Comments:
Should troubleshooting for HAProxy not include enabling and analyzing logs?
Only used HAProxy via terminal, need to check out this pfSense app.
Currently using Nginx Proxy Manager for all web, SSL needs.
I have DuckDNS set up to resolve to my external IP and use Let's Encrypt with the DuckDNS domain to get valid certs for use in HAProxy. HAProxy listens on WAN, but I don't port forward 443 to the Internet. So if I'm on my internal network, the DuckDNS domain resolves and hits my HAProxy. I can then add any backend to proxy all my services, from pfSense itself, to Plex, to Grafana. It's great for homelab to not remember IPs and dismiss self-signed warnings. Ever since Let's Encrypt supports wildcard certs it's been great: 1 cert to rule them all.
Right on time I've borked my install 🥺, many times
One thing I missed was I needed to set the DNS entries to the pfSense and not to the servers themselves
Great video as always. I had no issues, but still missed the first step with the redirect rule checkbox. Thnx Lawrence!
I always have to laugh, Tom starts his videos saying 'Tom here from Lawrence Systems', yet he still gets called by his last name. lol....
Hi Lawrence, can I access my pfSense server outside the network without port forwarding? Example: tunneling. Because my ISP doesn't provide a bridge modem or port forwarding
Hi Lawrence, I am struggling with the setup of 2 pfSense: one is master and the second a backup node with CARP and HA Sync. Everything is synced with the backup node, like firewall rules, HAProxy frontend and backend, user, except ACME certificates. I have created an ACME certificate on the master; after successful creation I can't see it, or the newly created cert didn't sync, on the backup node. Both nodes have the HAProxy and ACME packages installed. I have tried to copy files /conf/acme to the backup node but in the web GUI I can't see the certificate listed.
Have you ever configured a production nginx reverse proxy?
Good video but I was expecting something about backend down... like one is up and the others down!
I don't know why but it works only when I'm inside my network. Maybe a wrong configuration.
Thank you for the wonderful video. I am facing an issue: I want to use my domain without 'www'. I tried but it's not resolved and shows (503 Service Unavailable
No server is available to handle this request.). I need help with this, with HAProxy and domain configuration. Once again, thank you
Have you already encountered a watchdog error in pfSense?
Did you have any advice on how to fix that?
Thank you
haha, may skip some steps...
Hi, I have a pfSense with HAProxy and I've experienced sometimes, and in a random way, that when I make a change in some ACL, the HAProxy configuration is broken when I apply it. Apparently the configuration is applied normally, but if I check backend status, the backend servers disappear. I can see that in the HAProxy config file the lines are missing, but in the pfSense GUI I have the related entries properly configured. It happens also in backends not related to the ACL modified. Do you have any ideas about this bug? Thanks!
Great video. It helped me with the issue that once HAProxy is enabled and the front end configured, the webconfig page is not accessible any more. It's because of a port conflict.
I spent an entire weekend troubleshooting. When I figured out that my firewall wasn't working as expected, I called up my ISP. I was actually behind a CGNAT.
It wasn't until I opted out of this that my firewall rules actually worked correctly and suddenly HAProxy was working perfectly.
Thanks for the video. I was trying to point to a Nextcloud instance on 80 without SSL but as soon as I changed it to 443 and ticked the encrypt box it worked.
Still having issues. When I point the FrontEnd to my LAN address, everything works fine. Once I switch it to my DMZ address everything breaks. LAN to DMZ rules are open, permitting anything. DNS entry has been modified to have everything point to my DMZ address. It's not a FW rules issue or DNS. Suggestions?
OMG thank you so much! Literally 10 seconds in and you solved my problem :) (web redirect checkbox!) ❤❤❤
Forgot: make sure HAProxy is enabled. Just spent 2 days troubleshooting that one... doh!
I need a more simplified video cause I'm doing something wrong. Don't explain, just do x + y = z
In summary - WTFV
(and in other situations, RTFM)
This is a great reference video for troubleshooting. Helped me solve many issues. They included:
- my internal URL/DNS entry was pointing to the server rather than HA proxy
- tools (dig and openssl) to verify what certificate is being returned
Thanks for that - but how do you get your server IPs to resolve to HAProxy IP?
Thanks for this video. It helped find some things I had wrong, but I'm still not there. I'm using CloudFlare, and I set up the DNS records on their site, but when I run 'dig' (from Windows WSL), I get two records for an answer, and neither of them match my home IP. I don't know where to go from there. I also got lost toward the end of the video because it shows what you should see when the certificate is set up correctly, but I just got two messages: "...No route to host:../crypto/bio/b_sock2.c:110:" and "...BIO_connect:connect error:../crypto/bio/b_sock2.c:111:" The last line says "connect:errno=113".
Hello,
I have an issue with HAProxy: the service stops every 15-20 min and I have to start it manually each time??
Any idea?
DNS got me - wasn't pointed to HAProxy. Thanks for this.
Yeah this helped me out. The part I missed was I tuned out when you got to the DNS part for the back end servers. I have the names assigned when I assign them static IP addresses in the DHCP part. So I thought I was done. Obviously I missed the part where you have to have the name point to the HAProxy instead...
One other thing - make sure haproxy is enabled! I had to enter the number of connections for the process manually for some reason.
Thank you for making this video, it fixed basically every issue I had and mistake I made from watching the first 2 videos
Hi Lawrence! Any idea how to set PFSense's HA_Proxy to send email notification alerts when Backend is down, for example? I know it can be done with .lua scripts but do you know the exact order how things need to be configured? Looking forward to hearing from you.
Tom, I've followed the guide but I keep getting my self signed cert? If I do the openssl test with the correct it I get the right one though?
Can someone help me? I wasn't able to fix the DNS part. I have configured DNS Resolver and added the ip of the domain's IP for the local server but when I dig into DNS on the pfSense box it does not show the local IP. It shows the public IP.
Besides DNS, I have configured backend and front end; the front end passes the traffic to the back end, however the backend gives 404 on the domain.
Thank you.