Skip to content
PiBa-NL edited this page Dec 10, 2015 · 24 revisions

First draft... Lets see what it looks like..

How to configure haproxy package on pfSense

  1. Configuring the general settings.
  2. Scenario that will be used in below examples.
  3. Single frontend serving multiple different domains using http.
  4. HTTPS for multiple domains using SNI from 1 frontend
  5. HTTPS for multiple backend using offloading from 1 frontend

1. Configuring the general settings.

It is required to enable the package, and configure the total number of connections that haproxy will accept in a single process. I adviced to configure a local stats port, this allows to use the integrated haproxy stats directly from the pfSense webgui.

2. Scenario that will be used in below examples.

In each of the scenarios below i will asume that you have a domain name yourdomain.tld and serveral subdomains pointing to the pfSense wan-ip or perhaps a secondary ipalias or carpip. The examples will asume that the follow subdomains will be used for seperate webapplications running on seperate webservers:

  • www.yourdomain.tld
  • forum.yourdomain.tld
  • support.yourdomain.tld
  • portal.yourdomain.tld
  • ssh.yourdomain.tld

For each of these domains 1 or more servers will be used to serve each website. The exeption is the ssh.yourdomain.tld where only a ssh server is listening on port 22.

3. Single frontend serving multiple different domains using http.

4. HTTPS for multiple domains using SNI from 1 frontend

Haproxy can use SNI to read the requested destination domain from a ssl-handshake, this allows haproxy to direct traffic for different domains to correct backend.

  • Create a backend for each domain you want to be handled by a seperate group of servers.
  • Configure the servers for each of the backends.
  • Create a Frontend new frontend and give it a name (mainsites).
  • Select the interface and port it should listen on wan:ip and 443, leave the SSL checkbox empty here.
  • Select the mode: "SSL/HTTPS (TCP)"
  • Select the default backend (www.yourdomain.tld) to use when the user acls and actions dont select a different backend or operation to use. For the example lets direct users that type http://ssh.yourdomain.tld in their browser they will be directed to the www backend. Instead of getting no valid reply.
  • Add a acl with the name 'forum-acl' for the forum.yourdomain.tld by adding a acl and selecting the 'SNI matches' option for the value fill in the domain
  • Add a action 'use backend' and select the forum backend, also fill in the forum-acl. Repeat above steps for the other domains change the acl name and value accordingly.
  • Save the frontend configuration
  • Apply the configuration.
  • Check on the stats page all servers are shown as 'up'.
  • Ready to test connections from the outside

5. HTTPS for multiple backend using offloading from 1 frontend

Haproxy can offload / decrypt https traffic on the frontend. For this it is required to load the certificates including the psk and intermediate certifcate into pfSense.

Clone this wiki locally