After installing my new pfSense firewall, I wanted to expose some of my servers to the internet. First, I had HTTP and HTTPS made available for this blog by using NAT. But that’s not very secure, so I found HAProxy, a module inside pfSense. It’s a reverse proxy, among other things.
I configured it to use ACME, another module inside pfSense, to acquire SSL certificates from Let’s Encrypt, handle all SSL traffic, and then send the requests to my internal servers. The internal servers no longer need to handle SSL traffic, so they talk to the HAProxy with unencrypted port 80 traffic, thus separating the outside WAN from my servers on the inside LAN. I found an excellent guide on how to set this up.