Ssl – Pfsense and Dns Resolver – SSL/TLS for internal access

internal-dnsnextcloudpfsensessl

I have a Pfsense box that is able to issue/renew acme certificates, with haproxy installed, that has two backend servers that use the generated acme certificate that works fine.
(email and nextcloud servers)

From outside my local network, going to nextcloud.site.com or email.site.com works perfectly, it has the secure ssl certificate through haproxy and it correctly either takes you to the mail site or the nextcloud site

However, on my local network which is behind pfsense, I cannot seem to get dns resolver to give a proper ssl connection to either. This is a problem because when using the nextcloud app on my phone, it'll work fine outside the network but inside it complains that the ssl certificate is incorrect (because only http works inside the network)

I have dns resolver set to forward the same exact nextcloud address (nextcloud.site.com) to the internal ip address, which works but isn't using the ssl certificate. I have the same certificate selected under dns resolver > ssl/TLS certificate

Is this even possible with dns resolver or is there another solution??

Best Answer

So I'm assuming this:

pfSense runs HAProxy, externally your clients/peers/whatever connect to the pfSense's WAN IP.
The Nextcloud box is a host in your LAN or DMZ
pfSense's DNS available only LAN facing and redirects nextcloud.site.com to the Nextcloud box' LAN/DMZ IP.
pfSense's HAProxy serves TLS (HTTPS by HAProxy) and has the HSTS header set.
pfSense's HAProxy proxies nextcloud.site.com to the box in LAN/DMZ to serve external clients

In that case, you have these options:

Remove your DNS override and set up NAT hairpinning/reflection
Reconfigure your Nextcloud Host to serve its content via HTTPS
Remove the HSTS header from HAProxy

Related Solutions

Use HAproxy with SSL and X-Forwarded-For Headers – PHP SSL Configuration Guide

You dont need to drop it all, you could just use nginx in front of haproxy for SSL support, keeping all your load balancing config. You dont even need to use nginx for HTTP if you don't want to. Nginx can pass both X-Forwarded-For and a custom header indicating SSL is in use (and client cert information if you want). Nginx config snippet that sends required information:

proxy_set_header SCHEME $scheme;      # http/https
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header CLIENT_CERT $ssl_client_raw_cert;

Firewall – PFSense with client certificates, SSL cert hosting

PFSense is a modular firewall distribution based on Freebsd. It can be extended via either Apache, Mod_security, Squid, or Openvpn (and others).

I'd use:

Apache for HTTP serving and extensibility
Mod_security for web application protections
Squid for proxy functionality / reverse proxy / caching
Openvpn for VPN functionality

As you can access the x509 certificate functionality in above products, yes, it is possible. You can read over some of the x509 client TLS vpn information at

http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN

There is also a way to use Squid to do traffic interception, called SSLbump

http://wiki.squid-cache.org/Features/SslBump

I'd recommend using an offline CA for some of the PKI specific ideas, and evaluating the PFsense compatibility list with crypto offload devices (HSMs).

There are ethical considerations in traffic interception that are greater for external clients than are for internal employees. Employees can easily be addressed via a standard - we can read everything, intercept everything, etc type of EULA click through, such as the one that DoD uses, e.g. https://dod411.gds.disa.mil/

Because I am lazy and security paranoid, I'd prefer to do something a little different than what you mentioned: multiple tunnels & Out of Band Management

Multiple tunnels

client ---- Network device <<<<<< Tunnel 1, IPSEC >>>>>>> PFSense ---- IIS

client -------- Tunnel 2, IPSEC -------- IIS

Keep in mind that IPSEC is more complex than TLS, with better security, at a cost of usability. You can also use TLS and IPSEC vpn types together.

Out of Band management

Create another network specific to management, and isolate it from production (data) traffic. Enable incoming management only via the management interface. Disable all but production traffic on the production side. Make your rules rigid, via a gradual tightening process. Enforce least privilege on your IIS servers with the bare minimum (HTTP or HTTPS) talking on the production network side.

While this is more work than what you asked in the question

You can rest easier knowing your security is tighter
Your auditors are likely to love you :)

Best Answer

Related Solutions

Use HAproxy with SSL and X-Forwarded-For Headers – PHP SSL Configuration Guide

Firewall – PFSense with client certificates, SSL cert hosting

Related Topic