pfSense+ACME+HAProxy Ubuntu Unifi Controller Issues

@reymond070605
pfSense: 10.0.13.254
Unifi Controller: 10.0.13.7

I assume on the backend server config for the unifi controller is set to 10.0.137.7? Is that correct?

Also is your pfsense using port 8443 as its own default https port?

Is your Ubuntu Unifi Controller a VM or a physical machine? I ask this because if you're using a VM I'll ask you to create a duplicate of your Ubuntu Unifi Controller and move it into a different network (as long as it is not on the same segment as the pfSense admin interface) just to test a theory I was thinking about.

Yes, the backend is set to the 10.0.13.7 IP address of the Unifi Controller.

No, pfSense does not use 8443 it uses 8181.

This is a VM. But the lemonha I previously mentioned is a physical RaspberryPi, which exhibits the same results.

Is the lemonha sitting on the same IP address segment which is 10.0.13.x?

Yes, everything is on the 10.0.13.0/24 subnet.

I don’t know all the steps you went through in setting it up. That includes what you used for setting up the Unifi Controller. I have questions so I can get a mental picture of how everything is setup.

  1. Are you using a Linux or Windows server for the controller?
  2. What is your DNS for your domain pointing to, including port?
  3. What does the HAProxy dashboard report?
  4. What do the logs report?
  5. For your external access, what rules and ports do you have for your HAProxy on the WAN side?

Also, keep in mind that your HAProxy is using port 8443 and the WebGui for the controller uses 8443. I don’t believe this is an issue but I don’t know what port your lemonha is using either. But to eliminate possibilities you could change your HAProxy to 443.

Here’s another idea for troubleshooting. Create a new Frontend on some random port like 21443, set the default backend to UnifiController, set your cert to the controller and save. For reference use the YT link I have in this post pfSense+ACME+HAProxy Ubuntu Unifi Controller Issues - #10 by Tmi to create your second Frontend.

If you’re getting the same thing, then it’s time to dig through the logs for HAProxy and see what’s going on there.
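For readers following the suggestion above, here is what the layout discussed in this thread looks like as a hand-written HAProxy configuration. This is an added example, not configuration from the thread or from pfSense's HAProxy package (which generates its own haproxy.cfg from the GUI). The addresses, the 8443 ports and the hostname unifi.domainname.com are the ones given in the thread; the certificate paths, the stats credential and the separate stats port are assumptions. The point it illustrates is that the stats page should live on its own LAN-only listener, so that seeing it on the public frontend immediately tells you requests are not reaching the frontend you think they are.

```haproxy
# Added example: hand-written equivalent of the pfSense HAProxy setup under
# discussion. Paths, stats port and credential are placeholders/assumptions.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Stats page on its own LAN-only listener (pfSense LAN address), never on the
# public frontend. If a public request returns this page, it is landing here
# rather than in the intended frontend (wrong bind/port, or an upstream proxy
# such as Cloudflare sending traffic to a port bound to a different listener).
listen stats
    bind 10.0.13.254:1936
    stats enable
    stats uri /
    stats auth admin:CHANGE_ME        # placeholder credential
    stats admin if FALSE

# Public SSL-offloading frontend; the .pem path stands in for the ACME cert.
frontend https_in
    bind :443 ssl crt /var/etc/haproxy/unifi.pem alpn h2,http/1.1
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # Route by Host header; refuse anything that does not match instead of
    # letting it fall through to an unintended default.
    acl host_unifi req.hdr(host) -i unifi.domainname.com
    use_backend unifi if host_unifi
    http-request deny deny_status 421 if !host_unifi

# Test frontend from the suggestion above: same backend on a spare port.
frontend test_21443
    bind :21443 ssl crt /var/etc/haproxy/unifi.pem
    default_backend unifi

# The UniFi controller speaks HTTPS on 8443 with its own (self-signed) cert.
# 'verify required' with an exported copy of that cert is stricter than the
# commonly used 'verify none'; the ca-file path is a placeholder.
backend unifi
    option httpchk GET /status
    http-check expect status 200
    server unifi 10.0.13.7:8443 ssl verify required ca-file /var/etc/haproxy/unifi-controller.crt check
```

In the pfSense GUI the same pieces are the "Stats" tab (separate port, LAN interface only), the Frontend with its ACL/action pair, and the Backend with the SSL and health-check options; the file form just makes the separation between the stats listener and the application frontend explicit.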

Okay, here is what I know.

Is your HomeAssistant server in the same IP range as your pfSense and Unifi Controller?

Okay, so I’m going to attempt to replicate your set up in my environment. It will take some time so that I can set up and configure things. My controller is sitting on a Windows host but I do have it on my list to move it to Ubuntu 20.04 LTS. But give me some time to see if I can replicate.

Yes it is in the same range.

Is it possible for you to either move your Home Assistant or create a duplicate of the Unifi Controller, and move either Home Assistant or the duplicate Unifi Controller into a different IP subnet?

I have just run another test. I spun up a python3 -m http.server on my mac. Created a backend pointing to 10.0.13.9:8000 (no health check), with a port 80 front end. Again, when I attempt to access it externally, it pulls up the HAProxy Stats page. It’s almost like HAProxy isn’t working at all as far as the backends are concerned.

Do you have a host override set in the dns resolver for the unifi.domainname.com?

Yes, I have tried this. All with the same results.

@Tmi @LTS_Tom What’s not making any sense to me right now is, that it appears everything is functioning except for it returning the pages I actually have configured. I can only ever get the HAProxy Stats page to display. The SSL offloading and everything appears to be functioning properly. Even a simple port 80 webserver on another host returns the HAProxy Stats page. This is even with all the suggestions of health checks on and off.

SSL Offload:
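When every backend seems to return the stats page, the useful question is which hop is answering: the backend itself, HAProxy reached directly on the LAN, or the public path that (as it turned out later in this thread) passes through Cloudflare. The script below is an added example, not something posted in the thread: it probes each hop with curl and reports whether the body is HAProxy's statistics page, something else, or an error. The hostname and addresses are the thread's; the use of `--resolve` to force the public name onto the pfSense address, so the same URL can be tested with and without the upstream proxy, is the author's approach here.

```shell
#!/bin/sh
# Added example: locate which hop returns the HAProxy stats page.
# Path under test: client -> (Cloudflare) -> HAProxy on pfSense -> backend.
# Hostname/addresses are from the thread; the stats-page <title> is HAProxy's own.

# Return 0 if the given response body is HAProxy's statistics page.
is_haproxy_stats_page() {
    printf '%s' "$1" | grep -q '<title>Statistics Report for HAProxy</title>'
}

# Fetch a URL body. $2 is an optional host:port:ip mapping for curl --resolve,
# which pins the public hostname to a chosen IP (e.g. pfSense) so the request
# bypasses whatever public DNS points at while still sending the right SNI/Host.
fetch_body() {
    if [ -n "$2" ]; then
        curl -sk --max-time 10 --resolve "$2" "$1"
    else
        curl -sk --max-time 10 "$1"
    fi
}

# Classify one hop: prints "stats", "other" (a non-stats response) or "error"
# (curl could not complete the request).
classify() {
    body=$(fetch_body "$1" "$2") || { echo error; return; }
    if is_haproxy_stats_page "$body"; then echo stats; else echo other; fi
}

main() {
    host=unifi.domainname.com     # hostname from the thread
    pfsense=10.0.13.254           # pfSense / HAProxy address
    backend=10.0.13.7             # UniFi controller address

    # Hop 1: the controller itself, bypassing HAProxy entirely.
    echo "backend direct  : $(classify "https://$backend:8443/" "")"
    # Hop 2: HAProxy on pfSense, reached by name but pinned to the LAN address.
    echo "haproxy on LAN  : $(classify "https://$host:8443/" "$host:8443:$pfsense")"
    # Hop 3: whatever public DNS resolves to (Cloudflare, if proxied).
    echo "via public DNS  : $(classify "https://$host:8443/" "")"
}

# Run the probes only when explicitly requested, e.g. PROBE_RUN=1 sh probe.sh
if [ -n "$PROBE_RUN" ]; then
    main
fi
```

Reading the three lines together localizes the fault: "other / other / stats" points at the public hop in front of HAProxy, "other / stats / stats" at the HAProxy frontend or its bind, and "stats" on the first line would mean the backend address itself is wrong.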

Okay, so I was able to make some progress. Here is what I have done.

At this point, I am able to get Unifi Controller accessible from external via HAProxy. But I am a little concerned about disabling some of the Cloudflare suggested protection. Any suggestions?

Having a double proxy is not really a good idea. I have tried this as well but no success. You should have pointed this out earlier and we could have easily pointed out that it would be the probable cause of your issue.

My apologies, wasn’t trying to waste your time. Didn’t even cross my mind, as Cloudflare was set up that way by default. Happened to find a similar issue posted with that as a resolution.

All good mate, everyone makes mistakes, no one is perfect.

Glad to hear you have made progress. Now that you have narrowed the problem down to Cloudflare, my suggestion to you is to research on the Cloudflare Community site. Start by either searching or posting on the Cloudflare Community. There is this post on the Cloudflare Community, Community Tip - Fixing Error: 503 Service Unavailable / Service Temporarily Unavailable. The community tip does provide some useful tips.

The closest issue I have found that may be related to your issue is 503 Server Unavailable when proxied. However, I doubt that might help since the user never mentioned that they were using HAProxy. Nevertheless, it is something to look into.

My second suggestion, and please do not take this as a negative but as a helpful tip for the future: try and provide as much information about a problem as you can. How it’s set up (diagrams would be good), how it’s connected, relevant firewall rules in place, what OSes are being used, and any external setups. Your initial post never mentioned using Cloudflare. So the focus was only on 67% of the issue, pfSense and HAProxy but not Cloudflare.

Again, this is just helpful advice for the future and not meant to be negative or reprimanding. I can understand why it didn’t cross your mind. But now that you’ve narrowed the issue down, you know what and where to search for potential answers. Searching in this forum can help, but I do strongly suggest searching on the Cloudflare Community forum, as the issue is related to Cloudflare and not directly related to pfSense or HAProxy.

I would, however, be curious to know if you do find answers / solutions with Cloudflare, because posting them in this forum could help someone in the future.