HAProxy & Cloudflare - 526 Invalid SSL

Hi All,

Firstly, hi! I'm new here and I apologise if this is in the wrong location…

Been having some issues setting up HAProxy as a reverse proxy for my services. What I aim to achieve is to use the Cloudflare network to access my services securely over the WAN, and have HAProxy handle my services that are on the same ports [80 / 443]. I have a couple where I cannot change the port numbers and cannot run them through the Cloudflare ZTP tunnel service, as it would be a breach of service.

So I have managed to get everything installed and set up [to the best of my knowledge], but I receive Cloudflare Error 526 - Invalid SSL. Any help fixing this error would be greatly appreciated.

Please see my configs and methodology below.

I am aware internal IPs are on show; this is a test network that will be terminated after this posting.

!!! ALL CONFIGS HAVE BEEN ANONYMISED & GIVE NO REVEALING INFO !!!

- pfSense

- GUI Port change

Going into the System > Advanced tab I moved the default port for the pfSense GUI [443] to a secure port for my admin network [FIG 1].

- Aliases Creation

Using the Firewall tab I created aliases for the following [FIG 2]…

- Port Forwarding

Again using the Firewall tab I created a port forward from WAN to the firewall itself [as HAProxy has been installed on the firewall] using the aliases created above. I have limited the source to the Cloudflare proxy networks, as the DNS config on Cloudflare will be proxied [FIG 3].

- Certification

Using the System tab I uploaded my Cloudflare origin certificate, key & Cloudflare authorities certificate [FIG 4].

- HAProxy

Using the Services tab I configured HAProxy. I created a backend [in this example I'm using Plex], gave it a name, a server listing & disabled health checking. No SSL was added here as the server does not have any SSL certificates set up [FIG 5].

I created a shared front end for HTTP:// & HTTPS://. Under External addresses I selected WAN - Ports 80 / 443, clicked the SSL Offloading next to 443 & confirmed that the type was set to http / https (Offloading) [FIG 6].

I created an ACL for Plex & an action to be taken if the ACL is triggered [FIG 7].

Under SSL Offloading I selected the SSL certificate I uploaded earlier [FIG 8].

From what I can gather, I have set up the pfSense box & HAProxy to, in theory, successfully proxy my internal services.

Images: FIG 1 to FIG 8 (screenshots not reproduced)

- Cloudflare

- DDNS Magic

So I have had to do a bit of black magic here, as my ISP does not offer static IPs & the DHCP leases are stupidly short.

Using my pfSense box I have had to set up a proxied DDNS, so I'm using Cloudflare to do this as well. pfSense logs into my Cloudflare account via a dedicated API token, allowing it to read my domain's DNS & update an A record with my external IP every 30 mins.

- DNS Record for HAProxy

I have created a CNAME record for plex pointing towards the A record updated by the pfSense DDNS system; this too is proxied [FIG 1].

Images: FIG 1 (screenshot not reproduced)
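A raw haproxy.cfg equivalent of the pfSense GUI steps described in the post, as an added example that is not the poster's config; the hostname plex.example.com, the PEM path and the 10.0.0.20:32400 server address are assumptions. Cloudflare returns 526 when its edge cannot validate the certificate the origin presents, so the comments mark the points a practitioner checks first.

```haproxy
# Added example, not the poster's config. Hostname, paths and the backend
# address are placeholders chosen for illustration.
global
    # Modern TLS only on the origin-facing bind.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Shared HTTP + HTTPS frontend ("SSL Offloading" on 443 in the GUI).
# The crt file must be ONE PEM holding the Cloudflare Origin CA certificate,
# its private key, and the Origin CA root ("cloudflare authorities cert").
# For a 526, verify that this certificate's SANs cover plex.example.com,
# that the chain in the PEM is complete, and that the Cloudflare zone is in
# Full (strict) mode: Origin CA certs are trusted by Cloudflare's edge only,
# so a browser talking to the origin directly will reject them.
frontend fe_shared
    bind *:80
    bind *:443 ssl crt /var/etc/haproxy/origin-plex.pem
    # Redirect plain HTTP to HTTPS so only the TLS path carries traffic.
    http-request redirect scheme https unless { ssl_fc }
    # ACL + action from FIG 7: route by Host header to the Plex backend.
    acl host_plex hdr(host) -i plex.example.com
    use_backend be_plex if host_plex
    default_backend be_plex

# Plex speaks plain HTTP on the LAN, so no "ssl" keyword on the server line
# (matches "No SSL was added here"); health checks stay off, as in the post.
backend be_plex
    server plex 10.0.0.20:32400
```

The pfSense port-forward that limits the source to Cloudflare's proxy ranges is what keeps these binds from being reachable directly from the WAN, so that alias needs to stay current as Cloudflare's published ranges change.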