pfSense, HAProxy, ACME, NAT? With two servers


I have a system created that of course has evolved over the years but this is what it looks like right now…

Physical server with pfSense which has 2 Ethernet ports, 1 for WAN, 1 for connection to switch for LAN.
Inside the LAN I have a physical server with multiple virtual servers, but two important ones both need to be accessed from outside.

Virtual Server #1: Houses main web page and CRM software (Ubuntu)
Virtual Server #2: Houses Nextcloud (Ubuntu)

They have to be on separate machines because they require different software that clashes when on the same machine.

I want to use HAProxy & ACME to allow this to work because I want to have both using Certificates. I have never fully understood how to fully allow this to work. I currently have the CRM using port forwarding feature from pfSense since I need that secure. I would like to allow pfSense to handle the certs. Does anyone have advice for this?

In the past I used only a webpage on one server and just did port forwarding. Do I still need port forwarding with HAProxy? It seems like there should be something that can read the packets and say “” should redirect traffic to VM #2, and “” points to VM #1.

I hope this makes sense. I really appreciate any light someone can shed on my brain, which seems to be running the little wheel right now.

I cover how to do that in my HA Proxy video

And I have one on using wildcard certificates

You're exactly describing what a reverse proxy offers – the ability to forward connections from a common frontend to different backends based on HTTP address. (HA proxy also does TCP reverse proxy.) A reverse proxy oftentimes functions to offload the TLS connection and then forwards the connection upstream (or to the backend) in an unencrypted manner. If desired, the reverse proxy can re-encrypt to the upstream component; however, this also brings a more complex setup, now with SSL certs installed at both the reverse proxy and upstream.

HA proxy is one reverse proxy; others have used Traefik, Caddy, or nginx. I’ve never had the greatest of luck with HA proxy personally, so I just port forward to a VM running in the DMZ that runs nginx, and I do the reverse proxy from this machine along with the certificate management. Others have used docker instances for the reverse proxy. There are a lot of different ways to attack your problem, but unfortunately you just need to start somewhere. I believe I started using Nginx mostly since at the time I was using it as a reverse proxy for Nextcloud, and Nextcloud has very good documentation on how to set up an nginx or apache reverse proxy. From there I just kind of expanded my knowledge.

@LTS_Tom Thanks for your response. I can get this to work if the sub-domains are on different servers with different IP addresses. However, I have a machine that has docker and the sites are on different ports on the same IP. I can’t get this to work the way the first one does, however.
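As an added example (not anyone's config from this thread), here is the plain haproxy.cfg equivalent of the hostname-routed, TLS-terminating setup the reverse-proxy reply describes, extended to the same-IP, different-port Docker case from the follow-up; the hostnames, addresses, ports and certificate path are constructed placeholders, and the pfSense HAProxy package produces the same kind of file from its GUI.

```haproxy
# Added example, not the thread's config: hostnames, IPs, ports and the PEM path are placeholders.
global
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: let the ACME HTTP-01 challenge through, redirect everything else to HTTPS
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_responder if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Port 443: TLS terminates here with the ACME-issued cert, so the VMs need none
frontend https_in
    bind *:443 ssl crt /var/etc/haproxy/example.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Pick the backend from the Host header the client sends
    acl host_www   req.hdr(host) -i www.example.com
    acl host_cloud req.hdr(host) -i cloud.example.com
    acl host_app_a req.hdr(host) -i app-a.example.com
    acl host_app_b req.hdr(host) -i app-b.example.com
    use_backend vm1_crm       if host_www
    use_backend vm2_nextcloud if host_cloud
    use_backend docker_app_a  if host_app_a
    use_backend docker_app_b  if host_app_b
    # No default_backend: a request for an unknown name gets a 503, not a site

# Two VMs with their own IPs (the original question)
backend vm1_crm
    server vm1 192.0.2.11:80 check
backend vm2_nextcloud
    server vm2 192.0.2.12:80 check

# Follow-up case: one Docker host, same IP, sites on different ports.
# Only the server line differs; routing is still by hostname.
backend docker_app_a
    server app_a 192.0.2.20:8080 check
backend docker_app_b
    server app_b 192.0.2.20:8081 check

# Local ACME client answering HTTP-01 challenges (placeholder port)
backend acme_responder
    server acme 127.0.0.1:8888
```

With HAProxy bound on the WAN side like this, the NAT port forwards for 80 and 443 are replaced by firewall rules that let those ports reach pfSense itself; the Docker backends are reached by HAProxy on the LAN, so nothing on the Docker host needs its own certificate.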