HAProxy in pfSense as a Reverse Proxy

I run a virtualized Nextcloud server on my home server and it has its own domain that is forwarded to my home IP.  While playing with Nextcloud, I ran across OnlyOffice and set up another virtual server running the OnlyOffice Document Server.  The problem I ran into is that pfSense forwarded all incoming traffic to my home IP to the Nextcloud server only, and I had no way of forwarding traffic for the OnlyOffice server to it on its own subdomain.  Basically I wanted:

myserver.com -> Nextcloud 10.1.10.10

onlyoffice.myserver.com -> OnlyOffice 10.1.10.11


Since I’m not really an expert on this, I didn’t know that a reverse proxy is what I needed to make this happen.  After digging a little I found that pfSense has an HAProxy package: it can take the incoming traffic to the home IP, look at which host name it was intended for (myserver.com or onlyoffice.myserver.com) and forward it to the correct server on my network.

Forwarding Subdomains in 1&1

I use 1&1 for my web hosting and registering my domain names.  They allow 9,999 subdomains which should be enough!  If you use a different service, they probably have similar instructions for creating and forwarding subdomains.

Log in to 1&1 and select Domains
On the domain you want to add a subdomain to, click the three dots beside it for more options and select Manage Subdomains
On the right side, click Add subdomain
Give your new subdomain a name and click Save
In the list of subdomains, click the three dots to the right of your new subdomain for more settings and select Adjust Destination
Select DNS Settings
In the A Record area select Other IP address, enter your destination IP (for me this was the home IP that pfSense is the firewall for) and then click Save

Now if you check your DNS at https://www.whatsmydns.net/ you should see the IP you just entered begin to show.  I’ve found that this takes a few minutes to start showing up, and some servers can take a few hours to show the correct IP.

If you have any other subdomains, set them up the same way, all pointing to your home server’s IP.

Setting up HAProxy in pfSense

Now that the subdomains are being routed to your firewall, we need to get pfSense to route them to the correct server.

Log into pfSense and select System and then Package Manager
Find the HAProxy package and install it
After installing you can open it under Services and HAProxy
Under Settings check the box to Enable HAProxy
Scroll down to the Stats tab and enter a port number of your choosing for the stats page (I used 444 and that worked fine)

Configuring the Frontend

I defined two Frontends, one for http traffic and one for https traffic.  Anything that comes over http is redirected to https and then to whatever backend is defined.

HTTP Frontend

Create a new frontend and name it Frontend-1-http (or choose something else), have it listen on the WAN address on port 80 and set the type to http/https
For each domain and subdomain you want to accept, add an ACL named “httpRedirectACL” with the expression Host matches and the domain or subdomain as the value
Under Actions, select “http-request redirect”, set the condition to “httpRedirectACL”, enter “scheme https” in the rule field and click Save

HTTPS Frontend

Create another frontend and name it Frontend-2-https (or choose something else), have it listen on the WAN address on port 443 and set the type to ssl / https
For each domain and subdomain you want to accept, add an ACL named “ServerNameSNI” with the expression “Server Name Indication TLS extension matches:” and the domain or subdomain as the value
Under Actions, select “Use Backend” and set the condition to each ACL server name you made in the step above, then under each one select the backend server you want (you haven’t made a backend yet, so leave this blank and come back to it after the next step) and click Save

Configuring the Backend

Each server is defined as a Backend; this is where the matched traffic is sent.

For each server give it a name with the prefix Backend-1-, and under Server list add an entry: choose active, give it the same name minus the prefix, enter the local IP and port you want, and select SSL

After inputting all your servers you can go under the Stats tab and each server should be listed as green and showing UP.  Now go in your browser and try each domain and subdomain and it should take you to each server.
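Written out as a configuration file, the two frontends and two backends from the steps above look like the following. This is an added example, not the page’s own configuration and not what the pfSense package generates (the GUI writes its own haproxy.cfg); the WAN address 203.0.113.10, the ACL names with suffixes, the timeouts and the tcp-request lines are my assumptions, while the host names and backend IPs are the ones used in this post. The ssl / https frontend type is TLS pass-through, so the HTTPS frontend and its backends run in TCP mode and pick a server from the SNI in the ClientHello. In this hand-written pass-through version the server lines carry no ssl keyword, because the client’s TLS session is relayed to the server unmodified and a second TLS layer is not wanted; re-encrypting with ssl belongs to an offloading setup, where HAProxy terminates TLS itself.

```haproxy
# Added example: hand-written equivalent of the GUI steps above.
# Assumptions: WAN address 203.0.113.10 (documentation range, stands in for the
# home IP); backends 10.1.10.10 and 10.1.10.11 as in the post.
global
    log /dev/log local0
    maxconn 1000

defaults
    log     global
    option  dontlognull
    timeout connect 30s
    timeout client  30s
    timeout server  30s

# Stats page on port 444, as chosen in the Settings step. Bound to localhost
# only: the page lists every backend and must not be reachable from the WAN.
listen stats
    bind 127.0.0.1:444
    mode http
    stats enable
    stats uri /
    stats refresh 10s

# Frontend-1-http: plain HTTP on port 80 is only ever redirected to HTTPS.
frontend Frontend-1-http
    bind 203.0.113.10:80
    mode http
    option httplog
    acl httpRedirectACL hdr(host) -i myserver.com
    acl httpRedirectACL hdr(host) -i onlyoffice.myserver.com
    http-request redirect scheme https code 301 if httpRedirectACL
    # Requests with any other Host header are not redirected and, with no
    # backend defined here, receive a 503 instead of reaching an internal server.

# Frontend-2-https: TLS pass-through. HAProxy never sees plaintext; it reads the
# server name from the unencrypted ClientHello and routes on it.
frontend Frontend-2-https
    bind 203.0.113.10:443
    mode tcp
    option tcplog
    # Buffer the first bytes so the SNI can be inspected before routing.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl ServerNameSNI_nextcloud  req.ssl_sni -i myserver.com
    acl ServerNameSNI_onlyoffice req.ssl_sni -i onlyoffice.myserver.com
    use_backend Backend-1-Nextcloud  if ServerNameSNI_nextcloud
    use_backend Backend-1-OnlyOffice if ServerNameSNI_onlyoffice
    # Deliberately no default_backend: a connection with an unknown or missing
    # SNI is closed instead of being handed to the first server in the list.

# Backends: same TCP mode as the frontend. "check" is a plain TCP connect
# probe, which is what shows the server as green/UP on the Stats tab.
backend Backend-1-Nextcloud
    mode tcp
    server Nextcloud 10.1.10.10:443 check

backend Backend-1-OnlyOffice
    mode tcp
    server OnlyOffice 10.1.10.11:443 check
```

Running haproxy -c -f on a file like this checks the syntax without starting anything. To confirm the SNI routing from outside, connect with openssl s_client -connect &lt;home IP&gt;:443 -servername onlyoffice.myserver.com and check that the certificate shown belongs to the OnlyOffice server, then repeat with -servername myserver.com; a request to port 80 with curl -I should answer with a 301 whose Location header uses https.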

Sources

https://doc.pfsense.org/index.php/Haproxy_package

https://forum.pfsense.org/index.php?topic=103726.0

https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki

https://www.servethehome.com/how-to-haproxy-ha-load-balance-a-web-server-with-a-pfsense-sg-4860/

http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate

6 Comments on “HAProxy in pfSense as a Reverse Proxy”

    • It can work for that if you create rules to allow the LE challenges through or set them up to work with the DNS challenges. The other way that I think is better suited (at least keeping it within pfSense) is to install the Acme Certificates package and let it take care of the certificate renewal. Then in your HAProxy frontend, select http/https (offloading) for the Type and choose the new Certificate under the SSL Offloading section. This gives the added benefit of centralizing the certificate management and renewal.

  1. Hello,
    I’ve followed your how-to, but when I try I get ERR-SSL-CONFI…

    However, all my servers have a valid certificate.

    I have two servers: Nextcloud on Debian 10
    and one HASSIO on a Raspberry.

    All certificates were generated with CERTBOT.

    Why do I get this error?

  2. I was wondering if you ever thought of changing the layout of your website?

    It’s very well written; I love what you’ve got to say. But maybe you
    could add a little more in the way of content so people could connect with it better.
    You’ve got an awful lot of text for only having one or two pictures.
    Maybe you could space it out better?

    • Thanks for the feedback! I agree on being too wordy in some of these posts. Sometimes it’s hard to be thorough without being too text heavy. I’ll work on keeping it more succinct!