pfSense + HAProxy + Multiple IP addresses from ISP

I am trying to setup HAProxy for the first time. I am trying to utilize HAProxy/LetsEncrypt Certs on a number of websites that are only http at the moment. I have a /29 block of IP’s from my ISP and have a few servers using them for various services. I have an Exchange Server using a SSL cert (loaded on the server) using a standard NAT and corresponding rules.

Are there any instructions on how to setup the rules for using HAProxy/LetsEncrypt on one of the available provided IP’s, while leaving the static NAT and cert as is? I have searched, but so far come up empty.


I bound the HAProxy to the WAN IP, but you can bind it to any IP that you have attached to the WAN. As for the rules, you can either use port 80/443 for NAT or HAProxy on any given IP, but not both.

Thanks for responding Tom!

OK, I see where I can specify one of my WAN VIPs in the front-end configuration. Perfect!

Can you use a wildcard cert or should you use a cert for each site your going to expose?

Thanks Again!

I would use wildcard certs

OK, still not having success. I think I’m close, but still not working.

Here are the settings I have set (Anonymized).

Sorry about the multiple posts, it is limiting me to one image per post (per design).


Your rule for WAN destination should be the VIP address that you bind HAProxy to.

It’s only giving me these options:

Like this?

yes, you should have the IP there.

I got HAProxy working finally! I was able to get my inside/outside servers working following the first video. Works great! Originally I was trying to use a wildcard cert instead of creating a cert for each URL (thought it was going to save me time, It didn’t). I’m not sure if using a wildcard cert for public facing services is good practice or even works, so in the end I reverted to a cert for each thing I wanted to expose.

When following the second video to get a wildcard cert working internally, at the 8:00 minute mark of the video (configuring the backend) I had to fill in the Certificate information in the Server List to get the Wildcard cert to work for me (you skipped it).

Mine looks like this:

I’m not sure why it wouldn’t work without including it, but it works, so I’m happy.

Thanks again, I appreciate the hints here on the forums and love the content you put up on YouTube.


1 Like