Netgate Discussion Forum
    HAProxy & Cloudflare - 526 Invalid SSL

    • MrGamecase

      Hi All,

      Been having some issues setting up HAProxy as a reverse proxy for my services. What I aim to achieve is to use the Cloudflare network to access my services securely over the WAN, and have HAProxy handle my services that are on the same ports [80 / 443]. I have a couple where I cannot change the port numbers and cannot run them through the Cloudflare ZTP tunnel service as it would be a breach of service.

      So I have managed to get everything installed and set up [to the best of my knowledge], but I receive Cloudflare Error 526 - Invalid SSL. Any help fixing this would be appreciated.

      Please see my configs and methodology below

      I am aware internal IPs are on show; this is a test network that will be terminated after this posting.

      !!! ALL CONFIGS HAVE BEEN ANONYMISED & GIVE NO REVEALING INFO !!!

      - PFSense

      - GUI Port change

      Going into the System > Advanced tab I moved the default port for the PFSense GUI [443] to a secure port for my admin network [FIG 1].

      - Aliases Creation

      Using the firewall tab I created aliases for the following [FIG 2]...

      • IP Networks [contains all Cloudflare's proxy networks], up to date as of 2023
      • Ports required for HAProxy [80 & 443]
      - Port Forwarding

      Again using the firewall tab I created a port forward from WAN to the firewall itself [as HAProxy has been installed on the firewall] using the aliases created above. I have limited the source to Cloudflare proxy networks as the DNS config on Cloudflare will be proxied [FIG 3].

      - Certification

      Using the system tab I uploaded my Cloudflare origin certificate, key & Cloudflare authority's certificate [FIG 4].

      - HAProxy

      Using the services tab I configured HAProxy. I created a backend [in this example I'm using PLEX], gave it a name, a server listing & disabled health checking. No SSL was added here as the server does not have any SSL certificates set up [FIG 5].

      I created a shared front end for HTTP:// & HTTPS://. Under External addresses I selected WAN - Ports 80 / 443, clicked the SSL Offloading next to 443 & confirmed that type was set to http / https (Offloading) [FIG 6].

      I created an ACL for PLEX & an Action to be taken if the ACL is triggered [FIG 7].

      Under SSL Offloading I selected the SSL certificate I uploaded earlier [FIG 8].

      From what I can gather I have set up the PFSense box & HAProxy to, in theory, successfully proxy my internal services.

      - Images

      FIG 1
      01 - Gui Port.png

      FIG 2
      02 - Alias Networks.png
      02 - Alias Port.png

      FIG 3
      03 - Port Forward.png

      FIG 4
      04 - Cloudflare CA.png
      04 - Cloudflare Origin.png

      FIG 5
      05 - HAProxy server list.png
      05 - HAProxy no health.png

      FIG 6
      06 - HAProxy Frontent 1.png
      06 - HAProxy Frontend 2.png

      FIG 7
      07 - HAProxy 3.png
      07 - HAProxy 4.png

      FIG 8
      08 - HAProxy SSL.png

      - Cloudflare

      - DDNS Magic

      So I have had to do a bit of black magic here as my ISP does not offer static IPs & the DHCP leases are stupidly short.

      Using my PFSense box I have had to set up a proxied DDNS, so I'm using Cloudflare to do this as well. PFSense logs into my Cloudflare account via a dedicated API token allowing it to read my domain's DNS & update an A record with my external IP every 30 mins.

      - DNS Record for HAProxy

      I have created a CNAME record for plex pointing towards the A record updated by the PFSense DDNS system; this too is proxied [FIG 1].

      - Images

      FIG 1
      Screenshot 2024-07-03 at 3.01.44 am.png

      • lrodia

        Did you manage to get it working? I am doing the same thing but have noticed Cloudflare proxied traffic seems to be really slow... not sure if there is something in Cloudflare that needs tweaking, but it is pretty much unusable.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.