HAProxy, PfSense, Cloudflare. Consistently getting 502 error
kevdog last edited by kevdog
Hi. Im currently on pfsense 2.4.4 Release p3 with HA proxy_devel 0.59_22.
I'm using cloudflare for my DNS services. I also have Lets Encrypt SSL certs which through acme/cloudflare DNS challenge, been able to install with pfsense.
Prior to attempting to use HAProxy as a reverse proxy, I had a working setup of pfsense->forwarding to internal FreeNAS jail with Apache serving as both the webserver and ReverseProxy. This setup was working. With my HA Proxy Setup right now I'm getting a 522 Connection Time Out Error. Internally I disabled the web server to listen only on port 80 without SSL and I can confirm I can reach the web server locally from inside the LAN.
I'm wanting to setup more servers on the backend which require SSL so I figured I'd setup HAProxy as a Reverse Proxy and SSL Offloader.
Here are my firewall WAN rules, I wondering if WAN address is appropriate for the 80/443 HTTPS ports -- some tutorials I've seen put This firewall in this field.:
I've included a copy of my HAProxy config.
- Do I have to setup the proxy differently if I need to access these webservers via SSL both internally (via a LAN address) and also via externally (via a WAN address)?
- I'm getting a Cloudflare 522 error with the current setup indicating host is not reachable. The pfsense system firewall logs records this error if trying to reach the webserver from a computer located within the LAN:
Jan 20 23:20:52 WAN Default deny rule IPv4 (1000000103) 22.214.171.124:10810 10.0.1.158:443 TCP:S
I don't know how to interpret the error -- sincethe destination is from external address over a strange port wanting to be directed towards the webserver IP address on port 443. I thought the HA proxy would at least intercept this request and redirect to port 80 on LAN.
- I don't have a line such as the following within by backend section: source ipv4@ usesrc clientip. Is this needed?
I'm really confused why things aren't working.
Thanks for help.
tn1rpi3 last edited by
kevdog last edited by
I will try over at Cloudflare however previously I was passing all packets to the Apache reverse proxy/webserver and I wasn't receiving any 502 errors. Now that HA proxy is in the middle, things don't seem to be working.