• CA not appearing under Squid's SSL filtering dropdown

    1
    0 Votes
    1 Posts
    287 Views
    No one has replied
  • Error installing Squid on pfSense 23.01-DEVELOPMENT

    1
    0 Votes
    1 Posts
    305 Views
    No one has replied
  • Allow telegram on squid pfsense

    1
    0 Votes
    1 Posts
    297 Views
    No one has replied
  • Redirect HTTPS traffic from Internal LAN

    Moved
    16
    0 Votes
    16 Posts
    1k Views
    johnpozJ

    @llinty If you're forwarding on your hypervisor - that is where you would have to put in the nat reflection, it's that simple..

    Not sure how you expect the haproxy to proxy traffic it is never seeing.. Put in a host override in pfsense so your client resolves the fqdn to whatever pfsense actual wan IP is where the haproxy is listening.

  • 0 Votes
    3 Posts
    612 Views
    M

    @jimp Perfect, thanks for the explanation :)

  • [SOLVED] HaProxy forward client IP

    Moved
    11
    0 Votes
    11 Posts
    16k Views
    B

    @braunerroei Then your frontend config looks like this?

    196c1e01-1e74-49f5-87c8-4d22eb7bf590-image.png

    That's the SSL Offloading I was talking about. If you don't check that box, then pfSense won't negotiate SSL. I was worried that you might be processing unencrypted.

    In any event, I resolved my 503 problems. I'm not using the default port 443 for this new connection. Therefore, the value of the "Host Matches" ACL entry needed to be my.host.com:6407. I had used my.host.com with no port.

    I had assumed that HAProxy would tack the port number on to the value because the port number is specified in the external address table. I see now it can't do that. The External Address table may contain multiple entries. It follows that the ACL match routine has no way to know your intentions unless you specify the port number in the ACL.

    Thanks for the help. Your answers got me questioning my own configuration which turned out to be in error.

  • Enabling CORS in HAProxy

    7
    0 Votes
    7 Posts
    5k Views
    CreationGuyC

    Here's what worked for me. I did have to add the lua script to files, however, see my screen shot for the CORS settings. Once I read the lua documentation I was able to add what I needed to get my CORS data to work properly.

    Screenshot 2022-11-01 at 23-13-27 TheWall.jrfam.net - Services HAProxy Frontend Edit.png
    Note that I did remove my domain for privacy. It's .mydomain.com. I used the . to include all subdomains.

  • Direct access to pfsense ip address and haproxy

    1
    0 Votes
    1 Posts
    354 Views
    No one has replied
  • HAProxy - Slow "Establishing Secure Connection" ??

    4
    0 Votes
    4 Posts
    570 Views
    CreationGuyC

    @creationguy
    Any further ideas?

  • Cannot change squidguard blacklist URL

    2
    0 Votes
    2 Posts
    509 Views
    D

    Answering my own question...

    I had forgotten that the URL was originally configured in Squid Guard -> General Settings -> Blacklist options at the bottom of the page. Saving the new value here makes it permanent.

    I'm not really sure why there is the option to enter a different URL in the Blacklist update page - that seems like a confusing UI design decision.

  • Squid ClamAV antivirus not working properly

    14
    0 Votes
    14 Posts
    11k Views
    A

    My problem with this is the need of a whitelist. I currently don't know how to have something like "whitelist all except blacklist and pages scanned with a virus". I don't use squidguard but pfBlockerNG-devel, which is in my opinion better.
    It should be a regex like ^.* minus blacklist but I don't see anything on how to do this properly.

    I have a thread about this: https://forum.netgate.com/topic/175557/squid-clamav-mitm-custom-setting?_=1667128733894

  • mqtts ssl/tls offloading with HAproxy

    Moved
    4
    0 Votes
    4 Posts
    851 Views
    stephenw10S

    I think you may need to use the development version. MQTT support appears to have been added in HAProxy 2.4.

    Steve

  • HAProxy & ACME - Site not loading

    3
    0 Votes
    3 Posts
    472 Views
    CreationGuyC

    @creationguy said in HAProxy & ACME - Site not loading:

    HAProxy / Frontend
    Screenshot 2022-10-27 at 00-14-45 TheWall.jrfam.lan - Services HAProxy Frontend Edit.png
    I selected Proxmox address as the site is on a VM in Proxmox server (10.20.20.3) on the VLAN, that server (10.20.20.4) is Ubuntu Server with Portainer running a docker for an intranet dashboard. 9455 is the port that the docker container uses for the intranet. This particular docker container does not ship with HTTPS.

    An Update:
    The front end configuration was the problem, the port needs to be 443. Also, just to note, on the backend, if the site does NOT have SSL, then you need to uncheck Encrypt(SSL) on the BACKEND.

    HAProxy / Backend
    intranet.mydomain.com
    Screenshot 2022-10-27 at 00-13-35 TheWall.jrfam.lan - Services HAProxy Backend Edit.png

    Everything is now working. Unfortunately, if I go to https://crt.sh/ and check my domain, I have a BUNCH of SSL certs. Oh well.

    Question:
    How does this tool auto-update my public IP with Cloudflare so that my @ record is always up to date?

  • Http proxy over ssh for redirect all traffic

    1
    0 Votes
    1 Posts
    197 Views
    No one has replied
  • squid error

    5
    0 Votes
    5 Posts
    651 Views
    S

    Dear Periko

    Yes I enabled DNS Resolver option as Services tab - DNS-resolver-General options. In Network interfaces - LAN Selected while in outgoing Network Interfaces, I selected WAN interface.
    version of pfsense is 2.6.0-release (amd64).

  • Lightsquid ip resolve method dns not working

    1
    1 Votes
    1 Posts
    225 Views
    No one has replied
  • 0 Votes
    2 Posts
    910 Views
    C

    No ideas or suggestions?

  • Client certificate authentication only for certain backends

    4
    0 Votes
    4 Posts
    735 Views
    S

    @sensewolf

    anybody got this working?

  • meetinvr.com

    9
    0 Votes
    9 Posts
    810 Views
    M

    @gertjan thanks, I will do that

  • squidGuard: allowlist and subdomains

    2
    0 Votes
    2 Posts
    861 Views
    M

    @mrit
    Okay, figured it out myself (and with the help of the WayBackMachine). Turns out, subdomains are only included for a domain if the domain is the only entry in the domain list.

    So that makes it very hard for me to also add subdomains (as wildcard) to my allowlist. Maybe it works using regular expressions...

    Source: https://web.archive.org/web/20210727190453/http://www.squidguard.org/Doc/aboutblocking.html

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.