SNI HTTPS Reverse Proxy on pfSense Not Working


I am trying to setup HAProxy on a pfSense firewall as an SNI reverse proxy. I was previously using NAT to port forward https to a web server in the DMZ. This setup is currently working and I have a valid Letsencrypt cert. The web GUI generated the following haproxy.cfg:

# Automaticaly generated, dont edit manually.
# Generated on: 2018-05-11 20:05
# NOTE: the "global" section header below is assumed to have been lost when the config was pasted; the indented settings that follow belong to it.
global
        maxconn                 128
        stats socket /tmp/haproxy.socket level admin
        uid                     80
        gid                     80
        nbproc                  1
        chroot                  /tmp/haproxy_chroot
        server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
        bind name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000

frontend https_sni
        bind                    (My Static WAN IP Address):443 name (My Static WAN IP Address)
        mode                    tcp
        log                     global
        maxconn                 256
        timeout client          30000
        tcp-request inspect-delay       5s
        acl                     is_webmail      req.ssl_sni -m beg -i webmail
        tcp-request content accept if { req.ssl_hello_type 1 }

        use_backend backend_webmail_https_ipvANY  if  is_webmail

backend backend_webmail_https_ipvANY
        mode                    tcp
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  webmail (My Webserver IP Address):443 check-ssl check inter 1000  verify none

When I disable the NAT rules and enable HAProxy, I am unable to connect to my web server and the connection times out with no other error message.

I connected to the firewall and verified

  1. haproxy is running
  2. haproxy is listening on WAN IP:443
  3. I am able to use openssl s_client to connect from the router to the web server in the DMZ

I also used to verify that the browser I was using (my phone) to test supports SNI.

I would appreciate any help in troubleshooting this problem.



First of all, check your logs. If the backend is down (due to the health check not returning success), you will see that there. Try removing health checks to double-check. With a single backend server, health checks do not make any sense - you can't fail over to a different server anyway.

Second of all, try to configure a default_backend directive in your frontend. This is to make sure whether SNI matching works or not.

The important thing is to take a look at your logs.