Hassio and pfsense with haproxy

So as I continue my build out of HASS I start to think of how I’m going to make this available outside of the house when I feel it’s ready to be opened up.

I understand the need to password protect the front end and I intend on using an SSL with it, like I do my other public facing sites at home.

I currently use PFSense as my firewall and I use HAProxy on there to handle the reverse proxy, as well as handling my SSL offload there. I see with the config examples I can add some trusted subnets to the config to bypass the password prompts.

However, when using HAProxy the client doesn’t get the actual remote IP; instead it only sees the IP of the firewall interface that is hitting it. As I intend to enable fail2ban in the config to block hacking attempts, I’ve hit a bit of a snag on how to best handle this.

Even here inside the network I have my clients going through the proxy just so we don’t have to punch in the port number every time. Yeah, lazy.

So here is the problem. When I do open it up to the public side, if it’s just getting the IP of the firewall interface passed back to it, then if someone attempts to log in over and over it will just end up banning the firewall IP. Anyone else dealt with this? I guess I could just leave it on the private side and require the VPN in order to hit it while outside, but not sure how I feel about that.

Thanks for your help with this and I look forward to coming to a solution.

Did you ever figure this out? I’m working on the same thing right now…

I’m not 100% sure, but take a look at use_x_forwarded_for and trusted_proxies.

1 Like

Yes, @tboyce1 is 100% correct. I used the trusted_proxies for my use case and the use_x_forwarded_for as well, and we’re good now.

2 Likes
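An added example, not part of any post above and not Home Assistant's own code: a simplified Python model of the trusted-proxy technique behind use_x_forwarded_for and trusted_proxies, showing why failed logins are counted against the firewall address without them and against the real client with them. All addresses, function names and the ban threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

def resolve_client_ip(peer_ip, xff_header, trusted_proxies, use_x_forwarded_for=True):
    """Return the address that a failed login should be counted against."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(peer_ip)
    # Believe the header only when the TCP peer is a proxy we control;
    # otherwise any client could forge it to dodge or misdirect a ban.
    if not (use_x_forwarded_for and xff_header and trusted(peer)):
        return str(peer)
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, so the first untrusted address is the real client. Entries
    # further left were supplied by that client and are ignored.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer
        if not trusted(ip):
            return str(ip)
    return str(peer)  # every hop was one of our own proxies

def banned_ips(failed_logins, trusted_proxies, use_x_forwarded_for, threshold=3):
    """Count failed logins per resolved address and return those over threshold."""
    counts = Counter(
        resolve_client_ip(peer, xff, trusted_proxies, use_x_forwarded_for)
        for peer, xff in failed_logins
    )
    return {ip for ip, n in counts.items() if n >= threshold}

# Constructed sample data: every request reaches the backend from the
# firewall/HAProxy LAN address (assumed to be 192.168.1.1).
FIREWALL = "192.168.1.1"
TRUSTED = ["192.168.1.1/32"]
ATTEMPTS = (
    [(FIREWALL, "203.0.113.50")] * 3                    # outside guesser
    + [(FIREWALL, "192.168.1.23")]                      # LAN user, one typo
    + [(FIREWALL, "192.168.1.23, 198.51.100.7")] * 3    # forged leftmost entry
)

if __name__ == "__main__":
    print("header ignored:", banned_ips(ATTEMPTS, TRUSTED, False))
    print("header trusted:", banned_ips(ATTEMPTS, TRUSTED, True))
```

With the header ignored, all seven failures land on the firewall address and it is the only thing banned; with the proxy trusted, the two outside addresses are banned and the LAN user is untouched.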

I got the web interface working, no luck on the iOS mobile app though. Only used the trusted_proxies; I disabled the forwarder option in the front end definition.

G