HAProxy to pfsense webui



  • Hi,
    I have haproxy setup to reverse proxy (both :80 and :443) to several servers successfully however I have been trying to also use haproxy to reverse proxy to pfsense web ui with no success.

    pfsense is set to port 443.

    FrontEnd:
      SSLSharedFrontend, WAN, 443, Type ssl/https.
      – pfSenseFrontEnd, Primary SSLSharedFrontend,  ACL set to "SNI TLS Matches pfsense.mydomain.com, Action uses backend pfsenseBackend.

    Backend:
      pfsenseBackend, 127.0.0.1, 443, SSL no, HealthCheck none, Use client-ip.

    Under Firewall Rules I have tried several settings the latest being
    LAN:  ipv4, *, *, 127.0.0.1, 443, *, none
    WAN: ipv4, *, *, WAN address, 443, *, none

    and I disabled the previous pfsense remote access working port forward :8080 to :443

    No matter what I try I get a 503 Service Unavailable when I access the domain from an external network (ie mobile phone).

    Has anyone managed to do this successfully or have any advise on what I'm doing wrong.

    Thanks
    Blendin_Blandin



  • Hi Blendin_Blandin,

    Have you tried without the 'Use client-ip.' ?

    If you enable healthchecking it does show success on the stats page.?

    Regards,
    PiBa-NL



  • Hi PiBa,
    I thought I had tried that before so not sure why it works now but once I disabled client-ip it works. Its complaining about the ssl certificate so I need to deal with that next but its progress.

    As per health check I have only been able to get basic to work with pfsense.

    Thanks



  • Hi Blendin_Blandin,

    For HTTP health checks you can do the following:

    • enable 'ssl' on the backend server
    • Http check method : HEAD
      Though i would probably set a very low check frequency (once a minute or so.?.) or maybe not check at al..

    As for the certificate, as your passing the traffic with mode tcp so haproxy doesnt need any additional settings there, a valid certificate needs to configured for the webgui though for the name your typing in the browser.

    Regards
    PiBa-NL