Netgate Discussion Forum
HAProxy & Cloudflare - 526 Invalid SSL

    MrGamecase (last edited Jul 3, 2024, 2:13 AM)

    Hi All,

    Been having some issues setting up HAProxy as a reverse proxy for my services. What I aim to achieve is to use the Cloudflare network to access my services securely over the WAN, and have HAProxy handle my services that are on the same ports [80 / 443]. I have a couple where I cannot change the port numbers and they cannot run through the Cloudflare ZTP tunnel service as it would be a breach of service.

    So I have managed to get everything installed and set up [to the best of my knowledge] but I receive Cloudflare Error 526 - Invalid SSL. Any help fixing this would be appreciated.

    Please see my configs and methodology below.

    I am aware internal IPs are on show; this is a test network that will be terminated after this posting.

    !!! ALL CONFIGS HAVE BEEN ANONYMISED & GIVE NO REVEALING INFO !!!

    - pfSense

    - GUI Port change

    Going into the System Advanced tab I moved the default port for the pfSense GUI [443] to a secure port for my admin network [FIG 1].

    - Aliases Creation

    Using the firewall tab I created aliases for the following [FIG 2]:

    • IP networks [contains all Cloudflare's proxy networks], up to date as of 2023
    • Ports required for HAProxy [80 & 443]

    - Port Forwarding

    Again using the firewall tab I created a port forward from WAN to the firewall itself [as HAProxy has been installed on the firewall] using the aliases created above. I have limited the source to the Cloudflare proxy networks as the DNS config on Cloudflare will be proxied [FIG 3].

    - Certification

    Using the system tab I uploaded my Cloudflare origin certificate, key & Cloudflare authority's certificate [FIG 4].

    - HAProxy

    Using the services tab I configured HAProxy. I created a backend [in this example I'm using Plex], gave it a name and server listing & disabled health checking. No SSL was added here as the server does not have any SSL certificates set up [FIG 5].

    I created a shared front end for HTTP:// & HTTPS://. Under External addresses I selected WAN - Ports 80 / 443, clicked SSL Offloading next to 443 & confirmed that type was set to http / https (Offloading) [FIG 6].

    I created an ACL for Plex & an action to be taken if the ACL is triggered [FIG 7].

    Under SSL Offloading I selected the SSL certificate I uploaded earlier [FIG 8].

    From what I can gather I have set up the pfSense box & HAProxy to, in theory, successfully proxy my internal services.

    - Images

    FIG 1: 01 - Gui Port.png
    FIG 2: 02 - Alias Networks.png, 02 - Alias Port.png
    FIG 3: 03 - Port Forward.png
    FIG 4: 04 - Cloudflare CA.png, 04 - Cloudflare Origin.png
    FIG 5: 05 - HAProxy server list.png, 05 - HAProxy no health.png
    FIG 6: 06 - HAProxy Frontend 1.png, 06 - HAProxy Frontend 2.png
    FIG 7: 07 - HAProxy 3.png, 07 - HAProxy 4.png
    FIG 8: 08 - HAProxy SSL.png

    - Cloudflare

    - DDNS Magic

    So I have had to do a bit of black magic here as my ISP does not offer static IPs & the DHCP leases are stupidly short.

    Using my pfSense box I have had to set up a proxied DDNS, so I'm using Cloudflare to do this as well. pfSense logs into my Cloudflare account via a dedicated API token allowing it to read my domain's DNS & update an A record with my external IP every 30 mins.

    - DNS Record for HAProxy

    I have created a CNAME record for plex pointing towards the A record updated by the pfSense DDNS system; this too is proxied [FIG 1].

    - Images

    FIG 1: Screenshot 2024-07-03 at 3.01.44 am.png

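A Cloudflare 526 means the edge could not validate the certificate the origin presented (wrong issuer, hostname mismatch, or expiry). The script below is an added example, not part of the post and not pfSense or HAProxy code: it builds a throwaway CA that stands in for the Cloudflare Origin CA, issues a leaf for the constructed name plex.example.com, and runs the same chain-plus-hostname check with openssl against one good certificate and three that would each draw a 526 (leaf from an untrusted CA, hostname mismatch, self-signed). All names, paths and certificates are constructed.

```shell
#!/bin/sh
# Added example (not from the forum post): reproduce offline the certificate
# validation an edge proxy performs on an origin before returning HTTP 526.
# Everything here is constructed: "origin_ca" stands in for the real
# Cloudflare Origin CA and plex.example.com is a placeholder hostname.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: the only issuer our stand-in "edge" trusts.
mk_ca() {  # mk_ca <basename> <CN>
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 30 \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Leaf certificate issued by a CA, with a SAN so the hostname check can pass.
mk_leaf() {  # mk_leaf <basename> <ca-basename> <hostname>
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$3" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The check itself: does CERT chain to CAFILE and carry HOST in its SAN?
# Exit status 0 = the edge would accept it; non-zero = expect a 526.
verify_origin_cert() {  # verify_origin_cert <cert.pem> <ca.pem> <hostname>
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

report() {  # report <cert> <ca> <hostname> <label>
  if verify_origin_cert "$1" "$2" "$3"; then
    echo "OK    $4"
  else
    echo "526?  $4"
  fi
}

# Constructed material: the trusted CA, an unrelated CA, and four leaves.
mk_ca origin_ca "Constructed Origin CA"
mk_ca other_ca  "Some Other CA"
mk_leaf good  origin_ca plex.example.com
mk_leaf other other_ca  plex.example.com
mk_leaf wrong origin_ca media.example.com
# A self-signed leaf, which chains to no CA at all.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" -days 30 \
  -subj "/CN=plex.example.com" >/dev/null 2>&1

report "$WORK/good.pem"  "$WORK/origin_ca.pem" plex.example.com "origin-CA leaf, right hostname"
report "$WORK/other.pem" "$WORK/origin_ca.pem" plex.example.com "leaf from an untrusted CA"
report "$WORK/wrong.pem" "$WORK/origin_ca.pem" plex.example.com "origin-CA leaf, hostname mismatch"
report "$WORK/self.pem"  "$WORK/origin_ca.pem" plex.example.com "self-signed certificate"
```

Against a live box the same check runs on what HAProxy actually serves: capture the presented chain with `openssl s_client -connect ORIGIN_IP:443 -servername plex.YOURDOMAIN -showcerts` (placeholders for the real values), save the leaf to a file, and pass it to `verify_origin_cert` together with the Cloudflare Origin CA root downloaded from Cloudflare. Only the first of the four cases above passes; the others are what a 526 looks like before the edge ever gets involved.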
    lrodia (last edited Apr 10, 2025, 9:25 AM)

      Did you manage to get it working? I am doing the same thing but have noticed Cloudflare proxied traffic seems to be really slow... not sure if there is something in Cloudflare that needs tweaking, but it is pretty much unusable.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.