I finally took the time to set up a proxy so the site could appear “proper” from the WAN. HAProxy + OPNsense was the route I took since I already had an OPNsense instance running. Some things to note for anyone paying attention:
- The Let’s Encrypt plugin on OPNsense is a bit finicky. I recommend using the staging environment so your domains are not locked out for exceeding request limits during setup/testing. The only problem with this is that the plugin DOES NOT like to switch back to production. Mine would not update the certificate in production and wouldn’t give errors. I finally guessed at a solution that worked: re-register your LE account with LE set to production. I was then able to grab my cert.
- HTTPS proxy to an HTTP server (how I originally had the site set up) did not work. The site loaded but offsite items (like fonts and others linked in CSS) did not load. I created a quick self-signed cert, pointed the real server to 443 and everything fired up.
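As an added example (not the post's own OPNsense configuration, which is generated from the plugin GUI), here is a hand-written haproxy.cfg for the layout described above: Let's Encrypt certificate on the public side, the web server now listening on 443 with its self-signed cert on the private side. The domain, file paths and backend address are assumptions. It also sets X-Forwarded-Proto, which is the usual fix when a TLS-terminating proxy in front of a plain-HTTP server makes the application emit http:// asset URLs that the browser then refuses to load as mixed content.

```haproxy
# Added example, not the author's config. Domain, paths and the 10.0.10.20
# address are assumptions; OPNsense's HAProxy plugin emits equivalent directives.

global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public side: terminates TLS with the Let's Encrypt certificate.
# HAProxy wants a single PEM holding the full chain followed by the private key.
frontend public_https
    bind :443 ssl crt /usr/local/etc/ssl/haproxy/example.com.pem alpn h2,http/1.1
    # Tell the backend the client arrived over HTTPS so it builds https:// links;
    # without this a plain-HTTP backend tends to emit http:// asset URLs that
    # browsers block as mixed content (the fonts/CSS symptom).
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-For %[src]
    default_backend site_https

# Plain HTTP only redirects, so nothing is served in the clear.
frontend public_http
    bind :80
    http-request redirect scheme https code 301

# Private side: the real server on 443 with its self-signed certificate.
# "verify none" encrypts the hop but does not authenticate the backend; pinning the
# self-signed cert as the trusted CA makes HAProxy reject anything else.
# The pinned cert must list the SNI name (example.com here) in its SAN.
backend site_https
    # weak:   server web1 10.0.10.20:443 ssl verify none
    server web1 10.0.10.20:443 ssl verify required ca-file /usr/local/etc/ssl/site-selfsigned.pem sni str(example.com)
```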
Now I can have as many SSL sites hidden behind the firewall as I want. What’s next?