HAProxy - Offload HTTPS (from internet) into HTTP (WORKING + config EXAMPLE)

  • –-- Found my answer, scroll below to see the configuration details ----

    For the following I have no idea an total noob on this, help very appreciated.

    Question: Howto let PFSense translate incomming HTTPS into HTTP

    On the server i have running a http service (a old peace of software with a built in HTTP service)
    Is it achievable to put PFSense intercept HTTPS request from a client and forward this as a HTTP request to the HTTP service?

    See also the drawing.

    Thank you.

    edit: After an better understanding, changed the tittle more appropriate.

  • Banned

    Use HAproxy.

  • ok, I have got it working and this example I like to share is the most basic, essentially needed to make it work.
    The whole setup is running on PFSense 2.4.0-RELEASE (the latest release in October 2017).

    This drawing is to show how the traffic will flow within PFSense.
    I have used different PORT NUMBERS, so you can actually see what is happening.

    6 majors steps are needed to complete:

    1) Installing: SystemPackage Manager > HAProxy package
      5) Adding: Firewall > Virtual IPs
      3) Configure: Service > HAProxy > Settings
      4) Configure: Service > HAProxy > Backend
      5) Configure: Service > HAProxy > Frontend
      6) Adding: Firewall > NAT > Port Forward

    1) Installing the package, just add it.

    2) Adding: Firewall > Virtual IPs
    Virtual IP is added to have a better control and understanding for what is happening, not need, but it helped me understand how it all works.

    3a)  Configure: Service > HAProxy > Settings
    Enable "HAProxy" and set a limit of connections you desire, I choose "50"

    3b)  Configure: Service > HAProxy > Settings
    Set the "Internal Stat Port", I have choose for the example "2200".

    3c)  Configure: Service > HAProxy > Settings
    Set the "MAX SSL Diffie-Hellman size", I have choosen for "2048".

    4a) Configure: Service > HAProxy > Backend
    Configure as shown:

    4b) Configure: Service > HAProxy > Backend
    This how it looks on the Backend tab when finnished.

    5a) Configure: Service > HAProxy > Frontend
    Configure as shown:

    5b) Configure: Service > HAProxy > Frontend
    Configure as shown:

    5c) Configure: Service > HAProxy > Frontend
    This how it looks on the Frontend tab when finnished.

    6) Adding: Firewall > NAT > Port Forward
    And a NAT Port Forward for the Incoming traffic from the Internet to the Virtual IP:

    6) Adding: Firewall > NAT > Port Forward
    The rule on the WAN interface is automatically added, if not, this is how it looks like:

    This is literally all what is needed….
    Good luck!

    ![Virutal IP.PNG](/public/imported_attachments/1/Virutal IP.PNG)
    ![Virutal IP.PNG_thumb](/public/imported_attachments/1/Virutal IP.PNG_thumb)
    ![NAT rule.PNG](/public/imported_attachments/1/NAT rule.PNG)
    ![NAT rule.PNG_thumb](/public/imported_attachments/1/NAT rule.PNG_thumb)
    ![WAN rule.png](/public/imported_attachments/1/WAN rule.png)
    ![WAN rule.png_thumb](/public/imported_attachments/1/WAN rule.png_thumb)

  • Hello Sokolum,
    The pictures you posted are gone, care to reup? I really want to follow what you put here!

  • add me to the list of people who would like to see the screenshots, please re-add if possible.

  • Banned

    Last Online 23 Oct 2017, 23:46

    You can probably wait a long time. Better do some RTFM:

  • NFM! thanks.

Log in to reply