pfSense+ACME+HAProxy Ubuntu Unifi Controller Issues

I can’t seem to get this to work. Trying to get a Unifi Controller publicly available on a single WAN IP connection. I have watched all the videos, and searched all over. But nothing seems to help. I am using 8443 on the frontend, and 8443 on the backend. Backend has SSL w/o check, since Unifi Controller runs with a self-signed SSL. If I curl the backend from pfSense I get a 503 error also. But I can get to the Unifi Controller via the local address and port just fine. Any advice would be greatly appreciated.

Just confirming if you have any host-based firewall enabled on the Unifi controller that may be causing this problem.

I have this video on HAProxy troubleshooting to help.

Yes Tom I have watched all three of your videos, but still can’t get it to work correctly. They got me closer, but still not working correctly.

@LTS_Tom & @reymond070605, Here is what I have configured for HAProxy. With a firewall rule allowing 8443.

Frontend:


Backend:

You’ve forgotten to confirm whether the iptables of your Ubuntu Unifi Controller allows an 8443 connection from pfSense.

@reymond070605 Currently don’t have any iptables or UFW running.

Nothing really stands out as wrong to me.

@LTS_Tom That is kinda where I am at. I have scoured your videos, and Googled like crazy but can’t seem to figure it out. I can get to the controller internally, just not externally through HA. Feels like I am missing some little thing.

@thekillerb I’ve gone over the pictures you provided. But I have a question for you. In your Frontend screenshot. I see your Port_8443_FE and the backends listed. The backends show as UnifiController if(unifi) and HomeAssistant if(lemonha). But unless this screenshot is cut off at the bottom. I see that you do not have a default backend defined in your Frontends.

If you don’t have a default backend defined you will get a 503 Service Unavailable when trying to get to your Unifi. My question is, under the Default backend, access control lists and actions. At the bottom of this section what do you have checked for Default Backend?

For reference, Tom did the same thing and did not set a default backend which gave him a 503 Service Unavailable error. How To Setup ACME, Let's Encrypt, and HAProxy HTTPS offloading on pfsense - YouTube

@Tmi Yes you are correct. There is no default since the instruction stated “If a backend is selected with actions above or in other shared frontends, no default is needed and this can be left to “None”.” And since there are actions setup to use “Backend” I left this at none. For some reason, if I select either of the two (UnifiController or HomeAssistant) as the default, I get the HAProxy stats page when trying to go to those external assets.

This is with either one of the backends in the default backend section.

The information under Default Backend is a bit confusing and I’m not sure exactly what it means. The wording is confusing to me. But if you watch Tom’s video, as I mentioned in my previous post, you’ll see that he has a default selected.

Default Backend: azkaban

Why it’s worded that way, I don’t know. But regardless you need a Default Backend set. Also, note that it doesn’t have to be one that’s in your ACL/Actions for your Frontend. You can select any one of them that is in your Backend tab.

In regards to your Statistics Report, it’s probably due to health checks that you have configured in your Backend. If it’s configured this way and your backend requires authentication to log in, it’s probably reporting this. See this document for more information and troubleshooting: Troubleshooting the HAProxy Package | pfSense Documentation.

When you add a new backend, Health Checks for HTTP is automatically selected. I am assuming this changed from the default None in current versions of pfSense. If you want Health Checks, see the documentation link above on how to fix your Statistics Report.

If you don’t care about Health Checks, then go into your backend and for the UnifiController and HomeAssistant edit each one and change Health Checks to None.

I don’t know how your servers are set up or configured, but I’m guessing it’s because the Unifi Controller needs authentication. This is why you’re getting this page, because you have Health Checks configured in your Backend. Also, look at the HAProxy Dashboard Widget. This could also give you a clue. If you don’t have that enabled, I strongly suggest enabling it.

Maybe we are looking at this issue incorrectly. I mention this because, based on his very first post:

If I curl the backend from pfSense I get a 503 error also

It is not working when he curls it in pfSense. I performed a curl test on my backend inside pfSense and it works for me.

Then that would be an issue with either the FW rules internally or an issue with the server itself. It would not be an HAProxy issue. Currently his issue at hand is how he has Health Check HTTP configured on that backend in HAProxy. Some servers do not like health checks. You could just disable health checks on the server or disable the configuration in the Backend on HAProxy.
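The triage the last few replies describe (curl the backend directly from the pfSense shell, then curl through the HAProxy frontend, and read the answer) can be scripted so the three outcomes in this thread are told apart mechanically. The script below is an added example written for this page; it is not from the thread, from the pfSense HAProxy package or from any of the posters. The two strings it matches on are HAProxy's own: the body of its stock 503 errorfile ("No server is available to handle this request.") and the title of its stats page ("Statistics Report for HAProxy"). Everything else (the 8443 port, the placeholder IPs and the FQDN) is an assumption to be replaced with your own values. One detail worth knowing when you read the results: frontend ACLs like the "if(unifi)" / "if(lemonha)" rules in the screenshots are usually matched on the HTTP Host header, so a curl to the frontend by bare IP carries no matching Host, falls through to the default backend, and with no default backend set HAProxy answers with its own 503. The third probe therefore uses curl's --resolve so the request carries the public FQDN while still being sent to the LAN-side address.

```shell
#!/bin/sh
# Added triage helper for the pfSense + HAProxy + UniFi case in this thread.
# Assumptions: curl is installed (it is on pfSense), the controller listens on
# 8443 with a self-signed certificate, and the frontend also listens on 8443.

# classify_response STATUS_CODE BODY
# Maps one curl result onto the cases discussed above:
#   000                                  -> curl never got a connection
#   503 + HAProxy's stock 503 body       -> HAProxy answered, but no backend was
#                                           selected (no ACL matched and no
#                                           default backend) or all servers down
#   page titled "Statistics Report ..."  -> you hit HAProxy's stats listener
#   anything else                        -> a real server answered the request
classify_response() {
  code=$1
  body=$2
  if [ "$code" = "000" ]; then
    echo "no-connection"
    return 0
  fi
  case "$body" in
    *"Statistics Report for HAProxy"*)
      echo "haproxy-stats-page"
      return 0 ;;
  esac
  if [ "$code" = "503" ]; then
    case "$body" in
      *"No server is available to handle this request"*)
        echo "haproxy-503-no-backend"
        return 0 ;;
    esac
  fi
  echo "backend-reached"
}

# probe URL [HOST:PORT:ADDRESS]
# Runs curl the way you would by hand from the pfSense shell: -k because the
# UniFi controller's certificate is self-signed, -s to silence progress output,
# --max-time so a black-holed port fails quickly instead of hanging. The optional
# second argument is passed to curl --resolve so the public FQDN is used for the
# Host header and SNI while the packets go to a LAN-side address.
probe() {
  url=$1
  resolve=$2
  tmp=$(mktemp) || return 1
  if [ -n "$resolve" ]; then
    code=$(curl -sk --max-time 5 --resolve "$resolve" -o "$tmp" -w '%{http_code}' "$url") || code=000
  else
    code=$(curl -sk --max-time 5 -o "$tmp" -w '%{http_code}' "$url") || code=000
  fi
  result=$(classify_response "$code" "$(cat "$tmp")")
  rm -f "$tmp"
  echo "$code $result"
}

# Usage (placeholders are assumptions, substitute your own):
#   sh haproxy-triage.sh 192.0.2.10 192.0.2.1 unifi.example.com
# Reading the output:
#   direct probe  = backend-reached      -> server and LAN firewall are fine; look at HAProxy
#   direct probe  = no-connection        -> host firewall, wrong IP/port, or service not listening
#   by-IP probe   = haproxy-503-no-backend -> expected when only host ACLs exist and no default backend
#   FQDN probe    = haproxy-stats-page   -> that address:port is the stats listener, not a frontend;
#                                           check where the HAProxy stats page is bound in Settings
if [ $# -eq 3 ]; then
  unifi_ip=$1
  pfsense_ip=$2
  fqdn=$3
  echo "direct to backend:          $(probe "https://$unifi_ip:8443/")"
  echo "frontend by IP (no Host):   $(probe "https://$pfsense_ip:8443/")"
  echo "frontend with FQDN Host:    $(probe "https://$fqdn:8443/" "$fqdn:8443:$pfsense_ip")"
fi
```

Run it from the pfSense shell (Diagnostics > Command Prompt or SSH) rather than from a LAN client, so the second and third probes exercise the same path HAProxy sees from the outside minus the WAN firewall rule; if the direct probe fails while the GUI works from a browser, the difference is the source address, which points back at a host firewall or a LAN rule.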

@Tmi @reymond070605, I have added a default backend and removed the health check from both. But I still receive the HAProxy Stats page when trying to access those resources externally.

Thank you all for all your help, as I am completely lost as to what is going on.

@reymond070605 Also, now when I curl from pfSense I get the HAProxy Stats page, not the Unifi Controller page.

@Tmi @reymond070605 @LTS_Tom What would be causing pfSense to not be pulling up the local resource. I even set up a simple port 80 Apache, and still, every curl pulls up the HAProxy stats page. And this is with Health Checking disabled.

I even set up a simple port 80 Apache, and still, every curl pulls up the HAProxy stats page

Is this pointing to the same Ubuntu server or to a different one? If you perform a dig to your Unifi website or to the new site you have set up from pfSense, does it show the right IP address?

@reymond070605 This is on the same server as the Unifi controller. If I do a dig from pfSense to the internal address, it responds properly. But if I use the external address or FQDN, it responds with the HAProxy Stats page.

What is the private IP address of your pfSense and your Ubuntu Unifi controller?