I just installed HAProxy in pfSense following one of Lawrence’s tutorials on YouTube. Everything works fine from outside my network, but inside my network, it’s not working.
I’ve already set a DNS resolver host override so that pfsense.xxxxxx.com returns the local IP 192.168.1.7, for example. Any ideas on how to resolve this issue would be greatly appreciated.
Internally you don’t route traffic to HAProxy and then back to the firewall. You set the certificate directly on pfSense in System > Advanced > Admin Access.
For internal access I create a local DNS entry that points to the firewall’s internal LAN IP, which gets redirected to HAProxy. I have IPs configured inside HAProxy to include internal LAN IPs for access.
I changed the Admin webGUI to port 444 so it wouldn’t conflict with HAProxy.
So this way I can make use of ACME certs for my internal servers.
Below is how I configured the “external address” in HAProxy:
I wouldn’t have done it that way. What I did was create a VIP and assign that as my frontend IP address for internal services. That way I don’t have to mess with changing the port number for pfSense to something other than 443.
I’m not sure if it will even work if you are trying to reach pfSense through the HAProxy service.
Notice that I have HAProxy with the VIP and CNAMEs (aliases) for it. If I want to change the IP, I don’t have to change all my entries; I only need to change one.
Because then you don’t have to change the ports for your LAN IP to reach the web interface of pfSense. You’re essentially creating a usable IP for your HAProxy to use internally.
You can do what you want. I’m offering a suggestion and a better way to set this up, IMO. For me, I don’t want my web interface for pfSense going through HAProxy when I can already assign a wildcard certificate directly in the web UI. Then for my other services I use the same wildcard certificate in HAProxy. The way you are doing it, changing ports and junk, is completely avoidable just by setting up a VIP.
There is nothing wrong with the way you are doing it, unless you are running into issues where pfSense doesn’t allow the web UI to be proxied. For most things there are multiple ways to skin a cat, as they say.
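As an added illustration of the VIP approach suggested above (this is not config from the thread or from the pfSense HAProxy package; the package generates its own file from the GUI), the equivalent raw haproxy.cfg looks like this. Assumed values: VIP 192.168.1.250, wildcard certificate at /etc/ssl/private/wildcard.pem, backend hosts 192.168.1.20 and 192.168.1.21, and the example.com names that the internal DNS host overrides point at the VIP.

```haproxy
# Added example, not from the thread. All IPs, paths and hostnames are assumed.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Bind only on the VIP, so the pfSense GUI keeps 443 on the real LAN IP
# and no admin port change is needed.
frontend internal_https
    bind 192.168.1.250:443 ssl crt /etc/ssl/private/wildcard.pem
    http-response set-header Strict-Transport-Security "max-age=31536000"

    # Route by Host header; the internal DNS host overrides resolve these
    # names to the VIP, so the same wildcard cert covers every service.
    acl host_unifi   req.hdr(host) -i unifi.example.com
    acl host_proxmox req.hdr(host) -i proxmox.example.com

    # Reject requests whose Host header matches no published service
    # instead of silently handing them to a default backend.
    http-request deny deny_status 421 if !host_unifi !host_proxmox

    use_backend be_unifi   if host_unifi
    use_backend be_proxmox if host_proxmox

backend be_unifi
    # Backend speaks HTTPS on 8443 with its own self-signed cert; replace
    # "verify none" with "verify required ca-file <ca>" once that cert is trusted.
    server unifi 192.168.1.20:8443 ssl verify none check

backend be_proxmox
    server pve 192.168.1.21:8006 ssl verify none check
```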
Hi, a bit late to reply, but I only just joined the forums specifically to see if I could help with HAProxy.
I followed Tom’s two HAProxy videos and also the troubleshooting one, but it still took 2+ days to get it working for internally serving HTTPS sites (UniFi, Proxmox, TrueNAS, etc.). Lots of backend errors.
Some of my hostnames contained “-”, as yours appear to do. The resolution came from removing all “-” in my hostnames and their associated backend ACL and rule names. Although “-” is valid in DNS, it seems that HAProxy does not like it. Maybe it treats it as a switch, or there is some regex issue with it.
Anyway, I redid it with hostnames without “-” and it worked straight away.
Would be great if anyone else could confirm that this is an issue.