Haproxy with ACME Certs and Cloudflare

By thunderwood

One of the biggest parts of a self hosted environment is your reverse proxies. Services that you host typically are on random ports, like Sonarr on 8989, or Plex on 32400. This is no bueno, and plus you wan’t protection for the servers these services are running off of. That is where a reverse proxy can help. Nginx (the most well known) is capable of handling the SSL portion of it too. In this case, I will be using Haproxy as a package on pfSense with ACME certificates behind Cloudflare as this is the setup I use.

ACME Certificates w/ Lets-Encrypt

The first part of this setup is all about the certs. These certificates are important as they will allow for SSL encryption from your router to machine itself. First part is to setup an account with ACME for an account key.

Click add new, then fill out the fields. Make sure to pick “Production ACME v2”, then click “Create new account key.” Then, click register.

Next, add the certificate. Make sure to pay attention to each field when filling them out as they can be tricky. Since we are using cloudflare, select that option from the drop down “Method”. One important note is that when you create an API token for the domain/sub-domain you are adding, make sure it is configured as such:

Hit create token, then add it to the corresponding field in Acme.

Click save, then “Issue/Renew”. This will take a while, so give it time to receive the cert from Lets-Encrypt. Once it spills out a thousand lines in green text, refresh the page and it will show you the certificate was just issued.

Now that’s done, move over to Cloudflare.


This step is easy, we just need to add an A record for DNS. Navigate to the DNS section on Cloudflare, then click “Add Record”. Enter your domain/sub, External IP, and that’s it!


Now for the fun part. Navigate to Haproxy in pfSense under Services. Go to backend, then “add”.

Change health check method to “Basic” from http. Click save.

Next, Navigate to the frontend section. Click add.

Do not enable a Default backend. Enable the “Use forwardfor option”, and then go down to the SSL Offloading section. Under SNI Filter, put *.<domain>.com. For certificate, add your newly created account there. Additional certificates is for sub domains that you may have. Next, hit save and apply changes.

That’s it! Navigate to your domain and enjoy!!!