HAProxy frontend is https with offloading and in the backend there are two nodes listening on port 80 with apache 2.2 that acts as reverse proxy to a tomcat webapp. Persistence is cookie based (no stick table).

Sometime the returned web pages to the client are incomplete, but there are no evidences of who stopped the transmission.

I can't use transparent ssl with source ip persistence (in this scenario the broken pages are not appearing ) because some clients are under NAT proxy, so they appear to call from a single public IP address, breaking the persistence.

Anyone faced similar behavior?

That pseudo shared front end is of type ssl/https (TCP mode).

Yes, I know that doesn't use HAProxy "correctly" since it doesn't offload TLS processing to the proxy.

Now, I have a new domain for which I would like to offload TLS processing. No problem, you might think: just add a new front end of type http/https (offloading) for that domain.

The rub is that I want that new domain to also be proxied on inbound TCP 443 which the existing "shared" front end already listens on.

My question is, is there any way to add a second front end of a different type that listens on an existing HAProxy front end port?

I think the answer is no -- but in case there's something I haven't thought of...

FWIW, I cannot switch the current front end to offloading due to backend server requirements.

Maybe this screenshot will explain better what I would like to acheive.

Check this proxy.pac file out tell me what you think it has a dns cache and strips the brackets has bypass for private addresses even a cache max even anti recursion for the wpad calls itself

like this var dnsCache = {};
var dnsOrder = [];
var DNS_CACHE_MAX = 500;

function cachedDnsResolve(host) {
    if (dnsCache[host]) {
        return dnsCache[host];
    }

    var ip = dnsResolve(host);

    if (ip) {
        dnsCache[host] = ip;
        dnsOrder.push(host);

        if (dnsOrder.length > DNS_CACHE_MAX) {
            var oldest = dnsOrder.shift();
            delete dnsCache[oldest];
        }
    }

    return ip;
}

function FindProxyForURL(url, host) {
    url = url.toLowerCase();
    host = host.toLowerCase();

    // Strip brackets from IPv6 addresses
    var cleanHost = host.replace(/^\[|\]$/g, '');

    // Prevent WPAD recursion
    if (cleanHost === "192.168.1.6" || host === "wpad" || host === "wpad.local") {
        return "DIRECT";
    }

    // Localhost variants
    if (host === "localhost" || cleanHost === "127.0.0.1" || cleanHost === "::1") {
        return "DIRECT";
    }

    // Plain hostnames
    if (isPlainHostName(host)) {
        return "DIRECT";
    }

    // Local domains
    if (
        dnsDomainIs(host, ".local") ||
        dnsDomainIs(host, ".lan") ||
        dnsDomainIs(host, ".localdomain")
    ) {
        return "DIRECT";
    }

    // IPv4 literal local ranges
    if (
        /^(\d{1,3}\.){3}\d{1,3}$/.test(cleanHost) && (
            isInNet(cleanHost, "10.0.0.0", "255.0.0.0") ||
            isInNet(cleanHost, "127.0.0.0", "255.0.0.0") ||
            isInNet(cleanHost, "169.254.0.0", "255.255.0.0") ||
            isInNet(cleanHost, "172.16.0.0", "255.240.0.0") ||
            isInNet(cleanHost, "192.168.0.0", "255.255.0.0") ||
            isInNet(cleanHost, "198.18.0.0", "255.254.0.0")
        )
    ) {
        return "DIRECT";
    }

    // Explicit IPv4 bypasses
    if (cleanHost === "192.168.1.1" || cleanHost === "192.168.1.2") {
        return "DIRECT";
    }

    // Router hostname
    if (host === "lee_family.home.arpa") {
        return "DIRECT";
    }

    // Explicit IPv6 router
    if (cleanHost === "2001:470:8052:a::1") {
        return "DIRECT";
    }

    // VPN subnet
    if (isInNet(cleanHost, "192.168.8.0", "255.255.255.0")) {
        return "DIRECT";
    }

    // Local IPv6 (ULA + link-local)
    if (cleanHost.startsWith("fe80") || cleanHost.startsWith("fd")) {
        return "DIRECT";
    }

    // IPv6 routed subnet via proxy
    var ip = cachedDnsResolve(cleanHost);
    if (ip) {
        ip = ip.replace(/^\[|\]$/g, '');  // Normalize in case DNS returns bracketed IPv6
        if (shExpMatch(ip, "2001:470:8052:a:*")) {
            return "PROXY [2001:470:8052:a::1]:3128";
        }
    }

    // Proxy HTTP family
    if (
        url.startsWith("http:") ||
        url.startsWith("https:") ||
        url.startsWith("ftp:") ||
        url.startsWith("gopher:")
    ) {
        return "PROXY 192.168.1.1:3128";
    }

    // Final fallback
    return "DIRECT";
}

I think this is way better than the standard point to proxy one.

2025-12-08 16:07:04.652 UTC [812] WARNING tls_sbufio_recv: read failed: error:0A000126:SSL routines::unexpected eof while reading 2025-12-08 16:07:04.652 UTC [812] LOG S-0x7aa64290fae0: oc_testeurope01_property_fc1640606c9144ca8426de04bc633567/backup@10.100.30.9:7432 closing because: server conn crashed? (age=6s) 2025-12-08 16:07:04.652 UTC [812] LOG C-0x5905f700e420: oc_testeurope01_property_fc1640606c9144ca8426de04bc633567/backup@10.100.30.19:62334 closing because: server conn crashed? (age=6s) 2025-12-08 16:07:04.652 UTC [812] WARNING C-0x5905f700e420: oc_testeurope01_property_fc1640606c9144ca8426de04bc633567/backup@10.100.30.19:62334 pooler error: server conn crashed?

This relates to our production systems (Fairmas offers B2B SaaS products for the Hotel Industry) and effects our user base. So this is business critical for us and we would really appreciate if you can help out here!
Platform: Whitebox/Other
Software Platform: pfSense
Software Version: pfSense Plus 25.07.1

// AnyDesk
if (dnsDomainIs(host, "anydesk.com") ||
    shExpMatch(host, "*.anydesk.com") ||
    shExpMatch(host, "*.net.anydesk.com") ||
    shExpMatch(host, "relay-*.anydesk.com") ||
    shExpMatch(host, "*.relay.anydesk.com")) {
    return "DIRECT"; 

would make anydesk connections don't go through proxy because anydesk doesn't work with a transparent proxy config, it did work for teamviewer but anydesk is intermitent (only works 10% of the time)

I have no ssl interception and Transparent HTTP Proxy is disabled.

checked ssl offload in frontend and selected the acme generated certificate
under SSL Offloading.

result after Apply Changes:

Errors found while starting haproxy
[NOTICE] (72045) : haproxy version is 2.9.14-7c591d5
[NOTICE] (72045) : path to executable is /usr/local/sbin/haproxy
[ALERT] (72045) : config : Couldn't open the ca-file '/var/etc/haproxy_test/clientca_WAN_117.pem' (No such file or directory).
[ALERT] (72045) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:15] : 'bind x.x.x.x:443' in section 'frontend' : 'ca-file' : unable to load /var/etc/haproxy_test/clientca_WAN_117.pem
[ALERT] (72045) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
[ALERT] (72045) : config : Fatal errors found in configuration.

also package _devel has the same issue.

on other boxes where haproxy was configured on 24.11 - upgraded to 25.07.1 its working.

BUG ?? so what can we do now -bolded text we need this function.

thank you all in advance

The goal was to use HAProxy as a reverse proxy for several internal web services, for example:

• Proxmox on port 8006
• TrueNAS on port 443
• A few other servers on my LAN

Each service had its own backend set up in the GUI.

Everything appeared configured correctly, but some backends (especially newly duplicated ones) would fail with:

503 Service Unavailable
No server is available to handle this request.

However, connecting directly (for example, https://192.168.1.30:8006) worked fine.

The problem was caused by duplicate internal IDs in the generated HAProxy configuration file. When you clone (duplicate) an existing backend and modify it for a new service, HAProxy reuses the same numeric ID for both backends.

You can see this by checking your configuration file at /var/etc/haproxy.conf.

Example:

backend pfsense_backend
    server truenas 192.168.1.10:443 id 101 ssl verify none

backend proxmox_backend
    server proxmox 192.168.1.30:8006 id 101 ssl verify none

Both backend servers above are using the same id 101.

Backends with the same IDs leads to connection and 503 errors.

To fix it, delete that backend completely instead of cloning it and then recreate it from scratch manually. After this, you can check haproxy.conf again, each server line should now have a unique ID.

Once I recreated the backend, the 503 error disappeared immediately.

Hope it helps!

I use the squid Pakage (Version 0.5.3, on PFSense 2.8.1) as Reverse Proxy and acme for Lets Encrypt. I setup a Nextcloud behind pfsense, everything works well. If i enter http://cloud.example.org I came to https://.... without a SSL-error. That works, because Nextcloud switch himself to https. Now I install Vaultwarden, this side is only available with http. If I enter the URL from Vaultwarden with https:// ... everything works, but If I enter just vaultwarden.example.org in the Browser, there is no switching to https. I tray setup a redirect:

But it does not work. There is no redirect. Any ideas?

Web Servers:

And Mappings: