HAProxy in pfSense as a Reverse Proxy
I run a virtualized Nextcloud server on my home server and it has its own domain that is forwarded to my home IP. While playing with Nextcloud, I ran across OnlyOffice and setup another virtual server running the OnlyOffice Document Server. The problem that I ran into is that pfSense redirected incoming traffic to my home IP only to the Nextcloud server and I didn’t have a method for forwarding traffic to the OnlyOffice server on its own subdomain. Basically I wanted:
myserver.com -> Nextcloud 10.1.10.10
onlyoffice.myserver.com -> OnlyOffice 10.1.10.11
Since I’m not really an expert on this, I didn’t know that a reverse proxy is what I needed to make this happen. After digging a little I found that pfSense has HAProxy and that can take the incoming traffic to the home IP and analyze if it was intended for myserver.com or onlyoffice.myserver.com and forward it to the correct server on my network.
Forwarding Subdomains in 1&1
I use 1&1 for my web hosting and registering my domain names. They allow 9,999 subdomains which should be enough! If you use a different service, they probably have similar instructions for creating and forwarding subdomains.
Now of you check your DNS at https://www.whatsmydns.net/ you should see the IP you just inputted begin to show. I’ve found that this takes a few minutes to start showing up and some servers can take a few hours to show the correct IP.
If you have any other subdomains, set them up the same way, all pointing to your home server’s IP.
Setting up HAProxy in pfSense
Now that the subdomains are being routed to your firewall, we need to get pfSense to route them to the correct server.
Configuring the Frontend
I defined two Frontends, one for http traffic and one for https traffic. Anything that comes over http is redirected to https and then to whatever backend is defined.
HTTP Frontend
HTTPS Frontend
Configuring the Backend
Each server will be defined in Backend and will be where traffic is routed to.
After inputting all your servers you can go under the Stats tab and each server should be listed as green and showing UP. Now go in your browser and try each domain and subdomain and it should take you to each server.
Sources
https://doc.pfsense.org/index.php/Haproxy_package
https://forum.pfsense.org/index.php?topic=103726.0
https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki
https://www.servethehome.com/how-to-haproxy-ha-load-balance-a-web-server-with-a-pfsense-sg-4860/
http://loredo.me/post/116633549315/geeking-out-with-haproxy-on-pfsense-the-ultimate
Does this work with each host having individual letsencrypt certs?
It can work for that if you create rules to allow the LE challenges through or set them up to work with the DNS challenges. The other way that I think is better suited (at least keeping it within pfSense) is to install the Acme Certificates package and let it take care of the certificate renewal. Then in your HAProxy frontend, select http/https (offloading) for the Type and choose the new Certificate under the SSL Offloading section. This gives the added benefit of centralizing the certificate management and renewal.
Hello ,
I ve follow your HOW-to but when i try i have ERR-SSL-CONFI…
however all my servers have une valide certificate
i have two server on nextcloud on debian 10
one HASSIO on raspberry,
all certificate was generate with CERTBOT.
WHy i have this error ?
I’m afraid I can’t answer based on what you’ve written…
I was wondering if you ever thought of changing the layout of your website?
Its very well written; I love what youve got to say. But maybe you
could a little more in the way of content so people could connect with it better.
Youve got an awful lot of text ffor only having one or two pictures.
Maybe you could space it out better?
Thanks for the feedback! I agree on being too wordy in some of these posts. Sometimes it’s hard to be thorough without being too text heavy. I’ll work on keeping it more succinct!