HAProxy in pfSense as a Reverse Proxy

I run a virtualized Nextcloud server on my home server and it has its own domain that is forwarded to my home IP. While playing with Nextcloud, I ran across OnlyOffice and set up another virtual server running the OnlyOffice Document Server. The problem that I ran into is that pfSense redirected incoming traffic to my home IP only to the Nextcloud server and I didn’t have a method for forwarding traffic to the OnlyOffice server on its own subdomain. Basically I wanted:

myserver.com -> Nextcloud

onlyoffice.myserver.com -> OnlyOffice


Since I’m not really an expert on this, I didn’t know that a reverse proxy is what I needed to make this happen. After digging a little I found that pfSense has an HAProxy package, which can take the incoming traffic to the home IP, check whether it is intended for myserver.com or onlyoffice.myserver.com, and forward it to the correct server on my network.

Forwarding Subdomains in 1&1

I use 1&1 for my web hosting and registering my domain names.  They allow 9,999 subdomains which should be enough!  If you use a different service, they probably have similar instructions for creating and forwarding subdomains.


Log in to 1&1 and select Domains


On the domain you wish to make a subdomain for, click the three dots to the side for more options and select Manage Subdomains


On the right side, click Add subdomain


Give your new subdomain a name and click Save


In the list of subdomains, click the three dots to the right of your new subdomain for more settings and select Adjust Destination


Select DNS Settings


In the A Record area select Other IP address and write in your destination IP (this was my home IP that pfSense is the firewall for) and then click Save

Now if you check your DNS at https://www.whatsmydns.net/ you should see the IP you just entered begin to show. I’ve found that this takes a few minutes to start showing up and some servers can take a few hours to show the correct IP.

If you have any other subdomains, set them up the same way, all pointing to your home server’s IP.

Setting up HAProxy in pfSense

Now that the subdomains are being routed to your firewall, we need to get pfSense to route them to the correct server.


Log into pfSense and select System and Package Manager


Find the HAProxy package and install it


After installing you can open it under Services and HAProxy


Under Settings check the box to Enable HAProxy


Scroll down to the Stats tab and enter a random port number (I used 444 and that worked fine)

Configuring the Frontend

I defined two Frontends, one for http traffic and one for https traffic.  Anything that comes over http is redirected to https and then to whatever backend is defined.


HTTP Frontend


Create a new frontend and name it Frontend-1-http (or choose something else), have it listen to WAN address on port 80 and set the type to http/https


For each domain and subdomain you want to accept, add an ACL named “httpRedirectACL”, set the expression to Host matches, and enter the domain or subdomain you want as the value


Under Actions, select “http-request redirect” and set the condition to “httpRedirectACL” and under rule type “scheme https” and click Save

HTTPS Frontend


Create another frontend and name it Frontend-2-https (or choose something else), have it listen to WAN address on port 443 and set the type to ssl / https


For each domain and subdomain you want to accept, add an ACL named “ServerNameSNI”, set the expression to “Server Name Indication TLS extension matches:”, and enter the domain or subdomain you want as the value


Under Actions, select “Use Backend” and set the condition to each ACL server name you made in the step above, and under each backend select the backend server you want (you haven’t made a backend yet so leave this blank and come back to it after the next step) and click Save

Configuring the Backend

Each server is defined as a Backend, which is where the traffic is routed to.



For each server, create a backend and give it a name with the prefix Backend-1-. Under Server list choose active, give the server the same name minus the prefix, input the local IP and port you want, and select SSL

After inputting all your servers you can go under the Stats tab and each server should be listed as green and showing UP.  Now go in your browser and try each domain and subdomain and it should take you to each server.






