Hi im using HAProxy version 3.0.8-6036c31 on opnsense as a proxy for several servers. ACME server is configured also.
this is server config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
#
# NOTE: HAProxy is currently DISABLED
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 800
ocsp-update.mindelay 300
ocsp-update.maxdelay 3600
httpclient.resolvers.prefer ipv4
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log 192.168.0.90 syslog
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 1200
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr libc,last
default-server maxconn 8000
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_frontend (Escucha en 0.0.0.0:80 , 0.0.0.0:443)
frontend 0_SNI_frontend
bind 0.0.0.0:443 name 0.0.0.0:443
bind 0.0.0.0:80 name 0.0.0.0:80
mode tcp
default_backend SSL_Backend
# logging options
# Frontend: 1_HTTP_frontend (Escucha en 127.4.4.3:80)
frontend 1_HTTP_frontend
bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
# ACL: NoSSL_condition
acl acl_67dc7229f0ca87.12416952 ssl_fc
# ACTION: HTTPtoHTTPS_rule
http-request redirect scheme https code 301 if !acl_67dc7229f0ca87.12416952
# Frontend: 1_HTTPS_frontend (Escucha en 127.4.4.3:443)
frontend 1_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/67dd4f48dc7790.48843150.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option dontlognull
option dontlog-normal
option log-separate-errors
option httplog
# ACTION: PUBLIC_SUBDOMAINS_rule
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/67dc72bb167027.30626723.txt)]
# Backend (DISABLED): acme_challenge_backend (Added by ACME Client plugin)
# Backend: SSL_Backend ()
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_Server 127.4.4.3 send-proxy-v2 check-send-proxy
# Backend: EEST1_backend (Backend de server eest1/moodle)
backend EEST1_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server EEST1 10.10.10.101:443 send-proxy-v2 check-send-proxy
Whole proccess was made with this https://blog.holtzweb.com/posts/opnsense-with-haproxy-and-lets-encrypt/
It seems partially working despite bad gateway error
these are some of the logs to syslog:
xxx.xxx.xxx.xxxx:43160 [26/Mar/2025:15:28:14.196] 1_HTTPS_frontend~ EEST1_backend/EEST1 0/0/0/-1/1 502 209 - - SH-- 8/3/0/0/0 0/0 \"GET https://eest.tecnica1vl.org/favicon.ico HTTP/2.0\"
xxx.xxx.xxx.xxx:43160 [26/Mar/2025:15:28:13.787] 1_HTTPS_frontend~ EEST1_backend/EEST1 0/0/0/-1/1 502 209 - - SH-- 6/2/0/0/0 0/0 \"GET https://eest.tecnica1vl.org/tecmood/ HTTP/2.0\"
internal server is working actually with letsencrypt client and port forwarding with opnsense. (disabled when HAproxy is active)
Thanks in advance!