pfsense + HAProxy + Let's Encrypt Howto

Comments • 35

  • @redbutcher74 · 2 years ago

    Just the video I've been looking for!! Fantastic - finally got it all working - many, many thanks!

  • @brett1234 · 2 years ago +2

    I mean seriously. I've been pulling my hair out trying to get this to work using the more common traditional way of setting this up on HAProxy and THIS is the only way that worked for me. I literally could die with the amount of sleepless nights I've spent trying to get this thing working. Thank you, I think you saved my life.
    Only issue I have now is potentially setting up multiple internal servers using this method because you only showed one (what if I had more than one internal server, in other words). If you could expand on doing that, that would be great.
    Another hurdle I can't get past is setting this up for NextCloud; any videos on that would be cool (maybe giving you some video ideas). Thanks again!

  • @vaiyas9385 · 4 years ago

    thank you so much! great video, well explained and easy to follow :)

  • @CristianHeredia0 · 1 year ago

    Wow. Many thanks. I tried many tutorials. This is the only one that worked. The virtual IP did the trick! Also, I needed to create two individual backends for each app, slightly annoying, but I'm happy it's at least serving internal HTTPS.

  • @mistakek · 3 years ago

    Thanks. Great video, finally got mine working.

  • @fonte935 · 4 years ago

    Wow, great video, thank you! Gonna test this myself!

  • @boxalox · 1 year ago

    If anybody gets stuck with an internal server on a different subnet not responding, consider changing the front ends to listen on any address. Then, if you want to scope it down for DMZ or tighter control of cross-LAN traffic, work through NAT'ing and VIP. This first step at least shows you that it is working and the issue is with your NAT/VIP. HAppy PROXYing!

  • @silentijsje · 3 years ago +1

    My man, thank you for this guide. It worked for me. The virtual IP was the solution, probably. Now I'm just stuck a bit on how to add a 2nd one.

  • @an7534 · 2 years ago +1

    Lovely voice and great explanation:)

  • @onyx0r · 1 year ago

    well explained, good job.

  • @peterge98 · 4 years ago +1

    Thanks! Using a virtual IP solved my problems!

  • @jonathan.sullivan · 4 years ago +2

    This is great, and it definitely gets asked weekly if not daily in the subreddit. I would like to add two things for the next video: show people how to add a second domain and point it to web server B on a second backend. Also how to use a wildcard instead of having to enter multiple subdomains. Cheers.

    • @SystemaD · 4 years ago +3

      That's a fine suggestion. Thanks for that.
      I'll most certainly get a follow-up video done soon. I've been asked a few questions, so will clear those up. Along with covering what you suggest.

  • @borealis370 · 4 years ago +2

    8 subs?
    you got 9 now.

  • @sherrongritz6648 · 2 years ago

    How can we add a second server with different ports like 8000 and 9443? Do we need another virtual IP, or can one virtual IP handle everything? I have the first one working with standard ports 80 & 443, but any other server with different ports either can't be reached or throws error 522. Any help would be appreciated.

  • @Elmojomo · 2 years ago

    I was hoping this video would solve my problems, but when I click the [Issue/Renew] button for the cert, I get that block of green text, but towards the bottom it says "invalid domain" and doesn't create the cert. It suggests I check the log, but for the life of me I can't find any way to access the logs for ACME. Any ideas?

  • @xPsIXx · 4 years ago +1

    Thanks for the video. Please consider scaling down your screen, as it would be easier to read on smaller screens.

    • @SystemaD · 4 years ago

      Thanks for the feedback. Most helpful. I'll see what I can do when I get around to recording the next video.

  • @texanallday · 2 years ago

    @SystemaD, please post more - read the comments here...

  • @ryanwright3965 · 1 year ago

    Great video. You deserve way more subscribers. I have an issue, however. If I run the backend on the standard HTTP ports, 80 or 443, everything works great. If I use a non-standard HTTP port, HAProxy says "No server is available to handle this request." The server is definitely running because I can access it directly from a browser, but HAProxy thinks it is not available. Are there restrictions on what port HAProxy can use? Anyone encountered this error?

  • @The8BitHero · 4 years ago +2

    There is a lot of great info in this video, thanks. Though I still don't understand what the virtual IP is for. What is the point of a VIP pointing at another address on the same subnet? Why can't you just put the actual server IP(.43) instead of your VIP(.130)? I'm not grasping this part. Just setting the front end to WAN address would eliminate the .130.

    • @Psybernoid · 4 years ago +3

      I actually explain that in a follow-up video I put up last week. But in a nutshell, it gives options. If you wish to learn more on why I did that, please watch the pfsense + HAProxy + Self-signed CA video.
      Also, you can't point it to the IP of the actual server. The server doesn't have the LE cert on it. HAProxy has the cert and offloads that to .43. Setting the frontend to WAN would work, but only reliably for external connections. You would have to use hairpinning/doglegging/tromboning (whatever you want to call it) and that's clumsy and not for me.

    • @The8BitHero · 4 years ago

      @@Psybernoid Makes sense, thanks!

    • @fonte935 · 4 years ago

      @@Psybernoid I was thinking the same, why the virtual IP? This is a great explanation!

  • @kuldeepbhatti · 3 years ago

    Hi.. thank you for a great video. Everything makes sense, but when I tried this, I am getting “503 Service Unavailable. No server is available to handle this request.” though it’s loading the correct certificate. I am not sure what I'm doing incorrectly. Any help would be greatly appreciated.

    • @SystemaD · 3 years ago

      A 503 error would indicate that the backend cannot talk to the service you require. Either you're pointing to the wrong port, or the service is using SSL and the backend needs to be set as such, and to ignore TLS errors.

    • @kuldeepbhatti · 3 years ago

      @@SystemaD thank you for the reply. I followed your other video and changed the monitoring from HTTP to Basic and now all is OK.

  • @justinlangley1056 · 1 year ago

    Just one thing to add in terms of setting up NAT.
    Set "filter rule association" either to "Pass" or "Create new associated filter rule" (for additional routing and if you want future edits to apply to routing rules).
    Not configuring this option prevented my HAProxy configuration from working.

    • @BorisJohnsonMayor · 1 year ago

      Or could you just create a rule manually allowing traffic in from the WAN to that VIP?

    • @justinlangley8972 · 1 year ago

      @@BorisJohnsonMayor You can. If you set up the NAT rules correctly, it's just going to create the same rules you mention creating manually in your Firewall/Rules/WAN tab.

  • @littlegeek88 · 4 years ago +2

    FOR THE LOVE OF SCIENCE!!! THANK YOU!
    Although, I had to set Health checking to none on my backend for it to work. Do you happen to know why?

    • @SystemaD · 4 years ago

      It depends a lot on what the backend is. Some of the ones I use will only work with basic or none too. I cover it a bit more in this video th-cam.com/video/KkL3QyYlNUI/w-d-xo.html
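
Several of the threads above circle the same handful of HAProxy settings: binding the frontend to the virtual IP instead of the server's own address (the .130 vs .43 discussion), adding a second domain that goes to a second backend, putting a backend on a non-standard port such as 9443, and the 503 "No server is available to handle this request." that disappears once the health check is switched from HTTP to Basic or none, or the backend is told that the service speaks TLS. The configuration below is an added example and is not from the video or from the pfSense HAProxy package; it is the haproxy.cfg equivalent of what the package generates from Services > HAProxy, so carry the setting names over to the GUI rather than the file. The addresses (VIP 192.168.1.130 on LAN, a plain-HTTP web server at 192.168.1.43:80, an HTTPS application with its own self-signed certificate at 192.168.1.44:9443), the hostnames app.example.com and cloud.example.com, and the certificate paths are all assumptions. External clients reach the VIP through the WAN port forward discussed in the NAT thread; internal clients resolve the same names to the VIP directly, which is what avoids NAT reflection.

```haproxy
# Added example (not the video's or the pfSense package's own config).
# Assumed: VIP 192.168.1.130, backends 192.168.1.43:80 and 192.168.1.44:9443,
# hostnames app.example.com / cloud.example.com, certificate paths below.

global
    log /var/run/log local0 info
    maxconn 1000
    # Refuse TLS 1.0/1.1 and non-forward-secret ciphers on the public-facing bind.
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    log global
    mode http
    option httplog
    option forwardfor          # pass the client IP to the backends (X-Forwarded-For)
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# One frontend, bound to the VIP. HAProxy terminates TLS here with the
# Let's Encrypt certificates, so the servers behind it never need them.
frontend vip_in
    bind 192.168.1.130:80
    bind 192.168.1.130:443 ssl crt /var/etc/haproxy/app.example.com.pem crt /var/etc/haproxy/cloud.example.com.pem

    # Plain HTTP only exists to redirect to HTTPS.
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }

    # Route on the Host header; field(1,:) drops any ":port" a client may append.
    acl host_app   req.hdr(host),field(1,:) -i app.example.com
    acl host_cloud req.hdr(host),field(1,:) -i cloud.example.com

    # Adding a second (third, ...) internal server is one more acl + use_backend
    # pair and one more backend section; the VIP and the frontend are shared.
    use_backend be_app   if host_app
    use_backend be_cloud if host_cloud

    # No default_backend: a request for a name we do not serve (IP scans,
    # stray Host headers) is refused instead of being handed to the first app.
    http-request deny if !host_app !host_cloud

# Plain-HTTP server on a standard port. "HTTP" health check in the GUI.
backend be_app
    option httpchk GET /
    # Many apps answer "/" with a 302 to a login page; a strict 200 check then
    # marks the server DOWN and every request gets the 503 above even though
    # the app works from a browser. Accept 2xx/3xx, or use a Basic (TCP) check.
    http-check expect rstatus ^[23][0-9][0-9]
    server app1 192.168.1.43:80 check

# Server that already speaks HTTPS, on a non-standard port. HAProxy does not
# restrict backend ports; what breaks here is speaking plain HTTP to a TLS
# port (the backend replies with garbage, the check fails, 503). "ssl" on the
# server line re-encrypts to it, and the plain "check" is a Basic TCP check.
backend be_cloud
    # "verify none" skips validation of the self-signed cert. If the app's cert
    # comes from an internal CA, prefer: ssl verify required ca-file /path/ca.pem
    server cloud1 192.168.1.44:9443 check ssl verify none
```

The health checks run from pfSense's own LAN address, not from the client, so a firewall rule that allows clients but not the firewall itself to reach 192.168.1.44:9443 produces the same 503 while the application still opens fine in a browser; check the backend's server status on the HAProxy Stats page before changing anything else.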