I’m getting a too long to respond ERR_CONNECTION_TIMED_OUT from mobile phone browser.
Hey, thanks for pointing me in the right direction by telling me it was a firewall issue. The firewall rules were set up correctly, but I had a leftover NAT that was forwarding connections from port 80/443 to the backend webserver. So basically it seemed like I had a race condition between HAProxy and the NAT table.
After deactivating the NAT statements, traffic now passes. I then went ahead and quickly added the SSL statements back into the proxy config, and things also worked.
I’m posting my settings here for historical reasons and for those who may have similar problems in the future (including me).
pfsense WAN firewall rules:
pfsense Aliases to Define Cloudflare Networks
Make sure you do not have, or have deactivated, any NAT redirection on ports 80/443 for the firewall. The picture below shows the NAT rules deactivated (greyed out).
Haproxy.cfg (This is applicable to only one backend. Very possible to add more)
Please note my LAN network is on the 10.0.1.0/24 subnet. Adjust according to your needs:
# Automatically generated, don't edit manually.
# Generated on: 2020-01-21 18:54
global
    maxconn 1000
    log /var/run/log local0 debug
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend shared-frontend-WAN-and-LAN-merged
    bind 69.xxx.xxx.xxx.xxx:443 name 69.xxx.xxx.xxx.xxx:443 ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
    bind 10.0.1.1:443 name 10.0.1.1:443 ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl ACL1 var(txn.txnhost) -m str -i domain.com
    acl ACL2 var(txn.txnhost) -m str -i www.domain.com
    http-request set-var(txn.txnhost) hdr(host)
    use_backend domain.com_ipvANY if ACL1
    use_backend domain.com_ipvANY if ACL2

frontend http-to-https
    bind 69.xxx.xxx.xxx.xxx:80 name 69.xxx.xxx.xxx.xxx:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    redirect scheme https code 301 if !{ ssl_fc }

backend domain.com_ipvANY
    mode http
    id 102
    log global
    option log-health-checks
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server domain.com 10.0.1.158:80 id 103 check inter 600000
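As an added example (not part of the original post, nor pfSense's generator), here is a small Python sanity check for the reverse-proxy pattern in that config: it splits an haproxy.cfg into sections, verifies that every `use_backend` points at a defined backend, that a TLS frontend sets `X-Forwarded-Proto`, and that a plain port-80 frontend carries the https redirect. The embedded config is a trimmed copy of the one above; the WAN address stays masked as on the page.

```python
import re

# Trimmed copy of the haproxy.cfg posted above (constructed sample input).
SAMPLE_CFG = """
frontend shared-frontend-WAN-and-LAN-merged
    bind 10.0.1.1:443 name lan443 ssl crt-list /var/etc/haproxy/x.crt_list
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    acl ACL1 var(txn.txnhost) -m str -i domain.com
    use_backend domain.com_ipvANY if ACL1
frontend http-to-https
    bind 69.xxx.xxx.xxx.xxx:80 name wan80
    redirect scheme https code 301 if !{ ssl_fc }
backend domain.com_ipvANY
    server domain.com 10.0.1.158:80 id 103 check inter 600000
"""

def parse_sections(text):
    # Group non-comment lines under the section header they belong to.
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 2)
        if head[0] in ("global", "defaults", "listen", "frontend", "backend"):
            current = {"kind": head[0], "name": head[1] if len(head) > 1 else "", "lines": []}
            sections.append(current)
        elif current is not None:
            current["lines"].append(line)
    return sections

def lint(text):
    # Findings for the TLS-terminating reverse-proxy pattern used on this page.
    sections = parse_sections(text)
    backends = {s["name"] for s in sections if s["kind"] == "backend"}
    findings = []
    for s in (s for s in sections if s["kind"] == "frontend"):
        lines = s["lines"]
        for m in (re.match(r"use_backend\s+(\S+)", l) for l in lines):
            if m and m.group(1) not in backends:  # dangling use_backend
                findings.append(f"{s['name']}: unknown backend {m.group(1)}")
        binds = [l.split() for l in lines if l.startswith("bind ")]
        if any("ssl" in b for b in binds) and not any("X-Forwarded-Proto" in l for l in lines):
            findings.append(f"{s['name']}: TLS frontend does not set X-Forwarded-Proto")
        if any("ssl" not in b and b[1].endswith(":80") for b in binds) and \
                not any(l.startswith("redirect scheme https") for l in lines):
            findings.append(f"{s['name']}: port-80 frontend has no https redirect")
    return findings
```

Run `lint(open("/var/etc/haproxy/haproxy.cfg").read())` on the box; an empty list means the three checks pass. Note that a NAT port-forward competing with HAProxy for 80/443, the actual cause above, lives in pf, not in this file, so it still has to be checked in the firewall's NAT rules.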
Lastly @lukastribus – Thanks a lot for your help. Helping beginners really stinks sometimes since they are oftentimes uninformed and don’t give you all the information needed. Thanks for your patience. If you could mark the thread solved – or edit the title of the thread to include SOLVED that would be great. Thanks.