different servers
Post by: Greelan on October 18, 2021, 10:19:37 AM
What you really want is a reverse proxy - one web application (like nginx) that accepts all inbound connections and proxies them to the appropriate backend servers.

You can do this on OPNsense through the os-nginx plugin (along with os-acme-client for SSL certs) but personally I keep stuff like that off my firewall and run it in a dedicated Linux container. If you want to do it on OPNsense there are tutorials on this forum.
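As an added illustration of the setup Greelan describes (not part of this thread, and not the os-nginx plugin's own generated config), here is a minimal nginx reverse-proxy configuration that terminates TLS for each internal hostname and forwards plain HTTP to the backend. The lan.mydomain.org -> 10.10.10.11:80 mapping is taken from the question; the second hostname, the backend address and the certificate paths are placeholders to be replaced with whatever the ACME client actually writes out.

```nginx
# Added example, not from the forum thread or the os-nginx plugin.
# One TLS certificate per hostname (or one wildcard/SAN cert for *.mydomain.org);
# nginx picks the right server block from the SNI name the client sends.

# Send any plain-HTTP request to HTTPS so clients never talk cleartext to the proxy.
server {
    listen 80;
    server_name lan.mydomain.org app2.mydomain.org;   # app2 is a placeholder
    return 301 https://$host$request_uri;
}

# Default block: refuse TLS handshakes for hostnames we do not serve, so an
# internal app is never exposed to a request for an unknown or IP-only name.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;            # requires nginx 1.19.4 or newer
}

server {
    listen 443 ssl;
    server_name lan.mydomain.org;

    # Paths are placeholders; use the files issued by os-acme-client / certbot.
    ssl_certificate     /etc/ssl/acme/lan.mydomain.org/fullchain.pem;
    ssl_certificate_key /etc/ssl/acme/lan.mydomain.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.10.10.11:80;          # backend from the question
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name app2.mydomain.org;                  # placeholder hostname

    ssl_certificate     /etc/ssl/acme/app2.mydomain.org/fullchain.pem;
    ssl_certificate_key /etc/ssl/acme/app2.mydomain.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.10.10.12:80;          # placeholder backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Each hostname needs its own DNS record pointing at the proxy, and the backends only ever need to accept connections from the proxy's address.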
Title: Re: SSL certificate setup for different servers
Post by: brononius on October 18, 2021, 10:28:38 AM
Thanks for your quick feedback!

Quote from: Greelan on October 18, 2021, 10:19:37 AM
What you really want is a reverse proxy - one web application (like nginx) that accepts all inbound connections and proxies them to the appropriate backend servers.
Any good examples of how to do this? I'm especially wondering how the certificates must be ordered, loaded, etc.


Quote from: Greelan on October 18, 2021, 10:19:37 AM
You can do this on OPNsense through the os-nginx plugin (along with os-acme-client for SSL certs) but personally I keep stuff like that off my firewall

Any pros / cons to keeping this off the firewall?
Title: Re: SSL certificate setup for different servers
Post by: Greelan on October 18, 2021, 10:34:55 AM
I just have a philosophy of avoiding running extraneous stuff on my firewall. I figure I will leave the firewall to do what it does best, and not have other stuff, particularly stuff that is open to the internet, on it.

The advantage of doing it on OPNsense is that the plugins allow you to do stuff through the GUI, and make it easier to configure if this is new territory.

By coincidence, this was posted recently about using a Docker image to set this up on a separate server: https://homenetworkguy.com/how-to/deploy-nginx-proxy-manager-in-dmz-with-opnsense/. Could be helpful to you (can't vouch for it myself).