Migrating from Synology Reverse Proxy to pfSense HAProxy

I am self-hosting a Bitwarden server. It is running within a Docker container using the vaultwarden image on my Synology device via port 3080. The Synology physically connects to a UniFi switch, which physically connects to a pfSense firewall. My ISP uses DHCP and my domain is/was hosted by Google. Using the Dynamic DNS service within pfSense, it keeps my “WAN IP” address in sync as needed for all of my subdomains. For the past two years, this setup has worked for me by having 2 NAT Port Forward/Firewall rules on the pfSense that take any HTTP/80 and HTTPS/443 hits on the “WAN” and forward them to the internal IP of my Synology. Obviously, if the subdomain “bitwarden” is requested, the Reverse Proxy built into the Synology will forward to localhost:3080 and get access to my hosted Bitwarden server. Additionally, a Let’s Encrypt Certificate has been created from within the Synology for this subdomain (and a couple others).

I now want to make some changes to my network. I want to add some services like Nextcloud, but I do not want to host it on the Synology machine. I no longer want the Synology to handle the Reverse Proxy for my network at all, nor do I want to host Bitwarden on the Synology anymore. I want the pfSense to “handle” all my certificate needs for my domain (ACME Certificates) and also the Reverse Proxy duties (HAProxy). The Synology will be relegated to more “backup” or storage duties where more capable hardware will handle the services hosting going forward.

All this background information brings me to my question: How do I do it? I gave it a whirl a few days back by setting up a new Bitwarden server on a new subdomain, doing ACME/HAProxy, but I was never able to connect to it from outside my network. I was relegated to putting it all back the way it was such that my extended family could still get to their passwords. I am tempted to believe I missed a step (yes, I have watched the videos, but confess I never CLI-tested it) or there is some order of operations that I am missing.

I am proposing trying the following, next time out:

  1. Set up new Bitwarden (or other) server on new hardware. Verify local IP connection ability.
  2. Set up new subdomain at Cloudflare.
  3. Set up Dynamic DNS within pfSense. Verify IP updates.
  4. Set up new Certificates within ACME Certificates. (referencing videos)
  5. Set up HAProxy. (1 backend, 1 frontend) (referencing videos)
  6. Disable original 2 NAT Port Forwards. Reload.
  7. Test connection and hope for success.

Is there anything I am missing? Suggestions? Gotchas? I will wait until the weekend to try again, and I hope to see some replies before my next attempt. Thanks in advance.

My videos on HAProxy cover all the steps, good luck.

I made the proxy and cert changes, but had a few issues to navigate. The first is that my HAProxy was not properly reloading. I assumed it would auto-reload, but the service never really restarted. The second is that in some videos I have seen, the firewall rules would be auto-created. Mine were not. No biggie, just a quick add. Everything appears to be working. Thanks again for all you do, @LTS_Tom

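The "1 backend, 1 frontend" layout from step 5 of the plan, written out as plain HAProxy configuration. This is an added example, not part of the thread and not the configuration pfSense generates: the hostname `bitwarden.example.com`, the address `192.0.2.10:3080`, the certificate path and the extra port 80 redirect frontend are all placeholder assumptions.

```haproxy
# Added example; hostname, address, port and certificate path are placeholders.
global
    # Refuse legacy TLS versions on every bind line.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 only redirects; no backend is reachable over plain HTTP.
frontend http_in
    bind :80
    http-request redirect scheme https code 301

# The single HTTPS frontend. HAProxy now terminates TLS on the firewall
# in place of the old 443 port forward, so the WAN needs a pass rule
# for TCP 443 to the firewall itself (not created automatically in the thread).
frontend https_in
    bind :443 ssl crt /path/to/bitwarden.example.com.pem
    # Route by requested hostname. A request for any other name matches
    # no backend and gets HAProxy's 503 instead of an internal service.
    acl host_bitwarden hdr(host) -i bitwarden.example.com
    use_backend bitwarden_backend if host_bitwarden

# The single backend: the new Bitwarden server on the LAN.
backend bitwarden_backend
    # Pass the client address and original scheme to the application.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    server bitwarden1 192.0.2.10:3080 check
```

A file like this can be syntax-checked with `haproxy -c -f <file>`; a valid configuration still changes nothing until the service has actually been restarted, which is the first issue reported above.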