Configuring pfSense & HAProxy with HTTP and HTTPS

This is a quick and dirty guide to configuring HAProxy on pfSense to handle HTTP/HTTPS traffic and redirects. It was assembled using pfSense 2.3.X; however, the same steps apply to version 2.4 and above.

Configuration

  1. First, let’s configure the backend web server that will be referenced by the frontends we’ll create later on.
    • The backend server configuration is pretty straightforward. Create a pool, and add the web server(s) and IPs that will make up that pool. In my case, I am only using 1 web server in each pool, as seen here.

      [Screenshot: Backend Configuration]
    • I’ll be using SSL offloading as well, so there will be no SSL certificates on the backend web servers.
    • I ran into some issues with health checking, and will need to go back and do some more troubleshooting with that later on. For now, I have health checks disabled.
  2. Now, you’ll need two frontends, one for HTTP traffic and one for HTTPS traffic. In this configuration, I am only using HTTP to redirect any requests to HTTPS.

  3. On your HTTP services, you’ll probably want two ACLs and associated actions to handle TLD and WWW redirects from HTTP to HTTPS (depending on what you are trying to accomplish).
    • In the screenshots below, you’ll see I have a THawes.com-Redirect and a THawes.com ACL, which match up with the second screenshot showing the actions taken when each ACL is hit. In my case the HAProxy redirect rule is: code 301 location https://%[hdr(host)]%[path]. Because it reuses the Host header and path of the incoming request, it stays universal for any of my other redirect rules.
      [Screenshot: HTTP ACLs]
      [Screenshot: HTTP Actions]

  4. Now that the HTTP redirects are configured, we can move on to HTTPS services. Here, I also have two ACLs configured for this site. THawes.com-Redirect handles redirecting any TLD HTTPS traffic to WWW, and the THawes.com ACL sends all traffic to the associated backend web server.
    • The ACLs here are identical to those on the HTTP side.
    • The THawes.com-Redirect action redirects all traffic to WWW.
    • The THawes.com action uses the THawes.com backend, which we configured earlier.
      [Screenshot: HTTPS ACLs]
      [Screenshot: HTTPS Actions]
    • Under the SSL Offloading section of the frontend configuration, you’ll need to select the certificate you want to use. If you have multiple certificates for other sites that you’ll be hosting, you can add these certificates under the “Additional certificates” option.
    • The default ciphers in use by HAProxy are not very secure, which can be seen by running an SSL Labs test against your site. Currently, the following options and cipher list will improve your site security by not allowing older protocols and insecure ciphers:
      no-sslv3 force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
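
To review a bind-option string like the one above before pasting it into the frontend, the following added example (not part of the original guide) parses it and groups each suite by forward secrecy and AEAD mode. The function names are hypothetical; BIND_OPTIONS is copied from the guide.

```python
# Added example: audit the HAProxy bind options quoted in step 4.
# Function names are hypothetical; BIND_OPTIONS is copied from the guide.
BIND_OPTIONS = (
    "no-sslv3 force-tlsv12 ciphers "
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)


def parse_bind_options(line):
    """Split bind options into standalone flags and the cipher list."""
    tokens = line.split()
    flags, suites = [], []
    i = 0
    while i < len(tokens):
        if tokens[i] == "ciphers" and i + 1 < len(tokens):
            # The value after "ciphers" is an OpenSSL colon-separated list.
            suites = [s for s in tokens[i + 1].split(":") if s]
            i += 2
        else:
            flags.append(tokens[i])
            i += 1
    return flags, suites


def audit(line):
    """Group explicit suite names by forward secrecy and AEAD mode."""
    flags, suites = parse_bind_options(line)
    report = {"flags": flags, "aead": [], "non_aead": [], "no_fs": [], "skipped": []}
    for suite in suites:
        # Operators (!aNULL, -RC4, +HIGH, @STRENGTH) and group keywords (HIGH)
        # are not single suites; report them instead of guessing.
        if suite[0] in "!-+@" or "-" not in suite:
            report["skipped"].append(suite)
            continue
        # Ephemeral (EC)DHE key exchange gives forward secrecy.
        if not suite.startswith(("ECDHE-", "DHE-")):
            report["no_fs"].append(suite)
        # GCM, CCM and ChaCha20-Poly1305 are AEAD; other AES suites are CBC + HMAC.
        is_aead = any(tag in suite for tag in ("GCM", "CCM", "CHACHA20"))
        report["aead" if is_aead else "non_aead"].append(suite)
    return report


if __name__ == "__main__":
    for key, value in audit(BIND_OPTIONS).items():
        print(f"{key}: {value}")
```

On the guide's string, every suite uses ECDHE, and the last four (the -SHA384 and -SHA256 names without GCM) land in non_aead because they are CBC-mode suites.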
