Haproxy PFsense CE

Regarding the functionality of HAProxy in version 2.8.0 of pfSense, I am currently investigating the possibility of a malfunction.

Over the past two weeks, I have been attempting to configure HAProxy for proper reflection.

I have meticulously followed the instructions provided in Tom’s YouTube tutorials.

Despite these efforts, the system is not forwarding traffic as expected.

Initially, I believed I had achieved a successful configuration, only to discover that HAProxy was, in fact, disabled, and traffic was being directed to my server via pfSense NAT functionality.

This raises a secondary question: Does the use of Cloudflare’s proxy service potentially impact HAProxy’s operation?

I have previously utilized HAProxy with moderate success; however, its current behavior is inconsistent.

Furthermore, I recall a statement from Tom’s video suggesting that HAProxy negates the need for firewall configuration. Could I have misinterpreted this information?

I think we’ll need more information about what behavior you’re seeing. I’m not sure what you mean about no firewall configuration, but if you’re hosting public sites, you definitely need to allow traffic to tcp/80 and tcp/443 via the WAN interface (unless they’ve changed something recently).

My preference is always to have HAProxy listen on a different address from the firewall. I would create a virtual IP (under Interfaces > Assignments), set HAProxy to listen on that IP, and then create a NAT rule forwarding the needed ports on the WAN interface to your new HAProxy IP. If you’re using the Cloudflare proxy (via their DNS panel and not Cloudflare tunnels), then you can even limit the firewall rules to only the Cloudflare IPs. If you’re using Cloudflare tunnels, you don’t need any HAProxy setup at all, so maybe that’s where some of the confusion is.

1 Like

I'll post screenshots of my config as it was and see what you think.

Let me be clear, I think I had it set up properly before, but I could have been totally off. If you have some pointers, or the virtual IP scenario you mentioned, to share, I will gladly upgrade my understanding to produce a better setup, as I am very new to HAProxy.

1 Like

Oh yeah. Do not use Cloudflare to proxy and then try to proxy again with HAProxy. You only need DNS for Cloudflare.

1 Like

Your situation is a little different from mine (I use HAProxy on a server separate from pfSense these days, so I don’t have a model to check against), but I’ve got a couple of ideas for you. Here are a couple of places I’d start looking.

  1. If you’re binding HAProxy to all interfaces on pfSense (which is the default), I don’t think you need a NAT rule. Let’s say you have a service, nc.example.com. Clients query DNS and get back your IP and HAProxy deals with the traffic. There’s no separate network address to translate the traffic to (which is what NAT does). Instead, a simple rule on the needed interfaces would do the trick. What I’ll usually do in this instance is use a floating rule with the “quick” setting checked and choose all the interfaces I’m after with a destination of “This Firewall.”
    (If you try the virtual IP method, you’d need a NAT rule pointing tcp/80 and tcp/443 to the virtual IP.)
  2. I’m not sure if it matters, but why the two front ends on port 80? I don’t recall Tom’s videos suggesting that and on my own installation I have a single front end for :443 and another for :80, which just redirects to port 443. Instead, the individual services are part of the HTTPS frontend with ACLs directing them to the appropriate backends.
  3. Since HAProxy is using ports 80 and 443 on the same address as pfSense’s web UI, have you switched the web UI to a separate port? Only one service can listen on a port.
    (This is the reason I like the virtual IP method.)
  4. The last thing to look at is DNS. It sounds like you might already have this figured, but just in case: if you have your service nc.example.com and you want to access it both from the WAN and from the LAN, you’ll want to have DNS entries in two different places. You’ll need your domain’s DNS server to advertise the WAN address (I think you said you’re on Cloudflare), and you’ll want your pfSense DNS server to resolve that domain to the LAN address of HAProxy.

In case it helps for reference, here’s my HAProxy configs for my own Nextcloud server. It’s the raw config, but might be good enough for extrapolation:

# Front Ends
frontend HTTP
	bind			0.0.0.0:80 name 0.0.0.0:80
	mode			http
	log			global
	option			httplog
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	acl			example	var(txn.txnhost) -m reg -i  [A-Za-z0-9\.]+\.example\.com
	http-request set-var(txn.txnhost) hdr(host)
	http-request redirect code 301 location https://%[hdr(host)]%[path]  if  example
frontend HTTPS
	bind			0.0.0.0:443 name 0.0.0.0:443   ssl crt-list /etc/haproxy/HTTPS.crt_list
	mode			http
	log			global
	option			httplog
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000

	acl			aclcrt_HTTPS	var(txn.txnhost) -m reg -i ^([^\.]*)\.example\.com(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)

	# Nextcloud
	acl			house-nextcloud	var(txn.txnhost) -m str -i cloud.example.com
	acl			aclcrt_HTTPS	var(txn.txnhost) -m reg -i ^cloud\.example\.com(:([0-9]){1,5})?$
	use_backend house-nextcloud_ipvANY  if  house-nextcloud aclcrt_HTTPS
# Backend

backend house-nextcloud_ipvANY
	id 1016
	mode	http
	log	global
	timeout connect	30000
	timeout server	30000
	retries	3
	load-server-state-from-file	global
	server	nextcloud 192.168.1.62:11000 id 100 check

2 Likes

All right, so here’s the thing: I finally got it working.

But I also don’t have it working; allow me to explain.

I have the reverse proxy working via HAProxy on pfSense, and it works flawlessly when I use it to contact my Asus NAS.

Where I am still experiencing issues is when I try to use it to contact the individual apps on my TrueNAS SCALE server.

Specifically Nextcloud.

I’m currently researching how to get this done, but I thought it would be as simple as plugging in the NAS’s IP address and port number.

But I’m reading that other people are having issues with this as well, so I’m not really sure how I’m going to tackle this.

# Automaticaly generated, dont edit manually.
# Generated on: 2025-08-31 05:56
global
	maxconn			1000
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbthread			2
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

frontend http_80
	bind			192.168.88.3:80 name 192.168.88.3:80   
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	http-request redirect scheme https 

frontend https_443-merged
	bind			192.168.88.3:443 name 192.168.88.3:443   ssl crt-list /var/etc/haproxy/https_443.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	acl			aclcrt_https_443	var(txn.txnhost) -m reg -i ^([^\.]*)\.com(:([0-9]){1,5})?$
	acl			nextcloud	var(txn.txnhost) -m sub -i nextcloud.com
	acl			soulnas	var(txn.txnhost) -m beg -i soulnas.com
	acl			tn	var(txn.txnhost) -m beg -i truenas.com
	http-request set-var(txn.txnhost) hdr(host)
	use_backend Nextcloud_ipvANY  if  nextcloud 
	use_backend soulnas_ipvANY  if  soulnas 
	use_backend truenas_ipvANY  if  tn 

backend Nextcloud_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	load-server-state-from-file	global
	server			nextcloud 0.0.0.0:30027 id 101 ssl  verify none 

backend soulnas_ipvANY
	mode			http
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	load-server-state-from-file	global
	server			soulnas 192.168.2.11:8005 id 103 ssl  verify none 

backend truenas_ipvANY
	mode			http
	id			104
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	load-server-state-from-file	global
	server			truenas 192.168.2.3:443 id 105 ssl  verify none

1 Like

It looks like your issue is with the Nextcloud backend. You’ve got the host set to 0.0.0.0 instead of the Nextcloud IP address. That’s the equivalent of black-holing the traffic. See if updating that backend gets you sorted.
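As an added example (not code from this thread or from pfSense), a small Python linter that reads a pfSense-style HAProxy config and flags the points raised in the list above and in the reply just above: a condition that references an ACL never defined in its frontend, two frontends binding the same address and port, a backend server pointing at 0.0.0.0, and an SSL backend that skips certificate verification. The sample config is constructed for this example and only mirrors the shape of the configs posted here.

```python
# Constructed sample modelled on the configs posted in this thread; not anyone's real config.
SAMPLE = """
frontend HTTP
    bind 0.0.0.0:80 name 0.0.0.0:80
    acl example var(txn.txnhost) -m reg -i [A-Za-z0-9\\.]+\\.example\\.com
    http-request set-var(txn.txnhost) hdr(host)
    http-request redirect code 301 location https://%[hdr(host)]%[path] if ktvcr
frontend HTTP_dup
    bind 0.0.0.0:80 name second_80
frontend HTTPS
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /etc/haproxy/HTTPS.crt_list
    acl nextcloud var(txn.txnhost) -m sub -i nextcloud.com
    use_backend Nextcloud_ipvANY if nextcloud
backend Nextcloud_ipvANY
    server nextcloud 0.0.0.0:30027 id 101 ssl verify none
"""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
def parse(cfg):
    """Group tokenised, non-comment lines under their section header."""
    sections = []
    for t in (l.split() for l in cfg.splitlines()):
        if not t or t[0].startswith("#"):
            continue
        if t[0] in SECTIONS:
            sections.append((t[0], t[1] if len(t) > 1 else "", []))
        elif sections:
            sections[-1][2].append(t)
    return sections
def lint(cfg):
    """Flag the mistakes discussed in this thread; returns a list of messages."""
    findings, binds = [], {}
    for kind, name, lines in parse(cfg):
        acls = {t[1] for t in lines if t[0] == "acl"} | {"or", "||"}
        for t in lines:
            if t[0] == "bind":  # only one proxy can listen on a given address:port
                if t[1] in binds:
                    findings.append(f"{kind} {name}: bind {t[1]} already used by {binds[t[1]]}")
                binds.setdefault(t[1], name)
            if "if" in t and "{" not in t:  # named ACLs only; anonymous { ... } ACLs are skipped
                for w in t[t.index("if") + 1:]:
                    if w.lstrip("!") not in acls:
                        findings.append(f"{kind} {name}: condition uses undefined ACL '{w}'")
            if t[0] == "server":
                host = t[2].rsplit(":", 1)[0]
                if host in ("0.0.0.0", "::"):  # nowhere to send the traffic: a black hole
                    findings.append(f"{kind} {name}: server {t[1]} points at {host}")
                if "ssl" in t and "verify" in t and t[t.index("verify") + 1:][:1] == ["none"]:
                    findings.append(f"{kind} {name}: server {t[1]} skips backend certificate verification")
    return findings
```

Run `lint(SAMPLE)` on the constructed config to see all four findings; point it at the output of pfSense's "Show configuration" to check a live setup.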

No I only did that for this post I have the real data in my config.

Have things changed dramatically in your set up since the initial question? If so, would you let us know how? And why change the nextcloud backend IP, but not the others? Is that a public address?

Here are the things that would be useful to know:

  • What are the IP addresses of the nodes involved? Even redacted versions would help to see the relationships (i.e. pfSense is at x.x.0.1, HAProxy is at x.x.0.3, Nextcloud is at x.x.2.33, etc.)
  • What firewall/NAT rules are currently in play?
  • Is Nextcloud on the same network as HAProxy?
  • Are both Nginx Proxy Manager and HAProxy trying to proxy connections on the same IP address?

Hi there,

Apologies for the delayed update.

I was unsuccessful with HAProxy, opting for the attached solution of Cloudflare with TrueNAS SCALE directly, which allows Nextcloud to function effectively via the TrueNAS Nextcloud app.

I still plan to explore a direct HAProxy integration with a second Nextcloud instance, but the current method provides a secure and comprehensive solution.

Of course, if I manage to strike gold I will update.

That video can be found here: