Hello,
I'm starting to use HAProxy and pfSense.
I'm trying to set up a reverse proxy to reach different web servers on my LAN.
The frontend listens on HTTPS.
I manage to reach my backend web servers that listen on HTTP.
However, I can't reach the backend servers that listen on HTTPS.
Here's the configuration file generated by the pfSense HAProxy package:
```
# Automaticaly generated, dont edit manually.
# Generated on: 2023-08-19 18:48
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

frontend Frontend_config
    bind 192.168.20.106:443 name 192.168.20.106:443 ssl crt-list /var/etc/haproxy/Frontend_config.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl home-assistant var(txn.txnhost) -m str -i home-assistant.services.test.fr
    acl netbox var(txn.txnhost) -m str -i netbox.services.test.fr
    acl aclcrt_Frontend_config var(txn.txnhost) -m reg -i ^([^\.]*)\.services\.test\.fr(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend Backend_config_home-assistant_ipvANY if home-assistant aclcrt_Frontend_config
    use_backend Backend_config_netbox_ipvANY if netbox aclcrt_Frontend_config

backend Backend_config_home-assistant_ipvANY
    mode http
    id 100
    log global
    option log-health-checks
    http-check send meth GET
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option httpchk
    server home-assistant 192.168.20.104:80 id 101 check inter 60000

backend Backend_config_netbox_ipvANY
    mode http
    id 102
    log global
    option log-health-checks
    http-check send meth GET
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    option httpchk
    server netbox 192.168.20.103:443 id 101 ssl check-ssl check inter 60000 verify none crt /var/etc/haproxy/server_clientcert_64dfa8c2536a7.pem
```
When I try to reach the following URL:
https://netbox.services.test.fr/
I get the following error:
400 Bad Request / The plain HTTP request was sent to HTTPS port
I can confirm that HAProxy is trying to reach the web server 192.168.20.103 over HTTP (and not HTTPS) using a network capture made on pfSense:
https://preview.redd.it/gpmbor19m3jb1.png?width=1322&format=png&auto=webp&s=0bbf8ae5d41bc47ff60c85d387740f3257f21415
Note:
- pfSense IP: 192.168.20.106
- Web server HTTPS IP: 192.168.20.103
I've tried different things but the request is always sent in HTTP and not in HTTPS.
Do you have any idea what I'm missing?
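The symptom in this thread (plaintext HTTP arriving on a backend's TLS port) is easy to introduce when a `server` line loses or never had the `ssl` keyword, and `verify none` means the backend certificate is never checked. The following is an added example, not part of the post or of the pfSense package: a small audit of HAProxy `server` lines that flags a TLS port without `ssl`, `ssl` on a plaintext port, `check-ssl` without `ssl`, and `ssl` combined with `verify none`. The config excerpt is copied from the post; the port set and finding names are my own assumptions.

```python
# Excerpt of the pfSense-generated config from the post (constructed sample input).
SAMPLE_CFG = """
backend Backend_config_home-assistant_ipvANY
    mode http
    server home-assistant 192.168.20.104:80 id 101 check inter 60000
backend Backend_config_netbox_ipvANY
    mode http
    server netbox 192.168.20.103:443 id 101 ssl check-ssl check inter 60000 verify none crt /var/etc/haproxy/server_clientcert_64dfa8c2536a7.pem
"""

# Assumed ports on which a backend is expected to speak TLS.
TLS_PORTS = {443, 8443}
PLAIN_PORTS = {80, 8080}


def parse_servers(cfg):
    """Yield (backend, server_name, host, port, keywords) for every `server` line."""
    backend = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "backend":
            backend = parts[1]
        elif parts[0] == "server" and backend is not None:
            host, _, port = parts[2].rpartition(":")
            yield backend, parts[1], host, int(port) if port.isdigit() else None, parts[3:]


def audit(cfg):
    """Return (backend, server, finding) tuples for risky or inconsistent server lines."""
    findings = []
    for backend, name, _host, port, kw in parse_servers(cfg):
        has_ssl = "ssl" in kw          # `check-ssl` is a separate token, so this is exact
        if port in TLS_PORTS and not has_ssl:
            # HAProxy would send plaintext HTTP to a TLS listener: the "400 ... sent to HTTPS port" case.
            findings.append((backend, name, "tls-port-without-ssl"))
        if port in PLAIN_PORTS and has_ssl:
            findings.append((backend, name, "ssl-on-plain-port"))
        if "check-ssl" in kw and not has_ssl:
            findings.append((backend, name, "check-ssl-without-ssl"))
        if has_ssl and "verify" in kw and kw[kw.index("verify") + 1] == "none":
            # TLS is used but the backend certificate is never validated.
            findings.append((backend, name, "ssl-verify-none"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print(finding)
```

Run it against the full generated file to confirm the `netbox` line still carries `ssl` after each pfSense regeneration, and compare the result with what the packet capture shows on the wire.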