I’ve recently gotten HAProxy set up and I can get one of my sites to work with the SSL Let’s Encrypt certificate I’ve set up, but I’m having some issues with other sites as well as other ports that I think need to be SSL encrypted on the same server [ESXi].
The other servers that I’m trying to SSL encrypt are some Webmin servers [default port 10000] and some other web servers on port 8443.
I thought I set up the backend/frontend properly, as well as a separate DNS entry on the BIND server that is hosting the internal DNS entries. It wasn’t immediately obvious from watching some videos on getting HAProxy set up on pfSense that I needed to have the DNS entry of the server I wanted to point to resolve to the IP address of the pfSense box. I ended up setting up an alternate hostname for the server I wanted to connect to so that it would work with the web aspect of connecting to this server.
I also set up two different frontend/backend entries pointing to two different servers, yet when I use either hostname to connect, both hostnames connect to the same server?
As for the ESXi server, I got the SSL cert to work with that system, but I’d also like to try to connect through VMRC to the hosts, and it looks like I need to SSL encrypt port 902 as well? I tried setting that up with the frontend/backend rules and it totally broke the web access to the ESXi server.
I’m terribly new to all of this so I’m not even sure what might be helpful to try and troubleshoot/clarify things.
Any thoughts or advice would be greatly appreciated!
I have a HAProxy troubleshooting guide, but I have never used it with VMware so I am not sure what extra settings might be needed.
Thanks, Tom. I watched your other two videos previously, which helped tremendously with the general understanding of how to set up HAProxy with pfSense.
I did watch the troubleshooting video a few times, and it finally clicked that the DNS name for the host I wanted to redirect to needed to be set up to point to the IP address of the pfSense system, as well as changing the pfSense SSL port to 10443 so as not to get locked out when HAProxy is running [a quick trip to the CLI on the pfSense box, stopping the service, and changing the port fixed this].
I did set the “NAT Reflection mode for port forwards” to be Pure NAT, “Enable NAT Reflection for 1:1 NAT” is checked, and “Enable automatic outbound NAT for Reflection” is also checked. I think you mentioned that those need to be checked?
Is it required to have as many backend rules as there are hosts that I want to redirect to? Or is that a port specific thing for the backend? Or does it matter?
I am a little annoyed at having to have the pfSense IP address resolving to the hostname of the system I want to connect to. Since I want to reach the systems by their hostnames, I set up a different hostname [hostname-web.domain.name] that points back to the pfSense system and set up the frontend rule to point to that hostname, and the backend rule points to the real IP address of the system.
I will try re-adding what I think needs to be added for the other hosts I want to be redirected through HAProxy.
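For the two questions raised in the thread (why two hostnames end up on the same server, and whether every host needs its own backend), here is an added example of the raw haproxy.cfg equivalent of what the pfSense HAProxy package generates. It is not the poster's configuration or anything from the videos; the hostnames, addresses, certificate and CA paths are constructed placeholders. The point it shows is that one shared frontend listener serves every name that resolves to pfSense, and each name must have its own ACL plus `use_backend` line; without those rules every request falls through to `default_backend`, which is exactly the "both hostnames reach the same server" symptom.

```haproxy
# Added example, not from the thread. All names, addresses and paths are
# constructed placeholders; adjust to the real internal DNS zone and hosts.

global
    log /dev/log local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # One listener terminates TLS for every hostname pointed at pfSense.
    # The cert must cover both names (SAN or wildcard), as the Let's Encrypt
    # cert in the thread would.
    bind :443 ssl crt /var/etc/haproxy/example.pem

    # One ACL per hostname. Matching on the Host header is what selects the
    # backend; a frontend with no use_backend rules sends everything to
    # default_backend regardless of which name the client typed.
    acl host_webmin  req.hdr(host) -i webmin-web.example.internal
    acl host_esxi    req.hdr(host) -i esxi-web.example.internal
    use_backend be_webmin if host_webmin
    use_backend be_esxi   if host_esxi

    # Anything that does not match a known name is refused instead of being
    # handed to whichever backend happens to be first.
    default_backend be_refuse

backend be_webmin
    # One backend per real host (and per port on that host). Webmin itself
    # speaks HTTPS on 10000, so re-encrypt to it and verify its certificate
    # against the internal CA rather than trusting any cert blindly.
    server webmin1 10.0.0.21:10000 ssl verify required ca-file /var/etc/haproxy/internal-ca.pem

backend be_esxi
    server esxi1 10.0.0.10:443 ssl verify required ca-file /var/etc/haproxy/internal-ca.pem

backend be_refuse
    http-request deny

# Port 902 (VMRC) does not carry HTTP, so it cannot be added to the HTTP-mode
# frontend above; doing so is what breaks the listener. If it must go through
# HAProxy at all, it needs its own TCP-mode pair, which passes bytes through
# unchanged (HAProxy adds no TLS here and cannot route by hostname).
frontend vmrc_in
    mode tcp
    bind :902
    default_backend be_esxi_902

backend be_esxi_902
    mode tcp
    server esxi1 10.0.0.10:902
```

The answer to the backend question is therefore "one backend per real host and port, one ACL/use_backend pair per hostname"; a second web server on 8443 would get another `acl`/`use_backend` line in `https_in` and another `backend` with `server ... 10.0.0.x:8443`. Before applying a hand-edited file, `haproxy -c -f /path/to/haproxy.cfg` checks the syntax without starting the service. The `ssl verify required ca-file` lines assume the Webmin and ESXi certificates chain to an internal CA exported to that path; if they are self-signed, import them as the CA file rather than disabling verification.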