HA proxy securing open ports

So I set up HAProxy to be available from outside my network at sub.domain.com using Tom and Raid Owl's videos, and it opened port 443 on its own to any-any. I tried looking around to see if it could be done this way but I couldn't find any info on it. I would like to secure the port so only traffic coming from sub.domain.com is allowed and it's not just out there flapping in the wind for all the bots to see. The host is Cloudflare. I created an alias of all the sub(s).domain.com including Cloudflare as an FQDN listing, but when I go to sub.domain.com I get the wonderful 522 error. I'll show the config below as much as I can.

pfsense port 10443
nas vlan 203 gui port 80 (this is just a test to see if i can get it working)
ha proxy to wan interface
dyn dns through cloudflare to pfsense

Any suggestions would be appreciated.

That's what I used to set it up initially; not helpful in this case.

I’m confused. You say that Cloudflare is the host. Do you mean you set up a proxy with Cloudflare and then are trying to send that traffic to HAProxy?

Cloudflare is hosting the domain(s). HAProxy is on the pfSense, which also has the dynamic DNS service through Cloudflare. When I configured HAProxy on pfSense it opened port 443. I went into the port forwarding rules and added the source addresses using the alias I previously created with the sub(s).domain.com and cloudflare.com, so I could only allow traffic through the port from those domains so it's not open to the wide world and can't be easily scanned. This and the DNS resolver override are where I have the questions. For clarity, I am trying to make these sites/devices accessible publicly and as securely as possible.

Is it possible to secure the port forward in this way to allow traffic through port 443 on the pfSense only if it originates from sub.domain.com or Cloudflare?

In the DNS resolver override, it was unclear where I should point it. Back to the pfSense internal IP? All of the clients on my network are configured to get their DNS from pfSense, either statically or via DHCP where applicable.

This should always point at your internal pfsense IP that you have HAProxy tied to.

I do have a cert & DNS video that explains how they are related when setting this up.

I haven’t finished my first cup of coffee yet, but this doesn’t sound right. Sounds like you have a forward rule created to allow 443 access from your DNS zone file host. Just because DNS points to your proxy IP doesn’t mean traffic will flow that way.

Sounds like you need to either open up that 443 port to the big bad world or set up a VPN (or overlay). Or if you really want to stick to your idea, then set up a VPN server in the cloud as a bridge to your LAN. This would be more secure than setting up the VPN server on your pfsense box directly. The fewer features you enable on pfsense the better.

@satech, maybe just clarify what the broader intentions are here - things aren’t adding up, to my mind at least.

You want to reverse proxy sub.domain.com through HAProxy on your local pfSense, presumably to some service on port 80/443 on a local NAS box. But then only allow traffic to the domain from the exact same domain. Can you see the conundrum here - source and target are the same; the proxy would be superfluous.

There are a couple of ways you can tackle this, but first figure out which services and hosts need to talk to which, and over local/private/public internet. A couple of scenarios:

A: Split DNS, no proxy required

  • You just need to access sub.domain.com from behind your local pfsense
  • setup a local DNS host override on pfsense

B: Reverse Proxy

  • You need public access to sub.domain.com, hosted locally behind pfsense
  • HAProxy + Dynamic DNS

C: VPN

  • You need private access to the service hosted locally behind pfsense
  • Pick one of the myriad VPN options available to pfsense, or even host-to-host

You could of course also add pfsense rules to scenario B, such as restricting inbound WAN traffic on 80/443 to an alias of hosts: sub2.domain.com, sub3… That might become unwieldy though, depending on whether you have other services being proxied which do have to be open to the public. You might then want to take a look into pfBlocker-NG. Or you could add HAProxy frontend ACLs by source IP.

In general though, be cautious about exposing services through reverse proxy. Apply the same sanity checks and hardening practices you would for hosting anything else online - that is after all exactly what you’re doing.
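To make the source-versus-hostname distinction from the thread concrete, here is an added HAProxy frontend (not from the thread, not pfSense's generated config) that restricts by source IP and routes by Host header. It assumes the sub.domain.com record is proxied through Cloudflare (so connections reach pfSense from Cloudflare edge addresses), a placeholder certificate path, a placeholder address-list file, and a constructed NAS address on VLAN 203.

```haproxy
# Added example; not the poster's config and not what the pfSense package generates.
# Assumption: sub.domain.com is proxied by Cloudflare, so the TCP source seen by
# pfSense is a Cloudflare edge IP, never "sub.domain.com" (a hostname is a destination,
# not a source). /usr/local/etc/haproxy/cloudflare_ips.lst is a placeholder path;
# fill it from Cloudflare's published lists (https://www.cloudflare.com/ips-v4 and /ips-v6).

frontend https_in
    mode http
    bind :443 ssl crt /path/to/sub.domain.com.pem        # placeholder cert path

    # Source check: who connected to us? Matched on IP ranges loaded from a file.
    acl from_cloudflare src -f /usr/local/etc/haproxy/cloudflare_ips.lst

    # Hostname check: which site did the client ask for? Lives in the Host header.
    acl host_sub req.hdr(host) -i sub.domain.com

    # Drop anything that did not arrive through Cloudflare before choosing a backend.
    http-request deny deny_status 403 if !from_cloudflare

    # Cloudflare forwards the real client address in CF-Connecting-IP; use it for logs
    # and any later per-client rules (only trusted because the source check passed).
    http-request set-src req.hdr(CF-Connecting-IP) if from_cloudflare

    # Route only the expected hostname; unknown names get a 403 instead of a default site.
    use_backend nas_gui if host_sub
    default_backend no_match

backend nas_gui
    mode http
    # Constructed address on VLAN 203 (the thread only says "vlan 203 gui port 80").
    server nas 10.203.0.10:80 check

backend no_match
    mode http
    http-request deny deny_status 403
```

The same principle applies to the pfSense WAN rule in front of HAProxy: its source must be the Cloudflare IP ranges, not an FQDN alias of sub.domain.com, because that alias resolves to your own public address.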