It's nice to be able to access your own services when you're on the move. Running a publicly reachable FreshRSS that is installed in the local network can be set up surprisingly simply with a Let's Encrypt certificate and HAProxy on the OPNsense firewall.
Nevertheless: although this stage of the setup is now suitable for public operation, it must be updated and maintained regularly. Nothing is worse than an outdated and therefore vulnerable installation.
Last update:
The setup looks like this:
                  ┌────────────────┐              ┌────────────────────────┐
                  │ OPNsense       │              │ TrueNAS / FreeBSD      │
                  │                │              │ ┌────────────────────┐ │
WAN: 0.0.0.0:80  ─┼─► acme.sh:80   │              │ │ jails/rss          │ │
WAN: 0.0.0.0:443 ─┼─► HAProxy:443 ─┼ LAN: IP:443 ─┼─┼─► freshrss         │ │
                  │                │              │ └────────────────────┘ │
                  └────────────────┘              └────────────────────────┘
OPNsense can create and automatically renew Let's Encrypt certificates with the ACME client plugin (os-acme-client). The big advantage is central certificate administration: we do not have to manage certificates laboriously on the internal target systems, and no NAT or other firewall rules are needed for them.
The basic settings as described here are sufficient here with the following definitions:
HAProxy accepts the incoming connections on port 443 from outside, handles the TLS encryption with the Let's Encrypt certificate, and then forwards the request to the internal FreshRSS server, again on port 443.
The nice thing is that several services can be offered simultaneously on port 443; they are distinguished by the external host name that was requested.
This makes it possible, for example, to forward https://freshss.domain.de to FreshRSS and https://domain.de to the actual website, although both require port 443 on the same external IP address.
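As an added illustration that is not part of this article, the following hand-written haproxy.cfg shows what the host-name-based routing described above amounts to; the OPNsense plugin generates its own configuration from the GUI, and the host names, internal IP addresses and file paths here are assumptions.

```haproxy
# Added example, not the OPNsense plugin's generated config.
# Assumed: freshrss.domain.de and domain.de as external host names,
# 192.168.1.50 / 192.168.1.60 as internal servers, certificate paths as shown.
global
    log /dev/log local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public_https
    # TLS is terminated on OPNsense with the Let's Encrypt certificate
    # issued by os-acme-client (export path is an assumption).
    bind :443 ssl crt /var/etc/haproxy/ssl/freshrss.domain.de.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https

    # Several services share one external IP and port 443; the requested
    # host name decides which backend receives the request.
    acl host_freshrss req.hdr(host) -i freshrss.domain.de
    acl host_website  req.hdr(host) -i domain.de

    # Requests for unknown host names (e.g. bare-IP scanning) get no backend.
    http-request deny if !host_freshrss !host_website

    use_backend be_freshrss if host_freshrss
    use_backend be_website  if host_website

backend be_freshrss
    # FreshRSS jail on TrueNAS, reached again over HTTPS on port 443.
    # The jail's CA or self-signed certificate is pinned instead of
    # "verify none", so the internal hop is still authenticated (path assumed).
    server rss 192.168.1.50:443 ssl verify required ca-file /usr/local/etc/ssl/freshrss-jail-ca.pem

backend be_website
    server www 192.168.1.60:443 ssl verify required ca-file /usr/local/etc/ssl/website-ca.pem
```

Port 80 is not bound here because, as in the diagram above, acme.sh on OPNsense answers the HTTP-01 challenge on that port itself.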
Here you also go through this article with the following definitions:
Then please test the following:
Voilà