Tips for setting up HAProxy on pfsense with Cloudflare

I’m trying to set up HAProxy as a reverse proxy for SSL offloading to access an internal web server.

HAProxy is being run on pfsense (developmental version) and I’m using cloudflare as my DNS Provider.

I have SSL certs for my domain which I’ve installed on pfsense with the ACME plugin.

I’m having difficulty setting up the firewall rules for the reverse proxy.
The reverse proxy is supposed to listen on WAN port 80/443 (80 will be redirected to port 443), do the SSL offloading, and then forward the HTTP requests to an internal web server at 10.0.1.158:80.

Cloudflare complicates things since they are already running a reverse proxy. Does this reverse proxy need access to the HA proxy machine or the actual web server?

I’m really confused and so far no one at cloudflare forums can really help.

Did you ever figure this out? I’m currently getting 525 - SSL Handshake errors on Cloudflare’s end.

Yikes – I did have it working at some point but I unfortunately ended up ditching HA proxy and just ran an nginx reverse proxy instead.

I don’t remember exactly but I believe I had to add Cloudflare reverse proxy domains as possible sources.

I made an alias for CloudflareReverseProxyNetworks and added these as values: 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17

I added firewall rules to allow these to have access to HA:


I don’t exactly remember what I did after this to be honest. I remember I found a post on Google about this, or possibly it was on the Cloudflare forums.

My problem was HA kept having problems with intermittently saying it couldn’t find my backend servers. Because of this I just ended up using nginx as the proxy.

Sorry I couldn’t be of more help. Hopefully that’s enough to get started with.
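The alias above only does its job if the WAN rule in front of HAProxy really admits nothing but Cloudflare's proxy ranges, and if the origin only trusts the client address Cloudflare reports when the TCP peer is in those ranges. The following script is an added example, not code from this thread or from pfSense, HAProxy or Cloudflare: it loads the ten networks listed in the alias, checks a source address against them the way the firewall rule does, returns the real client address only when the peer is Cloudflare (the CF-Connecting-IP header is Cloudflare's; anyone connecting directly could set it themselves), and scans a few constructed HAProxy-style log lines for connections that bypassed Cloudflare. The log lines, the addresses in them and the function names are assumptions made for the example, and the range list is a snapshot from the thread rather than Cloudflare's current published list.

```python
import ipaddress
import re

# Cloudflare IPv4 ranges exactly as listed in the thread's pfSense alias
# "CloudflareReverseProxyNetworks". Cloudflare publishes the current list;
# treat this copy as a snapshot, not the authoritative source.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17",
)]

# Constructed sample of HAProxy httplog lines as pfSense would ship them to
# syslog (assumed format; addresses are documentation/test addresses).
LOG_SAMPLE = """\
Mar 3 10:01:02 pfsense haproxy[2231]: 173.245.48.10:51234 [03/Mar/2024:10:01:02.123] https_in~ web_backend/web1 0/0/1/4/5 200 512 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Mar 3 10:01:05 pfsense haproxy[2231]: 203.0.113.7:40001 [03/Mar/2024:10:01:05.456] https_in~ web_backend/web1 0/0/0/3/3 200 512 - - ---- 1/1/0/0/0 0/0 "GET /admin HTTP/1.1"
Mar 3 10:01:09 pfsense haproxy[2231]: 198.41.200.33:43210 [03/Mar/2024:10:01:09.789] https_in~ web_backend/web1 0/0/0/2/2 200 512 - - ---- 1/1/0/0/0 0/0 "GET /about HTTP/1.1"
"""

# Matches the "client_ip:port [" token that follows the process name.
_SRC_RE = re.compile(r"haproxy\[\d+\]: (\S+):\d+ \[")


def is_cloudflare(ip: str) -> bool:
    """True if ip falls inside one of the alias networks, i.e. what the pfSense
    WAN rule decides before a packet is allowed to reach HAProxy."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never "in" an IPv4 network, so it is rejected here.
    return any(addr in net for net in CLOUDFLARE_RANGES)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address to log and rate-limit on.

    CF-Connecting-IP is honoured only when the TCP peer is one of Cloudflare's
    proxies; for any other peer the header is attacker-controlled and the
    peer address itself is the only trustworthy value."""
    if not is_cloudflare(peer_ip):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    return lowered.get("cf-connecting-ip", peer_ip)


def direct_hits(log_lines) -> list:
    """Return the sorted, de-duplicated source addresses that reached HAProxy
    without coming through Cloudflare. Any hit here means the WAN rule admits
    more than the alias, or the origin address has leaked and is being
    contacted directly."""
    offenders = set()
    for line in log_lines:
        m = _SRC_RE.search(line)
        if not m:
            continue  # not an httplog request line (e.g. a server state message)
        src = m.group(1)
        if not is_cloudflare(src):
            offenders.add(src)
    return sorted(offenders)


if __name__ == "__main__":
    print("direct hits:", direct_hits(LOG_SAMPLE.splitlines()))
    print("real client:", client_ip("173.245.48.10", {"CF-Connecting-IP": "198.51.100.9"}))
```

Running it against the constructed log reports 203.0.113.7 as a direct hit (it is in no Cloudflare range) while 198.41.200.33 passes, since it sits inside 198.41.128.0/17. The same membership test is what the pfSense alias rule performs per packet; the header check is the application-layer counterpart that the firewall rule alone does not give you.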

Thanks for the reply. I have those IPs as an alias already and I can get it working over HTTP. I think my problem is something with the ACME cert and one of the Cloudflare API keys. The cert generates fine, but I feel like I’m missing something on Cloudflare’s end.

I may have a working solution if you are still doing this.

Please send it along! Preferably with screenshots.