Transparent TLS termination with filter rules
gs1 (Newbie, Posts: 1, Karma: 0)
Posted on: February 07, 2024, 03:22:50 pm
In our setup, we do TLS termination on OpnSense. Some of our services use a self-signed certificate and OpnSense has access to a valid wildcard certificate. It looks like this:
┌────────┐                ┌────────────┐              ┌───────────┐
│        ├───────────────►│            ├─────────────►│           │
│ Laptop │ encrypted with │  OpnSense  │  encrypted   │ myservice │
│        │ wildcard cert  │            │  with self-  │           │
└────────┘                └────────────┘  signed cert └───────────┘
We currently do this by having a NAT rule on the OpnSense which redirects to localhost:1234. An HAProxy instance is listening on this port and forwards requests to the backend.
----
Unfortunately, this means the filter rules are not used, since the NAT rule automatically allows the traffic. There are of course some alternatives, but they all come with substantial downsides:
* do the filtering in the NAT rules => filtering is now located in multiple views
* use an associated filter rule => each service would need its own NAT rule
* point the DNS entry to the OpnSense instance => we want to use the domain names for non-HTTPS traffic too
The simplest way seems to be to do NAT after filtering, but that does not seem to be supported. Is there a better way?
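The redirect-to-HAProxy setup the post describes, as an added example configuration (not the poster's own config): the listener on localhost:1234 terminates TLS with the wildcard certificate and re-encrypts to the backend, pinning the service's self-signed certificate instead of skipping verification. Certificate paths, hostnames, the backend address and the section names are assumptions.

```haproxy
# Added example, not the poster's config. Paths, hostnames and the
# backend address are assumptions; adjust them to your environment.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Listener the OPNsense NAT rule redirects to (localhost:1234 in the post).
# TLS is terminated here with the wildcard certificate (assumed path).
frontend fe_terminate
    bind 127.0.0.1:1234 ssl crt /usr/local/etc/ssl/wildcard.example.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Route on the Host header so several services can share this one
    # listener and one NAT rule; anything unknown is refused.
    acl host_myservice req.hdr(host),field(1,:) -i myservice.example.com
    use_backend be_myservice if host_myservice
    default_backend be_reject

# Re-encrypt towards the service. The service's self-signed certificate is
# used as the trust anchor (ca-file), so a substituted backend is rejected;
# this is stricter than "verify none".
backend be_myservice
    server myservice 192.0.2.10:443 ssl verify required ca-file /usr/local/etc/ssl/myservice-selfsigned.crt sni str(myservice.example.com)

backend be_reject
    http-request deny deny_status 403
```

Check the file with `haproxy -c -f <file>` before reloading; if the self-signed certificate's subject does not match the service name, add `verifyhost` with the name actually in the certificate.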