(Updated Video In Description) How To Setup ACME, Let's Encrypt, and HAProxy HTTPS on pfsense

  • Published: 11 Sep 2024
  • Updated Version of this video here:
    How To Guide For HAProxy and Let's Encrypt on pfSense: Detailed Steps for Setting Up Reverse Proxy
    Netgate Hangout Videos
    Let's Encrypt on pfSense
    Server Load Balancing on pfSense 2.4

Comments • 188

  • @LAWRENCESYSTEMS
    @LAWRENCESYSTEMS 6 months ago +1

    Updated Video here
    ruclips.net/video/bU85dgHSb2E/видео.html

  • @jrtapley
    @jrtapley 4 years ago +15

    I’ve spent so many hours getting this running. This is a long overdue video. Thanks for making it!

  • @WapitiEater
    @WapitiEater 2 years ago +1

    Good help, thanks. PLT: Disable any existing NAT rules that may exist from previous efforts. Lost about half a day for I 'twigged on to that one. Once NAT was out of the way, this worked perfectly. Thanks!

  • @CookieStealer559
    @CookieStealer559 1 year ago

    3 years later and this is still great! Thanks a lot!

  • @S3ANZ13
    @S3ANZ13 2 years ago +10

    You know the one bad thing about tutorials that start with things already set up? .... Me not checking the HAProxy "Settings" panel to see if it's even enabled.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago +1

      It's always those little details.

    • @h1lari0
      @h1lari0 1 year ago

      Increasing the maximum connections helps as well. 😊

  • @bdorr17
    @bdorr17 4 years ago +3

    Aside from pointing out the one config issue (maybe), thanks for the video, this was absolutely useful and awesome and I love to not have to port forward and open up 80 just to let letsencrypt verify my cert. This is a much more secure method and I really appreciate it.

  • @heavy1metal
    @heavy1metal 4 years ago +8

    Instead of only using a default backend, you'd just create the ACL > action. Prevents people from just hitting your IP:PORT and successfully getting the service without the FQDN. Generally I would avoid a default backend going to a valid service. An example of a use case, is I'm currently using the default to redirect to a backend that redirects to a TCP frontend for non web-services. TCP front has its own ACL to match against, but you get the idea.

    • @BorisJohnsonMayor
      @BorisJohnsonMayor 1 year ago

      What about the default certificate for the frontend? It requires one, so is it a problem?

  • @kevinmiddleton6930
    @kevinmiddleton6930 2 years ago

    This video provided that "ah-ha" moment that I needed for my wildcard cert to work in haproxy. Now I can move away from my other load balancer / reverse proxy tool that I have been using and centralize on pfSense.
    Thank you!

  • @raymondfb
    @raymondfb 1 year ago

    great video, head still spinning a little. slick as snot when it gets up and runs. thank you again for taking the time to make your videos. learned so much.

  • @CAHOP2401
    @CAHOP2401 4 years ago +4

    This is perfect. Been looking for a video like this

  • @taylom1980
    @taylom1980 3 years ago

    This video is AWESOME! It totally helped me out with redirecting multiple subdomains to different ports on a single server. Thank you so much for showing me how to do this!

  • @MannyCastilloPage
    @MannyCastilloPage 4 years ago +1

    Didn't see your usual outro where you "and thank you for making it to the end of the video" :) thanks for this video

  • @daniellunateel
    @daniellunateel 3 years ago +3

    This video was super helpful but I really wish you had covered the firewall rules in some more depth.
    I was having a ton of trouble until I thought to change the firewall rule to allow access to LAN Net instead of to the firewall itself.
    Maybe this is super obvious to everyone else but I completely missed it for hours.

  • @Herkullainen
    @Herkullainen 4 years ago +1

    This, Jen, is the Internet.

  • @AaronStuder
    @AaronStuder 4 years ago +5

    33:05 Don't you need to copy the "restart" at the end as well?

  • @memphis2k
    @memphis2k 3 years ago +1

    Great video. I was under the impression that this didn't expose port 443 to the internet. But it does. Still more secure than exposing a server, I'm suspecting.

  • @vicoscugnizzo3154
    @vicoscugnizzo3154 8 months ago

    Many thanks for many years of contributing to shape a generation of professionals and enthusiasts like me. Pls. do you mind if I make a humble request? IPv6 setups, same videos you made before but emphasizing IPv6 in many forms SLAAC, DHCPv6. Reckon you will be supporting this transition and untangle this complicated setup. I believe many people are avoiding afraid not be able to deliver with quality as they do in IPv4. Much appreciated.

  • @fonte935
    @fonte935 4 years ago +1

    Such a cool video, Tom. It's taken me more than a few views to digest it all, and now I am trying it on my server. We'll see how it goes! :)

  • @deafno
    @deafno 2 years ago +2

    16:30 The certs in Backend / Server list are not required to get frontend HTTPS offloading to work. I believe this is for validating backend SSL certs instead.

  • @zoey101dogwablog
    @zoey101dogwablog 1 year ago

    love the hl2 reference with nova prospekt

  • @theshuz
    @theshuz 4 years ago

    I've used this on pfSense for years!!! Works great!!!👍

  • @michaelmauer1385
    @michaelmauer1385 2 years ago

    Thx, the additional certificates (frontend) was key in my search! Thank you

  • @EduardoReyesDPM
    @EduardoReyesDPM 4 years ago +1

    Literally working on this last night using cloudflare with dns mode.... Ty

  • @Dorff_Meister
    @Dorff_Meister 2 years ago

    Thanks! I've been wanting to do this for a long time and now it's all working on my Netgate/pfSense. My biggest mistake in the process was not moving pfSense from 443 before enabling things. Doh.

  • @Sladeofdark
    @Sladeofdark 4 years ago +3

    fuuuuuuuuuuuu...ck. will I ever understand certificates? why am I so fascinated with this mess lol. Awesome content sir!

    • @chris11d7
      @chris11d7 3 years ago +1

      it's like in middle school when you create a secret language with your friends. you and your friends know how to interpret what you're saying because they have the legend, and in order for anyone else to understand, they also need the legend.
      You distribute the legend to only people who are allowed to know what you are saying.
      The CA (certificate authority) verifies my identity to make sure I'm not pretending to be someone else.

  • @NT-zg2hj
    @NT-zg2hj 4 years ago +3

    Hi Lawrence, hope you're well. Thanks for the video. I have a NAS box which I would like to keep local. Would you mind doing another similar video but only for a local network (Private)? Thanks

  • @alphabanks
    @alphabanks 4 years ago +2

    This was an amazing video however I would like to see more advanced topics such as load balancing. I would also be interested in seeing if HA Proxy can do pre authentication using local passwords on PF or against Active Directory.

  • @conrat2000
    @conrat2000 2 years ago +1

    Thank you so much!

  • @Dorff_Meister
    @Dorff_Meister 1 year ago

    I've just set up Nginx Proxy Manager (NPM) in a docker container, have it all working, and am in the process of copying the hosts from my HAProxy config (provided by pfsense) to NPM. I'm finding NPM a lot faster to add and manage the configuration. Hopefully I don't find issues or loss in functionality (I'll run them concurrently at least for a while).

  • @stefanmilev1
    @stefanmilev1 4 years ago

    Great video Lawrence, I always wanted to set up something like this on my pfsense server as I was annoyed with the certificate message popping up all the time. Now using your guide I will try to set it up and make my network a bit better.

  • @superzeiberman9811
    @superzeiberman9811 3 years ago

    Who gives a thumbs down for this video? It's a very informative video and nicely structured!

  • @manutech156
    @manutech156 3 years ago +1

    Are you going to do a video on how to setup Dynamic DNS with digitalOcean and pfSense?

  • @NoRogeR
    @NoRogeR 3 years ago +1

    Great video 👍 I would suggest to turn on xforwardedfor as well to reveal real ips to backends

  • @rnovachkov
    @rnovachkov 2 years ago

    PLEASE make a video how to setup pfsense with haproxy and synology behind with all the services working.

  • @kapurar
    @kapurar 2 years ago +1

    Great video!

  • @annoyedbybrother
    @annoyedbybrother 1 year ago

    If you are using Cloudflare you need to make sure you set your SSL/TLS encryption mode to "Full". This is under Domain > SSL/TLS > Overview

  • @RichardBuckerCodes
    @RichardBuckerCodes 4 years ago +2

    what about backend machines that need to generate valid certs

  • @furfoxsake
    @furfoxsake 3 years ago +1

    Awesome video, I was able to get it working for WAN connections. But for some reason when I try to connect from the LAN side, it redirects me to the pfSense login page. Any thoughts on why this is happening?

  • @alpachino468
    @alpachino468 1 year ago

    I wasn't able to get through the entire video yet. Is there any mention of how to stop people from outside your network accessing certain proxies? Basically, I don't want to let people outside my local network access TrueNAS.

  • @saywhat9158
    @saywhat9158 4 years ago

    Great timing ... thanks for this info. Now, if pfsense would unify the Captive Portal login/logout window like Opnsense instead of using an archaic method of popup windows that most browsers disable by default due to security issues, then I might actually purchase a licensed Netgate box from them when I upgrade for hardware AES support.

  • @masterhinz
    @masterhinz 3 years ago

    That was so helpful. Thanks a lot for this great video!

  • @udbytossen
    @udbytossen 3 years ago +1

    Hi Lawrence Systems.
    Great Video - Although I want to use this before our Company Webserver - but how about getting the tracking information. I located an option under frontend - "Use forwardfor" option, for statistics etc on websites - But this guide works fine, and adding this option still shows the client IP as 192.168.1.1 (PFsense) - so how can I make my marketing guy happy :-)
    Keep them Videos Coming - like the late evenings with those!

  • @whatevah666
    @whatevah666 2 years ago

    awesome vid, thanks. small nitpicking, you don't HAVE TO have a default backend as stated in the fw "If a backend is selected with actions above or in other shared frontends, no default is needed and this can be left to "None"." I prefer not having a default backend in case of scanners etc, that way you don't "leak" info via certificates and such, it just seems better to me :)

    • @BorisJohnsonMayor
      @BorisJohnsonMayor 1 year ago

      What about the default certificate for the frontend? It requires one, so is it a problem?
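
The host-based routing that the comments from @heavy1metal and @whatevah666 describe, written as a raw HAProxy configuration. This is an added example, not taken from the video or from the config the pfSense package generates; the hostnames, addresses and certificate path are constructed placeholders, and `strict-sni` is shown as one way to handle the default-certificate question raised in the replies.

```haproxy
# Added example: all names, IPs and paths below are constructed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # HAProxy always needs at least one certificate on an ssl bind line, and
    # the first one loaded is presented by default when the client's SNI
    # matches nothing. strict-sni changes that: the TLS handshake is refused
    # unless the SNI matches a loaded certificate, so a scanner connecting to
    # the bare IP:443 does not receive a certificate listing your hostnames.
    bind 203.0.113.10:443 ssl crt /path/to/certs/ strict-sni

    # One ACL per published hostname, matched against the Host header
    # (case-insensitive).
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com

    # ACL -> action: a request reaches a backend only when its Host matches.
    use_backend be_app1 if host_app1
    use_backend be_app2 if host_app2

    # Deliberately no default_backend. A request whose Host header matches
    # none of the ACLs above is answered by HAProxy itself with
    # "503 Service Unavailable" and never reaches an internal server.

backend be_app1
    server app1 192.168.1.20:8080 check

backend be_app2
    server app2 192.168.1.21:8080 check
```

Running `haproxy -c -f <file>` checks the syntax of a config like this without starting the proxy.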

  • @VioletDragonsProjects
    @VioletDragonsProjects 4 years ago

    I've finally got this working on two domains. Cloud and Web Server behind two domains, I now have to set up mail. But there are some differences in my lab than in this video. You didn't mention VIP/Virtual IPs. It will work without it, you just won't be able to have this setup internally, only externally, but yeah it works, took some setting up to do. Web Servers require some tweaking for http to https redirection. Wordpress Servers on the other hand require a lot of tweaking or the web site is broken, i.e. layout.

  • @godyK
    @godyK 2 years ago

    I have followed the video but I am having one problem: whenever I try to access the sites I get redirected to the HAProxy stats page on all the domains

  • @PeraLimar
    @PeraLimar 4 years ago +1

    Great, thank you.

  • @tac73
    @tac73 3 years ago

    I've got to be honest here. The only thing I know for sure that I've learned is, that your speech is way faster than my brain can process. I've replayed segments over and over, til I'm just worn out. I hope I don't lose interest before it all sinks in! :-)

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago +1

      Use the RUclips slow speed playback option

    • @tac73
      @tac73 3 years ago

      @@LAWRENCESYSTEMS That's actually a very good idea! Thanks Tom!

  • @william7950
    @william7950 4 years ago +1

    man, thanks a lot for that

  • @WebbedPete
    @WebbedPete 3 years ago

    KEY item missing: to do this on the LAN side, in System->Advanced, set a different TCP port, AND check "Disable webConfigurator redirect rule" Then HAproxy can listen to 443 on the LAN side of pfSense.

  • @jim7smith
    @jim7smith 3 years ago

    What software are you using at the beginning with the image of the network?

  • @fbifido2
    @fbifido2 4 years ago +2

    Would a wildcard domain certificate using ACME DNS auth work in this case as seen in your video?

    • @manthing1467
      @manthing1467 4 years ago

      I am trying that right now but I've been dealing with 503 errors w the SSL going through.

  • @georgelza
    @georgelza 1 year ago

    ... hi hi.
    I have my pfSense set up currently to work with CloudFlare and using a Let's Encrypt cert.
    Due to various reasons I need to change my domain. I already bought the new domain from Google and already created/added it to my CF profile and updated the domain on Google's side to use the CF NS's.
    Know this is prob a bit off the beaten track, but any chance you can do a video... showing what's additional to be added or changed to accommodate this use case.

  • @ramikilany9279
    @ramikilany9279 4 years ago

    About the Pure NAT it is not working with me, I did the same configuration but the internal IP does not open the WAN IP, where is the problem in your opinion? Best Regards

  • @ramhee98
    @ramhee98 4 years ago

    really helpful video man ;)

  • @bdorr17
    @bdorr17 4 years ago +1

    Hey, it looks like the correct command would be /usr/local/etc/rc.d/haproxy.sh restart which I think you left out. Just want to confirm that

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago

      Do it's in the documentation not what I say..lol

    • @bdorr17
      @bdorr17 4 years ago

      @@LAWRENCESYSTEMS lol no issues, just in case you use that function though, might want to double check

  • @mohsinhassan88
    @mohsinhassan88 4 years ago +2

    Great Video, I have been searching for a video like this forever as I was trying to set this up for myself.
    I have been watching your videos for a long time and am a huge fan.
    I do have a comment about the flow of the video: while I was able to understand what you were talking about since I spent a long time reading up on this topic, I feel that compared to your previous videos on other topics (which are excellent as a follow-along and very well structured even for someone completely new) this was not as well structured.
    I mean the content is excellent, it just needs a bit more introduction and preface before you get into the meat of things.
    More along the lines of why one would need this, what alternatives are available out there.
    In most of your videos, before you get started with the topic you explain what the topic is and what alternatives are available (which I love because then I can go out and read up on those topics as well, and it is a great way of learning new things).
    Maybe do another video just talking about those points before we start watching this video.
    Nonetheless this is an excellent video. Keep it up.

  • @house0795
    @house0795 1 year ago

    Can I set reverse proxy but only for local use not open to internet with haproxy ?

  • @ranjithgreen
    @ranjithgreen 3 years ago

    thank you

  • @misckicirina
    @misckicirina 2 years ago

    Great tutorial, thank you. I followed it and HA Proxy works in my PfSense but unfortunately only if I disable pfBlockerNG and DNSBL. Maybe this is caused by the two NAT rules created by pfBlockerNG that forward ports 80 and 443 to 8081 and 8443, respectively. Is there any way to get HA Proxy working with pfBlockerNG enabled? Or should I replace pfBlockerNG with Pinhole?

  • @jeremyrangel8138
    @jeremyrangel8138 3 years ago

    is this the same process we could use if we wanted multiple web servers with only one public IP address?

  • @danielday8828
    @danielday8828 4 years ago

    Was wondering if you could elaborate on doing a redirect rule from http to https?

  • @ranjithgreen
    @ranjithgreen 3 years ago

    Thank you for the wonderful video. I am facing an issue: I want to use my domain without 'www', I tried but it is not resolved and shows (503 Service Unavailable
    No server is available to handle this request.) I need help in this with Haproxy and domain configuration, once again thank you

  • @MrBaracas
    @MrBaracas 3 years ago

    Would this work for those origin certs that Cloudflare tries like heck to get its people to use?

  • @benek9841
    @benek9841 2 years ago

    Hi Lawrence, great video as always. Your videos inspired me to build my Pfsense router. Now I migrated my Nginx to HAproxy. Question: is there a way to do some basic authentication to some back end services?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      Generally auth is taken care of by the app you are running

  • @PhrozenN
    @PhrozenN 4 years ago +1

    How the hell did you get your terminal looking like that? Thx for the great tutorials :)

    • @chwaee
      @chwaee 4 years ago +1

      parrot OS

    • @PhrozenN
      @PhrozenN 4 years ago

      @@chwaee what? No. That's pop os

    • @lepsycho3691
      @lepsycho3691 4 years ago

      He asked for the terminal not the distro. If I'm not mistaken this is zsh and you can use it on any distro.

  • @ChrisVogtmann
    @ChrisVogtmann 3 years ago

    Are there firewall rules that need to be setup?
    I have a mail server on the LAN and tried to follow this to add a cert so I could have it behind an ssl but port 80 still works fine but when I go to 443 I get PR_CONNECT_RESET_ERROR
    When I run the terminal command, it shows it sending the cert for my domain set up in acme
    Any Ideas?

  • @faizmustofa6369
    @faizmustofa6369 2 years ago

    what that all domain is private network ? or public

  • @Tom-jo8fu
    @Tom-jo8fu 7 months ago

    How to setup cloudflare localdns? I received constant an ssl error.

  • @frankihk
    @frankihk 4 years ago

    hi Lawrence, how to setup snort protection for each sub domain or acl

  • @weismichael
    @weismichael 4 years ago

    thanks for the video, as ur a professional for unifi products, u can maybe tell me, how to make unifi nvr get working through haproxy. the ui is running on port 7443, but it also needs port 7446 for the video stream. i am not able to get it running. maybe u have an advice.

  • @ranjithgreen
    @ranjithgreen 3 years ago

    i need help in this with Haproxy redirect non-www domains to their www variant once again thank you

  • @johnglennan2153
    @johnglennan2153 2 years ago

    I'm getting DNS rebinding attack detected after setting up the HA-Proxy Part then testing the domain I registered. (EDIT) I ended up solving this by enabling HA Proxy. Sorry for this comment awesome video. You rock! Also do you need open vpn still if you use HA Proxy?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      Putting things behind a VPN is a more secure method.

  • @Jeancomputech
    @Jeancomputech 2 years ago

    Hi Tom, I hope you are having a great Saturday. The question I have is do you have to do port forwarding to the backend server or just added to the proxy backend?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      No, you allow ports to HAProxy, not to the servers behind it.

  • @Gillis785
    @Gillis785 4 years ago

    Hi there just wondering if there is something you need to add in your nginx conf file to make this work. It works fine when running apache but I get error 503 Service Unavailable when running nginx. Thank you.

  • @koenpauwels98
    @koenpauwels98 3 years ago

    Great tutorial, sometimes it's a little bit over my head.. I'm not really an IT guy, but I wanted to achieve this. So some stuff you just assume you should know :D but I don't

  • @simonlock9718
    @simonlock9718 4 years ago +1

    Hi Lawrence. Please could you make a video showing how to use haproxy (HTTPS) for local only servers. E.g. FreeNAS. I have several local only servers and each are configured using certbot to obtain their own certificates (cloudflare dns challenge). I know that you hinted at NAT reflection / Pure NAT but I simply cannot get this to work. Thanks

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago +1

      Already did ruclips.net/video/jpyUm53we-Y/видео.html

    • @simonlock9718
      @simonlock9718 4 years ago

      Thank you Lawrence. I had to use a VIP to get it working.@@LAWRENCESYSTEMS

  • 4 years ago +1

    One of the best out there how you should explain for a newbie that have hard time to see the connections for functions. You doing well for add extra information in some important points. I have a wish do. Certificate is a brain eater for me to get everything together what exactly every type of file doing and are for.
    Some common words when talking certificate.
    CA?
    Root?
    Public cert?
    Chain?
    Generate self sign cert?
    x509?
    Validation?
    Best way to storing Certificate, root, cert, CA or what they are?
    Key?? This is weird thing to understand. Sometimes there is Key file with certificate.
    Does the Country Code, location, Email Address, city...... important/or dangerous in some way?

  • @amaze646
    @amaze646 4 years ago

    Tnx man!

  • @manmustbuild
    @manmustbuild 2 years ago

    I've got my front end set to listen on LAN address. Prefer to get that working before I open up the WAN ports. pfsense has a valid ACME wildcard cert and the subdomain resolves and that's all working great. But whenever I try to turn on HAProxy and route to a different internal server, I lose access to the pfsense webGUI.

  • @freiermuthj
    @freiermuthj 4 years ago

    I swear... every PFSense video

  • @androbourne
    @androbourne 2 years ago

    If you are using certs locally on the host do you still need SSL Offloading? How can that be done without needing 2 certs? Aka cert from PFSense and locally issued cert from Lets Encrypt on local server?
    I basically just want HAProxy to pass whatever cert is already assigned on the server itself. I don't want HAProxy to manage any certs.

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      There might be a way to do that, but I made the tutorial based on the more common way people use it which is having HAProxy handle the certs.

  • @Mr.Leeroy
    @Mr.Leeroy 4 years ago

    Instead of skipping SSL checks for self-signed certs on backends it would be nice to make HAProxy honor their self-signed CA.

  • @ITWorksSoftware
    @ITWorksSoftware 2 years ago +1

    I appreciate the tutorial, but wish you could do it step by step from start to finish. So lost right now.

  • @codochi
    @codochi 4 years ago

    Hi~
    How to configure synology + directadmin same port 443? I tried but it only run synology.

  • @pixel9119
    @pixel9119 3 years ago

    what do I have to put in my txt record on the dns server?

  • @PierRafiq
    @PierRafiq 2 years ago

    Bonjour ,,, Great

  • @charlie7975
    @charlie7975 4 years ago

    Great video. All of yours are great. I want to make sure WAN traffic to my pfSense login and a couple other web servers gets blocked so access is only local/VPN. Can you point me in the right direction?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 4 years ago

      The pfsense web configuration page is blocked on WAN by default.

  • @emilianocaballero7013
    @emilianocaballero7013 1 year ago

    Just making sure, can this be used to provide a let's encrypt certificate to an internal PBX server such as FreePBX?

  • @moondawson2165
    @moondawson2165 2 years ago

    Hi Tom, which of digitalocean solutions supports let's encrypt?

  • @gt_masterman
    @gt_masterman 1 year ago

    why exactly is it a bad idea to expose your NAS? wouldn't this be one of the applications as it lets me access my files from anywhere? and since the NAS has its own login, there shouldn't be any way to access data if you aren't authorized right?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      In theory yes, in reality if there is a security flaw, which has happened many times, then others can access your files, delete them, or encrypt them and charge a ransom.

  • @frankihk
    @frankihk 4 years ago

    it is possible deploy with openvpn?

  • @Napert
    @Napert 1 year ago

    Where can I find a tutorial for this but with cloudflare and without exposing to public internet?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      If you are talking about Cloudflare tunnels, that does expose it to the public internet.

  • @vasquezmi
    @vasquezmi 1 year ago

    How are you able to passthrough your public IP to the WAN interface? What I see on the front end is the same public IP that you set in Digital Ocean. For me I only see the IP assigned by my cable modem. Is there an option to set that or pass it through?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 1 year ago

      I think what you are looking for is In the back end settings "Use Client-IP to connect to backend servers."

    • @vasquezmi
      @vasquezmi 1 year ago

      @@LAWRENCESYSTEMS I think I understand now as I look through the steps. I have a BYOD cable modem that is set to router mode. I believe I need to set it to Bridge mode in order to have the public IP passthrough to the pfSense....or use like you said the Client-IP / 1:1 NAT options that are available.

  • @royhall4649
    @royhall4649 4 years ago

    I have followed this step by step, but none of my web servers are working...

  • @AntonKristensen
    @AntonKristensen 3 years ago

    Any chance you have or could make a video showing how to do this with tls / https mode, to route to servers depending on the certificates sni over tls/https and not the http/https you have there. Best regards!

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      Just change the mode, it's a settings option.

  • @FabioVascoGomes
    @FabioVascoGomes 4 years ago

    No Join button on this channel?

  • @homeassistantiptv8068
    @homeassistantiptv8068 3 years ago

    my haProxy has stopped working as soon as I configured LAGG - haproxy sites now only work via WAN and not on the LAN.. Would anyone be able to point me in the right direction?

  • @nanabkgyasi
    @nanabkgyasi 2 years ago

    Hey Lawrence. Is there a way for me to edit the haproxy config file? My nginx is failing to start because the ssl certificate is not where it expects it although haproxy/acme is issuing it successfully.

  • @FTLN
    @FTLN 2 years ago

    Hi Lawrence, I have a standalone PFSENSE in the cloud with one wan interface, one OPENVPN interface and One IPSEC interface, can you confirm from which interface is used by HA proxy to proxy the request ?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 2 years ago

      I have never tried that setup.

    • @FTLN
      @FTLN 2 years ago

      @@LAWRENCESYSTEMS Thanks, but from which interface does HA proxy forward traffic?

  • @garrettdengler7599
    @garrettdengler7599 3 years ago

    If I’m using a UniFi router, would this still work for me if I set up a pfsense box internally? Or would there be a better solution for that scenario?

    • @LAWRENCESYSTEMS
      @LAWRENCESYSTEMS 3 years ago

      It would add more complexity than just replacing the UniFi router.

    • @garrettdengler7599
      @garrettdengler7599 3 years ago

      @@LAWRENCESYSTEMS Bummer. I can't justify replacing the udm-pro so I'll have to dig around for a different solution. Great video though. Thanks!