Tips for setting up HAProxy on pfSense with Cloudflare

I’m trying to set up HAProxy as a reverse proxy for SSL offloading to access an internal web server.

HAProxy is being run on pfSense (development version) and I’m using Cloudflare as my DNS provider.

I have SSL certs for my domain which I’ve installed on pfSense with the ACME plugin.

I’m having difficulty setting up the firewall rules for the reverse proxy.
The reverse proxy is supposed to listen on WAN ports 80/443 (80 will be redirected to port 443), do the SSL offloading, and then forward the HTTP requests to an internal web server at 10.0.1.158:80.

Cloudflare complicates things since they are already running a reverse proxy. Does this reverse proxy need access to the HAProxy machine or the actual web server?

I’m really confused and so far no one at cloudflare forums can really help.

Did you ever figure this out? I’m currently getting 525 - SSL Handshake errors on Cloudflare’s end.

Yikes – I did have it working at some point, but I unfortunately ended up ditching HAProxy and just ran an nginx reverse proxy instead.

I don’t remember exactly, but I believe I had to add the Cloudflare reverse proxy domains as possible sources.

I made an alias for CloudflareReverseProxyNetworks and added these as values: 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17

I added firewall rules to allow these to have access to HAProxy:

I don’t exactly remember what I did after this, to be honest. I remember I found a post about this on Google, or possibly it was on the Cloudflare forums.

My problem was that HAProxy kept intermittently saying it couldn’t find my backend servers. Because of this I just ended up using nginx as the proxy.

Sorry I couldn’t be of more help. Hopefully that’s enough to get started with.
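To show what the alias in the post above amounts to on the HAProxy side, here is an added example (not from any poster in this thread) of restricting the HTTPS frontend to the same Cloudflare ranges inside HAProxy itself, and of recovering the visitor's real address from the CF-Connecting-IP header that Cloudflare adds. It assumes the ranges are saved one per line at /etc/haproxy/cloudflare_ipv4.lst and that the certificate lives at /var/etc/haproxy/example.com.pem; both paths, the hostname and the backend name are made up for the example. Cloudflare publishes the current IPv4 list at https://www.cloudflare.com/ips-v4 and a separate IPv6 list at https://www.cloudflare.com/ips-v6, so the list quoted above is IPv4-only and should be refreshed from there.

```haproxy
# Added example, not from the original posts. Restrict the frontend to
# Cloudflare's edge ranges and take the client address from CF-Connecting-IP.
# Assumed paths: /etc/haproxy/cloudflare_ipv4.lst (one prefix per line, the
# same ranges as the CloudflareReverseProxyNetworks alias above) and
# /var/etc/haproxy/example.com.pem (cert + chain + key in one file).

frontend https_in
    bind :443 ssl crt /var/etc/haproxy/example.com.pem
    mode http

    # Load the prefixes from the file; the ACL is true when the TCP source
    # address of the connection falls inside any of them.
    acl from_cloudflare src -f /etc/haproxy/cloudflare_ipv4.lst

    # Drop every connection that did not arrive through Cloudflare's proxy.
    # Without this (or the equivalent pfSense firewall rule) anyone who learns
    # the WAN address can talk to HAProxy directly and bypass Cloudflare.
    tcp-request connection reject if !from_cloudflare

    # Cloudflare puts the browser's address in CF-Connecting-IP. Only trust the
    # header on connections already proven to come from Cloudflare, since any
    # other client could send a forged one.
    http-request set-src req.hdr(CF-Connecting-IP) if from_cloudflare

    # Tell the application which scheme the browser used, so it builds https
    # links even though the hop behind HAProxy is plain HTTP.
    http-request set-header X-Forwarded-Proto https

    default_backend internal_web

backend internal_web
    mode http
    # X-Forwarded-For now carries the address set-src recovered, not the edge.
    option forwardfor
    server web1 10.0.1.158:80 check
```

The firewall alias and this ACL do the same job at different layers; the reason to have at least one of them is that SSL offloading on the WAN otherwise leaves the origin reachable by anyone who finds its address. In the pfSense HAProxy package these lines belong in the frontend's and backend's advanced pass-through text boxes rather than a hand-edited file, because the package regenerates haproxy.cfg on every save.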

Thanks for the reply. I have those IPs as an alias already and I can get it working over HTTP. I think my problem is something with the ACME cert and one of the Cloudflare API keys. The cert generates fine, but I feel like I’m missing something on Cloudflare’s end.

I may have a working solution if you are still doing this

Please send it along! Preferably with screenshots.

Hi… can you do a full write-up on this setup, please?

On my homelab setup I have pfSense (double NAT) with HAProxy and a Google domain with Cloudflare DNS. I have configured Let’s Encrypt certs with ACME, and it seems fine generating certs with the Cloudflare API.

My dynamic DNS is regularly updated at cloudflare end.

I get a 522 error on my site and can’t figure out what I am doing wrong.

Help needed.

I am wishing to get HAProxy to work with Cloudflare for secure websites. I started off by watching several different video tutorials and thought I had things working, but I am getting either 522 errors or 526 errors. I had created my ACME Account Key and then created a certificate for my primary domain name. It appears that the certificate is valid. Do I need to create a different certificate for each sub-domain? When I create sub-domains using the primary domain name certificate, I get either 522 errors or 526 errors, depending on my settings on Cloudflare. If I set “SSL/TLS encryption mode” to “Full” or “Full (strict)” and I set the HAProxy Frontend to secure (port 443), I get timeout errors (522). If I go into the Edge Certificate portion and select “Always Use HTTPS”, I get 526 errors. So far, the ONLY thing I’ve been successful at setting up is creating an insecure Frontend (port 80) and sending incoming web requests to an insecure server, when I obviously change the “SSL/TLS encryption mode” to “Flexible” or “Off”.

I feel as if I’m on the verge of figuring this out but have one hurdle that I can’t see in my way. I would really like to stop seeing those annoying self-signed certificate warnings in my browser when logging into different personal servers and maybe even a couple I’d like to access from outside my home network.
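Putting together the pieces described in the first post (listen on WAN 80 and 443, redirect 80 to 443, terminate TLS with the ACME certificate, forward plain HTTP to 10.0.1.158:80) and asked for again in the post just above, here is an added example of the haproxy.cfg that setup corresponds to. It is not from any poster; the certificate path, the hostname example.com and the frontend/backend names are assumptions, and pfSense's HAProxy package generates a file like this from its GUI rather than having you write it. It is the configuration Cloudflare's "Full (strict)" mode expects: the certificate HAProxy presents on 443 is a publicly trusted one for the same hostname Cloudflare proxies. For reading the Cloudflare errors mentioned above: a 522 means the edge could not complete a TCP connection to the origin on the port for the chosen mode, which points at the firewall rule or port forward rather than the certificate; a 526 means the edge did reach port 443 but rejected the certificate it was shown (self-signed, expired, or issued for a different name); a 525 means the TLS handshake itself failed.

```haproxy
# Added example of the haproxy.cfg equivalent of the setup in this thread.
# Not from any poster. Assumed: the PEM at /var/etc/haproxy/example.com.pem
# holds the server certificate, the Let's Encrypt chain and the private key.
global
    log /var/run/log local0          # FreeBSD/pfSense syslog socket
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor               # add X-Forwarded-For with the client address
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80: its only job is to send everyone to https. No HTTP-01 challenge
# path is needed here because the posters issue certs via Cloudflare DNS-01.
frontend http_in
    bind :80
    http-request redirect scheme https code 301

# Port 443: TLS terminates here (the "SSL offloading"). The certificate's name
# must match the hostname Cloudflare proxies, otherwise Full (strict) gives 526.
frontend https_in
    bind :443 ssl crt /var/etc/haproxy/example.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(Host)]
    default_backend internal_web

# Plain HTTP to the internal server; this hop is not re-encrypted, so the
# offloaded connection is exposed only on the internal network.
backend internal_web
    server web1 10.0.1.158:80 check
```

Two caveats. First, this config only works with Cloudflare in "Full" or "Full (strict)": in "Flexible" mode the edge fetches the origin over port 80, receives the 301 to https, and the browser ends up in a redirect loop. Second, a wildcard or per-subdomain certificate is a separate question from the errors: HAProxy will happily serve a certificate whose name does not match the request, and Cloudflare's edge is what notices the mismatch and returns 526, so each proxied hostname needs to be covered by the certificate bound on 443 (a single cert with several SANs or a wildcard both work).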