Netgate Discussion Forum
    HAProxy 502 bad gateway with Cloudflare Proxy

    Cache/Proxy
    • ?
      A Former User @jycai
      last edited by

      @jycai I have installed a Mikrotik CRS305 as a switch in my network and at least the odd KDE Connect behaviour is fixed.

      But the Cloudflare issue still remains.

      • ?
        A Former User @A Former User
        last edited by

        I have now tried to set up everything with a Squid reverse proxy instead of HAProxy, but the issue with the Cloudflare proxy still remains. So it should not be a problem with HAProxy itself.

        • ?
          A Former User @A Former User
          last edited by

          It seems like I have found the answer!

          Cloudflare DNS Proxy only works with HTTP/HTTPS traffic on the free tier. If non-HTTP/HTTPS traffic is used, for example when using a Minecraft server, the DNS Proxy does not work.

          This is where I got the information from:

          https://community.cloudflare.com/t/cloudflare-minecraft-proxy/167417

          • J
            jycai @A Former User
            last edited by

            @klaussemmler Some people mention pfBlockerNG is blocking traffic from Cloudflare proxied servers, but my website still does not work after I completely removed pfBlockerNG and rebooted pfSense.

            • ?
              A Former User @jycai
              last edited by A Former User

              @jycai Have you whitelisted the Cloudflare IPs in your pfSense? You can actually automate this with pfBlockerNG.

              The IPv4 IPs can be found here: https://www.cloudflare.com/ips-v4
              The IPv6 IPs can be found here: https://www.cloudflare.com/ips-v6

              My pfBlockerNG config for IPv4 looks like this (the alias at Custom DST Port contains ports 80 and 443):

              Screenshot 2022-04-01 at 01-05-42 pfSense.home.arpa - Firewall pfBlockerNG IP IPv4.png

              • J
                jycai @A Former User
                last edited by jycai

                @klaussemmler Thank you. I added the Cloudflare IPs whitelist in pfBlockerNG as you suggested, however the Cloudflare proxy is still not working with HAProxy SSL offload on my Nextcloud website. I don't get the 502 error, but half of the page info is missing. It works when the Cloudflare proxy is off.

                I am running version 2.6 and will try 2.52 and 2.4 later on to see if it makes a difference.

                • ?
                  A Former User @jycai
                  last edited by

                  @jycai Okay, interesting. Another thing that could cause problems with Cloudflare is the encryption mode in the SSL/TLS menu. Try the modes flexible, full and full (strict) and see if this fixes your problem.

                  Bildschirmfoto von 2022-04-01 09-07-50.png

                  • J
                    jycai @A Former User
                    last edited by jycai

                    @klaussemmler
                    Flexible mode - no connection at all
                    Full - loads half the page
                    Full (strict) - Error 526
                    V2.6, V2.52 and V2.4 with Acme or Cloudflare origin server certificate - all the same result. 😧

                    • ?
                      A Former User @jycai
                      last edited by

                      @jycai I am kinda out of ideas. But you can try to toggle the options in SSL/TLS -> Edge Certificates.

                      And are you sure you use the correct certificates for all servers?

                      • F
                        firewallwiki @jycai
                        last edited by

                        @jycai With free CF, choose flexible mode.
                        Check your pfSense firewall.
                        Sometimes the problem is at the frontend and backend. I removed and recreated them. It works.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.