I need some help in understanding some basics.
I used to have an IPv4 only ISP. I had a nginx reverse proxy with lets encrypt for multiple subdomains.
The nginx proxy would redirect unencrypted to the other hosts. Yeah I know this is not ideal
Now I have a DualStack ISP with static IPv6 /48 prefix. Hurray!
I decided to start to migrate my voice chat software mumble.
mumble.example.com has a AAAA record that directly points to the mumble host and the firewall. It is simple and beautiful in my opinion. No NAT, and it even works if the proxy is down. For the IPv4 only users, there is a NAT with the mumble port 64738. Lets encrypt is done on the mumble host with certbot.
I also have another webpage to track time called time.example.com
Added a AAAA record, and Let's Encrypt cert. Works great. But my cellphone carrier is IPv4 only.
And this time, I can't use a port, because it uses 443.
I tired to proxy pass the traffic with nginx without luck. Somewhere I read that HAProxy is perfect for this. I tried to setup HAProxy on OPNsense but could not get it to work.
Just to nudge me in the right direction, does HAProxy need a cert itself?
Does it just proxy everything without even touching it?
Or does that seem like a man in the middle attack and that is why I need also a cert on HAProxy?
I tried getting a cert for time.example.com on the proxy and the host but that did not work.