Internal websites with HAproxy

[motionthings]

I have set up HAproxy for my external services with a wildcard cert, and this works great.

But, I would like https on my internal services as well, and my AP's/routers, switches, iot-devices, etc..
Is this possible with HAproxy, or do I need to setup an internal proxy to do that?

I tested by making a dns record for one of my switches, then setting up everything as normal in HAproxy, but not add it to the 'Public services' listening on port 443.
This did of course not work, since that is the one listening on port 443.

Can I clone the 'Public services' "rule" and have it listen on my lan network too?
Or is there a better, more correct way?

[meyergru]

I just did this a minute ago for wpad. I reconfigured my OpnSense to listen on 444 instead of 443 and not on 80 at all, but I wanted to have http://wpad/wpad.dat working.

You can give the 1_HTTPS_Frontend multiple certificates, for example one from Let's Encrypt and one from your own CA. They will all be presented.

Then, you can have the map file point at internal backends. I configured WPAD_backend to wpad:444.

From the LAN, wpad resolves to my OpnSense. Port 80 is HAProxy, redirecting at 443. Port 443 is 1_HTTPS_Frontend mapping wpad to WPAD_backend, which in turn contacts wpad on port 444 via SSL.

Since a correct certiticate is presented that contains wpad and is issued by my own CA, everything is fine.

[motionthings]

Thanks for your reply.

I ended up putting everything on the 'public service' and put authentik on it.
Good enough for me

Since I'm using Cloudflare DNS you cant really find any of the domains using my wildcard cert anyways.

Have a good one