HAProxy Seems to Forward to wrong Backend Port

sammiorelli · Nov 27, 2023, 7:45 PM

I'm setting up HAProxy and running into a very strange problem.

I'm pretty confident in my front end and back end configuration, with the back end needing to point to port 8000 on the target internal server. But, consistently HAProxy said the server was down, which was really strange to me, since running a curl command to the destination returned the webpage in the command prompt of the pfsense.

So I looked at the HAProxy report, and this is where my suspicions that something is wrong popped up. When I cursor over the backend that's "down," the IP address it shows in the mousover is :443, not :8000.

But as you can see, very clearly I've got it set to port 8000, not 443. Has anyone run into this?

sammiorelli · Nov 27, 2023, 9:48 PM

@sammiorelli update: uninstalled the normal version, installed -dev, rebooted everything, and it no longer is trying to go to port 443 internally and is going to 8000. Seems it was something stuck from the install.

kiokoman · Nov 29, 2023, 12:21 PM

@sammiorelli
for me, dev have a bug,
let's say you create a backend that point to port 8000
if you change the port from 8000 to something else it does not work, it's still redirecting to port 8000
i always have to delete the backend and reconfigure it to make it work

Elan67 · Nov 29, 2023, 2:15 PM

I can confirm a similar issue with my (not dev) installation. Changing the BE port is ignored unless I stop HaProxy then change the port and start haproxy again! Completely impractical in a production scenario!

Another issue that arose with HAProxy version 2.8.2-61a0f57, released 2023/08/09 is that SSL (self-signed certificate) BE are ok (ie green on stats) but accessing the from FE return in an endless loop.
Still investigating in the meanwhile I had to switch to not -SSL BE to get it work again.

gmpreussner · Jan 11, 2024, 10:37 PM

I have the same problem, except it goes to port 80 instead of 443 (because my backends are HTTP, not HTTPS, on non-standard ports, such as 8080, 8081, 7860, etc.).

pfSense 2.7.2
haproxyy 0.63_1 (haproxy-2.8.3)

Currently, the workaround is to reboot pfSense after HAProxy settings changes.
See also https://forum.netgate.com/topic/172972/haproxy-config-changes-not-loaded-pfsense-restart-needed

Elan67 · Jan 17, 2024, 11:09 AM

I solved the empty response behavior from an SSL BE. The BE name of the BE must match the FDQN and cannot be arbitrary anymore, ie:

the Field explanations do not help at all:

fedesoundsystem · Apr 12, 2025, 12:07 PM

Yeah, same problem here, I was hitting the wall for days, messing with certificates, and it was this exact bug. april 2025 recent pfsense/haproxy devel install, and still nothing.