HTTPS inside the firewall/reverse proxy that manages Let's Encrypt certs

Started by talmage, March 22, 2025, 09:08:17 PM

I want to configure OPNsense to update my Let's Encrypt certificate and to serve as a reverse proxy for the web server inside my firewall.  What's the recommended way for the web server to use the same Let's Encrypt certificate when computers inside the firewall talk to it?

I can think of a few answers to my question:

  • make the computers inside the firewall use the same reverse proxy as those outside of it.
  • periodically curl/wget/scp the certificate from the firewall to the web server

The network inside the firewall (2.5GBE) is faster than the NIC in the firewall (1GBE), so #1 isn't my preferred solution.

Open to suggestions and pointers to tutorials.

1. is perfectly fine and your internal computers using the WAN IP address to connect will not limit the speed to 1G. The traffic does not pass through the physical port.

Look at the Caddy plugin for the easiest way to get this set up.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Is this true if the internal computers don't use the WAN IP address to connect?  If they use the LAN address of the reverse proxy?  The firewall's LAN NIC is also 1G.

If the LAN NIC is also 1G you are of course limited to that. You wrote the internal network was 2.5G. That includes the firewall LAN in my book.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: talmage on March 22, 2025, 09:08:17 PM
    I want to configure OPNsense to update my Let's Encrypt certificate and to serve as a reverse proxy for the web server inside my firewall.

If the reverse proxy is hosted on OPN, the traffic even goes over the LAN NIC TWICE for non-cached content.

Quote from: EricPerl on March 25, 2025, 12:00:30 AM
    If the reverse proxy is hosted on OPN, the traffic even goes over the LAN NIC TWICE for non-cached content.

But it's all full duplex nowadays, so does not really matter.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you for the helpful guidance.  I know what to do now.  I'm going to set up Caddy as the reverse proxy and make it manage my Let's Encrypt certificate.  I'll figure out a way for the web server to automatically fetch the certificate from the firewall so the internal clients don't have to communicate with it through Caddy.

You can use the nifty ACME Challenge Redirection

https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge

If you add certbot to your web server as well, Caddy will reverse proxy the challenge for you, no need to copy certificates around.
Hardware:
DEC740
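For readers who want to see what the redirection above amounts to, here is a hand-written Caddyfile that does the same thing. This is an added example, not code from the thread, from the OPNsense how-to or from the Caddy plugin (which generates its own configuration from the GUI). It assumes a public name of example.com, a backend web server at 192.168.1.10 that serves plain HTTP on port 80 and HTTPS on port 443, and certbot on that backend using a webroot under the port-80 site; all of those names and addresses are assumptions.

```caddyfile
# Added example, not the plugin's generated config. Assumed names: example.com
# (public name), 192.168.1.10 (internal web server running certbot).

# Plain-HTTP site. Declaring http://example.com turns off Caddy's automatic
# HTTP->HTTPS redirect for this host, so only the ACME HTTP-01 path is proxied
# to the backend and everything else is redirected to HTTPS by hand.
http://example.com {
	# Forward the CA's validation request to the backend so its own certbot
	# can answer it. Caddy still answers its *own* pending challenges first
	# and only passes through requests it has no active challenge for.
	handle /.well-known/acme-challenge/* {
		reverse_proxy 192.168.1.10:80
	}
	handle {
		redir https://{host}{uri} permanent
	}
}

# HTTPS site. Caddy obtains and renews its own Let's Encrypt certificate for
# example.com and proxies to the backend over TLS. The backend presents the
# certificate certbot obtained, so the same name verifies whether a client
# arrives through Caddy or directly on the LAN.
example.com {
	reverse_proxy 192.168.1.10:443 {
		transport http {
			tls
			# Connect by IP but verify against the backend's real name.
			tls_server_name example.com
		}
	}
}
```

On the backend, certbot is then run in webroot mode against the directory the port-80 site serves, exactly as if the server were exposed directly; the only difference is that port 80 is reachable from the CA via Caddy. For internal clients to take the short path, give example.com an internal DNS answer pointing at 192.168.1.10 (for instance an Unbound host override on OPNsense); since both Caddy and the backend hold valid certificates for the same name, no copying is needed and neither renewal depends on the other.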


@Patrick

I added that at the very beginning already for my Exchange Server use cases I still had back then. This way the Exchange Server could get a certificate easily while still being reverse proxied (since it must use TLS at all times).
Hardware:
DEC740