HAProxy won't forward to IIS

Hello,

I have created a virtual environment to test HAProxy with pfSense inside VMware Workstation version 16.
I created two IIS servers with test sites that can be accessed from remote hosts and are public, with working certs on HTTPS, behind pfSense. I configured the NAT rules to check that the sites worked properly before trying out HAProxy: I created a NAT rule for one server on 443 to check that I can reach it, then changed the IP in the NAT rule to the other, and both sites are working and can be accessed remotely via HTTPS.

After checking that all the sites are working and pfSense does forward to the proper IIS server, I moved on to follow the instructions in the following videos:

I created two certs for my test domains, then changed the webConfigurator to port 10443 and HTTPS and enabled WebGUI redirect. Then I created a Backend to the internal IP + port with SSL and chose CA plus Client certificate for test site number 1, and then created a Frontend with listen address from WAN on port 443 plus SSL offloading, added an ACL with "path contains" with the site address without WWW, and added an Action to go to my backend rule (both the ACL name and the Condition ACL names are matching). Under SSL offloading I chose the Test1 site cert and added in the Additional certificates all the certs I created for the websites, and created a rule for port 443, but I can't reach the test website, though traffic does show an incoming connection on 443 to the firewall.

Thanks in advance

First, there is a new version of that video here:

and I have a troubleshooting video here:

It will show you how to look up what SSL cert is being presented using openssl.

Thank you for the reply. What are the firewall rules in pfSense when HAProxy is enabled and I have two different LANs, for example LAN 192.168.2.10 with IIS running an HTTPS Test.example.com site and a second LAN 192.168.3.10 with IIS running a second HTTPS site with a different domain, test.example2.com?

Because from the errors I am encountering, it looks like a firewall rules/NAT misconfiguration.

I have checked using the troubleshooting guide video and saw that I am reaching the proper A record but am not being served any certificate.

If the HAProxy frontend is bound to 192.168.2.1:443, then on the 192.168.3.0/24, if you have a block rule for the two networks, you could have a rule above that block rule to allow port 443 to get to 192.168.2.1:443.

My Frontend is bound to the WAN and not to 192.168.2.1, but after looking at the logs I used the easyrule function to add the rule in the firewall, and I saw that first the site is trying to load on port 80, so I started adding the https to the website query. Now when I reach the site I get the proper wildcard certificate that I created in pfSense, but it leads to a "503 Service Unavailable. No server is available to handle this request." error in the browser. (I double-checked that the websites are running properly without HAProxy and they are reachable remotely and locally.)

Could it be that HAProxy is not forwarding the request to the backend?

Your "host matches" value should not contain https://; it should only have the hostname.

Unfortunately, same error.

BTW, when I change the settings to port 80, the error is 502 Bad Gateway:
The server returned an invalid or incomplete response.