HAProxy & Cloudflare - 526 Invalid SSL
-
Hi All,
Been having some issues setting up HAProxy as a reverse proxy for my services. What I aim to achieve is to use the Cloudflare network to access my services securely over the WAN, and have HAProxy handle my services that are on the same ports [80 / 443]. I have a couple I cannot change the port numbers of, and they cannot run through the Cloudflare ZTP tunnel service as it would be a breach of service.
So I have managed to get everything installed and set up [to the best of my knowledge], but I receive Cloudflare Error 526 - Invalid SSL. Any help fixing this would be appreciated.
Please see my configs and methodology below.
I am aware internal IPs are on show; this is a test network that will be terminated after this posting.
!!! ALL CONFIGS HAVE BEEN ANONYMISED & GIVE NO REVEALING INFO !!!
- PFSense
- GUI Port change
Going into the System > Advanced tab, I moved the default port for the PFSense GUI [443] to a secure port for my admin network [FIG 1].
- Aliases Creation
Using the Firewall tab I created aliases for the following [FIG 2]...
- IP networks [contains all of Cloudflare's proxy networks], up to date as of 2023
- Ports required for HAProxy [80 & 443]
- Port Forwarding
Again using the Firewall tab, I created a port forward from WAN to the firewall itself [as HAProxy has been installed on the firewall] using the aliases created above. I have limited the source to the Cloudflare proxy networks, as the DNS config on Cloudflare will be proxied [FIG 3].
- Certification
Using the System tab I uploaded my Cloudflare origin certificate, its key & the Cloudflare authority certificate [FIG 4].
- HAProxy
Using the Services tab I configured HAProxy. I created a backend [in this example I'm using Plex], gave it a name and a server listing & disabled health checking. No SSL was added here, as the server does not have any SSL certificates set up [FIG 5].
I created a shared front end for HTTP:// & HTTPS://. Under External addresses I selected WAN - ports 80 / 443, clicked SSL Offloading next to 443 & confirmed that the type was set to http / https (Offloading) [FIG 6].
I created an ACL for Plex & an action to be taken if the ACL is triggered [FIG 7].
Under SSL Offloading I selected the SSL certificate I uploaded earlier [FIG 8].
From what I can gather, I have set up the PFSense box & HAProxy to, in theory, successfully proxy my internal services.
- Images
FIG 1
FIG 2
FIG 3
FIG 4
FIG 5
FIG 6
FIG 7
FIG 8
- Cloudflare
- DDNS Magic
So I have had to do a bit of black magic here, as my ISP does not offer static IPs & the DHCP leases are stupidly short.
Using my PFSense box I have had to set up a proxied DDNS, so I'm using Cloudflare to do this as well. PFSense logs into my Cloudflare account via a dedicated API token, allowing it to read my domain's DNS & update an A record with my external IP every 30 mins.
- DNS Record for HAProxy
I have created a CNAME record for plex pointing towards the A record updated by the PFSense DDNS system; this too is proxied [FIG 1].
- Images
FIG 1
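For readers following the post without the pfSense GUI, below is the same HAProxy layout written as a plain haproxy.cfg. This is an added example, not the poster's own generated config: the certificate path (/etc/haproxy/certs/origin.pem), the hostname (plex.example.com) and the Plex backend address (192.168.10.20:32400) are assumed placeholders, and the HTTP-to-HTTPS redirect and the deny rule for unmatched hosts are hardening additions the post does not describe.

```haproxy
# Added example (assumed paths and addresses), not the pfSense-generated config.
global
    log /dev/log local0
    # Refuse anything below TLS 1.2 on the offloading listener
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Shared frontend for HTTP and HTTPS, as in FIG 6
frontend shared_http_https
    bind :80
    # SSL offloading on 443 (FIG 8). origin.pem must hold the Cloudflare Origin
    # certificate followed by its private key in one file; a certificate without
    # its key, or the wrong certificate for the proxied hostname, is what the
    # edge rejects when it validates the origin.
    bind :443 ssl crt /etc/haproxy/certs/origin.pem

    # Hardening addition: send plain-HTTP clients to HTTPS
    http-request redirect scheme https unless { ssl_fc }

    # ACL on the Host header, matching the proxied CNAME (FIG 7)
    acl is_plex req.hdr(host) -i plex.example.com

    # Hardening addition: no default backend, so unmatched hosts get 403
    http-request deny if !is_plex
    use_backend plex if is_plex

# Backend for Plex (FIG 5): no TLS to the server, health checks disabled
backend plex
    option forwardfor
    server plex1 192.168.10.20:32400
```

After editing, `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the syntax and confirms that the PEM file loads before the service is restarted. The Cloudflare Origin CA certificate is trusted only by Cloudflare's edge, not by browsers, so this arrangement relies on the DNS records staying proxied, which is also why the port forward is restricted to Cloudflare's published proxy ranges.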