How To Setup ACME, Let's Encrypt, and HAProxy HTTPS offloading on pfsense

Hi,

Thank you for this great video.
I followed the steps and it works for all my backends except the Nextcloud jail that runs on my FreeNAS.
If I go via http://nextcloud.mydomain.com it works, but https is not loading anything.
Any ideas?

thank you

Tom, thanks for sharing your knowledge and time. Really appreciated.

After watching and re-watching this video a few times I finally made progress and got to the point of things almost working. I can’t get past the behavior of my pfSense instance though, where it appends the management port number to my target URL. For example, when I enter https://www.mydomain.com in the browser address bar it tries to load https://www.mydomain.com:2053/ because my management GUI is on this port. Naturally I get a certificate mismatch and hence a security warning.

If I enter my URL with a trailing slash (/) then the site loads correctly and the padlock is green. I have a firewall rule allowing all traffic on port 443 on the WAN interface to ‘This Firewall’ and no NAT rules, as I guess this is handled by HAProxy by design.

What is the last thing I am missing here?

Thanks in advance

Navigate to System > Advanced, Admin Access tab and check Disable webConfigurator redirect rule


Hello, Tom.

I can’t crack this thing without your expert advice. Following your instructional videos I learned how to set up HAProxy and made a few dummy websites work, just like your detroityodellingcompany sites, and they work. My need in fact goes beyond that: I need to test-deploy iRedMail (www.iredmail.org) behind pfSense. I currently have iRedMail running in production; that server is behind a Sophos UTM firewall and I am carrying out a phased migration from Sophos to pfSense.

iRedMail has several web services like the Roundcube IMAP client, SOGo groupware, the management console, netstats etc. The web server on the backend is Nginx listening on both ports 80 and 443. The HAProxy backend is set up to listen on port 443 with encryption without certificate check. The frontend is listening on port 443 and linked to the wildcard certificate issued to pfSense.

When iRedMail is accessed in the browser I get a properly encrypted connection and a page with valid Let’s Encrypt certificates; however, all pages load with a 503 error message stating that there is no server available to handle the request.

For the sake of checking whether something is not right with iRedMail, I:

  1. Disabled frontends
  2. Disabled HAProxy
  3. Disabled and removed UFW
  4. Issued wildcard certificate to the iRedMail VM for the target domain
  5. Wrote temporary NAT rules to redirect all traffic on HTTP and HTTPS to the iRedMail virtual machine

With these things in place everything works as expected, i.e. when HAProxy is not used I can access the iRedMail services without any errors. The moment I turn HAProxy back on, everything goes back to the 503 error. Where else can I look for the culprit?

Thanks in advance
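As an added example (my own, not code from this thread or from the HAProxy or pfSense projects), here are the two checks a practitioner would run first on a 503 like the one above. HAProxy returns 503 "No server is available to handle this request" when no server in the selected backend is in an UP state, which almost always means the backend's health check is failing rather than the proxy path being broken. The script lists every server the health checks have marked not-UP from the HAProxy admin socket, and then repeats the check by hand against the backend with SNI and a Host header set, since a backend vhost that is picked by name answers differently to a check that omits them. The socket path /tmp/haproxy.socket, the use of socat, the backend address 192.0.2.10:443 and the site name mail.example.com are assumptions; the stats rows produced by sample_stats are constructed so the parser can run offline.

```shell
#!/bin/sh
# Added example, not from this thread or from the HAProxy/pfSense projects.
# HAProxy answers 503 "No server is available to handle this request" when
# the backend chosen by the frontend has no server in an UP state, which is
# usually a failing health check rather than a broken proxy path.  Two checks:
#   1. list servers that are not UP from the stats socket ("show stat")
#   2. reproduce an L7 check by hand against the backend (TLS+SNI, Host header)
#
# Assumptions (hypothetical, adjust to your setup):
#   - the admin socket is /tmp/haproxy.socket and socat is installed
#   - the backend is Nginx at 192.0.2.10:443 serving mail.example.com

STATS_SOCKET="${STATS_SOCKET:-/tmp/haproxy.socket}"

# Dump the raw stats CSV from the HAProxy admin socket (needs socat).
haproxy_show_stat() {
    echo "show stat" | socat stdio "unix-connect:$STATS_SOCKET"
}

# Read "show stat" CSV on stdin and print one line per real server that is
# not UP, as "backend/server status check_status".  1-based CSV fields used:
# 1 pxname, 2 svname, 18 status, 37 check_status.  Servers configured without
# a health check report "no check" and are still used, so they are not flagged.
haproxy_down_servers() {
    awk -F, '
        /^#/ { next }                                   # header row
        $2 == "FRONTEND" || $2 == "BACKEND" { next }    # aggregate rows
        $18 !~ /^UP/ && $18 != "no check" {
            printf "%s/%s %s %s\n", $1, $2, $18, $37
        }'
}

# Reproduce an L7 health check by hand: TLS with SNI set to the site name,
# then an HTTP/1.0 request carrying a Host header.  Prints the status line.
# Compare the result with what the backend's configured check sends.
probe_backend() {   # probe_backend <site-name> <ip> <port>
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" \
        | openssl s_client -quiet -connect "$2:$3" -servername "$1" 2>/dev/null \
        | head -n 1
}

# --- constructed sample data so the parser can be exercised offline ---------

# Emit one 39-field stats row with only the fields the parser reads filled in.
stat_row() {   # stat_row <pxname> <svname> <status> <check_status>
    awk -v px="$1" -v sv="$2" -v st="$3" -v ck="$4" 'BEGIN {
        n = 39
        for (i = 1; i <= n; i++) f[i] = ""
        f[1] = px; f[2] = sv; f[18] = st; f[37] = ck
        for (i = 1; i <= n; i++) printf "%s%s", f[i], (i < n ? "," : "\n")
    }'
}

# Constructed "show stat" output: one backend whose only server fails its
# HTTP check (L7STS = layer 7 response error, e.g. an HTTP 5xx), one healthy
# backend, and one server configured without a check.
sample_stats() {
    echo '# pxname,svname,... (header truncated in this constructed sample)'
    stat_row iredmail_ssl   FRONTEND  OPEN       ""
    stat_row iredmail_ssl   iredmail  DOWN       L7STS
    stat_row iredmail_ssl   BACKEND   DOWN       ""
    stat_row nextcloud_ssl  nextcloud UP         L7OK
    stat_row nextcloud_ssl  BACKEND   UP         ""
    stat_row nextcloud_http nextcloud "no check" ""
}

if [ "${1:-}" = "--live" ]; then
    haproxy_show_stat | haproxy_down_servers
    probe_backend mail.example.com 192.0.2.10 443
else
    sample_stats | haproxy_down_servers
fi
```

Run it with --live on the firewall to query the real socket; without arguments it only parses the constructed sample and prints the one failing server. The pfSense HAProxy package shows the same per-server status on its Stats tab. If the server row reads DOWN with L7STS or L7RSP, compare the status line probe_backend gets with the method, path and Host header the backend's health check is configured to send; if it reads DOWN with an L4 or L6 code, the firewall is not completing a TCP or TLS connection to the backend at all.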

I got mine working, but you need to run your Nextcloud on SSL for this to work.

For management and web interfaces you need to push them through HAProxy; for the other ports like IMAP you need to port forward, so that they are accessible on your WAN side :slight_smile: