Netgate Discussion Forum

    HA Proxy and 503 error on pfSense

    • RyanM

      I was trying to set up HA Proxy so I could use my Let's Encrypt certs for internal hostnames.

      However, I think I screwed something up, and then I started getting a 503 error when accessing my pfSense router. I had to login using SSH and then do a

      pkg delete haproxy29
      

      I was then able to access my pfSense router again. Phew.

      I was trying to follow the guide here: https://codestrian.com/index.php/2024/11/22/setting-up-haproxy-as-a-reverse-proxy-on-pfsense-for-internal-services/

      But I think it glossed over some things.

      Is HA Proxy good for what I am trying to do? So I have self-signed certs for several internal hosts/services.

      So let's say my domain is internaldomain.com, and I have a TrueNAS server. I want to access it using https://truenas.internaldomain.com/. Currently this uses a self-signed certificate. I want to use HA Proxy so that I can hit that domain name, and it will proxy the traffic to the TrueNAS server, but use my internaldomain.com SSL cert from Let's Encrypt.

      Is that possible? Is there a better guide? If I re-install the HA Proxy package, will it try and run the settings I already have and start giving me a 503 error again?

      • viragomann @RyanM

        @RyanM said in HA Proxy and 503 error on pfSense:

        So let's say my domain is internaldomain.com

        Does the domain resolve to your public IP in a public DNS?
        If it doesn't, you won't get a Let's Encrypt cert at all.

        Is HA Proxy good for what I am trying to do? So I have self-signed certs for several internal hosts/services.

        Yes. You can install self-signed certs on your backend servers and direct all traffic over HAproxy, even from internal.
        However, you must not enable "SSL checks" in the backend.

        The better way, however, would be to generate the internal certs with a CA on pfSense. Then you can configure HAproxy to trust the CA and accept the server certs.

        When getting error 503 "service not available", the backend either does not respond to health checks or the service is not reachable, or something else in HAproxy is configured wrong.
        So first of all go to the stats page and check if the backend is shown as "online". If not, check the health check configuration.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.