I am trying to set up HAProxy on a pfSense firewall as an SNI reverse proxy. I was previously using NAT to port forward HTTPS to a web server in the DMZ. This setup is currently working and I have a valid Let's Encrypt cert. The web GUI generated the following haproxy.cfg:
# Automaticaly generated, dont edit manually.
# Generated on: 2018-05-11 20:05
global
    maxconn 128
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000

frontend https_sni
    bind (My Static WAN IP Address):443 name (My Static WAN IP Address)
    mode tcp
    log global
    maxconn 256
    timeout client 30000
    tcp-request inspect-delay 5s
    acl is_webmail req.ssl_sni -m beg -i webmail
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend backend_webmail_https_ipvANY if is_webmail

backend backend_webmail_https_ipvANY
    mode tcp
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server webmail (My Webserver IP Address):443 check-ssl check inter 1000 verify none
When I disable the NAT rules and enable HAProxy, I am unable to connect to my web server and the connection times out with no other error message.
I connected to the firewall and verified
- haproxy is running
- haproxy is listening on WAN IP:443
- I am able to use openssl s_client to connect from the router to the web server in the DMZ
I also used ssllabs.com to verify that the browser I was using (my phone) to test supports SNI.
I would appreciate any help in troubleshooting this problem.
Thanks,
Rick
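The routing decision in the frontend above depends entirely on what the client puts in the TLS ClientHello, which can be checked offline. This added example (not code from the post, pfSense or HAProxy) builds a ClientHello with an SNI extension, extracts the server name the way the `req.ssl_sni` fetch reads it, and applies the `is_webmail` ACL (`-m beg -i webmail`): a client that connects by IP address sends no SNI at all, and a name that does not begin with "webmail" matches no `use_backend` rule, so neither is sent to `backend_webmail_https_ipvANY`. The host names are constructed sample values.

```python
"""Build a TLS ClientHello, read back its SNI as HAProxy's req.ssl_sni
fetch does, and evaluate the ACL from the post's haproxy.cfg."""
import os
import struct

def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello record; the SNI extension is only added when a name is given."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"        # client version, random, empty session id
    body += struct.pack(">H", 4) + b"\xc0\x2f\x00\x9c"    # two cipher suites (constructed sample)
    body += b"\x01\x00"                                   # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack(">H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack(">H", len(name)) + name
        exts += struct.pack(">HH", 0, len(sni_list)) + sni_list  # extension type 0 = server_name
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs   # record type 22 = handshake

def extract_sni(record):
    """Return the SNI host_name from a raw ClientHello record, or None if absent/malformed."""
    # record[5] == 1 is the same test as 'req.ssl_hello_type 1' in the frontend
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    try:
        p = 9 + 2 + 32                                    # skip headers, version, random
        p += 1 + record[p]                                # session id
        p += 2 + struct.unpack(">H", record[p:p + 2])[0]  # cipher suites
        p += 1 + record[p]                                # compression methods
        end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", record[p:p + 4])
            p += 4
            if etype == 0:                                # list len (2) + name_type (1) + name len (2)
                nlen = struct.unpack(">H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass
    return None

def acl_is_webmail(sni):
    """'acl is_webmail req.ssl_sni -m beg -i webmail': case-insensitive prefix match."""
    return sni is not None and sni.lower().startswith("webmail")
```

Sending the output of `build_client_hello("webmail.example.com")` to the WAN address on port 443 and checking for a handshake record in reply is a quick way to tell whether the frontend is reachable and routing at all, independent of any browser.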