Messages - brynjolm

#1
Quote from: trevs on March 13, 2025, 10:51:20 PM
Hoping someone can point me in the right direction. I've set up according to this guide and anything I DO want to offload is working perfectly. But I also have a service I do NOT want offloading and instead to just pass through haproxy to its own reverse proxy (nginx). But I keep getting the cert for the working offloaded service.
I did originally put both domains into the 1 map file, but you'll notice they are now in 2. I have no issue reverting to 1 if that's how it works, but I had the same result.
When trying the domain that is not working, the debug log shows:
2025-03-13T15:37:07-06:00 Informational haproxy Connect from 123.123.123.123:35560 to 75.158.105.237:443 (1_HTTPS_Frontend/HTTP)
2025-03-13T15:37:07-06:00 Informational haproxy 123.123.123.123:35488 [13/Mar/2025:15:37:06.986] 0_SNI_frontend SSL_backend/SSL_SERVER 1/0/172 3288 -- 7/4/3/3/0 0/0
2025-03-13T15:37:07-06:00 Informational haproxy 123.123.123.123:35488 [13/Mar/2025:15:37:06.987] 1_HTTPS_Frontend/127.4.4.3:443: SSL handshake failure
2025-03-13T15:37:06-06:00 Informational haproxy 123.123.123.123:35372 [13/Mar/2025:15:37:06.576] 0_SNI_frontend SSL_backend/SSL_SERVER 1/0/223 396 -- 5/3/2/2/0 0/0
2025-03-13T15:37:06-06:00 Informational haproxy 123.123.123.123:35372 [13/Mar/2025:15:37:06.577] 1_HTTPS_Frontend/127.4.4.3:443: SSL handshake failure (error:0A000416:SSL routines::sslv3 alert certificate unknown)
2025-03-13T15:37:06-06:00 Informational haproxy 123.123.123.123:35328 [13/Mar/2025:15:37:06.409] 0_SNI_frontend SSL_backend/SSL_SERVER 1/0/167 3288 -- 6/4/3/2/0 0/0
2025-03-13T15:37:06-06:00 Informational haproxy 123.123.123.123:35328 [13/Mar/2025:15:37:06.409] 1_HTTPS_Frontend/127.4.4.3:443: SSL handshake failure

It appears to try the HTTPS frontend first, fail, then try the SNI. From what I understand, the SNI should then be routing the traffic according to the rule to not SSL offload, but it doesn't...

Here is my config (sanitized, of course/hopefully):
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    ocsp-update.mindelay 300
    ocsp-update.maxdelay 3600
    httpclient.resolvers.prefer   ipv4
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua
cache opnsense-haproxy-cache
    total-max-size 4
    max-age 60
    process-vary off

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: 1_http_frontend ()
frontend 1_http_frontend
    bind 127.4.4.3:80 name 127.4.4.3:80 accept-proxy
    mode http
    option http-keep-alive

    # logging options
    # ACL: NoSSL_condition
    acl acl_60ece619a266e9.71758723 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_60ece619a266e9.71758723

# Frontend: 0_SNI_frontend ()
frontend 0_SNI_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode tcp
    default_backend SSL_backend

    # logging options
    option tcplog
    option socket-stats

    # ACTION: PUBLIC_nooffloaddomain_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/67d34435367b99.58937721.txt)]

# Frontend: 1_HTTPS_Frontend ()
frontend 1_HTTPS_Frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.4.4.3:443 name 127.4.4.3:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/60ed00e1c92857.09613107.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 15m

    # logging options

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/615ce4557a4dc4.14466569.txt)]

# Backend: Plex_backend ()
backend Plex_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Plex 192.168.1.42:32400 ssl verify none

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server SSL_SERVER 127.4.4.3 send-proxy-v2 check-send-proxy

# Backend: Ombi_backend ()
backend Ombi_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server Ombi 192.168.1.84:5055

# Backend: HomeAssist_backend ()
backend HomeAssist_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    server ha 192.168.1.12:8123

# Backend: storage_backend ()
backend storage_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    option forwarded
    option forwardfor
    server storage 192.168.1.69:443 ssl alpn h2,http/1.1 verify none

# Backend: nooffloaddomain_backend (nooffloaddomain)
backend nooffloaddomain_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server nooffloaddomain 192.168.1.118 ssl verify none resolve-prefer ipv4



listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED

#615ce4557a4dc4.14466569
# public access subdomains
plex Plex_backend
storage storage_backend
ha HomeAssist_backend
workingdomain.com Ombi_backend

#67d34435367b99.58937721
# public access subdomains
notworkingdomain.com notworkingdomain_backend
staticstuff notworkingdomain_backend

I have no doubt I've missed something completely, or at the very least misunderstood, and would appreciate any help that can be provided.



Hey, I have this kinda working, but with only one TLS termination, on the firewall side. The traffic is passed unencrypted to another backend HAProxy and Traefik. I'm not understanding your setup well: are you trying to do double TLS termination or TLS passthrough?
#2
Hello! I don't know if TheHellSite or more experienced persons will reply to this, but I just want to ask a quick question regarding implementing this with IPv6. Is it just adding another SSL server IP using a ULA/loopback IPv6 address and having that as the backend, then adding those to the http_frontend? I am simply asking since the idea popped into my head recently that I could also run this using IPv6 and IPv4; otherwise I have been using the IPv4 setup for a long time now. Again, just some thoughts I had recently.
Thanks and have a nice day!
#3
Virtual private networks / Re: IPV6 over Wireguard
March 15, 2024, 02:19:41 PM
Thank you for replying. May I ask a few more things then? In allowed IPs, do I put both ::/0 and the /56 on the client side? And on the server side, do I put the whole /48? Also, I followed the docs on the site-to-site WireGuard and the selective routing. I found this snippet at the bottom of the page:
Quote
When adding the IPv6 address to Tunnel Address in the WireGuard Instance configuration, specify a /127 mask, rather than a /128

Then, when creating an IPv6 Gateway for the tunnel, specify the IP address to be another IPv6 address that is within the /127 subnet of the Tunnel Address

I set up the client and server side with a /64; it still works, but I want to know if I should ideally add a /127 then as the tunnel address?
#4
Virtual private networks / Re: IPV6 over Wireguard
March 15, 2024, 01:30:00 PM
I managed to get the tunnel up and running; I'm just stumped on how I would route the rest of the /56 back home. Anyone have the time to point me in the right direction?
#5
Virtual private networks / IPV6 over Wireguard
February 17, 2024, 06:02:58 PM
Hello and good day to all!
I wanted to know from more experienced people here: if a provider has given me a routed /48 subnet through the WAN address, is it as simple as adding it as a virtual IP on WAN, and then I can use the whole subnet? Or do I need to have a separate interface so that I can use DHCPv6 on it? One of the reasons is that I want to do a site-to-site VPN using WireGuard and route a /56 to the other location, but I am not well versed in this topic, and this problem has had me stumped for weeks now. I have the tunnel up and running with no issues. The issue comes into play when I want to use another /56 on the local site. I am using GUAs for the addressing on the WireGuard tunnel, IPv6 only.
#6
Thank you for taking the time to reply to my thread. Will try this on the weekend and reply back.
I have another question in the meantime. In the reply by alh, he states in number 4:

Quote
4. HAProxy plugin: Create "condition" (enter name ["myservice_sni"], condition type is "SNI TLS extension matches (TCP request content inspection)" with value "myservice.example.com" or whatever your FQDN is)

I don't really understand how this one works. Is the myservice.example.com supposed to be the Traefik dashboard domain? Or can I put a wildcard certificate for it, something like *.mydomain.example?

Thank you once again.
#7
Web Proxy Filtering and Caching / Traefik behind HAProxy
February 09, 2023, 08:54:11 AM
Hello! I wanted to post here since I could not manage to solve this on my own. I feel like I'm almost there, but I can't get it to work. Everything else works; it's just that I cannot seem to pass to Traefik. It gives me either a 503 no service or a 400 bad request.
I have followed the tutorial https://forum.opnsense.org/index.php?topic=23339.0 for the base SNI install,
then I added rules to the SNI frontend using the reply from alh: https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958

My config looks like this:
#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: sni_frontend (Listening on 80 and 443)
frontend sni_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind ::1:80 name ::1:80
    bind ::1:443 name ::1:443
    mode tcp
    default_backend ssl_backend

    # logging options
    # ACL: traffic_ssl
    acl acl_63e3d7d7d34b32.18126829 req_ssl_hello_type 1
    # ACL: myservice_sni
    acl acl_63e3d8dd452718.96347718 req.ssl_sni -i traefik.homelabbity.uk

    # ACTION: request_inspect_delay
    # NOTE: actions with no ACLs/conditions will always match
    tcp-request inspect-delay 5
    # ACTION: request_content_accept_ssl
    tcp-request connection accept if acl_63e3d7d7d34b32.18126829
    # ACTION: myservice_sni
    use_backend traefik_backend if acl_63e3d8dd452718.96347718

# Frontend: HTTP_frontend (Listiening on Virtual IP)
frontend HTTP_frontend
    bind 127.10.20.5:80 name 127.10.20.5:80 accept-proxy
    bind ::1:80 name ::1:80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: nossl_condition
    acl acl_63d848da104d83.11157892 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_63d848da104d83.11157892

# Frontend: HTTPS_frontend (Listen on virtual ip 443)
frontend HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 127.10.20.5:443 name 127.10.20.5:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63d84eb22bdba2.49299791.certlist
    bind ::1:443 name ::1:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/63d84eb22bdba2.49299791.certlist
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: local_subdomains_condition
    acl acl_63d8643cc31f29.38373794 src 192.168.50.0/24 192.168.200.0/24

    # ACTION: local_subdomains_rule
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63d863c71a8079.31054171.txt)] if acl_63d8643cc31f29.38373794
    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/63d84917101ea0.76258733.txt)]

# Backend: ssl_backend (ssl_backend)
backend ssl_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server ssl_server 127.10.20.5 send-proxy-v2 check-send-proxy

# Backend: traefik_backend (traefik)
backend traefik_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    server traefik_server 192.168.200.5:8443 send-proxy-v2 check-send-proxy



# statistics are DISABLED





Any help would be greatly appreciated.
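The configs in posts #1 and #7 above show the two classic SNI-passthrough slips: post #1's 0_SNI_frontend runs in mode tcp yet keys its use_backend on req.hdr(host) (and its map file names notworkingdomain_backend while the backend is called nooffloaddomain_backend), and post #7's sni_frontend evaluates a req_ssl_hello_type ACL from a tcp-request connection rule, where a ClientHello fetch cannot be seen. As an added example that is not part of any post or of the OPNsense plugin, the script below lints a generated haproxy.conf for those patterns plus the send-proxy advice quoted in #11; SAMPLE_CFG and SAMPLE_MAPS are constructed, shortened stand-ins for the posted configs.

```python
"""Lint an OPNsense-generated haproxy.conf for the SNI-passthrough mistakes seen
in this thread (configs in posts #1 and #7, advice quoted in #11).  Added
example, not the plugin's or a poster's code; SAMPLE_* values are constructed."""
import re

# HTTP fetches: a 'mode tcp' frontend never parses a request, so these never match.
HTTP_FETCH = re.compile(r"\b(?:req\.)?(?:f?hdr|path|url)\b")
# ClientHello fetches are L6 content fetches: they need inspect-delay and are
# not evaluated by 'tcp-request connection' rules, only by 'content' rules.
HELLO_FETCHES = ("req_ssl_hello_type", "req.ssl_hello_type", "req_ssl_sni", "req.ssl_sni")

def parse_sections(text):
    """Return [(kind, name, [directives])] for each top-level section."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = re.match(r"(global|defaults|frontend|backend|listen)\b\s*(\S*)", line)
        if head and not raw[:1].isspace():
            sections.append((head.group(1), head.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections

def lint(config_text, map_files):
    """map_files: {path: {domain: backend}} as read from the map files on disk.
    Returns a list of (code, section, detail) findings; empty means clean."""
    sections = parse_sections(config_text)
    backends = {n for k, n, _ in sections if k in ("backend", "listen")}
    # Only the hop into an accept-proxy bind should carry send-proxy (post #11, item 2).
    proxy_hops = {l.split()[1].rsplit(":", 1)[0] for _, _, ls in sections
                  for l in ls if l.startswith("bind ") and "accept-proxy" in l}
    findings = []
    for kind, name, lines in sections:
        mode = next((l.split()[1] for l in lines if l.startswith("mode ")), "tcp")
        hello_acls = {l.split()[1] for l in lines if l.startswith("acl ") and any(f in l for f in HELLO_FETCHES)}
        uses_hello = hello_acls or any(f in l for l in lines for f in HELLO_FETCHES)
        if kind == "frontend" and uses_hello and \
                not any(l.startswith("tcp-request inspect-delay") for l in lines):
            findings.append(("missing-inspect-delay", name, "add tcp-request inspect-delay"))
        for line in lines:
            words = line.split()
            if kind == "frontend" and mode == "tcp" and words[0] == "use_backend" \
                    and HTTP_FETCH.search(line):
                findings.append(("http-fetch-in-tcp", name, "route on req.ssl_sni instead"))
            if line.startswith("tcp-request connection") and hello_acls & set(words):
                findings.append(("content-acl-in-connection-rule", name, words[-1]))
            for path in re.findall(r"map_dom\(([^)]+)\)", line):
                for dom, target in map_files.get(path, {}).items():
                    if target not in backends:
                        findings.append(("unknown-backend", name, f"{dom} -> {target}"))
            if kind != "frontend" and words[0] == "server" and "send-proxy" in line \
                    and words[2].rsplit(":", 1)[0] not in proxy_hops:
                findings.append(("stray-send-proxy", name, words[1]))
    return findings

SAMPLE_CFG = """\
frontend sni_frontend
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    acl is_ssl req_ssl_hello_type 1
    tcp-request connection accept if is_ssl
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/passthrough.txt)]
frontend https_frontend
    bind 127.4.4.3:443 accept-proxy ssl crt-list /tmp/haproxy/ssl/example.certlist
    mode http
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/offload.txt)]
backend ssl_backend
    mode tcp
    server ssl_server 127.4.4.3 send-proxy-v2 check-send-proxy
backend plex_backend
    mode http
    server plex 192.168.1.42:32400 send-proxy-v2
"""
SAMPLE_MAPS = {
    "/tmp/haproxy/mapfiles/offload.txt": {"plex": "plex_backend"},
    "/tmp/haproxy/mapfiles/passthrough.txt": {"app.example.com": "notworking_backend"},
}
```

Run it against the real /usr/local/etc/haproxy.conf and the map files under /tmp/haproxy/mapfiles after each plugin change; a clean SNI frontend routes on req.ssl_sni behind a tcp-request inspect-delay and a tcp-request content accept rule.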
#8
Quote from: TheHellSite on February 03, 2023, 05:06:38 PM
Please refer to this post about it. Be warned I can not provide help for this since I am not using such a setup.

https://forum.opnsense.org/index.php?topic=18538.msg84958#msg84958

Still, thank you for posting a link to a possible solution. I have had my hunches, but at least it narrows down the area to look at. Thank you and have a nice day!
#9
Quote from: Tubs on August 28, 2022, 09:42:51 PM
After reading a couple of times and trial-and-error, finally I got it running. The key information was written in the chapter:
Sorry to resurrect, but I would like to know how you were able to implement this.
#10
Hello again Mr. Hellsite, the guide you provided has been rock solid for a year now, no hiccups whatsoever. I'm writing back in this post because I wanted to know exactly what you meant in NR.6 on the FAQ page, as I'm interested in managing a Traefik instance behind HAProxy.

Quote
How can we load balance TCP traffic that we don't want to get SSL offloaded, f.e. OpenVPN over TCP?
In my tutorial I only explain how to "redirect+load balance SSL offloaded traffic".
This is because I myself don't have (yet) the need to actually load balance any non SSL traffic.
However balancing non SSL traffic is pretty much the same as balancing SSL traffic.
You only have to make sure that your "NOSSLservice_rule" or "NOSSLservices_map-file_rule" is placed on the "SNI_frontend" instead of the "HTTPS_frontend" and that the backend that belongs to your

Would this kind of setup be applicable to do Traefik behind HAProxy? Also, what do you exactly mean by NOSSL_service_rule and NOSSL_services_map_file_rule?
#11
Quote
1. The map file is case sensitive. Fix it.

2. Remove the "send-proxy-v2 check-send-proxy" directives from the backends of your actual services. These two options are only necessary on the "SSL_backend".
4. Your "HTTP_frontend" and "HTTPS_frontend" should ONLY be listening to your SSL_server IP address. Not to "0.0.0.0:0" or "::::0". Just think about it and take a look at my diagram in the first post... You should quickly figure that this doesn't make any sense.


Thanks! That solved a lot of the problems I had.

I also had to edit some settings on my Cloudflare setup in order for it to work. I now have full access to everything aside from Nextcloud and some other stuff, while still being proxied behind Cloudflare. I don't know if it will be useful for other Cloudflare users, but for me at least, since I wanted to go Cloudflare for everything, I ended up also using the Cloudflare certs and uploading them to HAP while still being on Full (Strict) mode. I don't know if it's an intended side effect, but I didn't have to use split DNS for this. I could just call up everything by subdomain.domain.com locally.
Also, with regards to the map file for the local subdomains, should the format look like this?
Quote
local loca_backend

plex plex_backend

Should there be a space in between?
Last questions. Is it possible to use the generated cert for both TrueNAS and OPNsense instead of the self-signed one? Would it break the config? Also, is there a specific HAP sub, or should I just post in the General section?
#12
Thanks! So, I set up HAP as per the guide, and am wondering if it's a normal consequence to have a 503 error on my TrueNAS web UI. Internally I can access it no problem; outside of the home network I am unable to. Side note: I do not plan to expose the web UI, nor planned to. I was just using it as a sort of test run to see if it will resolve to my domain.truenas.com. I also did expose Plex under port 32400, but seem to encounter some TLS handshake errors. It would be nice if you could take a look at my config and point me in the right direction. I did only an A and AAAA record for the wildcard hostname, i.e. *.mydomain.com. I don't know if that's enough.
My general goal is to only expose Plex and some other services like Nextcloud, but that's for another section of the forums. Also, my network is kinda flat. All services run through a single VLAN.
I created two servers and two backends, one for TrueNAS and Plex respectively.
I have been trying to make a stable connection to Plex, but it just seems to either time out or lose connection after a while.

Here's an output of my config file. I have some disabled stuff in the config file since I turn stuff on and off for testing. I also renamed some stuff: truenas is just the physical server with the IP, and (myloopbackip) is the virtual address.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

#
# NOTE: HAProxy is currently DISABLED
#
global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    4
    hard-stop-after             60s
    no strict-limits
    maxconn                     10000
    tune.ssl.default-dh-param   4096
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    maxconn 5000
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr libc,last
    default-server maxconn 5000

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: SNI_frontend (Listening on ip:80 / ip:443)
frontend SNI_frontend
    bind 0.0.0.0:80 name 0.0.0.0:80
    bind 0.0.0.0:443 name 0.0.0.0:443
    bind :::80 name :::80
    bind :::443 name :::443
    mode tcp
    default_backend SSL_Backend
    # tuning options
    timeout client 30s

    # logging options

# Frontend: HTTP_frontend (Listening on 127.10.20.5)
frontend HTTP_frontend
    bind (myloopbackip):80 name (myloopbackip):80 accept-proxy
    bind :::80 name :::80 accept-proxy
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: NoSSL_Condition
    acl acl_62aa8dcf894a87.42381056 ssl_fc

    # ACTION: HTTPtoHTTPS
    http-request redirect scheme https code 301 if !acl_62aa8dcf894a87.42381056

# Frontend: HTTPS_frontend (Listening on (myloopbackip))
frontend HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind (myloopbackip):443 name (myloopbackip):443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62aad04a028639.71957640.certlist
    bind :::443 name :::443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/62aad04a028639.71957640.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options

    # ACTION: Public_subdomains_map_rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/62aa8e31993357.88056717.txt)]
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

# Backend: SSL_Backend ()
backend SSL_Backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server SSL_Server (myloopbackip) send-proxy-v2 check-send-proxy

# Backend (DISABLED): router_Backend (router Backend)

# Backend: truenas_Backend (truenas Backend)
backend truenas_Backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # WARNING: pass through options below this line
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-reuse safe
    server truenas truenasip:443 ssl sni str(truenas) verify none send-proxy-v2 check-send-proxy

# Backend: plex_backend (plex Backend)
backend plex_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server Plex truenasip:32400 send-proxy-v2 check-send-proxy



This is my map file:


# public access domains
truenas truenas_backend
plex plex_backend


#13
Hi! First off, I want to thank you for the detailed guide you posted. I am new to HAProxy and have some questions regarding some configs. Do you still reply to this post, or should I ask or open another thread somewhere? Thanks!
#14
22.1 Legacy Series / Re: IPV6 and Prefix
April 08, 2022, 10:26:15 PM
Thanks! That was just for testing to better see the scope. I can't find the problem if the IPs are all over the place. Still, I wanted to just set up my Pi-hole/AdGuard properly for IPv6. And one of my probable solutions was to just set a static IPv6 for the Pi-hole using DHCPv6. That didn't work out quite as I expected. Might just try using the link-local address. Or might just go back to SLAAC since managing DHCPv6 seems to be a pita.
#15
22.1 Legacy Series / Re: IPV6 and Prefix
April 06, 2022, 03:19:18 AM
Thanks for all the replies. Was busy at work so unable to reply sooner. I'm going to make an example, since I still can't seem to wrap my head around the concept. My ISP should give out something like 2a02:0000:0000:a2(XX). As far as I understand, that should be the whole prefix (/56) from my ISP, and the XX at the end should be whatever prefix ID I set under interfaces? Also, under DHCPv6 I just put a range like ::a000-::b0ff. Would that be OK? Zeroes should just be before that ::, no?