Configure HAProxy on pfSense

Updated 2020-09-12

The goal in this example is to provide HTTPS for external traffic while the internal traffic is HTTP.


Basic Configuration

In pfSense go to Services | HAProxy. The HAProxy page will display. The first thing to do is to set the Max SSL Diffie-Hellman size to 2048 under the Tuning section.



Select Backend and select Add. Now we are setting up the frontend and backend HAProxy for a blog running at As Mr. Karlton states below, coming up with names is hard. What makes sense in one context does not in another. Let’s just name this backend blog and see how this works out.

There are only two hard things in Computer Science: cache invalidation and naming things.

– Phil Karlton


Clicking on the little green arrow below mode allows the backend server information to be added.

Again, we have to come up with a name. This website will run in Kubernetes so I will prefix this backend with k8s followed by the namespace and then followed by the service name.

Setting the healthcheck to basic or none will ensure the backend will work for the initial test. We will explore other healthcheck methods in later posts.


Select Add to create a new frontend. We have yet another name to think up. Let’s use for this one.

Give it a description and set it to active. The external address in this case is just set to the WAN address. The actual address can be found in Interfaces | WAN IPv4 Address. The port should be set to 443 since we are accessing via HTTPS; also select HTTP Offloading. The type setting below is left at the http/https(offloading) default.


The combination of an Access Control List and an Action is how HAProxy determines where to send the inbound request. We define an ACL, in this example when the inbound host matches use the blog backend.

Below is how I configured the certificate section.

The name blog is fine for the backend but what happens when you want to host another blog? Naming the backend is verbose but more helpful.
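
The settings chosen above (2048-bit DH size, a TLS listener on port 443, an ACL that routes to the blog backend) end up as HAProxy directives, so they can be checked in text form. The following is an added example, not part of the original post: a small Python audit run over a constructed configuration. The hostname, addresses, certificate path, frontend name and server name are placeholders.

```python
# Constructed sample; hostname, IPs, cert path, frontend and server names are placeholders.
SAMPLE_CFG = """\
global
    tune.ssl.default-dh-param 2048
frontend blog-frontend
    bind 203.0.113.10:443 ssl crt /path/to/blog.pem
    mode http
    acl blog-host hdr(host) -i blog.example.com
    use_backend blog if blog-host
backend blog
    mode http
    server k8s-namespace-service 10.0.0.20:80 check
"""

def audit(cfg):
    """Return findings for DH size, TLS on port 443 and ACL/backend wiring."""
    findings, dh, name = [], None, ""
    backends, acls, rules = set(), set(), []
    for raw in cfg.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] in ("frontend", "backend", "listen"):
            name = tok[1]
            if tok[0] != "frontend":
                backends.add(name)
        elif tok[0] == "tune.ssl.default-dh-param":
            dh = int(tok[1])
        elif tok[0] == "bind" and tok[1].endswith(":443"):
            if "ssl" not in tok or not {"crt", "crt-list"} & set(tok):
                findings.append(f"{name}: bind {tok[1]} has no ssl/crt")
        elif tok[0] == "acl":
            acls.add((name, tok[1]))
        elif tok[0] == "use_backend":
            rules.append((name, tok[1], tok[3:]))
    if dh is None or dh < 2048:
        findings.append(f"tune.ssl.default-dh-param is {dh}, want >= 2048")
    for fe, be, cond in rules:
        if be not in backends:
            findings.append(f"{fe}: use_backend {be} names no defined backend")
        # Named ACLs only; anonymous { ... } and predefined upper-case ACLs are skipped.
        for acl in () if "{" in cond else cond:
            acl = acl.lstrip("!")
            if acl not in ("or", "||") and not acl.isupper() and (fe, acl) not in acls:
                findings.append(f"{fe}: rule uses undefined ACL {acl}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CFG) or "no findings")
```

An empty result means the three settings are consistent; each finding names the frontend and the directive to revisit in the GUI.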