<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.deathbybandaid.net/index.php?action=history&amp;feed=atom&amp;title=Pfsense_HAProxy</id>
	<title>Pfsense HAProxy - Revision history</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.deathbybandaid.net/index.php?action=history&amp;feed=atom&amp;title=Pfsense_HAProxy"/>
	<link rel="alternate" type="text/html" href="https://wiki.deathbybandaid.net/index.php?title=Pfsense_HAProxy&amp;action=history"/>
	<updated>2026-07-05T18:26:54Z</updated>
	<subtitle>Revision history for this page on the wiki</subtitle>
	<generator>MediaWiki 1.41.1</generator>
	<entry>
		<id>https://wiki.deathbybandaid.net/index.php?title=Pfsense_HAProxy&amp;diff=14&amp;oldid=prev</id>
		<title>Deathbybandaid: Created page with &quot; =HAProxy ports 80/443= ==pfsense admin port change== Step one here is to change pfsense admin interface port from 443. pfsense Admin Port Change ==Adjust Firewall Rules== In order for HAProxy to be used, we need to change some firewall rules to pass traffic for 80/443 ===If you previously NATted 80/443=== You will want to disable these NAT rules.  File:pfsense-removenat.png ===Adjust WAN rules to allow access=== Add these rules to allow access to HAProxy  File...&quot;</title>
		<link rel="alternate" type="text/html" href="https://wiki.deathbybandaid.net/index.php?title=Pfsense_HAProxy&amp;diff=14&amp;oldid=prev"/>
		<updated>2021-12-08T20:16:23Z</updated>

		<summary type="html">&lt;p&gt;Created page with &amp;quot; =HAProxy ports 80/443= ==pfsense admin port change== Step one here is to change pfsense admin interface port from 443. &lt;a href=&quot;/index.php/Pfsense_Admin_Port_Change&quot; title=&quot;Pfsense Admin Port Change&quot;&gt;pfsense Admin Port Change&lt;/a&gt; ==Adjust Firewall Rules== In order for HAProxy to be used, we need to change some firewall rules to pass traffic for 80/443 ===If you previously NATted 80/443=== You will want to disable these NAT rules.  &lt;a href=&quot;/index.php/File:Pfsense-removenat.png&quot; title=&quot;File:Pfsense-removenat.png&quot;&gt;File:pfsense-removenat.png&lt;/a&gt; ===Adjust WAN rules to allow access=== Add these rules to allow access to HAProxy  File...&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;New page&lt;/b&gt;&lt;/p&gt;&lt;div&gt;&lt;br /&gt;
=HAProxy ports 80/443=&lt;br /&gt;
==pfsense admin port change==&lt;br /&gt;
Step one is to change the pfSense admin interface port away from 443. [[pfsense Admin Port Change]]&lt;br /&gt;
==Adjust Firewall Rules==&lt;br /&gt;
In order for HAProxy to be used, we need to change some firewall rules to pass traffic for 80/443.&lt;br /&gt;
===If you previously NATted 80/443===&lt;br /&gt;
You will want to disable these NAT rules.&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-removenat.png]]&lt;br /&gt;
===Adjust WAN rules to allow access===&lt;br /&gt;
Add these rules to allow access to HAProxy&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-haproxy_rules.jpg]]&lt;br /&gt;
=HAProxy setup=&lt;br /&gt;
Go to the package manager, then download and install HAProxy.&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-ha_pre_settings.png]]&lt;br /&gt;
&lt;br /&gt;
Make sure the above settings are set.&lt;br /&gt;
=Create Basic HTTP site=&lt;br /&gt;
Below, we will demonstrate a simple Port 80 access to a dummy webpage. I&amp;#039;d recommend a dummy nginx setup on another device.&lt;br /&gt;
==Create First Backend==&lt;br /&gt;
Here, we will create a Backend that points to a dummy webpage (set this up on a separate device).&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-backend-default.jpg]]&lt;br /&gt;
==Create Shared HTTP Frontend==&lt;br /&gt;
There are only a few settings to change here:&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-shared-front-http-a.jpg]]&lt;br /&gt;
&lt;br /&gt;
Then scroll to the bottom and change the following:&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-shared-front-http-b.jpg]]&lt;br /&gt;
==Create a host matching frontend==&lt;br /&gt;
We will now use the shared frontend to match a requested host name and direct that traffic to the backend that we set up.&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-shared-front-hostmatch-a.jpg]]&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-shared-front-hostmatch-b.jpg]]&lt;br /&gt;
==Test==&lt;br /&gt;
Assuming you&amp;#039;ve already pointed the A record for your domain name at your external IP, opening your domain name in a browser should now show your test webpage.&lt;br /&gt;
=Upgrade Basic HTTP site to HTTPS=&lt;br /&gt;
Now that we have a basic HTTP site functioning, we will add a certificate to HAProxy and allow HTTPS traffic on port 443.&lt;br /&gt;
==Obtain Certificate==&lt;br /&gt;
For this setup I will focus on using ACME with Let&amp;#039;s Encrypt to obtain a certificate. There are other ways to add a cert to your HAProxy setup.&lt;br /&gt;
&lt;br /&gt;
See https://docs.netgate.com/pfsense/en/latest/certificates/certificate-management.html&lt;br /&gt;
==Create Acme cert Backend==&lt;br /&gt;
[[File:pfsense-acme-backend.jpg]]&lt;br /&gt;
&lt;br /&gt;
MAKE SURE HEALTH CHECKS ARE DISABLED&lt;br /&gt;
==Create Frontend Rule to use Acme Backend==&lt;br /&gt;
For ease of copy-paste, the path the ACL must match is:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; /.well-known/acme-challenge/ &amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-acme-frontend-a.jpg]]&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-acme-frontend-b.jpg]]&lt;br /&gt;
==Use The Acme package to get a cert==&lt;br /&gt;
===Install and prepare Acme===&lt;br /&gt;
[[pfsense acme]]&lt;br /&gt;
===Restart HAProxy===&lt;br /&gt;
==Create Shared HTTPS Frontend==&lt;br /&gt;
Now that we have a working certificate, we&amp;#039;ll add a shared frontend similar to the HTTP one before.&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-shared-front-https-a.jpg]]&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-shared-front-http-b.jpg]]&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-shared-front-https-b.jpg]]&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-shared-front-https-c.jpg]]&lt;br /&gt;
==Copy Acme ACL from HTTP to HTTPS==&lt;br /&gt;
For good measure, we&amp;#039;ll copy the ACME rule to the shared HTTPS frontend.&lt;br /&gt;
&lt;br /&gt;
(The rectangle icon is the copy button)&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-acme-copy-https-a.jpg]]&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-acme-copy-https-b.jpg]]&lt;br /&gt;
==Create an ACL for the shared HTTP frontend to permanently redirect traffic from 80 to 443==&lt;br /&gt;
Now we will want all HTTP traffic to use HTTPS on port 443:&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-http-to-https-a.jpg]]&lt;br /&gt;
&lt;br /&gt;
[[File:pfsense-http-to-https-b.jpg]]&lt;br /&gt;
==Move Domain Matched ACL to HTTP==&lt;br /&gt;
Edit the previously created Frontend for your dummy webserver.&lt;br /&gt;
&lt;br /&gt;
Change the &amp;quot;Primary Frontend&amp;quot; from &amp;quot;Shared-HTTP&amp;quot; to &amp;quot;Shared-HTTPS&amp;quot;.&lt;br /&gt;
==Test==&lt;br /&gt;
You should now be able to open your domain in a browser to see your dummy webpage with HTTPS.&lt;br /&gt;
=Frontend ACL Tricks=&lt;br /&gt;
These ACLs can be applied to both the HTTP and HTTPS frontends.&lt;br /&gt;
==Blocks==&lt;br /&gt;
===Block access by IP Address===&lt;br /&gt;
Using a Host-Regex ACL with an http-request-deny 403 action, this denies requests whose Host header is a bare IP address rather than a hostname:&lt;br /&gt;
&lt;br /&gt;
IPv4&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$ &amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
IPv6&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; (([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])) &amp;lt;/code&amp;gt;&lt;br /&gt;
===Block access by Charter Spectrum Address===&lt;br /&gt;
Using a Host-Regex ACL with an http-request-deny 403 action:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; .spectrum.com &amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; .charter.com &amp;lt;/code&amp;gt;&lt;br /&gt;
===Block access by Hurricane Electric Address===&lt;br /&gt;
Using a Host-Regex ACL with an http-request-deny 403 action:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; .ipv6.he.net &amp;lt;/code&amp;gt;&lt;br /&gt;
===Set a robots.txt globally===&lt;br /&gt;
====Lua Script====&lt;br /&gt;
Under the &amp;quot;Files&amp;quot; tab of HAProxy, create a file named &amp;quot;robots&amp;quot; of type &amp;quot;Lua script&amp;quot; with the following content:&lt;br /&gt;
 &amp;lt;nowiki&amp;gt;&lt;br /&gt;
 -- Applet that answers any request routed to it with a static robots.txt body&lt;br /&gt;
 robots = function(applet)&lt;br /&gt;
 local response = &amp;quot;User-agent: *\nDisallow: /&amp;quot;&lt;br /&gt;
 -- Content-Length must match the body exactly; string.len counts bytes&lt;br /&gt;
 applet:add_header(&amp;quot;Content-Length&amp;quot;, string.len(response))&lt;br /&gt;
 applet:add_header(&amp;quot;Content-Type&amp;quot;, &amp;quot;text/plain&amp;quot;)&lt;br /&gt;
 applet:set_status(200)&lt;br /&gt;
 applet:start_response()&lt;br /&gt;
 applet:send(response)&lt;br /&gt;
 end&lt;br /&gt;
 &lt;br /&gt;
 -- Register the applet as an HTTP service named &amp;quot;robots&amp;quot; so a frontend ACL can select it&lt;br /&gt;
 core.register_service(&amp;quot;robots&amp;quot;, &amp;quot;http&amp;quot;, robots)&lt;br /&gt;
 &amp;lt;/nowiki&amp;gt;&lt;br /&gt;
====Frontend ACL====&lt;br /&gt;
[[File:pfsense-robotstxt.jpg]]&lt;br /&gt;
==Other==&lt;br /&gt;
===Redirect Naked Domains to www.domain.net===&lt;br /&gt;
Use a Custom-acl with &amp;quot;Not&amp;quot; checked and a value of:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; hdr_reg(host) -i .*\..*\..* : &amp;lt;/code&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Then use an http-request-redirect action with:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; prefix https://www.%[hdr(host)] code 301 &amp;lt;/code&amp;gt;&lt;br /&gt;
=Backend ACL Tricks=&lt;br /&gt;
==Rewrite / to /somethingelse/==&lt;br /&gt;
Use a Path-Matches ACL with an http-request-redirect action:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt; prefix https://%[hdr(host)]/somethingelse/ code 301 &amp;lt;/code&amp;gt;&lt;/div&gt;</summary>
		<author><name>Deathbybandaid</name></author>
	</entry>
</feed>