HAProxy, PfSense, Cloudflare. Consistently getting 502 error
  • Hi. I'm currently on pfSense 2.4.4 Release p3 with HAProxy-devel 0.59_22.
    I'm using Cloudflare for my DNS services. I also have Let's Encrypt SSL certs which, through the acme/Cloudflare DNS challenge, I've been able to install with pfSense.

    Prior to attempting to use HAProxy as a reverse proxy, I had a working setup of pfsense->forwarding to internal FreeNAS jail with Apache serving as both the webserver and ReverseProxy. This setup was working. With my HA Proxy Setup right now I'm getting a 522 Connection Time Out Error. Internally I disabled the web server to listen only on port 80 without SSL and I can confirm I can reach the web server locally from inside the LAN.

    I'm wanting to setup more servers on the backend which require SSL so I figured I'd setup HAProxy as a Reverse Proxy and SSL Offloader.

    Pfsense setup:
    Here are my firewall WAN rules. I'm wondering if "WAN address" is appropriate for the 80/443 HTTPS ports -- some tutorials I've seen put "This firewall" in this field:
    Screen Shot 2020-01-20 at 11.08.32 PM.png

    I've included a copy of my HAProxy config.
    haproxy_cfg.txt

    Questions:

    1. Do I have to setup the proxy differently if I need to access these webservers via SSL both internally (via a LAN address) and also via externally (via a WAN address)?
    2. I'm getting a Cloudflare 522 error with the current setup indicating the host is not reachable. The pfSense system firewall log records this error if trying to reach the webserver from a computer located within the LAN:
    Jan 20 23:20:52	WAN	Default deny rule IPv4 (1000000103)	  108.162.216.123:10810	  10.0.1.158:443	TCP:S

    I don't know how to interpret the error -- since the destination is from an external address over a strange port wanting to be directed towards the webserver IP address on port 443. I thought the HAProxy would at least intercept this request and redirect to port 80 on the LAN.

    3. I don't have a line such as the following within my backend section: source ipv4@ usesrc clientip. Is this needed?

    I'm really confused why things aren't working.

    Thanks for help.
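The log line quoted in the post is the most useful evidence in the thread: a TCP SYN (`TCP:S`) from a Cloudflare edge address to the pfSense WAN-side address on port 443 hit the default deny rule, so the edge never completes the TCP handshake to the origin, which is exactly what a Cloudflare 522 means. The high source port is just the client's ephemeral port, not a service port. The script below is an added example, not code from the thread or from pfSense/HAProxy: it parses pasted pfSense firewall-log lines, keeps only blocks on the WAN interface aimed at the HAProxy listener port, and separates hits from an assumed CDN edge range from everything else. The first sample line is the one from the post; the remaining lines and the `TRUSTED_EDGE_NETS` range are constructed placeholders (replace the range with the CDN's published list before using this on real logs).

```python
"""Triage pfSense firewall-log lines for blocked connections to a reverse-proxy listener.

Added example for the thread above; not part of pfSense or HAProxy.
"""
import ipaddress
from collections import Counter

# Constructed sample: tab-separated lines as pasted from the pfSense firewall-log GUI.
# Line 1 is the entry quoted in the post; the others are made up for illustration.
SAMPLE_LOG = (
    "Jan 20 23:20:52\tWAN\tDefault deny rule IPv4 (1000000103)\t  108.162.216.123:10810\t  10.0.1.158:443\tTCP:S\n"
    "Jan 20 23:20:55\tWAN\tDefault deny rule IPv4 (1000000103)\t  108.162.216.123:10811\t  10.0.1.158:443\tTCP:S\n"
    "Jan 20 23:21:03\tWAN\tDefault deny rule IPv4 (1000000103)\t  198.51.100.7:51234\t  10.0.1.158:443\tTCP:S\n"
    "Jan 20 23:21:10\tWAN\tDefault deny rule IPv4 (1000000103)\t  198.51.100.7:51240\t  10.0.1.158:22\tTCP:S\n"
    "Jan 20 23:21:15\tLAN\tDefault deny rule IPv4 (1000000103)\t  10.0.1.50:40001\t  10.0.1.158:443\tTCP:S\n"
)

# Assumed placeholder for the CDN's edge networks; it is chosen only so that the
# quoted source address falls inside it. Use the provider's published ranges in practice.
TRUSTED_EDGE_NETS = [ipaddress.ip_network("108.162.216.0/22")]


def parse_line(line):
    """Parse one pasted log line into a dict, or return None if it is not a 6-field entry."""
    fields = [f.strip() for f in line.rstrip("\n").split("\t")]
    if len(fields) != 6:
        return None
    ts, iface, rule, src, dst, proto = fields
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "time": ts,
        "iface": iface,
        "rule": rule,
        "src": src_ip,
        "sport": int(src_port),
        "dst": dst_ip,
        "dport": int(dst_port),
        "proto": proto,
        # pfSense's implicit "Default deny rule" entries are blocks; so are rules named with "block".
        "blocked": "deny" in rule.lower() or "block" in rule.lower(),
        # "TCP:S" is a bare SYN, i.e. a new inbound connection attempt.
        "syn": proto == "TCP:S",
    }


def triage(log_text, iface="WAN", listener_port=443, trusted=TRUSTED_EDGE_NETS):
    """Count blocked SYNs on `iface`, split by whether they target the listener and come from the edge."""
    summary = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or not entry["blocked"] or not entry["syn"] or entry["iface"] != iface:
            continue
        if entry["dport"] != listener_port:
            summary["other_port"] += 1          # unrelated noise (scans, other services)
            continue
        src = ipaddress.ip_address(entry["src"])
        if any(src in net for net in trusted):
            summary["edge_blocked"] += 1        # the CDN cannot reach the proxy: this causes 522s
        else:
            summary["untrusted_blocked"] += 1   # direct hits bypassing the CDN; blocking these is desired
    return summary


def findings(summary, listener_port=443):
    """Turn the counters into short human-readable conclusions."""
    notes = []
    if summary["edge_blocked"]:
        notes.append(
            f"{summary['edge_blocked']} SYN(s) from the edge range to port {listener_port} hit the "
            f"default deny rule: no WAN pass rule matches the listener address/port."
        )
    if summary["untrusted_blocked"]:
        notes.append(
            f"{summary['untrusted_blocked']} direct SYN(s) to port {listener_port} from outside the "
            f"edge range were blocked, which is the intended outcome when only the CDN should reach the origin."
        )
    return notes


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for note in findings(result):
        print(note)
```

Run against a paste of the WAN log while reproducing the 522: if `edge_blocked` is non-zero, the pass rule on WAN is not matching the destination that HAProxy actually binds to (compare the logged destination address with the rule's destination field), and that has to be fixed before anything inside HAProxy matters.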



  • @kevdog Cloudflare has a pretty lively community.
    It seems your issue has been addressed here. You may want to have a look at it.



  • @tn1rpi3

    I will try over at Cloudflare however previously I was passing all packets to the Apache reverse proxy/webserver and I wasn't receiving any 502 errors. Now that HA proxy is in the middle, things don't seem to be working.

