    Haproxy SSL Termination

      m0ntassar last edited by

      Hello,
      I have pfSense 2.2.6 and installed the HAProxy 1.5 stable version package with the aim of configuring SSL termination.

      I configured a virtual WAN IP that I'm going to use to listen for SSL requests.
      I created an SSL certificate on pfSense.
      I created a backend with the config shown in the attached image backend.png.
      I also created a frontend with the config shown in the attached image frontend.png.
      Apache is working properly and shows the correct page when I browse directly to it using the LAN address. In the Apache logs, I see it is answering health checks with HTTP 200 OK.
      I see no traffic blocked in the pfSense logs.
      I'm getting "503 Service Unavailable, No server is available to handle this request" when I try to access the web site using the WAN address.
      Am I missing something?



        johnsonp last edited by

        Not sure about haproxy 1.5, but it works fine like this using haproxy 1.6, which I think is the devel package - maybe try using this? It's not really a devel package I think - 1.6 has been out for ages.

        Hope this helps

          PiBa last edited by

          Is the WAN address used in the certificate CN or alternative names? I think the ACL does not match the request you send, which then means no backend is selected, and thus no server is available.

          Simply removing the 'Add ACL for certificate CommonName (host header matches CN of certificate)' checkbox might make it work.

            m0ntassar last edited by

            @PiBa:

            Is the WAN address used in the certificate CN or alternative names? I think the ACL does not match the request you send, which then means no backend is selected, and thus no server is available.

            Simply removing the 'Add ACL for certificate CommonName (host header matches CN of certificate)' checkbox might make it work.

            Well spotted, my friend! It was as simple as un-checking Add ACL for CN :)
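
The behaviour diagnosed in this thread, written out as a hand-made haproxy.cfg sketch. This is an added example, not the configuration the pfSense package generated and not taken from the posters' screenshots; every name, address and path in it (`https_in`, `apache_lan`, `www.example.com`, `203.0.113.10`, `192.168.1.10`, the certificate path) is a placeholder assumption.

```haproxy
# Constructed example: all names, addresses and paths are placeholders.

# Case 1: routing depends only on a Host-header ACL tied to the certificate name.
frontend https_in
    mode http
    bind 203.0.113.10:443 ssl crt /path/to/site.pem
    # True only when the client sends "Host: www.example.com".
    acl host_is_cn hdr(host) -i www.example.com
    use_backend apache_lan if host_is_cn
    # There is no default_backend. Browsing to https://203.0.113.10/ sends
    # "Host: 203.0.113.10", the ACL is false, no backend is selected, and
    # HAProxy answers "503 Service Unavailable" even though the backend
    # server passes its health checks.

# Case 2: use this INSTEAD of the frontend above, not alongside it.
# Equivalent in effect to un-checking the CN ACL: every request that
# reaches the listener is sent to the backend, whatever its Host header.
frontend https_in_any_host
    mode http
    bind 203.0.113.10:443 ssl crt /path/to/site.pem
    default_backend apache_lan

backend apache_lan
    mode http
    option httpchk
    server apache1 192.168.1.10:80 check
```

Keeping the Host ACL and browsing by the certificate's name also works, and it keeps the frontend from answering requests that arrive with an unexpected Host header.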
