SSL certificate setup for different servers

Started by brononius, October 18, 2021, 10:08:43 AM

Hello,

I'm looking for the best way to have https enabled on all my internal servers. After years of delaying this, guess I should finally attack the issue.
Today I have:

  • Internet: dynamic public IP
    (e.g. 195.195.195.10)
  • Domain: own domain, hosted by a web hosting provider, with an A-forwarder forwarded to mooo.com.
    And mooo.com is getting the public IP from OPNsense.
    (e.g. LAN.mydomain.org > mydomain.mooo.com > 195.195.195.10)
  • Server A (10.10.10.10), port NATed on OPNsense: WAN:16666 > 10.10.10.10:443
  • Server B (10.10.10.11), port NATed on OPNsense: WAN:16667 > 10.10.10.11:443
  • Server B (10.10.10.11), port NATed on OPNsense: WAN:16668 > 10.10.10.11:80
  • ...
When I'm now going to http://lan.mydomain.org:16668, I arrive nicely at http://10.10.10.11:80.

Is it possible to put a kind of subdomain certificate (?) on OPNsense? Or what's the best way to do this? Is there somewhere a nice how-to for OPNsense for these kinds of setups?

What you really want is a reverse proxy - one web application (like nginx) that accepts all inbound connections and proxies them to the appropriate backend servers.

You can do this on OPNsense through the os-nginx plugin (along with os-acme-client for SSL certs) but personally I keep stuff like that off my firewall and run it in a dedicated Linux container. If you want to do it on OPNsense there are tutorials on this forum.
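As an added illustration of the reverse-proxy layout described in that reply (example configuration, not code from the thread, the os-nginx plugin or the linked guide): one nginx instance terminates TLS for every internal service and routes by hostname, so the firewall only needs to forward WAN 80/443 to the proxy host instead of one WAN port per backend. The hostnames servera/serverb.mydomain.org and the certificate and webroot paths are assumptions; the backend addresses are the ones from the original post.

```nginx
# Drop this into a file included from the http {} context (e.g. conf.d/).
# Shared TLS settings: one ACME-issued certificate covering both names (placeholder paths).
ssl_certificate     /etc/letsencrypt/live/mydomain.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.org/privkey.pem;
ssl_protocols       TLSv1.2 TLSv1.3;

# Plain HTTP: only answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name servera.mydomain.org serverb.mydomain.org;
    location /.well-known/acme-challenge/ { root /var/www/acme; }  # placeholder webroot
    location / { return 301 https://$host$request_uri; }
}

# Server A: the backend already speaks HTTPS on 10.10.10.10:443.
server {
    listen 443 ssl;
    server_name servera.mydomain.org;
    location / {
        proxy_pass https://10.10.10.10:443;
        proxy_ssl_server_name on;   # send SNI to the backend
        # nginx does not verify the backend certificate by default; turn on
        # proxy_ssl_verify with proxy_ssl_trusted_certificate once the backend
        # presents a certificate you trust.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Server B: the backend only speaks plain HTTP on 10.10.10.11:80 (LAN-only hop).
server {
    listen 443 ssl;
    server_name serverb.mydomain.org;
    location / {
        proxy_pass http://10.10.10.11:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Catch-all: close the connection for names you do not serve, so an unknown
# Host header or a bare IP never lands on the first vhost by accident.
server {
    listen 443 ssl default_server;
    server_name _;
    return 444;
}
```

With this in place the per-server NAT rules (WAN:16666, 16667, 16668) become unnecessary; only the proxy host's 80 and 443 are exposed, and each backend is reachable by its own name.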

Thanks for your quick feedback!

Quote from: Greelan on October 18, 2021, 10:19:37 AM
What you really want is a reverse proxy - one web application (like nginx) that accepts all inbound connections and proxies them to the appropriate backend servers.

Any good examples of how to do this? I'm especially wondering how the certificates must be ordered, loaded...

Quote from: Greelan on October 18, 2021, 10:19:37 AM
You can do this on OPNsense through the os-nginx plugin (along with os-acme-client for SSL certs) but personally I keep stuff like that off my firewall

Any pros / cons to keeping this off the firewall?

I just have a philosophy of avoiding running extraneous stuff on my firewall. I figure I will leave the firewall to do what it does best, and not have other stuff - particularly stuff that is open to the internet - on it.

The advantage of doing it on OPNsense is that the plugins allow you to do stuff through the GUI, and make it easier to configure if this is new territory.

By coincidence, this was posted recently about using a docker image to set this up on a separate server: https://homenetworkguy.com/how-to/deploy-nginx-proxy-manager-in-dmz-with-opnsense/. Could be helpful to you (can't vouch for it myself).