To leave my email server with SOGo untouched, I added a second web server (FreedomBox Pioneer) to my setup for other purposes. Therefore I configured HAProxy (reverse proxy) on my pfsense firewall. But now I need another way to reach the second server, because the first one already uses the https port 443. NAT can only use a port once, so I need to configure another https port for NAT. In Cockpit I have two zones, an internal zone with https and an external zone with https. It looks like the standard way to change the https port doesn't work on FreedomBox (a better expression would be: I don't understand how it works. I did try and messed up). Is it possible to change port 443 on the external zone and still have port 443 on the internal zone intact, so that I can reach the server on this port from my LAN?
And if yes, how can I change the external https port 443 to something like 4443?
It is not possible to easily change port 443 to 4443 on FreedomBox. However, this is not needed, see below.
If I understand correctly, you wish to set up two separate web servers on your network. Your desired setup is:
HAProxy (on pfsense router) forwards connections on port 443 to FreedomBox 1 with SOGo on port 443.
HAProxy (on pfsense router) forwards connections on port 4443 to FreedomBox 2 with other apps on port 4443?
In the above setup you don't have to change port 443 to 4443 on FreedomBox 2. You can simply ask HAProxy to forward from external port 4443 to FreedomBox 2 port 443. However, there is a problem with this arrangement:
Let's Encrypt TLS certificates will not be available for both FreedomBox machines simultaneously. FreedomBox 1 will successfully obtain the certificate as it is on the standard ports 80/443. FreedomBox 2 will not be able to obtain the certificate as it is running on a non-standard port. So, you will see invalid certificate warnings when you visit FreedomBox 2 using port 4443.
There are better ways however:
Forward all traffic from the pfsense router's port 443 to FreedomBox 1. HAProxy is not needed. FreedomBox 1 will obtain the certificate and will work as expected for all URLs such as /app1, /app2. For /app3 and /app4, you can forward the traffic to the FreedomBox 2 server using this guide. FreedomBox 2 will not be able to obtain a valid certificate, but this is okay because FreedomBox 1 is serving it and forwarding traffic.
Set up pfsense/HAProxy to obtain and manage LE certificates. Configure HAProxy to forward traffic to FreedomBox 1 for URLs /app1 and /app2, and to FreedomBox 2 for URLs /app3 and /app4. Neither FreedomBox will be able to obtain a valid LE certificate, but this is okay because HAProxy is serving the certificate and forwarding traffic.
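A worked haproxy.cfg for option #2 above (HAProxy terminates TLS with the Let's Encrypt certificate and routes by URL path to the two FreedomBoxes). It is added here as an illustration and is not from this thread, from the FreedomBox project, or from the pfSense HAProxy package; that package builds its configuration from the GUI, and the frontend, backend and ACL entries below correspond to what you would enter there. The hostnames, the backend addresses 192.168.1.10 and 192.168.1.11, the certificate paths, and the local ACME challenge listener on port 8080 are all assumptions.

```haproxy
global
    log /dev/log local0
    # TLS floor for the public listener (assumes HAProxy 2.x with OpenSSL 1.1.1+).
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 80: let the ACME HTTP-01 challenge through to whatever renews the
# certificate on the firewall (assumed: a listener on 127.0.0.1:8080),
# redirect everything else to HTTPS.
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_local if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443: one Let's Encrypt PEM (full chain + private key) that covers
# the hostname(s) used for both FreedomBoxes. Path is an assumption.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    # Tell the backends the client connection was HTTPS on 443, so that
    # redirects and absolute URLs they generate point back at the proxy.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443

    acl to_fb2 path_beg /app3 /app4
    use_backend freedombox2 if to_fb2
    default_backend freedombox1

# FreedomBox only serves HTTPS (plain HTTP is redirected), so re-encrypt to
# its port 443. Its certificate is self-signed, so instead of "verify none"
# export that certificate once and pin it with ca-file + verifyhost; the
# expected CN (fb1.lan / fb2.lan) is an assumption.
backend freedombox1
    server fb1 192.168.1.10:443 ssl ca-file /etc/haproxy/certs/fb1-selfsigned.pem verifyhost fb1.lan

backend freedombox2
    server fb2 192.168.1.11:443 ssl ca-file /etc/haproxy/certs/fb2-selfsigned.pem verifyhost fb2.lan

backend acme_local
    server acme 127.0.0.1:8080
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The quick alternative for the backends is `ssl verify none`, which works but means HAProxy no longer authenticates the box it is talking to on the LAN; pinning the exported self-signed certificate costs one file per backend. If the certificate is obtained with DNS-01 validation instead of HTTP-01, the `acme_local` backend and its ACL are not needed and port 80 can simply redirect.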
Solution #1 is straightforward and "simple" to apply! I did try #2 and the system is running fine with this installation. I chose this setup because it is more "customizable" and will better fit some future use cases here.
Again, thank you for your recommendations!