pfSense and HAProxy - ACL for SNI host-name matching does not work

Photo by Compare Fibre / Unsplash

Hi i tried to publish the syncthing WebGUIs from my DMZ systems to my internaly accessible haproxy VIP on my pfSense firewall and couldn't figure out WHY I can't connect to the service, it seems to have error "503 Server not found" until I choose to use the default backend.

I was stuck for half an hour, this moment as I write this blog entry. I figured out:

HAProxy refers to the first match of the acl per IP in the frontends, NOT WITH THE PORTs in mind. I had to use a different ACL check that matches only this frontend I wanted.

Piere Woehl

Piere Woehl

Lingen