You don't need to drop it all, you could just use nginx in front of haproxy for SSL support, keeping all your load balancing config. You don't even need to use nginx for HTTP if you don't want to. Nginx can pass both X-Forwarded-For and a custom header indicating SSL is in use (and client cert information if you want). Nginx config snippet that sends required information:
    proxy_set_header SCHEME $scheme;                          # http/https as seen by nginx
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # appends $remote_addr to any incoming XFF
    proxy_set_header CLIENT_CERT $ssl_client_raw_cert;        # client certificate in PEM form
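Whatever sits behind nginx (haproxy and the app servers) still has to decide when to believe those headers, because a client can send its own `X-Forwarded-For` or `SCHEME` header and nginx only overwrites them on requests that actually pass through it. The following is an added example, not code from the answer above: a small Python helper showing the backend-side trust rule, with a constructed trusted-proxy list standing in for the nginx/haproxy hops. It walks `X-Forwarded-For` right to left, so the rightmost address not owned by one of our proxies is taken as the client, and it honours the `SCHEME` / `CLIENT_CERT` headers only when the TCP peer is one of those proxies.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed for this example: address ranges of the proxies we operate
# (the nginx and haproxy hops). Anything else is an untrusted peer.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted(addr: str) -> bool:
    """True if addr belongs to one of our proxy networks. Raises ValueError on garbage."""
    ip = ipaddress.ip_address(addr.strip())
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address to log / rate-limit on.

    Each trusted proxy appends the peer it saw to X-Forwarded-For, so reading
    right to left, the first address that is not one of our proxies is the
    client. Anything further left was supplied by the client and is ignored.
    """
    if not _is_trusted(remote_addr) or not xff:
        # Direct connection (proxy chain bypassed) or no header: the peer is the client.
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    last_trusted = remote_addr
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: stop walking, keep the last good proxy address
        last_trusted = hop
    return last_trusted


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def request_is_https(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Believe the proxy-set SCHEME header only when the peer is one of our proxies."""
    if not _is_trusted(remote_addr):
        return False  # a client talking to us directly can claim anything
    return (_header(headers, "SCHEME") or "").lower() == "https"


def forwarded_client_cert(remote_addr: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the proxy-supplied client certificate, or None if it cannot be trusted."""
    if not _is_trusted(remote_addr):
        return None
    cert = _header(headers, "CLIENT_CERT")
    return cert or None


if __name__ == "__main__":
    # Constructed requests: one through the proxy with a spoofed leftmost XFF entry,
    # one that reached the backend directly and claims to be HTTPS.
    via_proxy = ("10.0.0.5", {"X-Forwarded-For": "198.51.100.9, 203.0.113.7", "SCHEME": "https"})
    direct = ("203.0.113.7", {"X-Forwarded-For": "10.0.0.1", "SCHEME": "https"})
    for peer, hdrs in (via_proxy, direct):
        print(peer, "->", client_ip(peer, hdrs.get("X-Forwarded-For")), request_is_https(peer, hdrs))
```

The same rule applies to haproxy if it terminates nothing itself: it should forward these headers untouched only from the nginx tier, and every path into the app servers must go through the proxy, otherwise the `proxy_set_header` overwrite never happens.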
pfSense is a modular firewall distribution based on FreeBSD. It can be extended via Apache, ModSecurity, Squid, or OpenVPN (and others).
I'd use:
- Apache for HTTP serving and extensibility
- ModSecurity for web application protections
- Squid for proxy functionality / reverse proxy / caching
- OpenVPN for VPN functionality
As you can access the X.509 certificate functionality in the above products, yes, it is possible. You can read over some of the X.509 client TLS VPN information at
http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
There is also a way to use Squid to do traffic interception, called SslBump:
http://wiki.squid-cache.org/Features/SslBump
I'd recommend using an offline CA for some of the PKI-specific ideas, and evaluating the pfSense compatibility list with crypto offload devices (HSMs).
There are ethical considerations in traffic interception that are greater for external clients than for internal employees. Employees can easily be addressed via a standard "we can read everything, intercept everything, etc." type of EULA click-through, such as the one that DoD uses, e.g. https://dod411.gds.disa.mil/
Because I am lazy and security paranoid, I'd prefer to do something a little different than what you mentioned: multiple tunnels & out-of-band management.
Multiple tunnels
    client ---- Network device <<<<<< Tunnel 1, IPsec >>>>>>> pfSense ---- IIS
    client -------- Tunnel 2, IPsec -------- IIS
Keep in mind that IPsec is more complex than TLS, with better security, at a cost of usability. You can also use TLS and IPsec VPN types together.
Out-of-band management
Create another network specific to management, and isolate it from production (data) traffic. Enable incoming management only via the management interface. Disable all but production traffic on the production side. Make your rules rigid, via a gradual tightening process. Enforce least privilege on your IIS servers with the bare minimum (HTTP or HTTPS) talking on the production network side.
While this is more work than what you asked in the question:
- You can rest easier knowing your security is tighter
- Your auditors are likely to love you :)
Best Answer
So I'm assuming this:
In that case, you have these options: