Netgate Discussion Forum
    HAProxy 502 bad gateway with Cloudflare Proxy

    Category: Cache/Proxy

    A Former User:

      @te7 I also tried the packet capture feature and get TCP traffic, but it seems like it never reaches the service defined in the HAProxy backend. Without the Cloudflare proxy everything works, but this is not optimal. This could also be a funky issue with LAN bridging, and if that is the case the switch could fix that. It is fascinating how many tools pfSense provides for debugging out of the box. I do not understand all the tools, but I try to learn about them step by step.

      A Former User (replying to A Former User):

        I now tried some other things:

        • Using the Cloudflare origin certificate on the HAProxy frontend and as the webConfigurator certificate -> did not change anything.
        • Setting the SSL/TLS encryption mode in Cloudflare to Flexible instead of Full or Full (strict) -> did not fix it either. Without the Cloudflare proxy, Full (strict) mode works fine.

        These were some things I saw suggested to fix the problem. Sadly without success.

        jycai (replying to A Former User):

          @klaussemmler Have you found a solution to this issue? I have the same setup and the same problem as you had.

          A Former User (replying to jycai):

            @jycai I have installed a Mikrotik CRS305 as a switch in my network, and at least the odd KDE Connect behaviour is fixed.

            But the cloudflare issue still remains.

            A Former User (replying to A Former User):

              I now tried to set up everything with the Squid reverse proxy instead of HAProxy, but the issue with the Cloudflare proxy still remains. So it should not be a problem with HAProxy itself.

              A Former User (replying to A Former User):

                It seems like I have found the answer!

                The Cloudflare DNS proxy only works with HTTP/HTTPS traffic on the free tier. If non-HTTP/HTTPS traffic is used, for example when running a Minecraft server, the DNS proxy does not work.

                This is where I got the information from:

                https://community.cloudflare.com/t/cloudflare-minecraft-proxy/167417

                jycai (replying to A Former User):

                  @klaussemmler Some people mention that pfBlockerNG blocks traffic from Cloudflare proxied servers, but my website still does not work after I completely removed pfBlockerNG and rebooted pfSense.

                  A Former User (replying to jycai):

                    @jycai Have you whitelisted the Cloudflare IPs in your pfSense? You can actually do this automatically with pfBlockerNG.

                    The IPv4 IPs can be found here: https://www.cloudflare.com/ips-v4
                    The IPv6 IPs can be found here: https://www.cloudflare.com/ips-v6

                    My pfBlockerNG config for IPv4 looks like this (the alias at Custom DST Port contains ports 80 and 443):

                    [Screenshot: Firewall / pfBlockerNG / IP / IPv4 configuration, 2022-04-01]

                    jycai (replying to A Former User):
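The allow-list described above (only Cloudflare's published ranges, only on the ports the Custom DST Port alias contains) can be sanity-checked offline. The following is an added example, not code from the thread, from pfBlockerNG or from Cloudflare; the CIDR lines and connection records are constructed samples in the one-CIDR-per-line format of the ips-v4/ips-v6 lists, not the authoritative ranges. It also reflects the earlier finding that only HTTP/HTTPS is proxied on the free tier, so a non-web port is rejected even from a Cloudflare address.

```python
import ipaddress
from typing import Iterable

# Constructed sample in the format served at https://www.cloudflare.com/ips-v4 and /ips-v6.
# Example values only; download the live lists when building a real allow-list.
SAMPLE_CLOUDFLARE_RANGES = """\
# ips-v4 (sample)
173.245.48.0/20
104.16.0.0/13
# ips-v6 (sample)
2400:cb00::/32
"""

# The ports the thread's Custom DST Port alias contains.
PROXIED_PORTS = {80, 443}


def parse_ranges(text: str) -> list:
    """Parse a CIDR-per-line list into network objects, ignoring blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def decide(src_ip: str, dst_port: int, nets: Iterable) -> str:
    """'permit' only for HTTP/HTTPS arriving from an allow-listed range, else 'block'."""
    addr = ipaddress.ip_address(src_ip)
    if dst_port not in PROXIED_PORTS:
        return "block"
    return "permit" if any(addr in n for n in nets) else "block"


def evaluate(connections, ranges_text: str = SAMPLE_CLOUDFLARE_RANGES) -> dict:
    """Map each (src_ip, dst_port) pair to its verdict."""
    nets = parse_ranges(ranges_text)
    return {(ip, port): decide(ip, port, nets) for ip, port in connections}


# Constructed connection records, not real firewall log data.
SAMPLE_CONNECTIONS = [
    ("173.245.48.10", 443),    # Cloudflare edge -> HTTPS: the expected path
    ("2400:cb00:1::1", 80),    # Cloudflare edge over IPv6 -> HTTP: expected too
    ("203.0.113.5", 443),      # a client reaching the origin directly, bypassing the proxy
    ("173.245.48.10", 25565),  # Minecraft default port: not proxied on the free tier
]

if __name__ == "__main__":
    for (ip, port), verdict in evaluate(SAMPLE_CONNECTIONS).items():
        print(f"{verdict:6} {ip} -> {port}")
```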

                      @klaussemmler Thank you. I added the Cloudflare IP whitelist in pfBlockerNG as you suggested; however, the Cloudflare proxy is still not working with HAProxy SSL offload on my Nextcloud website. I don't get the 502 error, but half the page info is missing. It works when the Cloudflare proxy is off.

                      I am running version 2.6 and will try 2.52 and 2.4 later on to see if it makes a difference.

                      A Former User (replying to jycai):

                        @jycai Okay, interesting. Another thing that could cause problems with Cloudflare is the encryption mode in the SSL/TLS menu. Try the modes Flexible, Full and Full (strict) and see if this fixes your problem.

                        [Screenshot: Cloudflare SSL/TLS encryption mode setting, 2022-04-01]

                        jycai (replying to A Former User):

                          @klaussemmler
                          Flexible mode - no connection at all
                          Full - loads half the page
                          Full (strict) - Error 526
                          v2.6, v2.52 and v2.4 with an ACME or Cloudflare origin server certificate - all the same result. 😧

                          A Former User (replying to jycai):

                            @jycai I am kind of out of ideas. But you can try to toggle the options in SSL/TLS -> Edge Certificates.

                            And are you sure you use the correct certificates for all servers?

                            firewallwiki (replying to jycai):

                              @jycai With free CF, choose Flexible mode.
                              Check your pfSense firewall.
                              Sometimes the problem is at the frontend and backend. I remove and recreate them. It works.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.