HAproxy SSL PassThu with SNI

  • Hello! I am trying to setup HAproxy to pass through SSL requests to multiple servers so that multiple different application servers can share one public IP and maintain/renew their own LE SSL certs. I'm running into trouble right off the bat. I setup a separate pfSense VM just for this HAproxy application. The first site I will need to proxy is pfSense itself. I setup HTTP and HTTPS to what I think is correct but it's not working. When I try to connect to the hostname of pfSense, I see the connection in HAproxy stats but my web browser timeouts after a while. Here are my configs (anything left out is default). Any ideas? Thanks!

    HTTP backend:

    HTTPS Backend

    HTTP Frontend:

    HTTPS Frontend:


  • @MeCJay12
    The port :80 frontend cannot use SNI, as its getting a plain-text request from the browser.. You will have to change that to a frontend of type 'http', and check the Host header..

    You do not want to use certificates in haproxy itself right?, so for the :443 frontend you do not decrypt the traffic, then on the backend you DO encrypt the already encrypted traffic again. So the webserver gets the http traffic in 2 layers of SSL. certainly it wont know what to do with that.. , as such don't select the encrypt checkbox there. (but perhaps do perform the health-checks with ssl so check 'SSLchecks')

    Another possible issue might be the use of the transparentclient-ip feature.. You should select the interface that is connected to the 'webserver' there.. Which in case of the local pfSense webgui im not sure it could work at all.. Try not using that feature as a debugging step, it has that warning text for a reason ;) and even though it doesnt warn about webgui specifically, it certainly worth trying to use it if some kind of 'trouble' is found..

  • LAYER 8 Netgate


    I would get it working before enabling things like this too. You really have to know what you are doing to get all of that right.

Log in to reply