pfSense as DNS: private and public webservice

2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE

I want to provide both public and private (intranet) web service using pfSense for my firewall and DNS. Right now in pfSense under System / General Setup, my Domain is set to domainName.net, but I’ve purchased a public domain with NOIP with the same name but .com, already purchased a wildcard Cert, and the Manage DNS came with a free single Cert and it’s already pointing to my local server and keeping it updated using Dynamic DNS.

I want to import both Certs to secure all connections, both private and public, using the Certificate Manager, and by doing this use SSL on the HAProxy to direct all connections to the proper web server. So to make this setup work properly, the pfSense Domain name should be domainName.com, correct?

You ask about a FreeBSD system on the Rocky Linux forum, because?

Not asking for help with the FreeBSD system, just how to properly set up my domain infrastructure. Rocky is an addition to my current intranet (kohanyim.net) and will be used as my public web server. Was going to use Let’s Encrypt, but NOIP does not have an API for the ACME / Domain SAN list. So I want to use the Certs I purchased from them. On the Let’s Encrypt Forum, one suggested my intranet should be kohanyim.com. So this is why I’m here, and the diagram below is how my domain infrastructure looks.

[Diagram: Kohan Network]

Generally it doesn’t matter what the name of your firewall is or whatever domain it is using. The only important parts for this is how you are going to configure the access to get to your webserver. If you are just going to have traffic pass through the firewall directly to the web server, then you just put the certs for the domain you purchased on there, and configure the vhost for it appropriately.

If you are going to use haproxy on the firewall (assuming that pfsense does have that as an option), then the haproxy config will need to recognise the domain that you will be redirecting through it. So whether that then means the firewall has to have that domain configured, or just the haproxy part, you would need to check that.

If you want to use the certs on your firewall for https connections to it for management, then yes the domain would matter in the firewall configuration at this point.

1 Like

And if you are using HAproxy or similar then the cert needs to be for all the domains it will act as a proxy for (using SAN). You only need to add the firewall domain to the SAN list if you expect to serve pages under that domain.

1 Like
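The two replies above make one practical point: what matters is not the firewall's own domain but whether the certificate HAProxy presents covers every hostname it will front. Below is an added example (not from this thread, pfSense or HAProxy) that checks exactly that. The SAN entries and hostnames are constructed from the names used in the thread, and the wildcard rule follows RFC 6125: `*.kohanyim.com` covers one label only, so it matches `www.kohanyim.com` but neither the bare `kohanyim.com` nor anything under `.net`.

```python
"""Check whether a certificate's SAN list covers the hostnames HAProxy fronts.

Added example for the forum thread; not code from pfSense or HAProxy.
SAN_ENTRIES and FRONTED_HOSTNAMES are constructed sample data.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading wildcard covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # plain dNSName: exact match only
    suffix = pattern[1:]                    # "*.kohanyim.com" -> ".kohanyim.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]         # the part the "*" must stand for
    # Must be exactly one non-empty label: the bare domain and deeper
    # subdomains (a.b.kohanyim.com) are NOT covered by a single wildcard.
    return left != "" and "." not in left


def uncovered_hostnames(san_entries, hostnames):
    """Return the fronted hostnames that no SAN entry covers."""
    return [
        host for host in hostnames
        if not any(hostname_matches(san, host) for san in san_entries)
    ]


# Constructed sample: one wildcard cert for the public .com domain.
SAN_ENTRIES = ["*.kohanyim.com"]

# Constructed sample: hostnames HAProxy is expected to terminate TLS for.
# The firewall's own domain only belongs here if pages are served under it.
FRONTED_HOSTNAMES = [
    "www.kohanyim.com",
    "kohanyim.com",          # bare domain: needs its own SAN entry
    "wiki.kohanyim.net",     # intranet name: not covered by the .com wildcard
]


def main():
    missing = uncovered_hostnames(SAN_ENTRIES, FRONTED_HOSTNAMES)
    if missing:
        print("Add SAN entries for:", ", ".join(missing))
    else:
        print("Certificate covers every fronted hostname.")


if __name__ == "__main__":
    main()
```

To feed it a real certificate, list the SAN entries with `openssl x509 -in cert.pem -noout -ext subjectAltName` and pass the dNSName values as `san_entries`; any hostname reported as uncovered will fail browser validation at the proxy no matter what domain pfSense itself is configured with.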

Thanks for your replies, I appreciate it very much.

Yes, will be using HAProxy provided by pfSense for the secure connection to each of the Rocky web servers and use Let’s Encrypt just for pfSense’s webConfigurator.

And keep the current infrastructure as is.