How to serve multiple domains from a single public IP (using HAProxy on pfSense)

This tutorial will show you how to use the HAProxy reverse proxy on pfSense to serve multiple domains or utilize multiple web servers behind a single public IP address.

The purpose of this guide is to show you how to create a basic reverse proxy configuration to allow hosting multiple web servers with a single public IP. HTTPS/SSL is outside of the scope of this guide. Additionally, this guide assumes you have pfSense 2.3 or newer installed and have at least two web servers already configured.

Installing HAProxy

Log in to your pfSense web UI, navigate to System > Package Manager, click on Available Packages, and search for haproxy. For the purpose of this guide we won’t worry about haproxy_devel.


Now we need to allow traffic through the firewall.

Navigate to Firewall > Rules. Click on Add and create a new rule. Under Destination select This Firewall (self) from the dropdown menu and then under Destination Port select HTTP (80) for both the From and To menus. Leave everything else as it is. Click on Save and Apply Changes.


Configuring backends

Now that we’ve installed HAProxy and allowed HTTP traffic to route to it, we need to configure our backends.

Navigate to Services > HAProxy, click on the Backends tab, and click on Add.

Let’s name the first one Backend1. Under Server List, click on the downward arrow and give the server a name; I’m going to use Webhost1. Under address and port put in the local IP of the server, in this case it is 10.0.0.1 with port 80.


Scroll down to Advanced Settings and check Transparent ClientIP and select the appropriate interface from the dropdown list – it will usually be LAN or OPT1 (or whatever you named the OPT1 interface if you’ve set one up). Click on Save.


To set up the second backend we’ll save some time by duplicating the one we just made. Go back to the Backends page and click on the icon under Actions that looks like two pages, one in front of the other. Rename the server pool, the server name in the pool, and change the IP address to the correct one for your second server. In our case we changed it to Backend2, Webhost2, and 10.0.0.11 respectively. Save.


Configuring frontends

Now we need to tell HAProxy which backend server to use for which domain. Because we are only using one public IP address we need to create a shared frontend.

Navigate to Services > HAProxy. On the Frontend tab click on Add.

Give your shared frontend a name. I’m going to use SharedFrontend. Under Listen Address select WAN Address (IPv4) and put 80 for the port. Now scroll down to the Advanced Settings and check Forwardfor so HAProxy will tell the servers what IP addresses are accessing the domains. Click on Save.


Now that that’s done, we’re going to create the frontend to our first domain. Click on Add.

Let’s name this one WebTest1 and check Shared Frontend. The previous frontend we created should show up by default. Now set up the ACLs, or Access Control Lists – this will tell HAProxy where the traffic is supposed to go. Click the downward arrow and give the ACL a name. We’ll use ACL1. Under Expressions select Host Matches. Value is where you will input the domain of the first site – here we’ll put webtest1.briantruscott.com.

Below is where we’ll determine what action takes place for the ACL. Click on the downward arrow there and under Condition ACL Names type ACL1. Make sure the backend is set to Backend1. You can choose the default backend below, but it is not necessary. Click on Save.


Once again we’ll save time by using the duplicate option to create another frontend. Change the frontend name, ACL name, ACL value, condition acl name, and backend to reflect the second server. We’ll use WebTest2, Webhost2, webtest2.briantruscott.com, and Backend2 respectively.

Almost done! Now we just need to start the HAProxy service. Click on the Settings tab and check Enable HAProxy and then set the maximum number of connections. You’ll need to determine what’s appropriate for your site and ultimately the hardware that pfSense is installed on, but for this tutorial we’ll just set it to 10. Click on Save and finally click on Apply Changes.


HAProxy should now be up and running and directing the traffic to the appropriate servers! Keep in mind that this is a very basic configuration to give you something to start with.
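The GUI steps above amount to host-based routing on a single port-80 listener. As an added illustration, here is a hand-written haproxy.cfg sketch of the same setup (not the file pfSense generates and not part of the original post); the bind address 203.0.113.10, the ACL name ACL2 and the timeout values are assumptions.

```haproxy
# Added example: hand-written equivalent of the tutorial's GUI settings.
global
    maxconn 10                      # "maximum number of connections" from the Settings tab

defaults
    mode http                       # Host-header routing only works in HTTP mode
    timeout connect 5s              # assumed values; the tutorial does not set timeouts
    timeout client  30s
    timeout server  30s

frontend SharedFrontend
    bind 203.0.113.10:80            # placeholder for the WAN address (IPv4)
    option forwardfor               # "Forwardfor": adds X-Forwarded-For with the client IP

    # "Host matches" ACLs, one per domain (-i makes the comparison case-insensitive)
    acl ACL1 hdr(host) -i webtest1.briantruscott.com
    acl ACL2 hdr(host) -i webtest2.briantruscott.com   # ACL2 is an assumed name

    use_backend Backend1 if ACL1
    use_backend Backend2 if ACL2
    # No default_backend: a request whose Host header matches neither ACL
    # (a bare-IP request, an unknown name) gets HAProxy's 503 response
    # instead of being forwarded to either web server.

backend Backend1
    # "Transparent ClientIP": connect to the server using the client's address
    # as source; requires transparent-proxy support on the HAProxy host.
    source 0.0.0.0 usesrc clientip
    server Webhost1 10.0.0.1:80

backend Backend2
    source 0.0.0.0 usesrc clientip
    server Webhost2 10.0.0.11:80
```

Because clients can send their own X-Forwarded-For header and `option forwardfor` appends to it rather than replacing it, backend applications should only trust the last address in that header, the one added by HAProxy.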

12 thoughts on “How to serve multiple domains from a single public IP (using HAProxy on pfSense)”

  1. Thanks for the write-up. If I want to direct this to a domain on Namecheap, how would I configure the DNS on the website?

    1. I don’t use Namecheap so I can’t give you instructions specific to them; however, you would have to change the “A” record to your pfSense’s WAN IP address. For example, if your public IP is 172.98.67.132 then that is what you would place in the A record. You should check with the DNS service you currently use on how to change the records.

      After updating the record you’ll have to wait a few minutes while the changes propagate to the various DNS services around the world. It shouldn’t take longer than about 5-10 minutes.

    2. I have namecheap. Basically set up dynamic DNS on pfsense (easy enough) and then make your A records on Namecheap point to 127.0.0.0 (it resolves to your dynamic DNS entry that way.)

      From there, follow this guide. Igor is also right that you need just one frontend with ACLs now.

  2. In pfSense 2.3.2 you do not need to create several frontends in this simple example. You can create several ACLs and Actions in a single frontend.

  3. Thanks for the info I will have to give it a try after I migrate my exchange server to 2013. I need to know however if you know, if there is something I need to enable for SSL? I use CloudFlare to manage my SSL externally.

  4. Hello, what’s the purpose of marking the option in Transparent Client “Use Client-IP to connect to backend servers”, and why do you need a main shared frontend and not just individual frontends? Sorry for my English and thanks!

  5. Hey thank you for the tutorial, I was wondering if HAProxy can also be used for services other than HTTP and HTTPS, could I perhaps use it for hosting multiple Minecraft Servers from the same IP? Say I want to have something like vanilla.mydomain.co.uk be redirected to a server running on one machine and then have modded.mydomain.co.uk be redirected to a different server whilst still keeping the required 25565 port?

    1. With a Minecraft server or other services, you can use simple NAT to achieve your goals. That said, HAProxy can load balance any TCP service, so yes you can use HAProxy but it may be overkill for a single service.

  6. Hi Brian,

    Aside from not opening the port 80 on WAN, is there anything else I should change from your guide if I want this to be a LAN only reverse proxy setup?

    Thanks
