For those people who has HAproxy not on pfSense: frontend http-promex bind <%IP%>:9001 name <%IP%>:9001 ssl crt-list /var/etc/haproxy/http-promex.crt_list process 1 mode http log global option dontlog-normal option http-keep-alive maxconn 10 timeout client 30000 option http-use-htx http-request use-service prometheus-exporter if { path /metrics } stats enable stats uri /stats stats refresh 10s acl aclcrt_http-promex var(txn.txnhost) -m reg -i ^pfsensen01\.concosto\.com(:([0-9]){1,5})?$ http-request set-var(txn.txnhost) hdr(host) frontend https-f01 bind <%IP%>:443 name <%IP%>:443 ssl crt-list /var/etc/haproxy/https-f01.crt_list alpn h2,http/1.1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 mode http log global option httplog option http-server-close option forwardfor acl https ssl_fc http-request set-header X-Forwarded-Proto http if !https http-request set-header X-Forwarded-Proto https if https timeout client 30000 acl grafana.concosto.com var(txn.txnhost) -m str -i grafana.concosto.com http-request set-var(txn.txnpath) path http-request set-var(txn.txnhost) hdr(host) capture request header X-Forwarded-For len 128 capture request header Host len 32 capture request header User-Agent len 128 use_backend grafana.concosto.com if grafana.concosto.com backend grafana.concosto.com mode http id 160 log global timeout connect 5000 timeout server 30000 retries 3 http-request set-header Host grafana.concosto.com server grafana.concosto.com <%IP%>:3000 id <%ID%> ssl check inter 1000 ca-file /var/etc/haproxy/internal-ca.pem verifyhost grafana.concosto.com resolvers globalresolvers sni str(grafana.concosto.com) check-sni grafana.concosto.com Note: find change <%IP%> and grafana.concosto.com in config to your one

It is fixed now. The solution was to change the setting under the report template from text to base and save it. [image: 1589863026534-solution.png]

Feature request: https://redmine.pfsense.org/issues/10541

@Evertvh said in Using HAproxy for reverse proxy with / in the backend: if i do go and say https://mail.remote-entry.tld/roundcube I get a Server does not exist return. because technically it the correct path for round cube is https://remote-entry.tld/roundcube 'Who' is saying the server doesn't exist.? I presume you have got the proper DNS records in place to point to haproxy? Your first post you wrote "but when i try to reach mail.mydomain.com/roundcube it just takes me to the 192.168.0.20" sounds like you actually did get a response.? (no idea if that was with http or https though.. as you seem to forget to actually specify these details which might actually matter..) @Evertvh said in Using HAproxy for reverse proxy with / in the backend: if i did get https://mail.remote-entry.tld/roundcube working it would defeat the purpose of what i am trying to achieve. What are you trying to achieve? what is the desired url to visit in a browser? what have you configured? (show the current config?) what is the current effect what have you checked and what do you expect might need to change? is a request from the browser send to the 'correct' webserver currently already? but its virtual-servers configuration just doesn't recognize the proper website to reply for? if so perhaps a simple set-header command with the actual domain would suffice? Anyhow i'm struggling parsing your reply and thoughts mixed together with a seemingly large lack of understanding..

@bihzs Configure your frontend type for SSL, and configure a acl that checks the ServerNameIndication

@Brailyn The frontend3-offloading uses type HTTP, this cannot pass openvpn traffic which doesn't use http.. You can still have a 'offloading' frontend of-course. But the backend that sends traffic there would not be the default backend for the frontend2-SNI. There would be a acl check for on or more SNI-name's like myFirstOffloadedSite.domain.tld mySecondOffloadedSite.domain.tld and then a action use-backend:frontend3-offloading when that acl matches. Then that frontend3 can handle the certificates and further splitting of host headers so first site and second site get actually handled by first- backend and second-backend. As for how the backend is named and what it does, that indeed is probably a little strange, but you can change the names of-course.. I was just telling with minimal changes how to achieve the initial goal while seeing that you where not actually using the that default backend at the time.

I'm glad, if you found my help helpful send me like this: [image: 1588525527237-5ae3b12f-26b9-43a9-9f0b-060a399b731f-image.png]

Solved in https://forum.netgate.com/topic/153028/haproxy-deleting-acl-on-modify-bug-or-am-i-missing-something/14

How you have it setup that is correct. With SSL filtering disabled Squid will only proxy http traffic. Steve

SafeSearch feature in the latest pfBlockerNG-devel: [image: 1588350490242-screenshot-from-2020-05-01-19-27-43.png]

@PiBa said in Unable to add PPA to Ubuntu server when connected to HAProxy.: I'm running out of ideas what to check without some 'hands on' checking.. But i think we are active in different time-zones.. 'CET-evenings'.. That's okay, I understand. I think I'm going to make a new question in a different topic that might have more folks who can help. I really appreciate you helping me out here.