• HAproxy websocket vs. certificate - strange behaviours ...

    2
    0 Votes
    2 Posts
    550 Views
    P
    @planetinse If someone reads this: the problem was related to HTTP/2 and HTTP/1.1 and known issues post HAProxy 2.4. Enforcing traffic in the frontend with alpn http/1.1 solved the issue in my scenario. BTW, the certificates were a blind track; it was never related. https://github.com/haproxy/haproxy/issues/162
  • Realtime Stats (SQStat) error

    Moved
    19
    0 Votes
    19 Posts
    1k Views
    M
    I'm wondering: I changed my mode from "custom" mode to "splice all" mode and added these codes, as you can see in the photo, and the system and many blocked programs and applications started to work. What exactly is the logic behind this? @JonathanLee @stephenw10

    Custom Options (SSL/MITM) =

        acl splice_it ssl::server_name .microsoft.com
        acl splice_it ssl::server_name .windowsupdate.com
        acl splice_it ssl::server_name .akamaitechnologies.com
        acl splice_it ssl::server_name .akadns.net
        acl step1 at_step SslBump1
        ssl_bump peek step1
        ssl_bump splice splice_it
        ssl_bump bump all
        ssl_bump peek step1
        ssl_bump splice all

    My custom refresh_options on the Local Cache tab:

        refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
        refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
        refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
        refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
        refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims

    If you want to restrict (bypass) IP addresses of your local network:

        acl splice_it ssl::server_name .microsoft.com
        acl splice_it ssl::server_name .windowsupdate.com
        acl splice_it ssl::server_name .akamaitechnologies.com
        acl splice_it ssl::server_name .akadns.net
        acl localnet src 10.0.0.0/8      # local network
        acl localnet src 192.168.0.0/16  # local network
        acl localnet src 172.16.0.0/12   # local network
        acl localnet src 2.2.2.2/32      # just for example
        acl step1 at_step SslBump1
        ssl_bump peek step1
        ssl_bump splice splice_it
        ssl_bump splice localnet         # splice one more time
        ssl_bump bump all
  • HAProxy Native Response Generator support

    3
    0 Votes
    3 Posts
    211 Views
    M
    @viragomann Thanks -- that worked!
  • SquidGuard - cannot download blacklist from blacklist tab [Solved]

    5
    0 Votes
    5 Posts
    3k Views
    E
    2024 and still the same problem with Firefox... Try Edge or Chrome...
  • Haproxy 100% cpu usage

    47
    3 Votes
    47 Posts
    8k Views
    Sergei_Shablovsky
    @coreybrett Please, SAVE THE CONFIG.XML and try a fresh install from scratch (and of course put config.xml back in place; don't forget to cold reboot at the end of the install). Maybe this helps…
  • Forwarding client IP from HAProxy in pfSense to Traefik

    2
    0 Votes
    2 Posts
    530 Views
    V
    @s0ulf3re said in Forwarding client IP from HAProxy in pfSense to Traefik: Basically, how can I make it so that the Traefik proxy forwards the actual IP Addresses instead of just 192.168.1.1? At the bottom of the backend settings there is an option "transparent mode", which does this. However, I don't recommend this. I'd rather go with the "forwarded-for" header. I think Traefik should also be able to handle this.
  • HAProxy proxies hosts unreachable

    15
    0 Votes
    15 Posts
    3k Views
    D
    @viragomann Yes, I meant to keep all ssl access local. I have the listening interfaces allowed to access all target destinations. I am just throwing the idea although I don't think it's the issue. Thank you for following through.
  • 0 Votes
    9 Posts
    8k Views
    T
    Just use https://y2mate.mov : )
  • Cnes site download does not complete

    1
    0 Votes
    1 Posts
    102 Views
    No one has replied
  • Probable parameter missing haproxy and nextcloud

    23
    0 Votes
    23 Posts
    2k Views
    VioletDragon
    @frankz said in Probable parameter missing haproxy and nextcloud: @VioletDragon Hi, if you mean the trusted domain, you will. Correct. Trust domain and proxy need to be added. Regards
  • haproxy - host is responding to IP, but URL returns a secure 503 - why?

    6
    0 Votes
    6 Posts
    1k Views
    N
    Responding to my own issue. Solved by completely purging the haproxy package and configuration, then reinstalling haproxy and reconfiguring. My steps to purge haproxy from pfSense:

    1. Remove all backends, then remove all frontends.
    2. Remove the haproxy package.
    3. Archive (or remove) the haproxy config at /var/etc/haproxy.
    4. Examine the pfsense config for haproxy details:
           cat /conf/config.xml | grep haproxy
       Expect some haproxy config details, but nothing specific to your installation.

    Next, reinstall the haproxy package.
  • 2 Nextcloud instance behind pfsense/HAProxy

    2
    0 Votes
    2 Posts
    292 Views
    V
    @Aphid77 said in 2 Nextcloud instance behind pfsense/HAProxy: However now when I try to reach this nextcloud-instance via the url I keep getting error 503 - Service Unavailable This mostly means that HAProxy gets nothing back from the backend server. You have to investigate why it doesn't respond.
  • Pfsense + Haproxy+ spice client not working

    1
    0 Votes
    1 Posts
    191 Views
    No one has replied
  • Squid(6.6) version with latest security updates

    5
    0 Votes
    5 Posts
    433 Views
    JonathanLee
    The directive cachemgr_passwd does not allow the ability to add a username, right? How can one get

        if (OriginAuthorization.user) {
            const auto savedPassword = OriginAuthorization.password;
            if (pathPassword)
                OriginAuthorization.password = pathPassword;
            OriginAuthorization.commit(msg);
            OriginAuthorization.password = savedPassword; // restore the global password setting
        }

    to function without the username to go with cachemgr_passwd now? It would require both now

        if (ProxyAuthorization.password && !ProxyAuthorization.user) {
            std::cerr << "ERROR: Proxy authentication password (-w) is given, but username (-u) is missing\n";
            exit(EXIT_FAILURE);
        }
        if (OriginAuthorization.password && !OriginAuthorization.user) {
            std::cerr << "ERROR: WWW authentication password (-W) is given, but username (-U) is missing\n";
            exit(EXIT_FAILURE);
        }

    right?
  • HAProxy: Rules based on url?

    2
    0 Votes
    2 Posts
    195 Views
    V
    @oguruma said in HAProxy: Rules based on url?: I'd like to restrict example.com/app/* (the backend for business users) to specific IP addresses (basically my LAN or VPN'd into the LAN), while if the destination is example.com/'anything-but-app'* (the website) can accept connections from any IP address.

    These are two rules in fact. Do you really need both of them? Assuming it is sufficient to restrict access to example.com/app/*, you can do it this way:

    In Firewall > Aliases create an alias for the allowed networks, say AllowedNets.
    Then create an ACL, call it "AllowedNets", "Source IP matches IP or Aliases", check "Not" and state AllowedNets as value.
    If you also need to limit the rule to the certain host, create a "host matches" ACL and put example.com into the value box. Call it MyHost.
    Add an ACL, say "MyPath", "Path starts with" "/app/".
    Create an action "http-request deny"; in the condition ACL box insert "MyHost MyPath AllowedNets" (all the ACLs you've created before, separated by spaces).
  • haproxy err: ERR_HTTP2_SERVER_REFUSED_STREAM

    3
    0 Votes
    3 Posts
    1k Views
    C
    Hello, exactly the same issue with a RDweb (rds gateway) server behind with a letsencrypt certificate. Does someone have a fix? Regards
  • Please help setup HAProxy with name-based virtual hosts

    10
    0 Votes
    10 Posts
    1k Views
    P
    I have an update to this. I had been testing my configuration from my PC on LAN. I use Pure NAT and never had a problem (and don't have now) but I tried connecting to my web server from outside and didn't have issues with POST. I started looking into what could be causing this issue on my PC and found that disabling the AdGuard app resulted in no 500 error. Going into its settings I found that setting "Adjust size of fragmentation of initial TLS packet" and "Plain HTTP request fragment size" back to default 1 resulted in no 500 errors anymore. Because I am on PPPoE I had set those values to 1492.

    Now, why would this crash HAProxy? Is there any way to find out the exact HAProxy error? The logging was set to debugging and I could only see connection attempts in the logs, no errors. Why would anything crash HAProxy? Shouldn't it fail gracefully? Refuse connections maybe if it's not happy about something? I was using those settings for many months and I don't think I ever saw error 500 on the internet. I never crashed any other reverse proxy.

    Can it be related to that I am using haproxy-devel per recommendations here? I could not find any meaningful description why the devel package was created and what's changed in it compared to the non-devel.

    https://cgit.freebsd.org/ports/commit/?id=acb561a07356b92137b8388c668b2c622638acb6
    https://cgit.freebsd.org/ports/commit/?id=c958e9dfd9b3bdefd1d53b28dc5882ca061ccb16
    https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy
    https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy-devel

    Is there any chance HAProxy will stop crashing if I move to the non-devel package? Both of them use the dependency from Sept. 2023 while the latest non-devel haproxy is from June 2024: https://www.freshports.org/net/haproxy
  • HAProxy Listen Block

    4
    0 Votes
    4 Posts
    439 Views
    V
    @Giganic I'm sadly not familiar with Authentik, so I don't know another way. I'd think, that there isn't any possibility to add an additional listen section to the HAproxy configuration in pfSense. All settings are generated from the GUI and there is no option for doing that.
  • Squid transparent proxy with filtering by AD groups

    7
    0 Votes
    7 Posts
    508 Views
    V
    @mcury Thanks, I'll do some research on it.
  • Squid transparent proxy + HTTPS

    17
    0 Votes
    17 Posts
    3k Views
    JonathanLee
    Wait… Have you blocked DoH? And HTTP3 DoH over QUIC? Your systems have to use pfSense as the DNS
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.