Confused about differentiating subdomains and destinations - PfSense & HAProxy

Hello,

First of all, allow me to admit that I’m a total noob - Do forgive me for my (perhaps) very silly questions.

I’m running PfSense and FreePBX on a homelab for testing and learning.

I’ve followed the great LTS HAProxy, pfSense, acme and Let’s Encrypt guide and everything is working great. I can access freepbx.myjokeofadomain.com, for example, and my browser will report a secure connection with the correct cert being delivered.

However, there is a fundamental thing that I don’t understand:

Both of my subdomains, let’s say freepbx.myjokeofadomain.com & home.myjokeofadomain.com (pfSense GUI, just for testing, limited to a single remote IP I own), point to the same WAN IP.

I was under the impression that simply going to each subdomain will have haproxy send them to the correct port, but that’s not the case.

For example: going to freepbx.myjokeofadomain.com:10443 will reach pfSense. It will give a cert error, but it will get there.

Am I doing something wrong or is it actually a normal behavior? I’m willing to learn!

Thanks a lot,

Noam.

The idea of a reverse proxy is for it to be the single endpoint for multiple websites. A client only needs to be able to connect to the reverse proxy and the reverse proxy needs to be able to connect to the upstream services. While it’s certainly possible that a reverse proxy listens on multiple different sets of ports, that’s not a common case. So you wouldn’t usually add ports like you did with the 10443 example.

All the domain names handled by the reverse proxy should point to its IP address. Note that this can be different addresses depending on the network a client is in: if a client connects from the internet, it needs to know the public (i.e. “WAN”) address of the server. However, for example, in an IPv4 NAT scenario (which is just about every domestic and office network), a client would need to use the private address of the reverse proxy. So, depending on where the client is, DNS needs to return different addresses. This is known as split-horizon DNS.

That is, in essence, what should happen if by “correct port” you mean the correct upstream service (which may or may not be on the same machine as the reverse proxy). The reverse proxy will make a request to the upstream service and forward the response to the client. This is transparent to the client; the client doesn’t necessarily know this is happening. It’s not like there is a redirect happening and the URL in the address bar changes.

Hey Paolo, thank you for the detailed explanation. I appreciate it, it sure clears things up a bit.

I’ve cleaned things up and configured HAproxy from scratch, and now I face different problems, which I can’t figure out (Hey, just like my life!). Here’s what I did so far:

  1. I made sure that my DNS records for my domain point at my public IPv4 WAN address.

  2. I created a firewall rule to allow internet access to haproxy on 443 (Later limited to a single IP source):

  3. I set up two backends, one for the pfSense GUI and the other for the FreePBX GUI (again, just for testing, this will obviously never happen in a live environment) and set each of them to point to the appropriate server IP and port (PBX is shown in this example):

  4. I’ve created a frontend which binds to my WAN public IP address and port 443:

  5. I set up the proper ACL, actions and certs (not shown):

  6. I drank some water.

Here’s the thing: Now, when I browse to:

  • https://trp.mydomain.com: instead of arriving at the pfSense GUI (if I’m not mistaken), I get a 503 error, but as I have the backend properly configured (I hope) and pointing at the pfSense GUI, why am I getting that?
    https://imgur.com/QBELWrL

  • https://rocket.mydomain.com: it adds the port number of the PBX GUI (1443 - should this even happen? I understand not…) and even adds the /admin directory to the URL, but it ends with an error. This attempt gets blocked by pfSense (Source: remote WAN IP → Dest: HAProxy WAN IP:1443), which makes sense, I guess, as it shouldn’t even try to access it like that, but should be handled through HAProxy, correct?
    https://imgur.com/lIsr8dp

BTW 1, “rocket” and “trp” are just easy nicknames that make things a bit easier on me; I do apologize if it adds to the confusion.

BTW 2, this reply had a lot more screenshots which, I believe, made it easier for me to explain what I did, but I can’t embed as a new user and also can’t link very much, so…

I’ve started this day confused, and I’m ending it confused. And sweaty. Wow, these are a lot of screenshots.

Thanks again and sorry for that looong reply :slight_smile:

Oddly enough, I did manage to make my “trp.mydomain.com” fully work by disabling the health check on its backend. The same did not do anything for “rocket.mydomain.com”.

It’s hard to diagnose this remotely, especially since I have no experience with HAProxy. A couple of things to try / verify:

  • From the firewall itself (e.g. using SSH), use curl to verify that the firewall can reach the backend. Make sure you use the same connection parameters (address, port, protocol) as specified in your HAProxy configuration.

  • Is 1443 the correct port to use for FreePBX? The documentation states that the control panel port is 4443 by default. This could explain the redirect you are getting.

  • Try getting it to work without optional configuration like health checks and TLS first. You can worry about this later once the proxying functionality works.
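To make the two earlier points concrete (one public listener that selects the upstream by the requested host name, and the health check and port pitfalls discussed just above), here is an added example HAProxy configuration. It is not the poster’s configuration and not the output of the pfSense HAProxy package; the host names, the 192.0.2.x / 203.0.113.x addresses and the certificate path are placeholders.

```haproxy
# Added example (not the poster's config): one public HTTPS listener,
# two upstreams chosen by Host header. All addresses are placeholders.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public_https
    # A single listener on 443 for every name that resolves to the WAN address.
    # The directory holds the Let's Encrypt certs for both names; HAProxy
    # picks the matching one by SNI, so the client never adds a port.
    bind :443 ssl crt /etc/haproxy/certs/
    http-request set-header X-Forwarded-Proto https

    # Route on the Host header, not on the port.
    acl host_pbx    req.hdr(host) -i freepbx.example.com
    acl host_gui    req.hdr(host) -i home.example.com
    # Firewall GUI is only exposed to one trusted source address (placeholder).
    acl trusted_src src 203.0.113.5

    use_backend freepbx_gui if host_pbx
    use_backend pfsense_gui if host_gui trusted_src
    # No default_backend: any other name (or an untrusted source asking for
    # the GUI) gets a 503 from HAProxy instead of reaching an upstream.

backend freepbx_gui
    # The upstream speaks TLS on its own port (4443 is the FreePBX default
    # mentioned in the thread; verify against your install). "ssl" makes the
    # health check use TLS too. A check that does not match how the upstream
    # talks (e.g. a plain-HTTP "option httpchk" against an HTTPS-only port)
    # marks the server DOWN, and the frontend then answers 503.
    server pbx 192.0.2.10:4443 ssl verify none check

backend pfsense_gui
    # "verify none" skips validation of the GUI's self-signed certificate;
    # on a real deployment prefer "verify required ca-file <your-ca.pem>".
    server gui 192.0.2.1:443 ssl verify none check
```

Before reloading, validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg`. To reproduce the checks from the firewall’s own shell, `curl -vk https://192.0.2.10:4443/` (same address, port and protocol as the `server` line) shows whether the upstream is reachable and, in the verbose output, whether it answers with a `Location:` header that points at its own port and `/admin` path, which is what the browser in the “rocket” case ended up following.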

No problem! I’m just thinking out loud here, appreciate your input so far…

I will check all of that when I have some additional free time on my hands.

Thanks again :smiley: