HAProxy as SSL Reverse Proxy Behind Single IP

PiBa

Haproxy does not need the CA for sending it to the client, the client should already have the ca stored in the trusted certificate store.

1. HSTS is a security measure which makes browsers verify that a valid and trusted certificate is used for the connection. So if CN does not match, intermediate certificate is missing, or the CA that signed the certs is not already trusted the browser will refuse to connect.

2. adding 'your' ca to the trusted list is important for getting the certificate checked as valid.

3. yes using alternate names is possible, or create a wildcard cert.

Config)
-The acl currently does nothing, it needs a use_backend action (this 'recently' changed in the package..)

Webserver shows up in green on the stats page?

Q1) use shared frontends, or simply configure multiple acl's  and use_backend actions.
Q2) if the backend needs the client-ip and cannot use the x-forward-for header, but im not sure what issue your referring to exactly.? It does come with its own set of problems…
Q3) every server haproxy will use needs to be defined in a backend, aliases wont do much for this purpose.
Q4) if the servercert loaded into haproxy was signed by a intermediateca then that does need to be loaded into the pfSense certificate manager.

Brailyn

Thank you for the concise answers. I'm glad I have been numbering my convoluted rambles :)

Before I attempt some of these things, I would like to clarify a few things and respond to what you asked.

"Webserver shows up in green on the stats page?" Yes, it is green. Port 10.0.0.254:444 does not work for some reason though.

1. Any tips on making a wildcard cert? Or is it simply *.domain.ca for the CN?

2. How/where do I add "use_backend" to the config? via SSH?

3. I think I've sorted out the transparent IP thing enough. I am aware that it does come with it's own set of problems. Discussion for later maybe.

4. (Q3) so once HAProxy works for the WAN, the LAN will work for the entries as well? It sort of seemed to work last night without horrible loopback issues, but I didn't test it thoroughly.

PiBa

The 444 port that is confgured for HAProxyLocalStats can only be accessed by pfSense itself, and is used 'internally' by the stats tab and Status/haproxy-stats of the haproxy package.

1. yes just put "*.domain.ca" as the CN, and perhaps also "domain.ca" as an alternative name.

2. below the 'acl' on the frontend you can add a 'action' that should allow to choose use_backend

3. yup later 8)

4. yes the haproxy wan-ip frontends can be accessed by lan users and it should work properly.

However if you then enable 'transparent-client-ip' the horrible loopback issues will happen if client and server are on the same subnet. Server will try to reply directly to client, while haproxy waits for response but doesnt get it, and client expects response from haproxy..

Brailyn

Hello again,

Took a break from this for a while.

Been having trouble getting a single frontend to point to multiple backends. Any request gets forwarded to the first default in any case.

Here's my config:

/var/etc/haproxy.cfg file contents:
global
	stats socket /tmp/haproxy.socket level admin
	gid			80
	nbproc			1
	chroot			/tmp/haproxy_chroot
	daemon

listen HAProxyLocalStats
	bind 127.0.0.1:444 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend websites
	bind			192.168.1.100:443 name 192.168.1.100:443 ssl  crt /var/etc/haproxy/websites.pem  
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			dsm	hdr(host) -i dsm.my-domain.ca
	acl			pfsense	hdr(host) -i pfsense.my-domain.ca
	acl			webroot	hdr(host) -i my-domain.ca
	default_backend dsm_http_ipv4
	default_backend webroot_http_ipv4
	default_backend pfsense_http_ipv4
	default_backend dsm_http_ipv4

backend dsm_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			dsm 10.0.0.1:5001 ssl check inter 1000  weight 1 verify none 

backend webroot_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			webroot 10.0.0.1:443 ssl check inter 1000  weight 1 verify none 

backend pfsense_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			pfsense 10.0.0.254:443 ssl check inter 1000  weight 1 verify none

I created a *.my-domain.ca CA (with my-domain.ca as a alternate name) and cert and I keep getting HSTS errors on a lot of browsers. Seems as though I have not created the SSL stuff correctly. I also cannot add the CA to my trusted CA list without a "password" in my OSX keychain–that is not a parameter in PfSense cert configurator... Haven't tried adding the CA to windows machines yet.

Thanks for the help!

PiBa

Looks like in each frontend you configured the 'default backend' so you ended up with 4 defaults.

Please set it to 'none' on 3 and add a 'action' to look like this:

action: Use Backend
parameter backend: dsm
condition acl name: dsm

action: Use Backend
parameter backend: pfsense
condition acl name: pfsense

PiBa

p.s. the 'Templates' tab contains a link for creating a example for "Serving multiple domains from 1 frontend."
If you checkout the configuration that link creates maybe it helps a little..

Brailyn

Okay,

I finally got a few backend servers running via one front end from the outside :)

1. Most of my servers have their own SSL settings… Would this explain the HSTS error from some browsers? I don't mind removing LAN SSL from them, it just takes a bit of time... I hate to see efforts wasted if I know they wouldn't help.

2.1) Is it normal for servers to be bound to their specific backend from the WAN? Once I create the "dsm" subdomain for my synology, I can no longer access it via its old port (5001). Is this normal?

2.2) If you use synology products at all... I will also include that I am having trouble getting mobile applications to work through the rProxy on 443 from outside my LAN or "on-the-road". This doesn't surprise me, but I am also positive it did work for me in the early stages... Maybe it is just a cert based issue that will be solved by proceeding with (1).

PiBa

That you got a few running is great :)

1. HSTS is a header send by the server, and is cached for X amount of time (1 year is the usual setting..) , and can even be persisted if submitted to a online list, then you might never get rid of it…

Its actually good to have, as it 'forces' all future connections from clients to be over https with a VALID certificate for the url they request in the address bar. (You will need to get a valid certificate, this means installing the CA you used to sign the certificate on all client computers, or get a certificate from a real CA like LetsEncrypt or buy one..)

If you already have a valid certificate then perhaps you forgot to load the intermediate certificate into pfSense that could cause issues.. Check with for example https://www.ssllabs.com/ssltest/ if indeed the chain not complete.?.

2.1) This is due to the setting "transparent client ip", sadly the implementation is not 'perfect' all reply traffic is 'captured' from the server and send to haproxy.. Even if the inital request did not go through haproxy.. (The webgui does warn for this effect, sorry..)

Workaround is possible by making the server listen on a second port or a second ip, but depending on the machine running the website that might be difficult to configure on that side..

2.2) not using synology myself.. But yes if the certificates are not 'valid' that could cause issues..

Brailyn

Before I let you go for now,

Is there any way to do HTTPS redirects using HAProxy?

PiBa

Depending what you intend to do exactly my first thought is, yes it can.

Use either a 'action' or put this into advanced passthrough:

redirect scheme https if !{ ssl_fc }

And make the frontend listen on :80 as well as the current :443 with offloading.

Brailyn

1. I believe that works! (Edit: jk, tried IE and no luck…) I used the advanced option and am listening on :80, not sure how to do the 'action' one... I know the advanced statement includes "if", but does this allow HTTP traffic through when I have some eventually, or does it force redirect any urls to HTTPS?

2. Is there any way to have a single frontend do SSL offloading as well as HTTPS where the SSL Handshake is done by the specific servers (SNI I believe)?

I setup two front ends on :443 and it shut everything down...

PiBa

1. The "!{ ssl_fc }"matches all traffic that was not offloaded by haproxy. So effectively makes it impossible to perform a plain http request without redirecting to https..

It is of course possible to make the criteria more selective..

acl MyPlainHttpHost hdr(Host) www.plain.http.example.com
acl issecure ssl_fc

redirect scheme https if !issecure !MyPlainHttpHost

2. Its not possible to have two frontends listen on the same port and get consistent results..
   It is possible to first use sni for a few domains, and then forward some other traffic to a second frontend.

Frontend1 wanip:443 (using SNI)

• backend1: webserver 192.168.10.10:443
• backend2: (forward to frontend2 over unix socket)

Frontend2 localhost:10443 with certificate offloading

• backend3 : webserver 192.168.10.30:80
• backend4 : webserver 192.168.10.40:80

Brailyn

"(forward to frontend2 over unix socket)" would that just be 127.0.0.1:10443 or localhost:10443? Do I have to config anything else to use this port?

PiBa

That would work to.
But i prefer the for the field "Forwardto" of the server definition to not set it to "adress+port" but to "Frontend2"

Brailyn

Okay, now this is starting to get out of hand… :o

1. Is the new frontend1 shared with frontend2-- with frontend1 being the primary?
   1.1) If so, the backend2 "forwarder" only sees frontend1, rather than frontend2...so I'm stuck with that case. OR,
   1.2) If not, do I set frontend2 to listen on 10443 only and frontend1 to be the main :443 :80 listener? When I tried this, at it allows SNI to work, but the forwarding to SSLfrontend2 does not work.
   1.25) In the backend that forwards to the frontend2, does the SSL box have to be checked to the right of the "Forwardto" box? It seems to make everything not work when it is checked.

1.3) It's just a chain in my small mind...      outside-https-request -> SNIfrontend1 -> backend "forwarder"  -> SSLfrontend2 -> server (not working after 1.2, or 1.25)
or the non-offloading scenario, still HTTPS... outside-https-request -> SNIfrontend1 -> server (working after 1.2, not after 1.25)

Is that the correct way of looking at it?

Second issue
2.1) When attempting to make an HTTP request, it says "Server Hangup" which leads me to believe that my Frontend2 is sort of working and your advanced config code is doing something.

2.2) This may resolve itself once the first mess is fixed up. We can work on issue one first… cause it seems like a doozie :)

2.3) Again, I really appreciate all the help with my complex desires ;D This is probably the most ridiculious thing that it's been used for ;)

My config after 1.2)

Worked before changes to allow SNI and SSL offloading
https://my-domain.ca:443 -> 10.0.0.6:443 (TransparentIP)
https://dsm.my-domain.ca:443 -> 10.0.0.6:5001 (TransparentIP)
https://pfsense.my-domain.ca:443 -> 127.0.0.1:443
these are in frontend2 (called rProxy)

Worked after changes to allow SNI and SSL offloading
https://ubnt.my-domain.ca:443 -> 10.1.1.40:443
http://photo.my-domain.ca:80 -> 10.0.0.3:8080  (non-ssl)
These are in frontend1.
No requests appear to make it to frontend2, all http requests show server hangup.

/var/etc/haproxy/haproxy.cfg file contents:
global
	stats socket /tmp/haproxy.socket level admin
	gid			80
	nbproc			1
	chroot			/tmp/haproxy_chroot
	daemon

listen HAProxyLocalStats
	bind 127.0.0.1:444 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend rProxy
	bind			192.168.1.100:10443 name 192.168.1.100:10443 ssl  crt /var/etc/haproxy/rProxy.pem  
	bind /tmp/haproxy_chroot/rProxy.socket name unixsocket accept-proxy ssl  crt /var/etc/haproxy/rProxy.pem 
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl photo hdr(Host) ubnt.my-domain.ca
	acl issecure ssl_fc

	redirect scheme https if !issecure !photo
	acl			dsm	hdr(host) -i dsm.my-domain.ca
	acl			webroot	hdr(host) -i my-domain.ca
	acl			pfsense	hdr(host) -i pfsense.my-domain.ca
	acl			photo	hdr(host) -i photo.my-domain.ca
	use_backend dsm_http_ipv4  if  dsm 
	use_backend webroot_http_ipv4  if  webroot 
	use_backend pfsense_http_ipv4  if  pfsense 
	use_backend photo_http_ipv4  if  photo 

frontend Frontend1
	bind			192.168.1.100:443 name 192.168.1.100:443   
	bind			192.168.1.100:80 name 192.168.1.100:80   
	mode			tcp
	log			global
	maxconn			10
	timeout client		30000
	tcp-request inspect-delay	5s
	acl			ubnt	req.ssl_sni -i ubnt.my-domain.ca
	tcp-request content accept if { req.ssl_hello_type 1 }

	use_backend ubnt_https_ipvANY  if  ubnt 
	default_backend forward2rProxy_https_ipvANY

backend dsm_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			dsm 10.0.0.6:5001 ssl check inter 1000  weight 1 verify none 

backend webroot_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			webroot 10.0.0.6:443 ssl check inter 1000  weight 1 verify none 

backend pfsense_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			pfsense 127.0.0.1:443 ssl check inter 1000  weight 1 verify none 

backend photo_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			photo 10.0.0.3:8080 check inter 1000  weight 1 

backend ubnt_https_ipvANY
	mode			tcp
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			ubnt 10.1.1.40:443 check-ssl check inter 1000  weight 1 verify none 

backend forward2rProxy_https_ipvANY
	mode			tcp
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			forward-to-rProxy /rProxy.socket send-proxy-v2-ssl-cn check inter 1000

PiBa

1. All 3 frontends should be 'primary'.
   Using 1 frontend for both 80 and 443, while using them both in TCP mode, means the backend will receive mixed connections.. Some with plain http other with ssl traffic.. That wont work..
   1.1/1.2 checkout my new wiki page :)
   1.3) its indeed a chain.

2.1) When requesting a HTTP page, it will first wait 5 seconds in the first fronted for the SSL 'hello'.. Then its forwarded to the second frontend, which also waits for the client to send the 'SSL-HELLO'.. The client never sends this, and the haproxy cannot 'decrypt' the traffic.. caused by 1)

2.3) you are not the first to attempt this ;)
Because it is kinda complicated ive added a page to my 'wiki', based on 2.3 but same principles.. maybe it helps a bit:
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki/pfsense_2_3_haproxy_sni_plus_offloading_backends

Brailyn

I greatly appreciate that wiki page :) Hopefully others discover it soon!

It does exactly what I want it to, but I couldn't quite make mine do it. Very close though!

SSL and SNI works. HTTP does not.

1. If I make a request on a fresh browser (say pfsense.my-domain.com) it does not forward to https, but rather the 503 service not available page.

2. I cannot get one of my servers to UP. photo.my-domain.com. That is my http test server. I think it has to do with what frontends it is in.
   You kept your www (http) page as the default in the  http-frontend1 and for the SSL-offloading-Frontend3… My default www page (called webroot) is HTTPS, so I wasn't quite sure how to implement the HTTP page into the frontends without making it default... regardless it needs to be UP first.

3. I am okay with abandoning HTTP if it is easier...  8)

4. Where did you get the theme from in your wiki??

My config:

/var/etc/haproxy/haproxy.cfg file contents:
global
	stats socket /tmp/haproxy.socket level admin
	gid			80
	nbproc			1
	chroot			/tmp/haproxy_chroot
	daemon

listen HAProxyLocalStats
	bind 127.0.0.1:444 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend Frontend3-offload
	bind			127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Frontend3-offload.pem  
	bind /tmp/haproxy_chroot/Frontend3-offload.socket name unixsocket accept-proxy ssl  crt /var/etc/haproxy/Frontend3-offload.pem 
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			dsm-ssl	        hdr(host) -i dsm.my-domain.ca
	acl			webroot-ssl	hdr(host) -i my-domain.ca
	acl			pfsense-ssl	hdr(host) -i pfsense.my-domain.ca
	acl			photo-nonssl	hdr(host) -i photo.my-domain.ca
	use_backend dsm_http_ipv4  if  dsm-ssl 
	use_backend webroot_http_ipv4  if  webroot-ssl 
	use_backend pfsense_http_ipv4  if  pfsense-ssl 
	use_backend photo-http_http_ipv4  if  photo-nonssl 
	default_backend webroot_http_ipv4

frontend Frontend2-SNI
	bind			192.168.1.100:443 name 192.168.1.100:443   
	mode			tcp
	log			global
	maxconn			10
	timeout client		30000
	tcp-request inspect-delay	5s
	acl			ubntsni1	req.ssl_sni -i ubnt.my-domain.ca
	tcp-request content accept if { req.ssl_hello_type 1 }

	use_backend ubnt_https_ipvANY  if  ubntsni1 
	default_backend Frontend3offload_https_ipvANY

frontend Frontend1-http
	bind			192.168.1.100:80 name 192.168.1.100:80   
	mode			http
	log			global
	option			http-keep-alive
	maxconn			10
	timeout client		30000
	acl			httpRedirectACL	hdr(host) -i photo.my-domain.ca
	http-request redirect scheme https  if  httpRedirectACL 
	default_backend photo-http_http_ipvANY

backend dsm_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			dsm 10.0.0.6:5001 ssl check inter 1000  weight 1 verify none 

backend webroot_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			webroot 10.0.0.6:443 ssl check inter 1000  weight 1 verify none 

backend pfsense_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			pfsense 127.0.0.1:443 ssl check inter 1000  weight 1 verify none 

backend photo-http_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			photo-http 10.0.0.3:8080 check inter 1000  weight 1 

backend ubnt_https_ipvANY
	mode			tcp
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			ubnt 10.1.1.40:443 check-ssl check inter 1000  weight 1 verify none 

backend Frontend3offload_https_ipvANY
	mode			tcp
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			Frontend3-srv /Frontend3-offload.socket send-proxy-v2-ssl-cn check inter 5  

backend photo-http_http_ipvANY
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			photo-http 10.0.0.3:8080 check inter 1000  weight 1

PiBa

1. only photo.my-domain.ca is redirected to https, all other requests go to backend photo-http_http_ipvANY
   which doesnt seem logical to me.

Perhaps you should add a ! before the aclname?
http-request redirect scheme https  if  !httpRedirectACL
So that 'photo' can be retrieved over http and everything else like pfsense.my-domain.com causes the redirect.?

2. The frontend should not matter for getting a backend 'up'.
   What you could try is changing the check method to "GET" and send a version+host header. Or if that fails try the "basic" check..
   https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki#troubleshooting

3. http should be the easier part :)

4. It seems to be the default layout for a github based wiki.. I didnt choose anything special.

Brailyn

1. I put a "!" before "httpRedirectACL" under Condition acl names (in Frontend1-http) and now they all seem to be redirecting to https… which is better than before as the majority of my servers are https only.

2. Changing to GET didn't help, although I didn't understand what you mean by "send a version+host header"... so I changed to "basic" check and that makes the server turn green. To get to it I had to remove the recently added "!" in 1). But now it seems to be stuck as HTTPS again.

....hold on... after getting the server UP (with basic health check) and keeping the "!" everything seems to be working!!!!  ;D though I haven't tested fully yet.

3. It was about the same amount of difficulty as I started with HTTPS.

4. The PfSense theme, not the Git theme. Oops... I want that theme.

5. You've been too much help! Is there anything I can help you with?

My config "as-is" working FYI.

/var/etc/haproxy/haproxy.cfg file contents:
global
	stats socket /tmp/haproxy.socket level admin
	gid			80
	nbproc			1
	chroot			/tmp/haproxy_chroot
	daemon

listen HAProxyLocalStats
	bind 127.0.0.1:444 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats uri /haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend Frontend3-offload
	bind			127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Frontend3-offload.pem  
	bind /tmp/haproxy_chroot/Frontend3-offload.socket name unixsocket accept-proxy ssl  crt /var/etc/haproxy/Frontend3-offload.pem 
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			dsm-ssl	hdr(host) -i dsm.my-domain.ca
	acl			webroot-ssl	hdr(host) -i my-domain.ca
	acl			pfsense-ssl	hdr(host) -i pfsense.my-domain.ca
	acl			photo-nonssl	hdr(host) -i photo.my-domain.ca
	use_backend dsm_http_ipv4  if  dsm-ssl 
	use_backend webroot_http_ipv4  if  webroot-ssl 
	use_backend pfsense_http_ipv4  if  pfsense-ssl 
	use_backend photo-http_http_ipv4  if  photo-nonssl 
	default_backend webroot_http_ipv4

frontend Frontend2-SNI
	bind			192.168.1.100:443 name 192.168.1.100:443   
	mode			tcp
	log			global
	maxconn			10
	timeout client		30000
	tcp-request inspect-delay	5s
	acl			ubntsni1	req.ssl_sni -i ubnt.my-domain.ca
	tcp-request content accept if { req.ssl_hello_type 1 }

	use_backend ubnt_https_ipvANY  if  ubntsni1 
	default_backend Frontend3offload_https_ipvANY

frontend Frontend1-http
	bind			192.168.1.100:80 name 192.168.1.100:80   
	mode			http
	log			global
	option			http-keep-alive
	maxconn			10
	timeout client		30000
	acl			httpRedirectACL	hdr(host) -i photo.my-domain.ca
	http-request redirect scheme https  if  !httpRedirectACL 
	default_backend photo-http_http_ipvANY

backend dsm_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			dsm 10.0.0.6:5001 ssl check inter 1000  weight 1 verify none 

backend webroot_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS / 
	server			webroot 10.0.0.6:443 ssl check inter 1000  weight 1 verify none 

backend pfsense_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			pfsense 127.0.0.1:443 ssl check inter 1000  weight 1 verify none 

backend photo-http_http_ipv4
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			photo-http 10.0.0.3:8080 check inter 1000  weight 1 

backend ubnt_https_ipvANY
	mode			tcp
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			ubnt 10.1.1.40:443 check-ssl check inter 1000  weight 1 verify none 

backend Frontend3offload_https_ipvANY
	mode			tcp
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			Frontend3-srv /Frontend3-offload.socket send-proxy-v2-ssl-cn check inter 5  

backend photo-http_http_ipvANY
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			photo-http 10.0.0.3:8080 check inter 1000  weight 1

PiBa

1. with current config photo.my-domain.ca should be reachable over http:// without being redirected by haproxy. Maybe the backend itself also sends a https redirect?

2. in the healthcheck field "Http check version" try it with the following value

HTTP/1.1\r\nHost:\ www.yourdomain.com\r\nAccept:\ */*

Also do check what the chkresult in the stats is. It should tell if a unexpected response is retrieved or maybe it just takes more than 2 seconds to check the server response?

Perhaps its a 'permission denied' response? Workaround for that could be checking a different url or accepting 404 as a 'valid' response.. http-check expect status 404 http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4.2-http-check%20expect

3. ok

4. its the default theme of pfSense 2.3 beta snapshots. Ive converted haproxy to bootstrap for usage on 2.3 only recently..

5. if you have some time install pfSense 2.3 on a virtual machine, add haproxy package and report any issues that might still exist in the package :).

p.s. The the 5 millisecond on the offloading backend i intended to be a 5000 millisecond timeout.. It might currently be eating some more cpu than needed.. (going to change my wiki screenshot as well..)