• haproxy - what could go wrong?

    1 Votes, 5 Posts, 495 Views
    After some resetting I've created the following config that works:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2024-03-11 21:50
    global
        maxconn 1000
        stats socket /tmp/haproxy.socket level admin expose-fd listeners
        uid 80
        gid 80
        nbthread 1
        hard-stop-after 15m
        chroot /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param 2048
        server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats refresh 3
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend shared-https-merged
        bind WAN_IP:443 name WAN_IP:443 ssl crt-list /var/etc/haproxy/shared-https.crt_list
        mode http
        log global
        option socket-stats
        option http-keep-alive
        timeout client 30000
        acl <subdomain-2> var(txn.txnhost) -m str -i <subdomain-2>.<domain-name>.<com>
        acl aclcrt_shared-https var(txn.txnhost) -m reg -i ^([^\.]*)\.<domain-name>\.<com>(:([0-9]){1,5})?$
        acl aclcrt_shared-https var(txn.txnhost) -m reg -i ^<domain-name>\.<com>(:([0-9]){1,5})?$
        acl <subdomain> var(txn.txnhost) -m str -i <subdomain>.<domain-name>.<com>
        acl <subdomain-3> var(txn.txnhost) -m str -i <subdomain-3>.<domain-name>.<com>
        acl <subdomain-4> var(txn.txnhost) -m str -i <subdomain-4>.<domain-name>.<com>
        http-request set-var(txn.txnhost) hdr(host)
        use_backend <subdomain-2>-<domain-name>_ipvANY if <subdomain-2>
        use_backend <subdomain>-<domain-name>_ipvANY if <subdomain>
        use_backend <subdomain-3>-<domain-name>_ipvANY if <subdomain-3>
        use_backend <subdomain-4>-<domain-name>_ipvANY if <subdomain-4>

    frontend http-redirect
        bind WAN_IP:80 name WAN_IP:80
        mode http
        log global
        option http-keep-alive
        timeout client 30000
        http-request redirect scheme https

    backend <subdomain-2>-<domain-name>_ipvANY
        mode http
        id 100
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        load-server-state-from-file global
        server <subdomain-2> 192.168.1.11:444 id 101

    backend <subdomain>-<domain-name>_ipvANY
        mode http
        id 102
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        load-server-state-from-file global
        server <subdomain> 192.168.1.1:10443 id 101 ssl verify none

    backend <subdomain-3>-<domain-name>_ipvANY
        mode http
        id 103
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        load-server-state-from-file global
        server <subdomain-3> 192.168.1.7:443 id 101 ssl verify none

    backend <subdomain-4>-<domain-name>_ipvANY
        mode http
        id 104
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        load-server-state-from-file global
        server <subdomain-4> 192.168.1.5:443 id 101

    Leaving this one here in case someone needs it. As a sidenote to the whole experience, I find pfSense much more unstable than it was a few years ago when I used it the first time. If I'd known this ... And Netgate presence is kinda zero; documentation is also in a very poor state. Anyway, it's working now ...
  • haproxy does not start

    0 Votes, 2 Posts, 255 Views
    can be closed
  • Haproxy Email Notification

    Moved. 2 Votes, 2 Posts, 858 Views
    @keval-shah This is from another thread: HAProxy just makes a plain TCP connection to port 25 and sends a few commands to push out a receiver, subject and body. The mail server must be configured to not require authentication from HAProxy's IP for this to work.
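    The mechanism described in that reply, as an added example that is not from the thread and not pfSense's generated config: a mailers section plus the email-alert directives on a backend. The mailer address 192.168.1.20, the section names, hostnames and mail addresses are assumptions.

```haproxy
# Added example. 192.168.1.20, the section and server names and the
# addresses are placeholders.
mailers alert-mailers
    # HAProxy opens a plain TCP session to port 25 and issues HELO, MAIL
    # FROM, RCPT TO and DATA. There is no STARTTLS and no AUTH, so the MTA
    # must permit unauthenticated relay from HAProxy's source address.
    # Restrict that relay permission to HAProxy's IP and to internal
    # recipient domains; an open relay is the usual way this goes wrong.
    mailer mta1 192.168.1.20:25
    # Give up on a mail that the MTA does not accept within this time.
    timeout mail 20s

backend app_ipvANY
    mode http
    email-alert mailers alert-mailers
    email-alert from haproxy@example.com
    email-alert to ops@example.com
    # Name HAProxy introduces itself with in HELO.
    email-alert myhostname pfsense-haproxy
    # Server DOWN transitions are logged at alert level, UP transitions at
    # notice level; "notice" therefore mails both, "alert" only the DOWN.
    email-alert level notice
    # Alerts only fire on health-check state changes, so "check" is
    # required on the server line.
    server app1 192.168.1.11:8080 check
```

    The alert contents (which server changed state and why) travel in clear text on the wire, so keep the mailer on a management network rather than crossing an untrusted segment.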
  • E2guardian does not generate reports

    0 Votes, 1 Posts, 181 Views. No one has replied
  • 0 Votes, 1 Posts, 203 Views. No one has replied
  • HAProxy: Servers with existing SSL certificates

    0 Votes, 3 Posts, 571 Views
    @Gertjan said in HAProxy: Servers with existing SSL certificates: "what is logic"
    Security. If someone were to take down a server with a DoS vulnerability, for example, they could spoof a service in that server's place and the wildcard cert would accommodate that. The SAN cert guarantees that I'm talking to who I want to be talking to. Another scenario would be if a server was compromised and the wildcard key was extracted: that would allow all the traffic across the network to be decrypted. However, I suppose if you use HA as the only TLS endpoint and don't re-use that wildcard cert on the servers themselves, that scenario doesn't really exist (though I imagine that some people probably do that). Then the traffic from HAProxy to the server is unencrypted. I want end-to-end encryption.
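    Whether the hop from HAProxy to the origin is merely encrypted or actually authenticated is decided on the server line, not by which certificate (wildcard or SAN) the origin holds. The generated config in the first thread on this page uses "ssl verify none" on its backends, which accepts any certificate, self-signed or spoofed; the spoofed-service scenario in the post above is exactly what that setting does not protect against. The following is an added example, not from either thread, showing the two forms side by side. The CA file path, the 192.168.1.7 address and app.example.com are assumptions.

```haproxy
# Added example. Paths, addresses and hostnames are placeholders.

# Encrypted but NOT authenticated. HAProxy completes the TLS handshake with
# whatever answers at 192.168.1.7:443 and never looks at the certificate,
# so a service stood up in place of a downed server is accepted silently.
backend app_unverified_ipvANY
    mode http
    server app1 192.168.1.7:443 ssl verify none

# Encrypted AND authenticated. The origin must present a chain that
# validates against the internal CA, and the name in the certificate must
# match verifyhost (without verifyhost, HAProxy checks it against the sni
# value instead). Health checks send the same SNI so they are validated
# the same way as real traffic and do not pass on a default certificate.
backend app_verified_ipvANY
    mode http
    server app1 192.168.1.7:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem sni str(app.example.com) verifyhost app.example.com check check-sni app.example.com
```

    With the verified form, the threat described in the post (extract one server's key, impersonate it towards the proxy) fails unless the attacker also obtains a certificate chaining to the CA in ca-file for that exact name; with "verify none", the key is not even needed.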
  • HAProxy error and not working

    0 Votes, 1 Posts, 315 Views. No one has replied
  • Squid 6.5 !! Nov 6th

    squid update bug fixes upstream fix
    1 Votes, 82 Posts, 27k Views
    https://forum.netgate.com/topic/186331/new-squid-6-7-and-clamav-1-3-0
  • haproxy returns 200 instead of 101 for websockets - from 2.7 forward

    0 Votes, 2 Posts, 432 Views
    @planetinse 23.09.1. I have taken away all other logic and am just trying to offload TLS (no fiddling with sni_fc_ssl or the like), and instead of the expected 101 and Upgrade response header I get 200; the tunnel is created and it works, but the browser reuses the earlier tunnel if I switch to a URL that should use another backend (it gets confused by the 200 response, is my theory). 2.4 doing the same thing: in 2.4 I get the expected 101 and Upgrade response header. Direct: if I access the backend directly it gives me the expected 101 and Connection upgrade.
  • TrueNas 23.10.0.1 WebUI appears continuously with rendering errors

    0 Votes, 9 Posts, 982 Views
    @mbl_s_1 Genuinely confused........ So just to confirm, there never was a problem with pfSense or HAProxy? If that's the case then yeah... I guess... close... the forum post?
  • SQUID + SQUIDGUARD does not go up in PFSense 2.7.2

    Moved. 0 Votes, 1 Posts, 657 Views. No one has replied
  • 0 Votes, 2 Posts, 210 Views
    @planetinse Confirmed, the latter adds tcp-request inspect-delay in TCP mode only.
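    The TCP-mode case referred to above, as an added example that is not from the thread. In mode tcp there is no parsed HTTP request to route on; the only routing key available before the bytes are forwarded is the SNI in the TLS ClientHello, and "tcp-request inspect-delay" is what gives the content rules time to buffer that hello before req.ssl_sni is evaluated. WAN_IP follows the placeholder used elsewhere on this page; the hostnames and 192.168.1.x addresses are assumptions.

```haproxy
# Added example. WAN_IP, hostnames and 192.168.1.x addresses are placeholders.
frontend tls-passthrough
    bind WAN_IP:443
    mode tcp
    # Without this, content rules are evaluated on whatever bytes have
    # arrived, which for a fresh TCP connection is usually nothing, and
    # req.ssl_sni is empty. The delay holds the connection for up to 5s.
    tcp-request inspect-delay 5s
    # Stop waiting as soon as a complete ClientHello (hello type 1) has
    # been buffered instead of sitting out the full delay on every client.
    tcp-request content accept if { req.ssl_hello_type 1 }
    # SNI is sent in clear text and is entirely client-controlled; it picks
    # the backend, nothing more. HAProxy does not terminate or verify TLS
    # here, so the origin's own certificate is what the client validates.
    use_backend vault_ipvANY if { req.ssl_sni -i vault.example.com }
    use_backend web_ipvANY   if { req.ssl_sni -i www.example.com }
    # Anything that is not TLS, has no SNI, or names an unknown host lands
    # here rather than on a guessed default application.
    default_backend reject_ipvANY

backend vault_ipvANY
    mode tcp
    server vault 192.168.1.5:443

backend web_ipvANY
    mode tcp
    server www 192.168.1.7:443

backend reject_ipvANY
    mode tcp
    tcp-request content reject
```

    If the delay expires before a hello is seen (a client that connects and stays silent, or plain HTTP on 443), no use_backend rule matches and the connection falls to default_backend, which is why the reject backend is there instead of routing unclassified traffic to a real server.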
  • using haproxy with map-files and pfsense?

    0 Votes, 2 Posts, 191 Views
    anyone?
  • 0 Votes, 4 Posts, 1k Views
    @danwize @viragomann I've got it working now. I changed to just use one frontend and added my ACL for cloud back. I removed my attempts to set the header and changed my cloud backend to point to 10.10.0.2:443 after I had changed it to 10.10.0.2:10223 for testing. After I did that, and after saving and applying the changes several times, cloud.mydomain.com was still resolving to 10223. I even tested in incognito windows and restarted the HAProxy service from the pfSense UI and it kept resolving to 10223. I finally got it routing to 443 after editing the frontend settings for cloud to use a different backend, saved those changes, and then changed it back to my cloud.mydomain.com backend and saved again. Possibly my problem from the beginning was the fact that the settings didn't take initially.
  • HAProxy can't start - library issue?

    0 Votes, 4 Posts, 1k Views
    https://forum.netgate.com/topic/183088/error-libssl-so-30-not-found-when-installing-package/3
  • [SOLVED] haproxy-auth-request luasocket support?

    0 Votes, 3 Posts, 1k Views
    CyberCloud_Consulting
    @benjamesfleming said in [SOLVED] haproxy-auth-request luasocket support?: https://pkg.freebsd.org/freebsd:11:x86:64/latest/All/lua53-luasocket-3.0.r1_5,1.txz
    Hello, I am having the same issue on pfSense Plus 23.09.1-RELEASE and HAProxy-devel 2.9.d2. This package no longer seems to be available for download and I cannot seem to find an equivalent for FreeBSD 14. I tried browsing to the FreeBSD package URLs and get an NGINX forbidden when I attempt to browse to find what the latest package URLs are. Any guidance on how to download the latest version of lua53-luasocket? Thanks
  • BUG: (?) sipproxd.pid in root folder (/) instead of in /var/run/ ?

    0 Votes, 1 Posts, 151 Views. No one has replied
  • HAProxy Vaultwarden Reverse proxy Help

    0 Votes, 4 Posts, 4k Views
    @viragomann Thanks for your reply. The firewall is just open for testing right now; later it will be limited to the ports that the Vaultwarden Docker container uses (3012 for WebSocket, 7010 for internal 443 and 7011 for internal 80). The domain frontend only has actions for HTTP requests to allow or deny. I basically followed the Dani Garcia setup linked above since it's my first time with HAProxy. The Dani Garcia setup seems to be working for others, so I'm wondering where I went wrong; maybe I misunderstood the ports to be used or put the wrong IP in the wrong place... or else, I just can't figure it out... most likely because I don't know HAProxy at all. The Vaultwarden frontend ACL1 and ACL3 are almost identical except the "Not" option, which is yes in ACL1 and no in ACL3. The goal is to have my locally hosted Vaultwarden accessible at vault.mydomain.nz from WAN (browser plugins, phone apps etc.).
  • 0 Votes, 12 Posts, 2k Views
    JonathanLee
    @garyd I did eventually get Snort's OpenAppID with full text rules running. My text rules I call the sorcerer's code file; anyway, it was able to show the applications that were running without any use over the network and pinpoint it to my Android smartphone. I got a new phone and it stopped. Again, I knew it was there; my goal was to find a way to stop it globally, something I could report. Yes, Snort's AppID was the closest, as you can detect the app use. Again, it does not list containers used. I was researching this over summer break and found you can use pf to detect the OS in use in the TCP stack if you want to check this out. All for the goal of a more secure system. But it requires an OS container database, much like a blacklist, for this to function; again, this is similar to AppID with the text files. [eight screenshots dated 2024-01-24 omitted] So any containers can be detected this way. What I want to do is set up a signature of what I use and start to block the bad ones. Least privilege approval. I am sure some are real and needed, but some are unknown also. I had a big one in my NAS that was found the other day also. Got that issue fixed.
  • Configure HAProxy backend to a url with a subdirectory?

    0 Votes, 2 Posts, 2k Views
    @dutsnekcirf Basically there is no need to run a website within a subdirectory behind a reverse proxy. This makes things more complicated. However, HAProxy is able to insert a string at the beginning of the path. You can use "http-request set-path" to do this. You can set it in the frontend or backend. The preferred method depends on your setup. Add an action, select "http-request set-path" and enter "/web/%[path]" below. This assumes that the website has further subdirectories. However, with this, the additional path is inserted into all requests. If your website sends URLs to call to the client which already include the "/web/", you have to bind this action to an ACL to ensure it is not applied in this case.
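    The set-path rewrite with the guarding ACL the reply above asks for, as an added example that is not from the thread. Note that the path sample fetch already begins with "/", so the example prepends "/web" rather than "/web/" to avoid producing "/web//...". The backend name, the 192.168.1.20 address and the /web prefix are assumptions.

```haproxy
# Added example. Backend name, address and the /web prefix are placeholders.
backend subdir-app_ipvANY
    mode http
    # Prepend the subdirectory only when the client did not already ask
    # for it. Links and redirects the site emits already carry /web/, and
    # without the guard they would become /web/web/... on the next request.
    # "path /web" (exact) covers the bare directory, "path_beg /web/" the
    # rest of the tree.
    http-request set-path /web%[path] unless { path /web } || { path_beg /web/ }
    # Health-check the rewritten location, not the server root, so the
    # server is only marked UP when the application under /web answers.
    option httpchk GET /web/
    server app1 192.168.1.20:8080 check
```

    Only the request line is rewritten here; Location headers and HTML links coming back from the application are passed through unchanged, which is why the application itself must already know it lives under /web for this to hold together.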
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.