OPNsense Forum

English Forums => General Discussion => Topic started by: talmage on March 22, 2025, 09:08:17 PM

Title: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: talmage on March 22, 2025, 09:08:17 PM
I want to configure OPNsense to update my Let's Encrypt certificate and to serve as a reverse proxy for the web server inside my firewall.  What's the recommended way for the web server to use the same Let's Encrypt certificate when computers inside the firewall talk to it?

I can think of a few answers to my question:


The network inside the firewall (2.5GBE) is faster than the NIC in the firewall (1GBE), so #1 isn't my preferred solution.

Open to suggestions and pointers to tutorials.
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: Patrick M. Hausen on March 23, 2025, 04:29:46 AM
1. is perfectly fine and your internal computers using the WAN IP address to connect will not limit the speed to 1G. The traffic does not pass through the physical port.

Look at the Caddy plugin for the easiest way to get this set up.
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: talmage on March 24, 2025, 10:32:34 PM
Is this true if the internal computers don't use the WAN IP address to connect?  If they use the LAN address of the reverse proxy?  The firewall's LAN NIC is also 1G.
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: Patrick M. Hausen on March 24, 2025, 10:55:40 PM
If the LAN NIC is also 1G you are of course limited to that. You wrote the internal network was 2.5G. That includes the firewall LAN in my book.
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: EricPerl on March 25, 2025, 12:00:30 AM
Quote from: talmage on March 22, 2025, 09:08:17 PM
I want to configure OPNsense to update my Let's Encrypt certificate and to serve as a reverse proxy for the web server inside my firewall.
If the reverse proxy is hosted on OPN, the traffic even goes over the LAN NIC TWICE for non-cached content.
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: Patrick M. Hausen on March 25, 2025, 12:06:05 AM
Quote from: EricPerl on March 25, 2025, 12:00:30 AM
If the reverse proxy is hosted on OPN, the traffic even goes over the LAN NIC TWICE for non-cached content.

But it's all full duplex nowadays, so does not really matter.
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: talmage on March 26, 2025, 01:33:36 PM
Thank you for the helpful guidance.  I know what to do now.  I'm going to set up Caddy as the reverse proxy and make it manage my Let's Encrypt certificate.  I'll figure out a way for the web server to automatically fetch the certificate from the firewall so the internal clients don't have to communicate with it through Caddy.
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: Monviech (Cedrik) on March 26, 2025, 02:08:50 PM
You can use the nifty ACME Challenge Redirection

https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge

If you add a cert bot to your webserver as well, caddy will reverse proxy the challenge for you, no need to copy certificates around.
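To show what the redirection described above looks like in plain Caddy terms, here is an added Caddyfile (not the OPNsense plugin's generated configuration and not the example from the linked docs). It assumes the public name example.com resolves to OPNsense's WAN address and that the internal web server is 192.168.1.10, running its own ACME client with a webroot on port 80 and serving TLS on 443.

```caddyfile
# Added example, not from the OPNsense docs or the Caddy plugin.
# Assumed: example.com is the public name, 192.168.1.10 is the internal web server.

http://example.com {
    # Only the HTTP-01 challenge path is forwarded to the internal server,
    # so the ACME client running there can answer the CA's validation request
    # and obtain its own copy of the certificate. Nothing else on port 80 is proxied.
    handle /.well-known/acme-challenge/* {
        reverse_proxy 192.168.1.10:80
    }

    # Every other plain-HTTP request is sent to HTTPS.
    handle {
        redir https://{host}{uri} permanent
    }
}

example.com {
    # Caddy terminates TLS for external clients with its own Let's Encrypt cert
    # and re-encrypts to the internal server, which now holds a cert for the same name.
    reverse_proxy https://192.168.1.10
}
```

With this in place, internal clients can reach 192.168.1.10 directly over HTTPS using the certificate the internal server obtained itself, while external clients still go through Caddy; the only thing that needs to be true on both sides is that the challenge path on the public name ends up at the internal ACME client.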
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: Patrick M. Hausen on March 26, 2025, 02:15:25 PM
Quote from: Monviech (Cedrik) on March 26, 2025, 02:08:50 PM
You can use the nifty ACME Challenge Redirection

https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge

TIL :-)
Title: Re: HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs
Post by: Monviech (Cedrik) on March 26, 2025, 02:44:07 PM
@Patrick

I added that at the very beginning already for my Exchange Server use cases I still had back then. This way the Exchange Server could get a certificate easily while still being reverse proxied (since it must use TLS at all times).