pfSense + HA proxy - Hansson IT template

I’ve been running the Hansson IT OVF template for some years now on my esxi host. This instance has a public IP address, so I don’t have to worry about portforwards etc. This works flawless.

Now I want to re deploy this instance (by setting up a new one) behind a pfSense HAproxy.

However, I cannot get this to work. I’ve searched and read many topics about this, but none of them seem to suit my case.

I am able to login if I use to the local ip address of this new setup.
I am not able to login if I use the HAProxy. I can’t reach the login page. The apache seems to be stuck at the default Hannson IT page:

“Thank you for downloading the Nextcloud VM, you made a good choice! If you see this page, you have run the first setup, and you are now ready to start using Nextcloud on your new server. Congratulations! :)”

It seems that there is no redirect to cloud.mydomain.tld/login.
If I manually enter “cloud.mydomain.tld/login”, I get “Not Found” error in chrome/firefox.

I’m quite stuck for the moment. None of the solutions I’ve found seem to do the trick.

And the backend:

It does not matter if I enable SSL or not at the backend, in this picture the acme certs are configured, but this has no influence.

If you want to continue with the Hansson VM and its built-in Let’s encrypt SSL configuration, I would consider setting up HAproxy in TCP mode, not in https mode. In this way, HAproxy doesn’t interfere at all with the handling and updates of certificates; this is done exclusively by the VM. To this end, you need to choose the TCP type in HAproxy.

Unfortunately, I am not familiar with how exactly to set up HAproxy using the pfsense GUI, but here’s a configuration file that works in my case for two different hosts which both manage their own SSL/TLS termination:

frontend ft_tcp_ssl
	mode tcp
	bind *:443
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	use_backend     bk_otherhost_ssl if { req_ssl_sni -i otherhost.yourdomain.tld }
	use_backend     bk_nextcloud_ssl  if { req_ssl_sni -i nextcloud.yourdomain.tld }
	default_backend bk_otherhost_ssl

backend bk_otherhost_ssl
	mode tcp
	# needs to terminate TLS for otherhost.yourdomain.tld
	server otherhost.yourdomain.tld [otherhost-IP]:443

backend bk_nextcloud_ssl
	mode tcp
	# needs to terminate TLS for nextcloud.yourdomain.tld
	server nextcloud.yourdomain.tld [nextcloud-IP]:443

frontend ft_http
	mode tcp
	bind *:80
	use_backend     bk_otherhost  if { hdr(host) -i otherhost.yourdomain.tld }
	use_backend     bk_nextcloud  if { hdr(host) -i nextcloud.yourdomain.tld }
	default_backend bk_otherhost

backend bk_otherhost
	server otherhost.yourdomain.tld [otherhost-IP]:80

backend bk_nextcloud
	server nextcloud.yourdomain.tld [nextcloud-IP]:80

If you can’t import an HAproxy configuration, you could try adjusting the GUI settings until the resulting config file looks like the above. You may need this hint to achieve the desired result:

1 Like