@rick wrote:
I am trying to set up HAProxy on a pfSense firewall as an SNI reverse proxy. I was previously using NAT to port forward HTTPS to a web server in the DMZ. This setup is currently working and I have a valid Let's Encrypt cert. The web GUI generated the following haproxy.cfg:
    # Automaticaly generated, dont edit manually.
    # Generated on: 2018-05-11 20:05
    global
        maxconn                 128
        stats socket /tmp/haproxy.socket level admin uid 80 gid 80
        nbproc                  1
        chroot                  /tmp/haproxy_chroot
        daemon
        server-state-file       /tmp/haproxy_server_state

    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000

    frontend https_sni
        bind                    (My Static WAN IP Address):443 name (My Static WAN IP Address)
        mode                    tcp
        log                     global
        maxconn                 256
        timeout client          30000
        tcp-request inspect-delay 5s
        acl                     is_webmail req.ssl_sni -m beg -i webmail
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend backend_webmail_https_ipvANY if is_webmail

    backend backend_webmail_https_ipvANY
        mode                    tcp
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  webmail (My Webserver IP Address):443 check-ssl check inter 1000 verify none
When I disable the NAT rules and enable HAProxy, I am unable to connect to my web server, and the connection times out with no other error message.
I connected to the firewall and verified
- haproxy is running
- haproxy is listening on WAN IP:443
- I am able to use openssl s_client to connect from the router to the web server in the DMZ
I also used ssllabs.com to verify that the browser I was using (my phone) to test supports SNI.
I would appreciate any help in troubleshooting this problem.
Thanks,
Rick
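The frontend in the config above never looks at HTTP at all: it accepts a connection only once a TLS ClientHello (handshake type 1) has arrived, reads the server_name extension with `req.ssl_sni`, and picks a backend only if that name begins with `webmail`. The following Python is an added example, not code from the original post, pfSense or HAProxy: it builds a constructed ClientHello, extracts the SNI the way `req.ssl_sni` does, and applies the `req.ssl_hello_type 1` check plus the `is_webmail` ACL. The function names and the sample hostnames are my own; the backend name mirrors the config. `tcp-request inspect-delay` timing is not modelled, only the match logic.

```python
"""Parse the SNI out of a TLS ClientHello and apply the HAProxy frontend's
routing decision (acl is_webmail req.ssl_sni -m beg -i webmail).
Added example; hostnames and function names are assumptions, not from the post."""
import struct
from typing import Optional

HANDSHAKE_RECORD = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type 1 (req.ssl_hello_type 1)
EXT_SERVER_NAME = 0x0000  # server_name extension (SNI)
WEBMAIL_BACKEND = "backend_webmail_https_ipvANY"


def build_client_hello(server_name: Optional[str], handshake_type: int = CLIENT_HELLO) -> bytes:
    """Build a minimal TLS 1.2 handshake record (constructed input, not a capture).
    server_name=None omits the SNI extension, as a non-SNI client would."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + bytes(32)                                    # random (zeros are fine for a parser test)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"   # two cipher suites
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", handshake_type) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE_RECORD, 0x0301, len(handshake)) + handshake


def is_client_hello(record: bytes) -> bool:
    """Equivalent of `req.ssl_hello_type 1`: handshake record carrying a ClientHello."""
    return len(record) > 5 and record[0] == HANDSHAKE_RECORD and record[5] == CLIENT_HELLO


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None
    when the record is not a ClientHello, is truncated, or carries no SNI."""
    try:
        ctype, _version, rlen = struct.unpack("!BHH", record[:5])
        if ctype != HANDSHAKE_RECORD or record[5] != CLIENT_HELLO:
            return None
        p = 9 + 2 + 32                                      # past record+handshake headers, version, random
        p += 1 + record[p]                                  # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
        p += 1 + record[p]                                  # compression_methods
        if p >= 5 + rlen:
            return None                                     # no extensions block at all
        ext_len = struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == EXT_SERVER_NAME:
                q = p + 2                                   # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = struct.unpack("!BH", record[q:q + 3])
                    q += 3
                    if ntype == 0:                          # host_name entry
                        return record[q:q + nlen].decode("ascii")
                    q += nlen
            p += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None
    return None


def choose_backend(record: bytes) -> Optional[str]:
    """Apply the frontend's rules: only a ClientHello is accepted, then
    `acl is_webmail req.ssl_sni -m beg -i webmail` (prefix match, case-insensitive).
    None means no use_backend rule matched; the frontend has no default_backend."""
    if not is_client_hello(record):
        return None
    sni = parse_sni(record)
    if sni is not None and sni.lower().startswith("webmail"):
        return WEBMAIL_BACKEND
    return None


if __name__ == "__main__":
    for name in ("webmail.example.com", "www.example.com", None):   # assumed hostnames
        print(name, "->", choose_backend(build_client_hello(name)))
```

The last case is the one worth keeping in mind when a connection "just hangs": a client that sends no SNI, or a name that does not start with `webmail`, matches no `use_backend` rule, and this frontend defines no `default_backend` to fall back to.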