pfSense + HAProxy + Multiple IP addresses from ISP

Networking & Firewalls
1

I am trying to setup HAProxy for the first time. I am trying to utilize HAProxy/LetsEncrypt Certs on a number of websites that are only http at the moment. I have a /29 block of IP’s from my ISP and have a few servers using them for various services. I have an Exchange Server using a SSL cert (loaded on the server) using a standard NAT and corresponding rules.

Are there any instructions on how to setup the rules for using HAProxy/LetsEncrypt on one of the available provided IP’s, while leaving the static NAT and cert as is? I have searched, but so far come up empty.

Thanks

2

I bound the HAProxy to the WAN IP, but you can bind it to any IP that you have attached to the WAN. As for the rules, you can either use port 80/443 for NAT or HAProxy on any given IP, but not both.

3

Thanks for responding Tom!

OK, I see where I can specify one of my WAN VIPs in the front-end configuration. Perfect!

Can you use a wildcard cert or should you use a cert for each site your going to expose?

Thanks Again!

4

I would use wildcard certs

5

OK, still not having success. I think I’m close, but still not working.

Here are the settings I have set (Anonymized).

HTTP Rule
HTTP Rule1275×3300 208 KB

6

HTTPS Rule
HTTPS Rule1275×3300 206 KB

7

HAProxy Settings
HAProxy Settings1275×6600 540 KB

8

Frontend (http to https)
Frontend (http to https)1275×4950 476 KB

9

HTTPS Frontend
HTTPS Frontend1275×8250 758 KB

10

HTTPS Backend
HTTPS Backend1275×2968 342 KB

Sorry about the multiple posts, it is limiting me to one image per post (per design).

:grimacing:

11

Your rule for WAN destination should be the VIP address that you bind HAProxy to.

12

It’s only giving me these options:

Rule Options
Rule Options915×946 121 KB

13

Like this?

WAN Rule #2
WAN Rule #2871×841 112 KB

14

yes, you should have the IP there.

15

I got HAProxy working finally! I was able to get my inside/outside servers working following the first video. Works great! Originally I was trying to use a wildcard cert instead of creating a cert for each URL (thought it was going to save me time, It didn’t). I’m not sure if using a wildcard cert for public facing services is good practice or even works, so in the end I reverted to a cert for each thing I wanted to expose.

When following the second video to get a wildcard cert working internally, at the 8:00 minute mark of the video (configuring the backend) I had to fill in the Certificate information in the Server List to get the Wildcard cert to work for me (you skipped it).

Mine looks like this:

Services_ HAProxy_ Backend_ Edit
Services_ HAProxy_ Backend_ Edit1713×502 22.8 KB

I’m not sure why it wouldn’t work without including it, but it works, so I’m happy.

Thanks again, I appreciate the hints here on the forums and love the content you put up on YouTube.

Kyle

1 Like