Please help with HAProxy

Hi Guys,

I have been struggling with this issue for about 3 days now and it's driving me nuts. I'm trying to get HAProxy to talk to an Ubuntu server on port 443. I have done a lot of research on trying to resolve the issue, and I know it's probably something small that I'm not setting.

So I created a VIP for HAProxy and set all the correct parameters. The DNS resolver IP inside the HAProxy backend configuration is correct; I verified it quite a few times. Then in the frontend, when I set it to port 443 with SSL offloading, set the ACL and actions correctly, and set my ACME cert and an additional internal cert (which has a Root CA and Intermediate CA), I am not able to get to the site internally (I want it to traverse my internal network first for testing before setting up Cloudflare). This is from any device, even an incognito window in Chrome, as well as different browsers. The moment I set the port to '80', untick SSL offloading and refresh, the site works everywhere and loads correctly. I tried setting it to port 443 without SSL offloading and it stops working. I changed certificates around to use only the internal cert and to use only the ACME cert; it still doesn't work. I then went further, digging around to adjust settings and a LAN firewall rule to the VIP of HAProxy for port 443, and adjusted the health check from none to basic to HTTP and vice versa. On the STATS FS I continually get L7OK200, whether it is on port 80 or port 443. I checked the logs and I can see my machine IP going to the VIP on port 80, but there is no log information for port 443 when I refresh. I took it another step further: I have a TrueNAS server running NPM (nginx proxy manager), which also has the internal cert issued by pfSense, and that works fine. I then disabled it in NPM and pointed everything to the VIP of HAProxy, including adding the ACME cert and the internal cert, on port 443 with SSL offloading. That works, but the Ubuntu server doesn't. Changing it back to port 80 with SSL offloading, the Ubuntu server works and the TrueNAS server doesn't. I am literally at a loss, and I know it might be something so small that I'm overlooking.

Please, if anyone has a solution it would be greatly appreciated. I can drop screenshots if requested; I don't want to just drop images of everything if it isn't needed.

Kind Regards

I have this guide here that goes over all the settings for HAProxy, but I have not tried it using a VIP; I just used an IP assigned to the pfSense. Also be sure to change the port that the pfSense web interface is on.

I also have this guide covering how SSL and DNS work together.

Hi Tom,

Thanks for your response. I went through the content again as before and I'm still coming up short. I have attached screenshots; maybe I'm missing something that is not jumping out at me which could be the cause. Once again, thank you for the assistance.

dig media02.gtcnet.co.za

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> media02.gtcnet.co.za
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9095
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1424
;; QUESTION SECTION:
;media02.gtcnet.co.za. IN A

;; ANSWER SECTION:
media02.gtcnet.co.za. 3600 IN A 192.168.1.99

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Wed Feb 11 12:47:55 SAST 2026
;; MSG SIZE rcvd: 65

Apologies, I forgot to mention: when I change it to port 80 with SSL offloading on, it fails as well, but then at least I get logs. Removing SSL offloading, as stated, then I can get to the site again internally.

I don't get why you are binding to 0.0.0.0, as that is not how I do it in the video.

So it's ipv4any; even if I bind it to the VIP it doesn't work either.

Does it work if you bind it to a LAN IP?

No, it doesn't work if I bind to LAN either.

Even if I bind to 127.0.0.1:443 with SSL offloading it doesn't work either; it only works on port 80 with any selection I make.

Okay, so I created a new VM with Ubuntu and HAProxy is on there. I did the config; it works on port 80, but I'm getting proper errors now, 503, when trying to access via HTTP. I installed my self-signed cert, root and intermediate CA, so it should work on HTTPS since my PC trusts the root and intermediate CA.

2026-02-11T18:47:46.749935+00:00 haproxy01 haproxy[8745]: [NOTICE] (8745) : Loading success.
2026-02-11T18:47:55.747699+00:00 haproxy01 haproxy[8747]: 192.168.1.112:55630 [11/Feb/2026:18:47:55.746] http-in http-in/ -1/-1/-1/-1/0 503 216 - - SC-- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
2026-02-11T18:47:56.083140+00:00 haproxy01 haproxy[8747]: 192.168.1.112:50215 [11/Feb/2026:18:47:56.082] http-in http-in/ -1/-1/-1/-1/0 503 216 - - SC-- 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
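Those two 503 lines say more than the status code alone, and decoding them is cheaper than changing more settings. What follows is an added example, not code from the thread, pfSense or HAProxy: a parser for HAProxy's `option httplog` line layout that pulls out the timers and the four-character termination state and turns them into a plain diagnosis. The sample input is the two lines above plus one constructed healthy line. One assumption is baked in: on the forum page the server field reads `http-in/` with nothing after the slash; HAProxy writes `<NOSRV>` there when no server was chosen, and angle-bracket tokens are routinely swallowed by HTML rendering, so an empty server field is treated as `<NOSRV>`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the two 503 lines from the thread, plus one constructed line showing a
# healthy TLS-offloaded request ("~" after the frontend name marks an SSL frontend).
SAMPLE_LINES = [
    '2026-02-11T18:47:55.747699+00:00 haproxy01 haproxy[8747]: 192.168.1.112:55630 '
    '[11/Feb/2026:18:47:55.746] http-in http-in/ -1/-1/-1/-1/0 503 216 - - SC-- '
    '2/2/0/0/0 0/0 "GET / HTTP/1.1"',
    '2026-02-11T18:47:56.083140+00:00 haproxy01 haproxy[8747]: 192.168.1.112:50215 '
    '[11/Feb/2026:18:47:56.082] http-in http-in/ -1/-1/-1/-1/0 503 216 - - SC-- '
    '1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"',
    # Constructed (not from the thread): named server, timers >= 0, clean "----" state.
    '2026-02-11T19:23:10.000000+00:00 haproxy01 haproxy[8747]: 192.168.1.112:55700 '
    '[11/Feb/2026:19:23:10.000] https-in~ media_backend/media02 0/0/1/52/53 200 5331 '
    '- - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
]

# "option httplog" field order (HAProxy configuration manual, section 8.2.3).
# search() rather than match() so any syslog prefix is skipped.
LOG_RE = re.compile(
    r'(?P<client_ip>[0-9A-Fa-f.:]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) '
    r'(?P<backend>[^/ ]+)/(?P<server>\S*) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes_read>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) '
    r'"(?P<request>[^"]*)"'
)

# Termination state, first character: what ended the session.
TERM_CAUSE = {
    'C': 'client aborted the TCP session', 'S': 'server aborted or refused the TCP session',
    'P': 'proxy aborted the session (deny rule, limit or security check)',
    'L': 'request handled locally by HAProxy', 'R': 'proxy resource exhausted',
    'I': 'internal error in the proxy', 'D': 'session killed because the server went DOWN',
    'U': 'backup session killed because an active server came UP',
    'K': 'session killed by an administrator', 'c': 'client-side timeout expired',
    's': 'server-side timeout expired', '-': 'normal completion',
}
# Second character: which phase the session was in at that moment.
TERM_PHASE = {
    'R': 'waiting for a complete request from the client',
    'Q': 'queued waiting for a connection slot',
    'C': 'waiting for the connection to the server to establish',
    'H': 'waiting for or processing server response headers', 'D': 'in the data phase',
    'L': 'sending last data to the client', 'T': 'request tarpitted',
    '-': 'after end of data transfer',
}


@dataclass
class HaproxyHttpLog:
    client_ip: str
    client_port: int
    accept_date: str
    frontend: str
    backend: str
    server: str
    TR: int      # time to receive the full request
    Tw: int      # time spent in queues
    Tc: int      # time to connect to the server (-1: never attempted/established)
    Tr: int      # time for the server to send response headers
    Ta: int      # total active time
    status: int
    bytes_read: int
    term: str    # four-character termination state, e.g. "SC--"
    retries: int
    request: str

    @property
    def ssl_frontend(self) -> bool:
        return self.frontend.endswith('~')  # HAProxy appends "~" for SSL connections

    @property
    def no_server(self) -> bool:
        # Assumption: an empty field is "<NOSRV>" with the brackets stripped by HTML.
        return self.server in ('', '<NOSRV>')


def parse_line(line: str) -> Optional[HaproxyHttpLog]:
    line = line.replace('\u201c', '"').replace('\u201d', '"')  # undo forum smart quotes
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return HaproxyHttpLog(
        client_ip=g['client_ip'], client_port=int(g['client_port']),
        accept_date=g['accept_date'], frontend=g['frontend'],
        backend=g['backend'], server=g['server'],
        TR=int(g['TR']), Tw=int(g['Tw']), Tc=int(g['Tc']), Tr=int(g['Tr']), Ta=int(g['Ta']),
        status=int(g['status']), bytes_read=int(g['bytes_read']), term=g['term'],
        retries=int(g['retries'].lstrip('+')), request=g['request'],
    )


def diagnose(rec: HaproxyHttpLog) -> str:
    cause, phase = rec.term[0], rec.term[1]
    if cause == '-' and phase == '-':
        return 'completed normally'
    if cause == 'S' and phase == 'C' and rec.no_server:
        # HAProxy's own 503: no backend connection was ever opened (Tc = -1) because the
        # backend had no usable server at that moment.
        return (f'503 generated by HAProxy: no server available in backend "{rec.backend}" '
                f'(backend empty, every server DOWN, or the ACL routed the request to a '
                f'backend with no usable server); Tc={rec.Tc}')
    if cause == 'S' and phase == 'C':
        return f'server "{rec.server}" refused or reset the TCP connection'
    if cause == 's' and phase == 'C':
        return f'connect timeout reaching server "{rec.server}"'
    return f'{TERM_CAUSE.get(cause, "unknown cause")} while {TERM_PHASE.get(phase, "in an unknown phase")}'


def triage(lines: List[str]) -> List[dict]:
    """Parse each line and attach a diagnosis; lines that do not parse are skipped."""
    rows = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rows.append({'client': rec.client_ip, 'frontend': rec.frontend, 'ssl': rec.ssl_frontend,
                     'server': rec.server or '<NOSRV>', 'status': rec.status,
                     'term': rec.term, 'diagnosis': diagnose(rec)})
    return rows


if __name__ == '__main__':
    for row in triage(SAMPLE_LINES):
        print(f"{row['client']:>15} {row['frontend']:<10} {row['server']:<10} "
              f"{row['status']} {row['term']}  {row['diagnosis']}")
```

Run against the two posted lines it reports an `SC--` state with `Tc=-1` and no server, which is HAProxy answering 503 by itself rather than the Ubuntu box refusing anything; the thing to check at that point is the backend's server list and health state on the stats page, not the frontend certificate.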

I rebooted both servers and I am now able to curl from the media server to HAProxy and get a valid cert back.

root@media02:~# telnet 192.168.1.18 443
Trying 192.168.1.18...
Connected to 192.168.1.18.
Escape character is '^]'.
^]
telnet> q
Connection closed.
root@media02:~# nc -zv 192.168.1.18 443
Connection to 192.168.1.18 443 port [tcp/https] succeeded!
root@media02:~# curl -v https://192.168.1.18
*   Trying 192.168.1.18:443...
* Connected to 192.168.1.18 (192.168.1.18) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=media02.gtcnet.co.za; C=ZA; ST=Western Cape; L=Stellenbosch; O=Home Network
*  start date: Feb 10 10:08:11 2026 GMT
*  expire date: Feb 10 10:08:11 2027 GMT
*  subjectAltName does not match 192.168.1.18
* SSL: no alternative certificate subject name matches target host name '192.168.1.18'
* Closing connection
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name '192.168.1.18'
More details here: curl - SSL CA Certificates
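The curl failure above is an identity mismatch, not a trust or handshake problem: the handshake completed and the chain verified, but the URL named an IP literal while the certificate carries a DNS name, so curl (correctly) refuses to treat the server as the one it asked for. The block below is an added example, not code from the thread, curl or HAProxy; it reimplements the subjectAltName matching rules a TLS client applies (exact DNS match, case-insensitive, single leftmost-label wildcard, and IP literals matched only against iPAddress entries) so the two outcomes in the thread can be reproduced offline. It assumes the certificate's SAN is `DNS:media02.gtcnet.co.za`, since the thread only shows the subject CN.

```python
import ipaddress
from typing import List, Optional, Tuple

# Identity of the certificate shown in the curl output. The dNSName SAN is an assumption
# (the thread prints only "subject: CN=media02.gtcnet.co.za"); the iPAddress list is empty,
# which is exactly what "subjectAltName does not match 192.168.1.18" implies.
CERT_DNS_NAMES = ["media02.gtcnet.co.za"]
CERT_IP_ADDRS: List[str] = []


def _as_ip(text: str) -> Optional[ipaddress._BaseAddress]:
    """Return an IP object if the text is an IP literal (IPv6 may be bracketed), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match a dNSName SAN against a hostname the way browsers and curl do."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard is only honoured as the entire leftmost label, with at least two
    # labels after it ("*.com" is rejected) and no wildcard anywhere else.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # "*" covers exactly one label: a.b.example.com does not match *.example.com.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def identity_matches(target: str, san_dns: List[str], san_ip: List[str]) -> Tuple[bool, str]:
    """Decide whether a certificate with the given SANs is valid for the requested target.

    Returns (ok, reason). IP literals are compared only against iPAddress SANs; the CN
    and dNSName entries never satisfy an IP target, which is the thread's failure mode.
    """
    ip = _as_ip(target)
    if ip is not None:
        for cand in san_ip:
            if _as_ip(cand) == ip:
                return True, f"iPAddress SAN {cand} matches {target}"
        return False, (f"'{target}' is an IP literal and the certificate has no iPAddress SAN "
                       f"for it; its DNS names ({', '.join(san_dns) or 'none'}) cannot match an IP")
    for name in san_dns:
        if _dns_name_matches(name, target):
            return True, f"dNSName SAN {name} matches {target}"
    return False, f"no dNSName SAN matches '{target}' (present: {', '.join(san_dns) or 'none'})"


if __name__ == "__main__":
    for target in ("192.168.1.18", "media02.gtcnet.co.za"):
        ok, why = identity_matches(target, CERT_DNS_NAMES, CERT_IP_ADDRS)
        print(f"{target:<22} {'OK ' if ok else 'FAIL'}  {why}")
```

When you need to test a specific VIP or backend address without disabling verification, keep the hostname in the URL and pin the address instead, e.g. `curl -v --resolve media02.gtcnet.co.za:443:192.168.1.18 https://media02.gtcnet.co.za`; that sends the right SNI, verifies the right name, and still reaches the address you chose.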

curl https://media02.gtcnet.co.za

Security Warning: Script Execution Risk
Invoke-WebRequest parses the content of the web page. Script code in the web page might be run when the page is
parsed.
RECOMMENDED ACTION:
Use the -UseBasicParsing switch to avoid script code execution.

  Do you want to continue?

[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): a

StatusCode : 200
StatusDescription : OK
Content : <meta name="viewport" co
ntent="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no,viewport
-f...
RawContent : HTTP/1.1 200 OK
x-response-time-ms: 52.3035
Accept-Ranges: bytes
Content-Length: 5331
Cache-Control: no-cache
Content-Type: text/html
Date: Wed, 11 Feb 2026 19:23:10 GMT
ETag: "1dc88dfb761cd53"...
Forms : {}
Headers : {[x-response-time-ms, 52.3035], [Accept-Ranges, bytes], [Content-Length, 5331], [Cache-Control,
no-cache]…}
Images : {}
InputFields : {}
Links : {}
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 5331

I'm getting this back from my local machine when doing a curl.

Fixed the problem. Turns out there was a caching issue on the browsers I was using; I cleared all cache and it's working. Thanks Tom for the support and assistance.
