pfSense + Let’s Encrypt SSL + HAProxy + Hosted DNS

Building an SSL Labs A+ rated home server


For a while now I’ve been running web servers at home behind my pfSense firewall. Anyone who knows me knows my affinity for pfSense and the myriad of things it can handle. What continued to bug me, though, was the lack of SSL on all the sites I had. On top of that, I was manually forwarding random external ports to the various web servers behind my firewall, which made support painful for me and annoyed my users, who had to remember what port a particular site ran on.

I figured it was about time to rectify those issues and began looking into setting up a reverse proxy with SSL support. I found a few different methods which seemed to offer the functionality I was looking for, but ultimately things failed and I had to keep searching. In the end, I settled on Let’s Encrypt for handling the SSL certificates and HAProxy for the reverse proxy duties. Here’s how I built a pfSense SSL HAProxy home solution.

Some of the information here came from the HAProxy package wiki at https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki, which I used as a basic reference, teasing apart only the pieces I needed.


  1. Install the Let’s Encrypt pfSense package
  2. Configure the Let’s Encrypt package to talk to your DNS provider’s API (GoDaddy, in my case)
  3. Acquire a certificate that covers all of the sub-domains you’ll be using
  4. Install the HAProxy pfSense package
  5. Configure the HAProxy package to handle reverse proxy duties as well as HTTP to HTTPS redirection


Right, so let’s begin.

Go ahead and install the Let’s Encrypt pfSense package, called Acme Certificates, from System -> Package Manager -> Available Packages, then head over to Services -> Acme Certificates.

From there you’ll need to create a production account key. On the Account keys tab, click the Add button and select Let’s Encrypt Production from the drop down list.

Click the Create Account Key button and, once it has generated the key, click the Register Account Key button.

The next part will differ depending on where your DNS is hosted. My domain happens to be registered with GoDaddy, whose DNS API is one of the providers the Acme package supports for automated validation. The package supports a plethora of other DNS providers, and I imagine the steps are fairly similar for each. For GoDaddy, you’ll need to generate an API key so the Acme client on pfSense can create the DNS TXT records that Let’s Encrypt checks when it issues a certificate. Treat that key like a password: anything holding it can rewrite every record in your zone.

To do that, head over to https://developer.godaddy.com/keys/ and, in the Production section, click the +. Give the API token a useful name like Let’s Encrypt, then copy the API Key and Secret.

Once you have that, go back to the Acme section of pfSense, click the Certificates tab and then click the Add button.

Give it a useful name — something like productionLetsEncryptCert and a description if so desired. Set the status to Active and under the Acme Account choose the account key name you created earlier.

Then, under the Domain Name section, fill out the FQDN you’d like a certificate created for. In the Method section, choose DNS-Godaddy from the drop down list.

You’ll now need to enter the API Key and the Secret that you saved earlier.

Repeat this process, adding a Domain Name entry for every other hostname you want included; they all end up as Subject Alternative Names on a single certificate. I, for example, added 5 or 6 for the various subdomains that will point to different systems later with HAProxy. Once issued, the certificate lands in System -> Cert Manager, which is where HAProxy will pick it up.
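To see what the Acme client is actually doing with that API key on every renewal, here is an added Python example (mine, not code from the pfSense package or from acme.sh) that computes the `_acme-challenge` TXT records for a DNS-01 order covering several hostnames. The account key is the RSA public JWK published in RFC 7638 section 3.1, standing in for a real account key; the challenge tokens are constructed, where a real client receives them from Let’s Encrypt.

```python
import base64
import hashlib
import json
import re

# Members of an RSA public JWK that RFC 7638 hashes; everything else (alg, kid) is ignored.
THUMBPRINT_MEMBERS = ("e", "kty", "n")
# ACME tokens (RFC 8555 section 8.1) are base64url text. Anything else must never be
# forwarded into a DNS provider's API call, so it is rejected up front.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, keys sorted, no whitespace."""
    canonical = {k: jwk[k] for k in THUMBPRINT_MEMBERS}
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1 key authorization: token '.' thumbprint of the account key."""
    if not TOKEN_RE.match(token):
        raise ValueError(f"refusing non-base64url token from server: {token!r}")
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple:
    """Record name and TXT value to publish for one identifier.

    A wildcard is validated at its base name, so the leading '*.' is dropped.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


def dns01_records_for_order(challenges: dict, jwk: dict) -> dict:
    """One certificate with several SANs means one challenge and one TXT record per SAN.

    Records are grouped by name: example.com and *.example.com share a record name,
    and both TXT values must exist in the zone at the same time for the order to pass.
    """
    records = {}
    for identifier, token in challenges.items():
        name, value = dns01_record(identifier, token, jwk)
        records.setdefault(name, []).append(value)
    return records


# Published test key from RFC 7638 section 3.1 (not a real Let's Encrypt account key).
RFC7638_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# Constructed tokens standing in for what the ACME server sends in each challenge.
SAMPLE_CHALLENGES = {
    "app.example.com": "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
    "*.example.com": "p1hjPtmEyMdeRl9ymEiSR4r8lX1kmI8-mHc8cTZcNTk",
    "example.com": "Ae1SCBYRGWNmf1VW_Pp8GTUVb3pMOvJxNufm8kUR_FI",
}

if __name__ == "__main__":
    for name, values in dns01_records_for_order(SAMPLE_CHALLENGES, RFC7638_JWK).items():
        for value in values:
            print(f'{name}. IN TXT "{value}"')
```

Two things this makes visible that the GUI hides: the TXT value is derived from your account key, so a leaked account key lets someone else satisfy your challenges, and a certificate with 5 or 6 SANs needs 5 or 6 records written (and later cleaned up) through the provider API on every renewal, which is exactly why the API key is needed.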


Now for the HAProxy side. The package is installed from System -> Package Manager just like the Acme one, and the work goes in this order:

  1. Add a firewall rule permitting the port you are about to move the web GUI to, so you do not lock yourself out of pfSense in the next step.
  2. Move the web GUI off port 443 to another port, such as 4433 (System -> Advanced -> Admin Access). HAProxy has to own port 443 on the firewall itself.
  3. Add a WAN firewall rule allowing TCP port 443 (and port 80, which the redirect front end below listens on) to the firewall’s own address.
  4. Create a dummy back end for the SSL redirect. The package requires every front end to have a default back end, even one whose only job is to redirect, and this one never actually receives traffic.
  5. Create the SSL redirect front end, listening on port 80, with an action that redirects every request to https.
  6. Create the shared SSL front end, listening on port 443 with SSL offloading enabled and the Let’s Encrypt certificate from the Cert Manager selected.
  7. Create a back end for each internal web server, pointing at its LAN address and port.
  8. Under the shared SSL front end, add one entry per host name, matching on the Host header and sending it to the corresponding back end. This is what lets every site share port 443.
  9. HSTS / cookie protection: set the HSTS max-age to 15552000 seconds (180 days), the minimum SSL Labs requires for an A+.
  10. Set the “secure” flag on cookies so browsers only ever send them over HTTPS.
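Once HAProxy is configured, the quickest way to confirm the three things the list above asks for (the redirect, the HSTS max-age, and the Secure flag on cookies) is to look at real responses. The following Python is an added example, mine rather than code from the original post or from the pfSense HAProxy package; the sample replies are constructed to mimic a site before and after the changes, and in practice the audit functions would be fed the raw reply captured from a socket or from `curl -i`.

```python
import re

# 180 days: the HSTS max-age floor SSL Labs requires before it will grade a site A+.
HSTS_MIN_MAX_AGE = 15552000


def parse_response(raw: str) -> tuple:
    """Split a raw HTTP/1.1 response head into (status_code, [(lowercased_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_http_redirect(raw: str) -> list:
    """Findings for the reply a plain-HTTP request gets from the redirect front end."""
    status, headers = parse_response(raw)
    location = next((v for n, v in headers if n == "location"), "")
    findings = []
    if status not in (301, 308):
        findings.append(f"http: expected a permanent redirect, got {status}")
    elif not location.lower().startswith("https://"):
        findings.append(f"http: redirect target is not https: {location!r}")
    return findings


def audit_https_response(raw: str) -> list:
    """Findings for a reply from the shared SSL front end: HSTS age and cookie Secure flag."""
    status, headers = parse_response(raw)
    findings = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        match = re.search(r"max-age\s*=\s*\"?(\d+)", hsts[0], re.IGNORECASE)
        max_age = int(match.group(1)) if match else 0
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"https: HSTS max-age {max_age} is below {HSTS_MIN_MAX_AGE}")
    # Every Set-Cookie header is checked; the backend may emit several per response.
    for value in (v for n, v in headers if n == "set-cookie"):
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"https: cookie {cookie_name!r} is sent without the Secure flag")
    return findings


# Constructed sample replies: the same site before and after the HAProxy changes.
HTTP_BEFORE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
HTTP_AFTER = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://app.example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n\r\n"
)
HTTPS_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=15552000\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n\r\n"
)

if __name__ == "__main__":
    for label, findings in (
        ("http before", audit_http_redirect(HTTP_BEFORE)),
        ("http after", audit_http_redirect(HTTP_AFTER)),
        ("https before", audit_https_response(HTTPS_BEFORE)),
        ("https after", audit_https_response(HTTPS_AFTER)),
    ):
        print(label, "->", findings or ["ok"])
```

Run it against each hostname behind the shared front end rather than just one: the HSTS header and cookie flag are applied where you configure them, so a back end added later without the same settings quietly loses the A+ for that site.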