@AndyD Finally an explanation what happened after 2.4 where HAProxy performance dropped like a stone :), lets hope this comes to CE version too.

@danwize @viragomann
I've got it working now. I changed to just use one front end and added my acl for cloud back. I removed my attempts to set the header and changed my could back end to point to 10.10.0.2:443 after I had changed it to 10.10.0.2:10223 for testing. After I did that, and after saving and applying the changes several times, cloud.mydomain.com was still resolving to 10223. I even tested in igognito windows and restarted the ha proxy service from the pfsense ui and it kept resolving to 10223.

I finally got it routing to 443 after editing the front end settings for cloud to use a different backend, saved those changes, and then changed it back to my cloud.mydomain.com backed and saved again. Possibly my problem from the beginning was the fact that the settings didn't take initially.

@nfaheem said in Trying to Access Home Assistant from outside network:

but recently tried to migrate to Home Asisstant and using their cloud service, I still cannot using certain services because my network blocks traffic.

If Home Assistant has a cloud service then I wouldn't expect any of this to be necessary. Everything would be accessed via the cloud. I could be misreading that though.

Problem solved.
The files wasn't backed up so I hade to fetch them again.

guide here https://dkict.com/pfsense-haproxy-authelia/

Do you restrict the number of states allowed on some connections? I noticed once I said for example 1 state allowed at a time for GUI it start to speed up a lot. Some I added expire timers on like my VPNs etc.

ACL for the HA proxy system should only have how many states??? Maybe just one as it is linked to the other proxy.

Screenshot 2024-03-15 at 13.15.33.png

I don't know if that helps, but some cookies kept creating multiple states for some weird reason and slowing everything down. But that was just me this fixed it for me with KEA use also.

Hi,

same problem here after upgrading from 2.6 to 2.7.2,
Certificate manager don't fill 'In use' column for some of the certifcates used by HAProxy.

Anyone has an explanation or solution?

Thanks

Trying to find a solution to this as well. It doesn't seem OpenVPN has an option to forward headers which basically makes it impossible to use openvpn as the primary on port 443 if you need to see client IP addresses on haproxy..

As an alternative, I wondered if it might make sense to set haproxy listening on 443 and OpenVPN as a backend on a different port. Has anyone tried this yet? Does this cause double encryption (slow down the connection too much)? Here is an example of one guy who claims to have got it working:
https://discourse.haproxy.org/t/haproxy-with-openvpn-over-tcp-443-on-pfsense/4731/2

EDIT

It looks like he create a TCP frontend on 443 with a default backend going to OpenVPN:TCP:1194 and an acl that checks for SSL and sends SSL traffic to an HTTPS Backend set to localhost:9443. Then he configured localhost:9443 as a Frontend that handles the forwarded Web Traffic.

That looks like it should work, but It's a bit too complicated for me to test on my live server right now and I don't have a lab setup. Happy to help anyone else who might have a lab environment setup for testing.

@EChondo

What's your pfSense version ?
The instructions are shown here :

1acdc586-cb29-4148-9e36-81ade4e5e60c-image.png

A restart of a service will start by re creating their config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

@EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

No need to wait x days.
You can re test / renew right away, as you are 'allowed' to renew a couple (5 max ?) of times per week.

@Berick
That's not really much.
Maybe you can find more details, when running the browser debugging mode.

I got a similar problem solved by adding this response header:

http-response header set > name: content-security-policy, fmt: upgrade-insecure-requests

You can try, but not sure if this helps.

Nice!

I forgot to link to the issue ticket: https://redmine.pfsense.org/issues/14764

My apologies I gave bad advice.

Documentation is opposite what I suggested. https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide-prepare.html#packages

Yes I am using haproxy-devel v0.62_13