Netgate Discussion Forum
    HAProxy, PfSense, Cloudflare. Consistently getting 502 error

    Category: Cache/Proxy
    3 Posts 2 Posters 1.1k Views
    kevdog
    last edited by kevdog

      Hi. I'm currently on pfsense 2.4.4 Release p3 with HA proxy_devel 0.59_22.
      I'm using Cloudflare for my DNS services. I also have Let's Encrypt SSL certs which, through the acme/Cloudflare DNS challenge, I've been able to install with pfsense.

      Prior to attempting to use HAProxy as a reverse proxy, I had a working setup of pfsense forwarding to an internal FreeNAS jail with Apache serving as both the web server and reverse proxy. This setup was working. With my HAProxy setup right now I'm getting a 522 Connection Timed Out error. Internally I configured the web server to listen only on port 80 without SSL, and I can confirm I can reach the web server locally from inside the LAN.

      I'm wanting to set up more servers on the backend which require SSL, so I figured I'd set up HAProxy as a reverse proxy and SSL offloader.

      Pfsense setup:
      Here are my firewall WAN rules. I'm wondering if "WAN address" is appropriate for the 80/443 HTTP/HTTPS ports -- some tutorials I've seen put "This firewall" in this field:
      (attached screenshot: Screen Shot 2020-01-20 at 11.08.32 PM.png)

      I've included a copy of my HAProxy config.
      (attached file: haproxy_cfg.txt)

      Questions :

      1. Do I have to set up the proxy differently if I need to access these web servers via SSL both internally (via a LAN address) and also externally (via a WAN address)?
      2. I'm getting a Cloudflare 522 error with the current setup, indicating the host is not reachable. The pfSense firewall log records this entry when trying to reach the web server from a computer located within the LAN:
      Jan 20 23:20:52	WAN	Default deny rule IPv4 (1000000103)	  108.162.216.123:10810	  10.0.1.158:443	TCP:S

      I don't know how to interpret the error -- since the destination is from an external address over a strange port wanting to be directed towards the web server IP address on port 443. I thought HAProxy would at least intercept this request and redirect to port 80 on the LAN.

      3. I don't have a line such as the following within my backend section: source ipv4@ usesrc clientip. Is this needed?

      I'm really confused why things aren't working.

      Thanks for the help.

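      To read log lines like the one quoted above mechanically, here is an added example (not from the post, from pfSense or from Netgate): it splits the pfSense filter-log fields, checks whether the source is inside Cloudflare's edge ranges (the range list is an assumed snapshot; refresh it from Cloudflare's published list before relying on it) and flags a denied connection from an edge IP to a web port, which is what a Cloudflare 522 looks like from the firewall's side.

```python
import ipaddress
import re

# Assumed snapshot of Cloudflare's published IPv4 edge ranges; refresh from
# Cloudflare's IP list page before using this in anger.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Field layout of a pfSense firewall-log line as shown in the GUI and in the post:
# timestamp, interface, rule description with rule id, src:port, dst:port, proto:flags.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+(?P<rule>.+?\(\d+\))\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)

def parse_filter_log(line):
    """Return the log fields as a dict, or None if the line has another shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry

def is_cloudflare(ip):
    """True if the address falls inside one of the snapshot edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)

def classify(line):
    """Label a log line: which rule action hit, and whether a Cloudflare edge was the client.
    Note that pf logs the destination as seen at filter time, i.e. after inbound NAT."""
    entry = parse_filter_log(line)
    if entry is None:
        return ("unparsed", None, None)
    rule = entry["rule"].lower()
    blocked = "deny" in rule or "block" in rule
    if blocked and entry["dport"] in (80, 443) and is_cloudflare(entry["src"]):
        return ("cloudflare-edge-blocked", entry["dst"], entry["dport"])
    if blocked:
        return ("blocked", entry["dst"], entry["dport"])
    return ("passed", entry["dst"], entry["dport"])

# Constructed copy of the line quoted in the post (tab-separated as in the GUI export).
SAMPLE_LINE = ("Jan 20 23:20:52\tWAN\tDefault deny rule IPv4 (1000000103)\t  "
               "108.162.216.123:10810\t  10.0.1.158:443\tTCP:S")
```

      A "cloudflare-edge-blocked" result means the edge reached the WAN and no pass rule matched that flow, so the timeout is on the firewall side rather than at the origin web server.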
      tn1rpi3 @kevdog
      last edited by

        @kevdog Cloudflare has a pretty lively community.
        It seems your issue has been addressed here. You may want to have a look at it.


      kevdog
      last edited by

          @tn1rpi3

          I will try over at Cloudflare; however, previously I was passing all packets to the Apache reverse proxy/web server and I wasn't receiving any 502 errors. Now that HAProxy is in the middle, things don't seem to be working.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.