Redirect HTTP to HTTPS whilst allowing ACME challenges through the 'Standalone HTTP server' method (with ACME and HAProxy)?

_mbx_

I use my pfSense with ACME and HAProxy extensions to manage and auto-renew certificates as well as having a reverse proxy with load balancing capabilities. In my ACME module I define my domains to challenge for like so:

This means once my certificate will be re-newed, a standalone HTTP server will be launched that will listen on port 80. The 'well known acme challenge' files will be reached on such server and my certificate will be validated.

Now I'd like to redirect all HTTP traffic to HTTPS in the reverse proxy (HAProxy frontend) of pfSense. For this, I could setup a new frontend that listens on the WAN address on port 80 in the HAProxy module that will redirect if the path does not start with /.well-known/acme-challenge/ like so:

So if the path starts with /.well-known/acme-challenge/, no redirect will occur, but if not, the HTTP request will respond with a Location header to the HTTPS version of the requested URL. The ACL conditioning works so far, but my problem is that HAProxy will now return "503 Service Unavailable - No server is available to handle this request." when I request anything within /.well-known/acme-challenge/.

This is obvious: HAProxy started to listen on the port 80 of the WAN address, so my Standalone HTTP server gets shadowed by it. HAProxy can only return error 503 as it doesn't know what pfSense itself would do with such request.

What I think I need to do is to setup a backend that I send the request to, if the request's path starts with /.well-known/acme-challenge/, but how do I have to setup such backend in HAProxy, so it works with the Standalone HTTP server of the ACME module?

I've tried to add a backend for 127.0.0.1:80 as well as the IP of my host on port 80. I then added another Action on my frontend in HAProxy with the Condition acl names acme to such backend, but I still get error 503 and this is not due to the fact that my standalone server is not running yet. I get the same error when I try to run the ACME challenge with the Let's Encrypt Staging Environment.

[

How can I make the ACME Standalone HTTP server as well as my HTTP to HTTPS redirection co-exist without any problems?

stephenw10

Hmm, interesting problem.

Is there no way you can use on of the other methods?

_mbx_

This post is deleted!

_mbx_

I don't know what I did wrong previously, but I re-attempted it and managed to get it to work with the same thought processing in mind. I created a backend that will be my local web server:

My http/https offloader (front-end) defines a path rule and redirects to such backend if we have an ACME challenge:

Maybe it was the ordering of the actions, maybe it was the naming. I was pretty confident that I tested my previous setup with 127.0.0.1 as well, but this seems to work and I don't know why it did not work previously.

Now it was very easy to confirm the configuration is right when using postman. Say you have the domain example.org, you should do a GET request to two different URLs to validate their response:

• http://example.org/foobar: Should return a Location header with the https version of the URL, so confirming the offloader works
• http://example.org/.well-known/acme-challenge/foobar: Should timeout! It must not return an error immediately, or the configuration is wrong. If the configuration is right, it will try to talk to the standalone HTTP server that only runs during the ACME challenge, so it will timeout with 503 Service Unavailable after 60 seconds or so, which means it will succeed if the standalone HTTP server is running.

With this setup the "Standalone HTTP server" method will work.