Netgate Discussion Forum

    How to configure ssl offloading with haproxy and pfsense

    Cache/Proxy
      kulpreet

      Hello guys,

      I would like to know how to configure SSL offloading with pfSense and HAProxy. How will this setup work? Do I need to put the backend server on 443 as well, instead of port 80? I am confused here, as my first page works fine but the rest of the pages on my site come up on the normal port 80 instead of 443. Any idea how to configure this setup properly?

        PiBa

        Hi Kulpreet,

        Problem is likely that your website is using 'absolute' urls, and because the backend is configured to use 'http' it will generate links to
        ```
        page2
        ```
        To 'fix' this the backend should preferably use 'relative' urls which will automatically pick up the scheme and domain that were used to make the request:
        ```
        page2
        ```
        This is part of the 'body' of a reply and that is not something haproxy can 'rewrite'. Haproxy could 'hint' to the backend that the connection is secure by adding a "X-Forwarded-Proto: HTTPS" in the request, but then still the web application needs to generate the appropriate urls.
        
        Easy 'solution' could indeed be to put the backend on 443 with ssl. But that does come with a slight performance penalty because traffic needs to be re-encrypted and decrypted again. Other option is to not offload at all, but then you have less acl's / options available.
        
        Sorry there is no easy&perfect solution to this issue..
        
        Regards,
        PiBa-NL
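An added example, not part of the reply above and not pfSense or HAProxy code: the backend side of the X-Forwarded-Proto hint, written as a small WSGI middleware. It honours the header only when the request comes from the proxy's address, so a client that reaches the backend directly cannot make it believe the connection was secure. The proxy address `192.0.2.1`, the host `www.example.com` and all function and class names are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network
from wsgiref.util import application_uri, setup_testing_defaults

# Assumption: the HAProxy instance reaches the backend from this address (constructed value).
TRUSTED_PROXIES = (ip_network("192.0.2.1/32"),)


class ForwardedProtoMiddleware:
    """Set wsgi.url_scheme from X-Forwarded-Proto, but only for trusted proxies."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = trusted

    def __call__(self, environ, start_response):
        peer = ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if any(peer in net for net in self.trusted) and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        else:
            # Untrusted peer or unexpected value: drop the header so the app never sees it.
            environ.pop("HTTP_X_FORWARDED_PROTO", None)
        return self.app(environ, start_response)


def link_app(environ, start_response):
    """Toy page that emits one absolute and one relative link to page2."""
    base = application_uri(environ).rstrip("/")
    body = f'<a href="{base}/page2">absolute</a> <a href="/page2">relative</a>'
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]


def render(remote_addr, forwarded_proto=None):
    """Run one constructed request through the middleware and return the HTML."""
    environ = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": "www.example.com"}
    setup_testing_defaults(environ)  # plain-http defaults, as on an offloaded backend
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    app = ForwardedProtoMiddleware(link_app)
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    print(render("192.0.2.1", "HTTPS"))    # via the proxy: absolute link becomes https
    print(render("203.0.113.9", "https"))  # direct client: header ignored, link stays http
```

The relative link is identical in every case, which is why it survives offloading without any help from the proxy.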
          kulpreet

          Thanks PiBa-NL for your reply and suggestions.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.