Netgate Discussion Forum

HAProxy - Offload HTTPS (from internet) into HTTP (WORKING + config EXAMPLE)

  • S
    sokolum
    last edited by Oct 20, 2017, 9:21 AM Oct 18, 2017, 9:03 PM

    ---- Found my answer, scroll below to see the configuration details ----

    For the following I have no idea, I am a total noob on this; help very appreciated.

    Question: How to let PFSense translate incoming HTTPS into HTTP

    On the server I have an HTTP service running (an old piece of software with a built-in HTTP service).
    Is it achievable to have PFSense intercept an HTTPS request from a client and forward it as an HTTP request to the HTTP service?

    See also the drawing.

    Thank you.

    edit: After a better understanding, changed the title to be more appropriate.

    • D
      doktornotor Banned
      last edited by Oct 18, 2017, 9:27 PM

      Use HAproxy.

      • S
        sokolum
        last edited by Oct 20, 2017, 9:01 AM Oct 19, 2017, 11:26 PM

        OK, I have got it working, and the example I'd like to share is the most basic one, with only what is essentially needed to make it work.
        The whole setup is running on PFSense 2.4.0-RELEASE (the latest release in October 2017).

        This drawing is to show how the traffic will flow within PFSense.
        I have used different PORT NUMBERS, so you can actually see what is happening.

        6 major steps are needed to complete:

        1) Installing: System > Package Manager > HAProxy package
        2) Adding: Firewall > Virtual IPs
        3) Configure: Service > HAProxy > Settings
        4) Configure: Service > HAProxy > Backend
        5) Configure: Service > HAProxy > Frontend
        6) Adding: Firewall > NAT > Port Forward


        1) Installing the package, just add it.



        2) Adding: Firewall > Virtual IPs
        A Virtual IP is added to have better control and understanding of what is happening; it is not needed, but it helped me understand how it all works.



        3a)  Configure: Service > HAProxy > Settings
        Enable "HAProxy" and set the limit of connections you desire; I chose "50".

        3b)  Configure: Service > HAProxy > Settings
        Set the "Internal Stat Port"; I have chosen "2200" for the example.

        3c)  Configure: Service > HAProxy > Settings
        Set the "MAX SSL Diffie-Hellman size"; I have chosen "2048".



        4a) Configure: Service > HAProxy > Backend
        Configure as shown:

        4b) Configure: Service > HAProxy > Backend
        This is how it looks on the Backend tab when finished.



        5a) Configure: Service > HAProxy > Frontend
        Configure as shown:

        5b) Configure: Service > HAProxy > Frontend
        Configure as shown:

        5c) Configure: Service > HAProxy > Frontend
        This is how it looks on the Frontend tab when finished.



        6) Adding: Firewall > NAT > Port Forward
        And a NAT Port Forward for the Incoming traffic from the Internet to the Virtual IP:

        6) Adding: Firewall > NAT > Port Forward
        The rule on the WAN interface is automatically added; if not, this is what it looks like:

        This is literally all that is needed....
        Good luck!


        1 Reply Last reply Reply Quote 0
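An added example, not part of sokolum's post and not the output of the pfSense package: a hand-written haproxy.cfg sketch of the HTTPS-to-HTTP offload that the six steps above describe. Only the connection limit (50), the stats port (2200) and the DH size (2048) come from the post; every address, port, name and the certificate path are placeholders.

```haproxy
# Constructed example. From the post: maxconn 50, stats port 2200,
# DH size 2048. All addresses, ports, names and paths are placeholders.
global
    maxconn 50
    tune.ssl.default-dh-param 2048
    # Assumption: refuse legacy protocol versions on every TLS bind.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Stats page. Bound to loopback here (an assumption) so that it is
# never reachable from the WAN side.
listen stats
    bind 127.0.0.1:2200
    stats enable
    stats uri /

# Frontend: terminates TLS on the Virtual IP. The NAT port forward
# delivers the WAN HTTPS traffic to this address and port.
frontend https_offload
    bind 192.0.2.10:8443 ssl crt /path/to/cert-and-key.pem
    # Tell the backend the original client IP and that the client
    # connection was HTTPS, since the backend only ever sees HTTP.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend legacy_http

# Backend: plain HTTP to the old server. This hop is unencrypted, so it
# should stay on a trusted internal segment, and the firewall rules
# should allow the server's HTTP port only from the pfSense host.
backend legacy_http
    server legacy1 10.0.0.20:8080 check
```

A file like this can be syntax-checked with `haproxy -c -f <file>` before it is loaded.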
        • I
          ice0914m7
          last edited by Mar 5, 2019, 5:12 PM

          Hello Sokolum,
          The pictures you posted are gone, care to reup? I really want to follow what you put here!

          • B
            binhex01
            last edited by Mar 26, 2019, 3:45 PM

            Add me to the list of people who would like to see the screenshots, please re-add if possible.

            • G
              Grimson Banned
              last edited by Mar 26, 2019, 3:50 PM

              Last Online 23 Oct 2017, 23:46

              You can probably wait a long time. Better do some RTFM:
              https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki
              http://www.haproxy.org/#docs

              • B
                binhex01
                last edited by Mar 26, 2019, 4:55 PM

                NFM! thanks.
