SNI HTTPS Reverse Proxy on pfSense Not Working


#1

I am trying to set up HAProxy on a pfSense firewall as an SNI reverse proxy. I was previously using NAT to port forward https to a web server in the DMZ. This setup is currently working and I have a valid Letsencrypt cert. The web GUI generated the following haproxy.cfg:

# Automaticaly generated, dont edit manually.
# Generated on: 2018-05-11 20:05
global
        maxconn                 128
        stats socket /tmp/haproxy.socket level admin
        uid                     80
        gid                     80
        nbproc                  1
        chroot                  /tmp/haproxy_chroot
        daemon
        server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000

frontend https_sni
        bind                    (My Static WAN IP Address):443 name (My Static WAN IP Address)
        mode                    tcp
        log                     global
        maxconn                 256
        timeout client          30000
        tcp-request inspect-delay       5s
        acl                     is_webmail      req.ssl_sni -m beg -i webmail
        tcp-request content accept if { req.ssl_hello_type 1 }

        use_backend backend_webmail_https_ipvANY  if  is_webmail

backend backend_webmail_https_ipvANY
        mode                    tcp
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  webmail (My Webserver IP Address):443 check-ssl check inter 1000  verify none

When I disable the NAT rules and enable HAProxy, I am unable to connect to my web server and the connection times out with no other error message.

I connected to the firewall and verified that:

  1. haproxy is running
  2. haproxy is listening on WAN IP:443
  3. I am able to use openssl s_client to connect from the router to the web server in the DMZ

I also used ssllabs.com to verify that the browser I was using (my phone) to test supports SNI.

I would appreciate any help in troubleshooting this problem.

Thanks,
Rick


#2

First of all, check your logs. If the backend is down (due to the health check not returning success), you will see that there. Try removing health checks to double-check. With a single backend server, health checks do not make any sense - you can’t fail-over to a different server anyway.

Second of all, try to configure a default_backend directive in your frontend. This is to make sure whether SNI matching works or not.

The important thing is to take a look at your logs.
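As an added example (not the original poster's config and not the file the pfSense GUI generates), here is the same frontend/backend with the suggestions from the reply applied: a default_backend so that a connection whose SNI does not match the ACL still reaches the server, the health check removed, and a `log` line in `global`, since the posted global section has none and `log global` in the other sections therefore emits nothing. The `log 127.0.0.1 local0 info` target is an assumption (a syslog receiver accepting UDP on 127.0.0.1:514); the IP placeholders are kept from the original post.

```haproxy
global
        maxconn                 128
        # Assumption: a local syslog receiver on UDP 514. Without a 'log' line
        # here, 'log global' in the frontend and backend below logs nothing.
        log                     127.0.0.1 local0 info
        stats socket /tmp/haproxy.socket level admin
        uid                     80
        gid                     80
        nbproc                  1
        chroot                  /tmp/haproxy_chroot
        daemon

frontend https_sni
        bind                    (My Static WAN IP Address):443 name (My Static WAN IP Address)
        mode                    tcp
        log                     global
        # tcplog records source, chosen backend and termination state per connection,
        # which is what you need to see whether the ACL or the backend is failing.
        option                  tcplog
        maxconn                 256
        timeout client          30000
        # Hold the connection until the TLS ClientHello has arrived so the SNI ACL can read it.
        tcp-request inspect-delay       5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl                     is_webmail      req.ssl_sni -m beg -i webmail
        use_backend             backend_webmail_https_ipvANY  if  is_webmail
        # Diagnostic: connections whose SNI did not match still get a backend.
        # If clients only succeed because of this line, the ACL is the problem,
        # not the TCP path to the server.
        default_backend         backend_webmail_https_ipvANY

backend backend_webmail_https_ipvANY
        mode                    tcp
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        # Health check removed: with a single server there is nothing to fail over to,
        # and a failing OPTIONS check would mark the only server DOWN and the
        # frontend would then refuse or time out every connection.
        server                  webmail (My Webserver IP Address):443
```

Once connections work with the default_backend in place, remove it again and confirm that the `is_webmail` ACL alone routes the traffic, then reintroduce the health check only if the log and stats page show the server staying UP.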