Configure HAProxy on pfSense

Updated 2020-09-12

The goal in this example is to provide HTTPS for external traffic while the internal traffic is HTTP.

Prereqs

Basic Configuration

In pfSense go to Services | HAProxy. The HAProxy page will display. The first thing to do is to set the Max SSL Diffie-Hellman size to 2048 under the Tuning section.

Backend

Select Backend and select Add. Now we are setting up the frontend and backend HAProxy for a blog running at blog.mydomain.com. As Mr. Karlton states below, coming up with names is hard. What makes sense in one context does not in another. Let’s just name this backend blog and see how this works out.

There are only two hard things in Computer Science: cache invalidation and naming things.

– Phil Karlton

Clicking on the little green arrow below mode allows the backend server information to be added.

Again, we have to come up with a name. This website will run in Kubernetes so I will prefix this backend with k8s followed by the namespace and then followed by the service name.

Setting the healthcheck to basic or none will ensure the backend will work for the initial test. We will explore other healthcheck methods in later posts.

Frontend

Select Add to create a new frontend. We have yet another name to think up. Let’s use mydomain.com for this one.

Give it a description and set it to active. The external address in this case is just set to the WAN address. The actual address can be found in Interfaces | WAN IPv4 Address. Set the port to 443, since we are accessing via HTTPS, and select HTTP Offloading. The type setting below is left at the http/https(offloading) default.

The combination of an Access Control List and an Action is how HAProxy determines where to send the inbound request. We define an ACL and an action: in this example, when the inbound host matches blog.mydomain.com, use the blog backend.

Below is how I configured the certificate section.
image

The name blog is fine for the backend but what happens when you want to host another blog? Naming the backend blog.mydomain.com is verbose but more helpful.
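
For reference, the GUI steps above correspond roughly to the following hand-written haproxy.cfg. This is an added example, not the file pfSense generates and not part of the original post; the IP addresses, the certificate path, the ACL name `is_blog` and the server name `k8s-default-blog` are placeholders.

```haproxy
# Added example: hand-written equivalent of the pfSense GUI settings.
# All addresses, paths and the server name are placeholders.

global
    # Tuning section: Max SSL Diffie-Hellman size = 2048
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend "mydomain.com": TLS is terminated here on the WAN address.
frontend mydomain.com
    # 203.0.113.10 stands in for the WAN IPv4 address; the .pem file
    # (certificate chain plus private key) is a placeholder path.
    bind 203.0.113.10:443 ssl crt /etc/haproxy/certs/blog.mydomain.com.pem

    # ACL: match the Host header, case-insensitively.
    acl is_blog hdr(host) -i blog.mydomain.com

    # Action: send matching requests to the "blog" backend.
    use_backend blog if is_blog

    # No default_backend is set, so requests for any other Host
    # header are answered with 503 instead of reaching the blog.

# Backend "blog": traffic on the internal leg is plain HTTP.
backend blog
    # Name follows the k8s-<namespace>-<service> scheme; "default" is
    # an assumed namespace. "check" enables a simple TCP connect check,
    # assumed here to correspond to the GUI's basic healthcheck.
    server k8s-default-blog 10.0.0.20:80 check
```

Because the backend leg is unencrypted, this layout relies on the network between pfSense and the backend server being trusted.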