[Guide] Reverse Proxy via HAProxy + ACME on pfSense

Hi,
Sorry for the delay. The stats page shows the backend server is down, but in fact the server is running. Also, one of the backend servers runs smoothly and the web server gives the private address. I am lost…

You’ll want to just change the health check method to Basic (or disable it altogether) for the backend if the stats page shows it down and you’re certain the configuration is correct.


Actually I had the same problem, and switching to Basic solved my issue of the backend being down and the 503 error! Thanks!!

Oops, but I now have another issue: I can’t access pfSense anymore. When I try my router IP I’m now getting a 503 error :-\

If you are connected to the LAN side of your firewall and you can’t access the GUI, then you inadvertently created your firewall rule for HAProxy on the LAN interface (and put it above the anti-lockout rule); it needs to be on the WAN interface. You can temporarily disable the filters to regain GUI access by connecting to the pfSense system via SSH → pressing 8 to access the shell → executing pfctl -d to disable. Fix the rules, then run pfctl -e in the shell to re-enable the filters.


Hi, I’ve followed the guide and, after having run into the same 503 error (resolved by switching the health check from HTTP to Basic), I’m now getting “Client sent an HTTP request to an HTTPS server.”, likely caused by the redirect. Do the web servers need to have valid SSL certs for each of them, or are they being served by pfSense? Because right now the web server in question doesn’t have a valid cert and is running on port 5105 (which is open).

Thanks in advance

Actually, I figured out the resolution. I had to enable SSL check and encrypt with SSL for the backend.

The problem is exactly as the error describes. You have either incorrectly configured the shared frontend or pointed the backend to an HTTPS port. This guide is for SSL offloading with HAProxy, which means the external connections to HAProxy are SSL-encrypted, and the communication between HAProxy and the backend servers is not. When using the shared SSL-offloading frontend, the ports you specify in the backend server definition must be HTTP, not HTTPS. Enabling encryption on the backend will resolve the issue (caused by misconfiguration) and increase backend server load, but that’s about it.
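To make the offloading layout concrete, here is an added HAProxy configuration example (not from the original post and not the config pfSense generates from the GUI) that shows the shared TLS-terminating frontend next to a correct plain-HTTP backend and, commented out, the misconfigured variant that produces the "Client sent an HTTP request to an HTTPS server" error. The hostname, addresses, ports and certificate path are assumptions; "check" without "option httpchk" is the equivalent of the GUI's Basic health check.

```haproxy
# Added example, not the page's own config. Hostnames, IPs, ports and
# the certificate path are assumptions for illustration only.

global
    log /dev/log local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Port 80 exists only to bounce clients to HTTPS.
frontend http_redirect
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# The shared SSL-offloading frontend: TLS terminates here, and the
# backend is chosen by the Host header.
frontend shared_https
    bind *:443 ssl crt /var/etc/haproxy/example.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    acl host_plex req.hdr(host) -i plex.example.com
    use_backend plex_backend if host_plex
    default_backend plex_backend

# Correct: a plain-HTTP port on the server and a basic (TCP connect)
# health check. No "ssl" keyword, because the hop from HAProxy to the
# server is cleartext by design in an offloading setup.
backend plex_backend
    mode http
    server plex01 192.0.2.10:32400 check

# Wrong (kept commented out): the server definition points at an HTTPS
# port without "ssl", so the server answers every request, including the
# HTTP health probe, with "Client sent an HTTP request to an HTTPS
# server". The failed probe marks the server DOWN and clients get a 503.
# backend plex_backend_wrong
#     mode http
#     option httpchk GET /
#     server plex01 192.0.2.10:8443 check
```

If the backend really only speaks HTTPS, the fix the thread converges on is `server plex01 192.0.2.10:8443 ssl verify none check` (or `verify required` with a `ca-file` once the server has a trusted certificate), which is what the GUI's "encrypt with SSL" and "SSL check" options emit; the cost is a second TLS handshake per connection on the backend.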

I don’t know if I am writing in the right place (sorry!), but since for me this is the most understandable guide on the web on this topic (thanks indeed!), I would just like to ask whether it is possible to use HAProxy + ACME on pfSense both to reverse proxy to the HTTP server and to one or more SSH/SFTP servers, so as not to expose port 22 directly to the web.

Thanks in advance!

Hey, so this is feasible, but it requires quite a bit of extra config (on the balancer as well as on the clients) that the GUI config would really only hamper, and it doesn’t really provide much of a tangible benefit. Simply enforce the use of key-based auth and you’re good; add a simple rate limit with iptables’ recent module if you’d like.
If you must go the SSL/TLS wrapper route, here’s the guide on how to do so.
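Since the firewall in this thread is pfSense, which runs pf rather than iptables, here is an added example (not from the original post) of the equivalent rate limit written as pf rules: a source that opens more than 3 new SSH connections in 30 seconds is added to a table and blocked. The interface name, the 3/30 threshold and the table name are assumptions.

```pf
# Added example, not the page's own rules. The interface macro, the
# threshold and the table name are assumptions.
wan_if = "em0"

# Offenders land here; "persist" keeps the table even when empty.
table <ssh_bruteforce> persist

# Block already-listed sources before any pass rule can match.
block in quick on $wan_if from <ssh_bruteforce> to any

# Allow SSH, but a source opening more than 3 new connections in 30 s
# is added to the table; "flush global" also kills its existing states.
pass in quick on $wan_if proto tcp from any to ($wan_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh_bruteforce> flush global)
```

The same effect is available from the pfSense GUI through a rule's Advanced Options ("Max. src. conn. Rate"), which writes the offenders to the built-in virusprot table. Pair it with `PasswordAuthentication no` and `PubkeyAuthentication yes` in sshd_config on the SSH host, which is the key-based-auth part of the advice above.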

I did everything per the guide but Plex is still not working for me. I am getting “503 Service Unavailable”.

It would have worked without doing the Extras. All that was needed was to change Health check method: Basic. I had the same issue and the change solved it.

This was fixed by changing Health check method: Basic.

Sorta like this I’d assume :wink:


Correct. Just make sure your configuration is correct and your connection is secure…


Which is already set up for you by Plex.

This error pops up after I make an HTTPS enforcement rule. Listening on port 80. Does anyone have some idea how to solve this?

https_redirect, https enforcement, haproxy, shared frontend

I finally got this to work, where I can connect to my Emby server externally, by adding port forwards to the LAN network instead of WAN. The problem now is that when I try to access the pfSense portal it gets redirected to the Emby login portal. How do I get back into the pfSense GUI to fix what I messed up?

SSH in, or log in directly at the console.

When SSH’d in, is it best practice to suspend the firewall temporarily using pfctl -d and then go in and fix what I messed up?