If the 'Flexible' encryption mode in Cloudflare isn't working for you, try 'Full (strict)'.

Thanks for posting. I had this setup once and never left home since pandemic. Running pfsence for a couple years now trouble free, it's so stable.

This Channel is FANTASTIC! I found your channel a week ago, and after watching a few of your videos I can confidently say that your channel is now my main go to channel for Home-lab related how-to information. I subscribe to many other similar channels and more often than not, the host(s) simply mention a *key step (saying that you need to go x and y and do Z first) while NEVER showing you how*. They assume you already know how, and then spend the rest of the video showing the easy steps (which most of us already know how to do). Thank you for being the source that actually shows the key steps, that most (or at least me) seem to get confused about. Subscribed!!!!

Keep up the amazing work! Your channel is quickly becoming my go to for how to when it comes to setting up my home lab

Went through this process and was able to succesfully setup my HAProxy. Thanks!!!

Your tutorials have been an incredible resource for me. Thank you so much.

Saving this for later. I'm running OPNsense, but it also has HAProxy plugin, so the steps are pretty similar. Love your channel.

Excellent! This is really what I wanted to setup. I have all my services running locally on k8s, it'll be great to expose some of them on the internet.

dude thank you i've been trying to setup my media server like this for months switching from ngix to caddy and still nothing one watch from your guide and i got it working so again thanks and you've more then earned a subscribe from me

After almost two years on to do list I had finally did it

Exactly what I need. Thank you for the outstanding video.

Great Video thank you I have been wondering about this topic. Excellent job sir!

Amaaaaazing tutorial! Thanks for this vídeo! Fantastic channel.

For people testing, stick with the staging certs because if it does not work and you try it using production certs, you will not be able to renew/change a cert because you will be rate limited. Once the testing stuf works then push a production cert

Thanks for your video. This helped me out.

Great video as usual.. thank you again! I'm going to set this up this week. I've been looking at so many videos on pfsense, ha proxy and acme that I'm a bit unsure. Using this method do we need change the pfsense web configuration port from 443 to something else? And then setup NAT Firewall rules to pass ports 443 and 80 to ha proxy or, is there no need to do that with this method? Tia

I appreciate the walkthrough. I'm having some difficulty getting everything to work. I'm currently getting a 'connection timed out error code 522'. I've got multiple vlans, I'm curious if that could somehow be causing issues. Do you have your setup with multiple vlans or do you have a flat network?

Thank you for this and the other related videos. Very helpful. Can LetsEncrypt be used instead of Acme? Thanks.

very good. But did you set anything on your ISP device, such as opening a port or a NAT to your pfsense server ? How the traffic arrives in your pfsense machine ? Because the DNS record points to your public IP, not to the reverseproxy/pfsense one. Thks

Awesome! I had pfsense virtualized and pondering what next. This is perfect time to follow your tutorial. By the way, do you run all your server VM, CT etc behind pfsense while the rest of the home on another network? Can you cover such scenario as 1. using pfsense only for your server and services on it while all other devices on home network but able to talk to homeassistant, 2. pfsense as main router and setting up simple vlans etc.

Thank you for the excellent guide on how to get this configured. The only issue I am having is how I am configured like most where my pfSense is inside my network after my ISP enabled router. This is my hardware. When I go to add the Frontend for HAProxy it is showing the Address as the static assignment from my ISP device...not my public IP. I think there is a NAT issue but unsure of the best route. ISP is consumer grade so there is not a static IP possible. Thoughts?

One small but very important detail missing from these instructions: you need to "Enable HAProxy" in the Services > HAProxy > Settings menu. It is not enabled by default when you install the service.

This post I'm writing now is just shy of a year after you posted this video, which ironically, was about the same time I started to struggle with getting haProxy running on pfSense. Thanks to this video, I got the few missing points to get the installation complete. I was using dyndns to do my DNS hosting, but I think I'll be switching over to Cloudflare. The ONLY thing I'm missing right now is getting DNS to update correctly. pfSense just comes back saying it couldn't do the update, and I can't seem to find the log (yet). Not a huge deal right at the moment. I can edit the IP manually for now, as I don't change IPs frequently, but it'll still need to be done.

Not sure if it's a default, but HAproy wasn't enabled when I followed this tutorial. Kinda just jumped straight into the backend without going over connection limits etc.

Good one.

You don’t need acme for this if you are using cloudflare, you can just generate a cloudflare origin ssl cert, then select “full tls strict” in the ssl tab in cloudflare, upload that cert in your pfsense and have it served by haproxy

Love the ACME tool for PFS, usually good when running HAP, but since Letsencrypt lost their X3 Root Cert this Fall, it's shown it's ups and downs... Luckily PFS let's you import wherever Certs you got, so opting for paid SSL saves the day... I'm hoping after TLS 1-1.1 sheds away, the updates that follow may provide some legacy patching in older mobiles concerning Letsencrypt, but I won't hold my breath.

Is the reason that you don't use wildcard certs that you have two wans? I'm very new to this stuff but it seems like wildcard certs might not work if you have multiple public IPs for different services?

Thank you for the video. The popup is also green on failure renew cert, which is strange.

Hey man. Great video. question though. The issue I'm having now is my subdomains work and are accessble via HAProxy but my main root domain is not. I can't access my main page only subdomains via HAProxy. Any ideas on where to look to resolve that issue?

everything works fine but i want Bitwarden to have a certificate local as well. is there a way with HAProxy that i can use these certificates as well?

Thanks for making this video. Does this method still work? I tried it, and I am getting the 522 error that others saw. I switched to Full (strict) encryption, but that didn't fix things. The only thing I do differently is that I did not use Google for my domain registry. I decided to use Cloudflare since they were giving me the other services. When I set up my domain, I used an A record for the base domain name as well as the sub-domain names. Is that correct? I tried to look on the discord site, but I don't know my way around there, and I couldn't find the discussion on this video.

Welcome can you help me I have a desktop computer with 4 network ports - 4 DSL lines I want to collect speed on a virtual IP I hope you can help me

How do you handle the certificates if you have k8s cluster in network using traefik as reverse proxy? Besides that, my setup is similar using pfsense and cloudflare. Thanks.

Also with tokens, true, you only see once for security reasons

Thanks for the guide! I was able to get most things working from scratch, but could not get my hosted service to respond. After a few hours of troubleshooting, I found that HAProxy was NOT enabled! Went to HAProxy -> Settings -> Enable HAProxy Everything worked after that.

i have one question any one can answer it ?? why all this for just ssl certificate i can use let's encrypt or if i purchase a domain name from any platform i can have free basic ssl encryption . if you need waf or ddos capability this is a different thing . but you have to change the title of the video to somthing related to security measure

That comment about perverts.... I was rolling!

Hi, good video, i have all this configuration at my home, my problem is when i try to connect my backend api, This service it is in another machine, another ip, behind the firewall, it is not working. I saw in your video, when you test the page with login and password it is the same my. How you configurate that access to not expolse your backend api?

Quick question: does cloudflare intercept you TLS traffic in this setup?

Thinking you did a very poor review on discussion for pfsense firewall settings, followed exactly, Cloudflare cannot connect to haproxy on request, it keeps saying host error. Also consider opening the following port under Firewall / Rules / WAN, does not include the opening for firewall under any time i have created a rule in this section. I will try to figure it out, but its been an all night headache because nobody that makes these videos does a more detailed explanation on the firewall settings in pfsense.

Not ever. No way. Now he's Johnny Hammersticks.

what if my wan is under CGNAT will this work or big requirement is having accessible public Ip?

Nextcloud itself is not exposed to internet correct? Meaning without HAProxy you can only access nextcloud on your private network? Mine is only accessible from inside and I think if you want to make it accessible from outside you have to set it up differently on initial setup but from what I understand that’s not necessary with HAproxy? Great videos!!

great explanation and setup, I wanted to do similar, do anybody have similar setup but on ubiquiti HW without pfSense on additional HW ? pfSense router in my country cost double the price

Having never done a Cloudflare API token and there's lots of templates I don't know where to start? I'll guess it's the Edit zone DNS template but that's a guess! Let's see if that works.

9:39 how do you know which of the CAs you have to choose?

Thks. I have a question: the second part (haproxy setup) is in case we want to access from outside, right ? So if I don’t want , but I still want to access my service (cloudcommander or whatever) from my lan with a valid certificate, I can skip this second part ?

Hi, my "ca" list have only "none" in the backend form, and in certificate manager, i just have nothing. can anyone help ?

nice

Great video - I tried this myself but could not get it to work though. Keep getting a "This site can’t be reached" .... "Refused to connect" :S

If i have a Dyn WAN IP, i still use an A Type Record ??? Ur should i use an CNAME With duckdns?`

Any idea how to setup this up for local DNS?

can you create a video on how to sign TrueNAS scale with pfsense acme?

With cloudflare you set up https to your pfsence, which has your let`s encrypt sert. It is a little bit redundant , as you just have set up proper cert on pfsense. so you have: internet trough cloudflare cert and proxy to cloudflare, then cloudflare to pfsense with let`s encrypt cert. You can disable CF proxy ( in DNS settings ) to realy see your cert on domain, otherwise you will see CF cert. About modes: 'Flexible' encryption mode means that cloudflare doesnt check for https and can proxy to http service full checks for any https cert (even self signed will work) Full ( strict) means to check proper https cert( let`s encrypt one)

Well, I wanted to get this set up to test, and maybe start hosting my website, but pfSense won't show any available packages with the error "Unable to retrieve package information.". Google is not much help as most of the posts are old. I'm on version 2.5.0-development, and no matter what I try it just says I'm on the latest version. I came here from your latest video about self hosting. A few years back I ran a site off of server 2003, but put that OS to bed for obvious reasons. I'll try again, after Amazon delivers my 6 WD Red Plus drives for my NAS project. Gee, wonder who put that idea in my head? Lol!

ehh, done everything as said, i addes my vmware server with port to pfsense but still cant acces it, but i cant do it with my public ip

can I do the same steps to run a Minecraft server?

Anyone know how to do this for services you dont wanna expose to the internet ?

Excellent video(s). I moved my domains to Cloudflare, got all the necessary codes, keys, etc to obtain a verified Acme account. I have a question regarding Acme and Haproxy as it relates to the appliance I'm using to run pfSense. I have an old self-signed certificate that I created years ago to eliminate the annoying "proceed at your risk" warning I'd get when I entered the static IP address where the pfSense appliance resides. I loaded it in the trusted stores of Chrome and it works as advertised. I watched the Lawrence System video on how to create a certificate using Acme and Haproxy for private servers, etc. I've tried to implement those steps to replace the old self-signed certificate but I just can't get it to work. Would you consider creating a video that addresses this topic? Thank you.

which is better or easier... Im using Tunnels and I dont have to open port 443... which is better?

... Any chance you've done a update that details how to renew certificates for this build.

Great tutorial, thanks. I followed it and it works in my setup but only if I disable the DNS proxy in my Cloudflare's A record (gray cloud) or if I disable DNSBL in fBlockerNG. If I proxy the DNS in cloudflare dashboard then I get Error 522 when trying to access my device. Do you have any hints on how to solve this?

Hello, Great tutorial! I have a strange issue though... Once complete, I can access nextcloud via the domain just fine. Once I enter a new username and password and hit enter, I start getting 522 errors from the domain. The really peculiar thing is I can still access it via the domain name from my PC. Are there any pfsense settings I should maybe look at? The LAN rule is just all to all, so thought that would be enough for the server. EDIT: Even stranger, from the same PC, incognito chrome can't access the webpage when standard does.

How do you setup PFSense?

Sorry, noob here, I also followed but can't connect, do i need to set up some certs on the server side to be able to connect using https?

How did you assign port 8282 to your nextcloud server? I keep running into issues because my ISP blocks port 80. 443 is open though. Does anyone know how to get around this?

Can't we use 1 certificate for all services i think its possible.

Where did you get the desk mat?

Does having an open port like this leave you vulnerable, can you access via your public IP to the server? I've tried without HAproxy and it doesn't work :( but with CloudFlare's proxy turned off it works, therefore, I assume HAproxy is need to sortout the certs - I'm not 100% sure how HAproxy works

Mr. Balloon hands, isn't that from Billy Madison?

Are there any steps I need to do for a dynamic public IP. Mine seems to change every other week, so how do I incorporate something like DynDNS or NO-IP with pfSense and the rest?

At the part where you create haproxy backend and select CA acmecert, I do not see the option you select. The options I see are "none", the internet security research option and the long one you show after the research option. Could this be why I get a 500 error when accessing my page (Error 526 Inalid SSL Certificate and the diagram shows browser and cloudflare working but not host therefore SSL cert did not pass validation?)? Why isn't that option showing up for me? I have tried changing Cloudflare TLS to full and full(strict) and it makes no difference.

What box do you use for pfsense?

Followed exactly, can't connect with my domain, not sure why.

Mr ballon hands is from Pink Floyd?

Has anyone else got this working? I have got most of it. It will not find my home server.

Straight up broke my opnsense interface while trying to set up haproxy. Hopefully someone gets a kick out of my misery.

I don‘t understand why you grey out your ip address, because the way you set it up, it is public anyway

Allowing all 443 traffic on your WAN ACL is extremely unsafe! I would recommend changing that, and locking it down to specific sources and destinations.

johnny hammersticks ovah here. thinks he's gotta go and bossa nova. captain tiein' knots! not my ip, not my problem, thats what I always say!

Caddy! ❤️

hope the comment in the intro was "not well performed sarcasm"... Otherwise informative and recreatable at home.

That's some of the weirdest ip addressing ive seen @ 3.01 mark....

Eh, so far 2 out of 10 of your half explained tuts have worked for me. When I see your head on a thumbnail, I will stear clear.

Good video but you have accidentally exposed your public ip... Please go thru and correct the situation.

Hand Banana

not my chair not my problem

you drinking out of cups?

lol he did all that and used flexible ssl on cloudflare. you dont need acme and ssl offloading for the FLEXIBLE option. what a muppet

This tutorial is major fail. You talk about how to to all this but NEVER show it. This isn't audio podcast. It's youtube video tutorial. You need to show not talk about doing it. FAIL!

Heya when I access my website it come up with a pfsense window that state "Potential DNS Rebind attack detected, see en.wikipedia.org/wiki/DNS_rebinding Try accessing the router by IP address instead of by hostname." slightly worried that I have exposed the wrong thing if anyone can help that would be amazing!