by the way when i change the setting to port 80 i get "502 Bad Gateway The server returned an invalid or incomplete response." and the site does work on port 80 without the HaProxy.

after some resetting i've created the following config that works:

# Automaticaly generated, dont edit manually. # Generated on: 2024-03-11 21:50 global maxconn 1000 stats socket /tmp/haproxy.socket level admin expose-fd listeners uid 80 gid 80 nbthread 1 hard-stop-after 15m chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 server-state-file /tmp/haproxy_server_state listen HAProxyLocalStats bind 127.0.0.1:2200 name localstats mode http stats enable stats refresh 3 stats admin if TRUE stats show-legends stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend shared-https-merged bind WAN_IP:443 name WAN_IP:443 ssl crt-list /var/etc/haproxy/shared-https.crt_list mode http log global option socket-stats option http-keep-alive timeout client 30000 acl <subdomain-2> var(txn.txnhost) -m str -i <subdomain-2>.<domain-name>.<com> acl aclcrt_shared-https var(txn.txnhost) -m reg -i ^([^\.]*)\.<domain-name>\.<com>(:([0-9]){1,5})?$ acl aclcrt_shared-https var(txn.txnhost) -m reg -i ^<domain-name>\.<com>(:([0-9]){1,5})?$ acl <subdomain> var(txn.txnhost) -m str -i <subdomain>.<domain-name>.<com> acl <subdomain-3> var(txn.txnhost) -m str -i <subdomain-3>.<domain-name>.<com> acl <subdomain-4> var(txn.txnhost) -m str -i <subdomain-4>.<domain-name>.<com> http-request set-var(txn.txnhost) hdr(host) use_backend <subdomain-2>-<domain-name>_ipvANY if <subdomain-2> use_backend <subdomain>-<domain-name>_ipvANY if <subdomain> use_backend <subdomain-3>-<domain-name>_ipvANY if <subdomain-3> use_backend <subdomain-4>-<domain-name>_ipvANY if <subdomain-4> frontend http-redirect bind WAN_IP:80 name WAN_IP:80 mode http log global option http-keep-alive timeout client 30000 http-request redirect scheme https backend <subdomain-2>-<domain-name>_ipvANY mode http id 100 log global timeout connect 30000 timeout server 30000 retries 3 load-server-state-from-file global server <subdomain-2> 192.168.1.11:444 id 101 backend <subdomain>-<domain-name>_ipvANY mode http id 102 log global timeout connect 30000 timeout server 30000 retries 3 load-server-state-from-file global server <subdomain> 192.168.1.1:10443 id 101 ssl verify none backend <subdomain-3>-<domain-name>_ipvANY mode http id 103 log global timeout connect 30000 timeout server 30000 retries 3 load-server-state-from-file global server <subdomain-3> 192.168.1.7:443 id 101 ssl verify none backend <subdomain-4>-<domain-name>_ipvANY mode http id 104 log global timeout connect 30000 timeout server 30000 retries 3 load-server-state-from-file global server <subdomain-4> 192.168.1.5:443 id 101

Letting this one here in case someone needs it.
As a sidenote to whole experience i find pfsense much more instable than it was few years ago when i used it first time . If i'd knew this ... And netgate presence is kinda zero, documentation is also in a very poor state. Anyway its working now ...

can be closed

@keval-shah

This is from another thread:

Haproxy just makes a plain tcp connection to port 25 and sends a few commands.. to push out a receiver subject and body.. the mailserver must be configured to not require authentication from haproxy's ip for this to work.

@Gertjan said in HAProxy: Servers with existing SSL certificates:

what is logic

Security. If someone were to take down a server with a DoS vulnerability, for example, they could spoof a service in that server's place and the wildcard cert would accommodate that. The SAN cert guarantees that I'm talking to who I want to be talking to. Another scenario would be if a server was compromised and the wildcard key was extracted, that would allow all the traffic across the network to be decrypted. However, I suppose if you use HA as the only TLS end point and don't re-use that wildcard certs on the servers themselves, that scenario doesn't really exist (though I imagine that some people probably do that).

Then, the traffic from HAProxy to the server is unencrypted. I want end-to-end encryption.

https://forum.netgate.com/topic/186331/new-squid-6-7-and-clamav-1-3-0

@planetinse

23.09.1
I have taken away all other logic and just trying to offload TLS, (no fiddle with sni_fc_ssl or likewise) - and instead of expected 101 and Upgrade response header, I get 200, the tunnel is created and it works, but browser reuses earlier tunnel if i switch url that should use another backend. (it gets confused by the 200 response is my theory)

2.4
doing the same thing with the in 2.4 i get Expected 101 and Upgrade response header.

Direct
If i access backend directly it gives me the expected 101 and Connection upgrade.

@mbl_s_1
geniunly confused........
so just to confirm, there never was a problem with pfsense or HA proxy? If thats the case then yeah..i guess...close..the forum post? 😕

@oldschoolrouterjockey
So the problem isnt with pfSense or Squid.
Im sure you have a specific use case to go through a socks proxy but that could be whats causing you the pain.
Or you are visiting the site while on the corp vpn.
In either case a direct connection through pfsense doesnt cause an issue it seems.

@planetinse

confirmed the later add tcp-request inspect-delay in TCP mode only.

anyone? 😰

@danwize @viragomann
I've got it working now. I changed to just use one front end and added my acl for cloud back. I removed my attempts to set the header and changed my could back end to point to 10.10.0.2:443 after I had changed it to 10.10.0.2:10223 for testing. After I did that, and after saving and applying the changes several times, cloud.mydomain.com was still resolving to 10223. I even tested in igognito windows and restarted the ha proxy service from the pfsense ui and it kept resolving to 10223.

I finally got it routing to 443 after editing the front end settings for cloud to use a different backend, saved those changes, and then changed it back to my cloud.mydomain.com backed and saved again. Possibly my problem from the beginning was the fact that the settings didn't take initially.

https://forum.netgate.com/topic/183088/error-libssl-so-30-not-found-when-installing-package/3

@mr-elamin2 said in WordPress behind HAProxy:

// force SSL
$_SERVER['HTTPS']='on';

define('WP_HOME','http://mysite.com');
define('WP_SITEURL','http://mysite.com');

Thank you! This was a lifesaver!

@benjamesfleming said in [SOLVED] haproxy-auth-request luasocket support?:

https://pkg.freebsd.org/freebsd:11:x86:64/latest/All/lua53-luasocket-3.0.r1_5,1.txz

Reply

Hello,

I am having the same issue on PFSense Plus 23.09.1-RELEASE and HAProxy-devel 2.9.d2.
This package no longer seems to be available for download and I cannot seem to find equivalent for FreeBSD 14. I tried browsing to the FreeBSD package URL's and get an NGINX forbidden when I attempt to browse to find what the latest package URL's are.

Any guidance on how download the latest version of lua53-luasocket?

Thanks