PfSense: reverse proxy all the things. Part 3: Configure HA-Proxy for SSL traffic



In this part we configure HA-Proxy for SSL traffic.

Other parts in this series:
- PfSense: reverse proxy all the things. Part 1: OpenVPN on tcp port 443
- PfSense: reverse proxy all the things. Part 2: Install HA-Proxy and configure frontend and backend for OpenVPN
- PfSense: reverse proxy all the things. Part 4: Install ACME for automatic SSL certificates
- PfSense: reverse proxy all the things. Part 5: Configure HA-Proxy for SSL-Offloading

Part 3: Configure HA-Proxy for SSL traffic

Configure backend for SSL traffic

We need a backend configured on localhost to route the SSL traffic.
My backend is named '4-PublicSSL' and is configured to send SSL requests to '127.0.0.1:8444', which is where we configure our frontend next.

Configure frontend for SSL traffic

Now we create the new frontend to route SSL traffic based on access control lists (ACLs).
Name: Reverse_HTTPS_PROXY_SSL
External Address: localhost(IPv4) port: 8444

In my example, an ACL is added to route all traffic for the FQDN *.k3s.example.com to a certain backend.
That means any request that comes in for a subdomain of k3s.example.com is routed to this backend.
Feel free to start creating your own rules here to route pure SSL traffic to the backends.

Example backend for k3s.example.com

Here's an example of how the 4-k3s-SSL backend is set up to route traffic to k3s.
Encrypt(SSL) and SSL checks should both be unchecked.

Under the Loadbalancing options you can configure the load-balancing method.
Mine is usually set to 'Least connections'.

If you need persistence, you can configure stick tables for that.
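For readers who want to see the GUI settings above as plain HAProxy directives, here is a sketch added for illustration; it is not from the original post and not the file the pfSense package generates. It assumes the ACL matches on the TLS SNI field (the only hostname visible when traffic is not decrypted), and the ACL name, server names, inspect delay and the 192.0.2.10:443 address are placeholders.

```haproxy
# Constructed sketch: names marked "hypothetical" are not from the post.

# Backend from the first step: hands SSL connections to the local frontend.
backend 4-PublicSSL
    mode tcp
    server local_ssl_frontend 127.0.0.1:8444      # server name is hypothetical

# Frontend listening on localhost:8444, routing by requested hostname.
frontend Reverse_HTTPS_PROXY_SSL
    bind 127.0.0.1:8444
    mode tcp                                      # pass TLS through, no decryption
    # Buffer the start of the connection until the TLS ClientHello has arrived,
    # so the SNI extension can be inspected.
    tcp-request inspect-delay 5s                  # delay value is an assumption
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Suffix match, case-insensitive: any subdomain of k3s.example.com.
    acl is_k3s req.ssl_sni -i -m end .k3s.example.com   # ACL name is hypothetical
    use_backend 4-k3s-SSL if is_k3s

# Backend for k3s: "Encrypt(SSL)" and "SSL checks" unchecked means the server
# line carries neither the "ssl" nor the "check-ssl" keyword.
backend 4-k3s-SSL
    mode tcp
    balance leastconn                             # 'Least connections'
    server k3s-node1 192.0.2.10:443 check         # placeholder name and address
```

Because the match is on SNI, a client that sends no SNI never matches the ACL, so decide explicitly whether such connections get a default backend or none.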

That's it: SSL traffic can now be routed to various backends based on its FQDN.