503 Service Unavailable - No serveris available

Dear all,

I’m using HAProxy plugin for OPNSense and I followed few online tutorials and all of these ended up in the same way:

503 Service Unavailable
No server is available to handle this request.

I want to ue the reverse proxy for home hosted web apps on apache server listening on port 80/443

For the below setting I followed this tutorial using the LAN network rather the WAN

Below the actual setup:

# Automatically generated configuration.
# Do not edit this file manually.

    uid                         80
    gid                         80
    chroot                      /var/haproxy
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 warning
    lua-prepend-path            /tmp/haproxy/lua/?.lua

    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# Frontend: 0_SNI_Frontend (listening on LAN address port 80/443)
frontend 0_SNI_Frontend
    bind lan_ip:80 name lan_ip:80 
    bind lan_ip:443 name lan_ip:443 
    mode tcp
    default_backend SSL_Backend

    # logging options

# Frontend: 1_HTTP_frontend (Listening on lo_ip:80)
frontend 1_HTTP_frontend
    bind lo_ip:80 name lo_ip:80 accept-proxy 
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    option dontlognull
    option log-separate-errors
    option httplog
    # ACL: NoSSL_condition
    acl acl_6462b25dd3fc08.98092716 ssl_fc

    http-request redirect scheme https code 301 if !acl_6462b25dd3fc08.98092716

# Frontend: 2_HTTPS_frontend (Listening on lo_ip:443)
frontend 2_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind lo_ip:443 name lo_ip:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6463bbbf543239.59805119.certlist 
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options
    option dontlognull
    option log-separate-errors
    option httplog

    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/645151c9cb3ae5.07476878.txt)] 

# Backend: s1_backend (s1 server backend)
backend s1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server s1_server server_ip 

# Backend: SSL_Backend (SNI backend)
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    server SSL_Server lo_ip send-proxy-v2 check-send-proxy

# statistics are DISABLED

I’m new to reverse proxy and HAProxy which thoretically seams straight forward but the amount of options make it difficult but flexible.

I also tried a more simple setup:
LAN_User ->LAN FW IP (Frontend) → DMZ Server IP
ending agin to same lending error 503

Trying to reduce to the bare minimum setup I tried also to use the reverse proxy only on port 80 but same error.

Can someone pass some hint from where I can start to investigate?
Anybody with opnsense experience to help?


Missing acl in frontend 2_HTTPS_frontend

@rayj00 : this is an automatig generated file from the firewall webGUI. I try to figure out if it is something I missed out or a plugin issue

Only part of the haproxy.cfg is automatic when you install haproxy. You need to add acls yourself.

Hi @rayj00

Thanks for ur reply and apologize I haven’t add any comment.

I tried few more tutorial and tried to integrate also with ur help with little progress.

Best result so far I achieved was following this tutorial:

Setting up HAproxy and Let's Encrypt on OPNsense - YouTube

As backend I used a clean server machine with apache and 1 virtualhost (site1)

With this configuration the reverse proxy did work.

From this point I created a second virtualhost (site2), new condition+rule and add the rule to the frontend on opnsense

With this configuration only site1 (default) did work.changing the name of the .conf file of the virtualhost to have site2 as defualt, site 2 did work but not site1

When I say doesnt work I mean I receive the usual error 503

At this point I’m trying to understand if there is an issue on the apache config or there is something wrong I assume in the condition level…

Considering my final result will be a webserver like:


What is the best condition to use?
Any comment about apache setup?

In few days I’ll be able to work on it again and post the configuration file.

Feedback at this stage will give something new to work on before reverting


Hello gipsea,

I am not familiar with OPNsense.

But what I am doing is port forwarding my ports 80/443 from my server to my haproxy server. Then the haproxy server looks at the url and routes it via acl’s to the proper IP. Pretty simple stuff. I have Letsencrypt running on the haproxy server to handle SSL traffic. Works pretty good.


By any chance, did you test your haproxy.cfg file?

Try this: haproxy -c -V -f /etc/haproxy/haproxy.cfg

Hi @rayj00

it is working right now…

All good at the end :slight_smile: