Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
What's the optimal way to achieve HTTPS for internal services?
« previous
next »
Print
Pages: [
1
]
Author
Topic: What's the optimal way to achieve HTTPS for internal services? (Read 2064 times)
halpdesk
Newbie
Posts: 3
Karma: 1
What's the optimal way to achieve HTTPS for internal services?
«
on:
October 14, 2022, 10:18:40 pm »
I have an Nginx reverse proxy configured to provide access to several services that I need outside my lan and use IP:port references for internal services (accessed through Wireguard if I'm away from my network).
Is there any easy way to assign domain names with valid HTTPS certs for the services that I'd like to remain internal only?
I'm new to OPNsense and Unbound, so I'm a little lost as to where to even start.
Most of my services are installed via Docker on two different servers, so it would be preferable to be able to point OPNsense/Unbound to an Nginx/Caddy reverse proxy installed on one of the two servers (depending on which subdomain is being requested) to prevent the need of having to expose ports on my network.
Open to any other thoughts, though!
Logged
Greelan
Hero Member
Posts: 1028
Karma: 72
Re: What's the optimal way to achieve HTTPS for internal services?
«
Reply #1 on:
October 15, 2022, 05:54:51 am »
My approach: I have a domain mydomain.com. I use a subdomain local.mydomain.com for local use only. I use acme.sh in a LXD container (alongside nginx) on my server to generate Let's Encrypt wildcard certs for *.local.mydomain.com, using DNS challenge. Then my nginx conf has server blocks for each internal service - server1.local.mydomain.com, server2.local.mydomain.com. My local DNS server has local IPv4 and IPv6 records for each.
End result is valid https certs on all local subdomains without any need for ports to be opened externally.
Logged
adn77
Newbie
Posts: 23
Karma: 2
Re: What's the optimal way to achieve HTTPS for internal services?
«
Reply #2 on:
October 16, 2022, 10:27:55 am »
If for some reason you can't use dns-01 with LetsEncrypt, you can still make Opnsense procure the certificates (ACME plugin). The certs can then be copied to your internal services using auto-deploment rules in the plugin.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
What's the optimal way to achieve HTTPS for internal services?