Pstark Posted April 22, 2023

For the past few days I have been attempting to make it so that if I type, for example, "nextcloud.home.arpa" in the browser address bar, pfSense would resolve that domain to a local IP, 10.10.111.3:8666 in this case. I feel it's possible but I can't get it working. I just want to use domains because I can't remember all the IPs and port numbers. Domain override works but you can't enter port numbers.
apandey Posted April 22, 2023

I have haproxy running in pfSense which routes to specific containers wherever they are on the network. DNS names will only resolve to IPs; if you want port translation, you need a reverse proxy or similar routing mechanism in between.
MrGrey Posted April 22, 2023

Do you have your own domain (like you registered/paid $10/year for it), or are you trying to do it completely free? Do you have certificates for your domain?

3 hours ago, Pstark said:
    if I type in the browser address bar, for example "nextcloud.home.arpa"

In my experience (which isn't much) that will want a secure connection with a valid SSL/TLS (call it what you want) certificate. It MUST resolve to "httpS" in most browsers or you'll get a warning (even in your own house -- the nerve). I have this working (reverse proxy) in pfSense for both local and public and hidden addresses. My time is limited. I'm following this thread. MrGrey.
Pstark (Author) Posted April 22, 2023

5 minutes ago, MrGrey said:
    Do you have your own domain (like you registered/paid $10/year for it), or are you trying to do it completely free? Do you have certificates for your domain? In my experience (which isn't much) that will want a secure connection with a valid SSL/TLS (call it what you want) certificate. It MUST resolve to "httpS" in most browsers or you'll get a warning (even in your own house -- the nerve). I have this working (reverse proxy) in pfSense for both local and public and hidden addresses. My time is limited. I'm following this thread. MrGrey.

I'm trying to resolve nextcloud.home.arpa locally, to the docker container. I can access nextcloud from anywhere via my WAN domain. I want an internal domain.
apandey Posted April 22, 2023

9 hours ago, Pstark said:
    I'm trying to resolve nextcloud.home.arpa locally, to the docker container

You need your home DNS server to resolve that to an IP, and you need your clients (browsers) to use that DNS server. For me, this is the DNS resolver in pfSense, resolving to the haproxy frontend.

Further, you need something running at the default web ports on the resolved IP address to proxy that host name to the corresponding docker ip:port. For me this is haproxy running in pfSense. Without this layer, you can also directly resolve the name to the docker IP, but then you will have to use name:port in the browser.
Pstark (Author) Posted April 24, 2023

On 4/22/2023 at 5:42 AM, apandey said:
    For me this is haproxy running in pfsense.

Is there a guide to do this?
apandey Posted April 27, 2023 (edited)

On 4/25/2023 at 12:10 AM, Pstark said:
    Is there a guide to do this?

I don't know of a guide, I had prior experience with haproxy and looked up whatever I needed help for to set it up. Broadly, I think it means:

1. Change the pfSense web UI port, so that 80/443 are freed up for haproxy.
2. Install the haproxy addon in pfSense. Create a frontend to listen at 80 or 443 on a pfSense IP (let's assume the pfSense IP). Create a backend this frontend routes to. I would start with http to begin with until you understand how it works.
3. Have your local domain resolve to the haproxy frontend IP (let's assume my.home resolves to the pfSense IP).
4. On the haproxy backend, create ACLs to map each app-name.my.home sub domain to its respective ip and port wherever that app is running (the Docker ip and port in unraid).

That should resolve app-name.my.home if your clients use pfSense DNS.

In my case, I have a more evolved setup:
- I have a public domain x.com
- I have mapped home.x.com to the haproxy frontend IP
- I have the acme plugin in pfSense to issue a wildcard certificate for *.home.x.com from letsencrypt. This allows me to set up a proper https frontend for haproxy, and this is also why I use a public domain name
- I have a https frontend running at port 443 using the wildcard certificate. This is how I access my backend apps. All my backend apps are http, so ssl terminates at haproxy
- I also have a http frontend running at port 80 which simply redirects to https.

Please note my whole setup is intranet only. None of this is exposed to the internet. I use a VPN into my network if I need to access these remotely.

Edited April 27, 2023 by apandey
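The setup described in the steps and bullets above, written out as a plain haproxy.cfg (the pfSense HAProxy package generates an equivalent file from its GUI). This is an added example, not apandey's own configuration: the pfSense LAN IP 10.10.111.1, the domain home.example.com, the certificate path, and the second app at 10.10.111.4:3000 are assumed; 10.10.111.3:8666 is the Nextcloud address from the first post.

```haproxy
# Added example; assumed values are marked. DNS side (pfSense DNS Resolver, Unbound
# custom options) points the whole sub-domain at the haproxy frontend IP:
#   local-zone: "home.example.com." redirect
#   local-data: "home.example.com. A 10.10.111.1"
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 60s
    timeout server 60s

# Port 80 frontend only redirects to https (last bullet above)
frontend http_redirect
    bind 10.10.111.1:80
    http-request redirect scheme https code 301

# Port 443 frontend terminates TLS with the wildcard certificate (assumed path;
# the acme package writes the PEM bundle it obtained for *.home.example.com)
frontend https_in
    bind 10.10.111.1:443 ssl crt /var/etc/haproxy/wildcard.home.example.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # ACLs: one per app, matching the Host header to its sub-domain
    acl host_nextcloud req.hdr(host) -i nextcloud.home.example.com
    acl host_grafana   req.hdr(host) -i grafana.home.example.com
    # Reject unknown host names instead of falling through to a default backend
    http-request deny deny_status 403 unless host_nextcloud || host_grafana
    use_backend be_nextcloud if host_nextcloud
    use_backend be_grafana   if host_grafana

# Backends are plain http; TLS ends at haproxy
backend be_nextcloud
    server nextcloud 10.10.111.3:8666 check

backend be_grafana
    # assumed second app, to show that each sub-domain maps to its own ip:port
    server grafana 10.10.111.4:3000 check
```

Because the frontend binds only to the LAN address and the backends are reached by IP, the browser never needs a port in the URL, which is the port-translation step that a DNS host override alone cannot do.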
MrGrey Posted May 20, 2023

On 4/24/2023 at 9:10 AM, Pstark said:
    On 4/22/2023 at 8:42 AM, apandey said:
        For me this is haproxy running in pfsense.
    Is there a guide to do this?

On 4/21/2023 at 11:29 PM, Pstark said:
    I'm trying to resolve nextcloud.home.arpa locally, to the docker container.

It won't work (in my experience). If you want pfSense to route local it will, by default. If you want to "fool" it by not having any way to "publicly" verify a "public" certificate then, well, if you can do it, it's a security flaw. MrGrey.
apandey Posted May 20, 2023

11 hours ago, MrGrey said:
    If you want pfSense to route local it will, by default. If you want to "fool" it by not having any way to "publicly" verify a "public" certificate then, well, if you can do it, it's a security flaw.

home.arpa is not a public TLD, so you need to use a self-signed certificate. Since you are signing your own, you need to add the root signing cert to the trust store of the clients (which should all be under your own control inside the home network). The verification will work fine, and serves the trust chain as designed.

If you use a public domain, you can get a publicly trusted certificate from any of the issuers; this is what I do.

If the connection is unencrypted, none of this matters.