Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    HA Proxy SSL Termination Forward To Traefik

    Cache/Proxy
    haproxy pfsense traefik headers ssl termination
    2
    4
    943
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      danwize
      last edited by

      I'm running a trunas scale server with Traefik installed. Traefik is required for one of the apps I'm using. I already use HA proxy and SSL termination on my pf sense router. I'm trying to route cloud.mydomain.com to my traffic service and set the host header to cloud.mydomain.com. cloud.mydomain.com is hosted behind Traefik on 10.10.0.2:443. I am able to mock this host header in postman and get a valid response, but I must have the settings wrong in pf sense. It doesn't seem to be setting the host header (I'm not sure of this. I'm having trouble getting logs to show me)

      Here is my pfsense setup:

      frontend settings

      2024-02-08 18_49_17- Services_ HAProxy_ Frontend.png

      - Services_ HAProxy_ Frontend_ Edit .png

      backend settings:
      Services_ HAProxy_ Backend_ Edit.png

      Postman Mock:
      postman success with cloud as host.png

      cloud.mydomain.com in browser:

      2024-02-08 18_58_44-Browser 404.png

      cloud.mycomain.com resloves to my pfsense router on my local network.

      Can anyone see what I'm missing in my ha proxy config? Or is what I'm trying to do not feasible?

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @danwize
        last edited by

        @danwize said in HA Proxy SSL Termination Forward To Traefik:

        I'm trying to route cloud.mydomain.com to my traffic service and set the host header to cloud.mydomain.com.

        If the client calls "cloud.mydomain.com" it will set the host header already to this value, and the header will be passed through to the backend. So there is no need to reset it on HAproxy.

        Postman Mock:

        This goes directly to the backend. So what should it tell us?

        cloud.mydomain.com in browser:

        Did you try this from outside?

        Is this access even forwarded to the backend? Check its log.

        Possibly the ACL is never hit, since another one matched to request already as it's shared frontend.
        Would need to see the other frontend settings and the order.

        D 1 Reply Last reply Reply Quote 0
        • D
          danwize @viragomann
          last edited by

          @viragomann

          I tried setting the host manually after reading this. I guess that scenario is different because they are trying to change the host header.

          I originally had it all set up with one front end and I tried to add a second to try forcing cloud.mydomain.com to not use ssl termination since the traefik reverse proxy is doing that now. I found that I can't have a separate front end with the same ports so I just ticked the box to combine then.

          Postman Mock:
          Because of updates in my cloud app, It has to work behind traefik. the postman test is just to prove that setting that header and pointing to 10.10.0.2:443 causes traefik to route the request to my final back end cloud app. If I leave off the host header, traefik responds with the same 404 message that going through pfsense does.

          The ACL was being hit. I changed the back end in pfsense to point to a different port for another service and it worked.

          D 1 Reply Last reply Reply Quote 0
          • D
            danwize @danwize
            last edited by

            @danwize @viragomann
            I've got it working now. I changed to just use one front end and added my acl for cloud back. I removed my attempts to set the header and changed my could back end to point to 10.10.0.2:443 after I had changed it to 10.10.0.2:10223 for testing. After I did that, and after saving and applying the changes several times, cloud.mydomain.com was still resolving to 10223. I even tested in igognito windows and restarted the ha proxy service from the pfsense ui and it kept resolving to 10223.

            I finally got it routing to 443 after editing the front end settings for cloud to use a different backend, saved those changes, and then changed it back to my cloud.mydomain.com backed and saved again. Possibly my problem from the beginning was the fact that the settings didn't take initially.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.