Installing HAProxy on pfSense

HAProxy and pfSense are both wonderful solutions on their own. pfSense is a firewall distribution sitting at the edge of your network. Incoming request from external clients has to pass through pfSense. Hence it is very desirable to have features on our network edge where we can perform various tasks on these incoming requests before forwarding them to actual servers. These tasks can be like:

  1. Load balance requests to various servers based on weight or there availability.
  2. Throttle client requests based on clients properties.
  3. Redirect some links straight away before even sending it to servers.
  4. Secure your servers from malicious clients or requests with malicious content.
  5. Collect health and performance stats of your web infrastructure.
  6. Terminate SSL at the edge. Off-load SSL processing from actual servers.

This is where HAProxy stands out. HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. Integrating both of these solutions in one package on our network edge is very desirable.

There are couples of ways to integrate them.

Using pfSense Packages:

Users wishing to extend the functionality of their pfSense installation can use pfSense packages. Packages are very easy to install. They show up in pfSense menu and packages even support their own GUI. Package manager is one of the best things in pfSense. There are so many useful packages in that list like pfflowd, squid3, iperf etc. There are two packages available for HAProxy.

haproxy (1.4.21 pkg v 1.2) – This package implements HTTP balance features from HAProxy.

haproxy-full (1.4.21 pkg v 1.0) – This package implements both TCP and HTTP balance features from HAProxy.

Just install any one of these packages and you can see “HAProxy” under “Services” menu in pfSense. These packages help you with basic configuration of HAProxy using GUI. However, these packages don’t let us harness all features of HAProxy. For example if you want to use ACLs, you won’t find any GUI setting for that in haproxy-full package. Haproxy-full package aims at TCP and Http load balancing, where as “haproxy” package is specifically for http load balancing. Also you cannot go for latest build of HAProxy which continues to add latest features and bug fixes like SSL termination.

Something so powerful and important component of our network edge should not be bound in packages. It deserves a complete attention on its maintainability, easy configuration and full feature access and control.

Directly Installing FreeBSD package of HAProxy on pfSense

pfSense is basically a FreeBSD distribution and in FreeBSD the preferred way to install applications is using FreeBSD Ports Collection.

However, there is no port tree available under pfSense. Also installation of portsnap is strictly prohibited in pfSense. I think it is good not to install such utilities directly under pfsense.

However you can add FreeBSD packages (Not pfSense Packages via Package Manager) in pfSense using pkg_add command.

However you may encounter following error while adding a FreeBSD package for HAProxy.

“Error: Unable to get File unavailable (e.g., file not found, no access)”

You may find some packages for HAProxy here:


If you can find the package for version you are looking for, then you can add package by using full URL.

pkg_add –r

However, I will not suggest installing HAProxy using package directly under pfSense. First, it is hard to find packages of latest versions or some specific versions. Secondly, keeping applications up to date along with its dependencies is not as smooth as with using FreeBSD Ports Collection. Both pfSense and HAProxy are such a critical part of your web stack that their availability really depends a lot on the maintainability of these components in production environment. So what is the solution? Enter FreeBSD jails.

Installing HAProxy inside a JAIL in pfSense

I would rather like to take this opportunity of “Installing HAProxy in pfSense” to setup a framework which is capable to integrate components like HAProxy with pfSense, in such a way that they harness full power of the component and maintains a good isolation with pfSense, so that it is a viable option for production environments.

Solution is to install HAProxy inside a JAIL with its own IP address and environment, well isolated from pfSense. This gives you the flexibility to install whatever you want for HAProxy without interfering with pfSense.

This is not as simple as installing packages. However it makes your life easy and gives you complete control over HAProxy and pfSense once set.

First we need to setup a jail administration framework on pfSense. This will allow us to easily create, update, remove, start, stop and restart jails. Again there is a pfSense package “pfJailctl” available for the purpose. However I found it quite unstable for production environment. So my choice is ezjail. It offers a lot of advantages and goes very well with pfSense.

I have separate post in two parts on “Setting Up ezJail and Ports Collection on pfSense” for this purpose.

Setting Up ezJail and Ports Collection on pfSense – Part 1

Setting Up ezJail and Ports Collection on pfSense – Part 2

Once done with setting up the required infrastructure, integrating HAProxy with pfSense is just a matter of installing another port on a FreeBSD system (pfSense in our case). Setting up a FreeBSD jail infrastructure on pfSense makes it possible to harness full power of HAProxy, while maintaining pfSense’s integrity as a top class firewall distribution.

Use following commands to install HAProxy in the Jail you created in above posts.

Login into Jail:

jexec 2 sh

Install HAProxy:

cd /usr/ports/net
ls hapro*
cd haproxy-devel
make install clean

Install HAProxy on pfSense

Install HAProxy

Configure HAProxy Options

Configure HAProxy Options

HAProxy Installed on pfSense

HAProxy Installed on pfSense

Enable HAProxy Startup

echo ‘haproxy_enable="YES"’ >> /etc/rc.conf

Create HAProxy.conf

Either create a file in /usr/local/etc or upload configuration.

vi /usr/local/etc/haproxy.conf

Sample Configuration file:

 # Simple configuration for an HTTP proxy listening on port 80 on all
 # interfaces and forwarding requests to a single backend "servers" with a
 # single server "server1" listening on
     maxconn 256

     mode http
     timeout connect 5000ms
     timeout client 50000ms
     timeout server 50000ms

 frontend http-in
     bind *:80
     default_backend servers

 backend servers
     server server1 maxconn 32

Test Configuration

Using HAProxy binary:

haproxy -f haproxy.conf –c

Using Startup script

cd /usr/local/etc/rc.d
./haproxy configtest

Start-Stop HAProxy Daemon

/usr/local/etc/rc.d/haproxy start
/usr/local/etc/rc.d/haproxy stop

Upload files into Jail

Use pfSense’s “Diagnostics -> Command Prompt” to upload files to pfSense’s tmp directory.

Exit Jail and then copy it into Jail Directory:

cp /tmp/ /jails/ha.testnet.local/tmp/

Note: When uploading configuration files created on a Windows machine, make sure you first convert EOL (End of Line) characters to Unix format. This can be done using Notepad++’s option “Edit -> EOL Conversion -> Unix”.

About Dinesh Sharma

Experienced system architect, programmer, and trainer. This blog is a way of giving back and helping the community. So feel free to ask a question or to leave a comment.

  • Young Entrepreneur

    Hi Mr. Dinesh,

    I’m new to pfSense and thank you for the know how, I managed to follow and install your “Setting Up ezJail and Ports Collection on pfSense – Part 1 and part 2”. Now my question is, I only have one public IP, can I just copy the haproxy binary from the jail to pfSense and run the haproxy straight from pfSense with the only one public IP I have, ot is there any better way to achieve that? Please advise!

    Thank you!


    • Hi Chooi,

      If you have managed to go through Part 1 and 2 and have setup a jail, then you are 95% done. I would recommend you to stick with installing HAProxy in the jail. You don’t need to bind HAProxy jail to your WAN IP/Interface. Mostly web servers are hosted in DMZ network or sometime in LAN also. You can host your HAProxy jail in same network as of web servers. Just forward required http/https ports from your WAN to your JAIL IP.

      I also prefer this because this is a good option when you have more than one WAN link terminated on pfSense. Let me know if you need more help.


  • Krishna Kumar S

    Hi Dinesh,

    I have configured mysql and radius in my pf and the authentication also working fine. Now I want the usage of each user to be limited to 1 GB per day.moth etc… Have you ever tried any attribute to handle this ?

    If so please let me know I am curious to know about it.

    Thanks in advance…!!!!!

  • Pingback: Fixed: How can I use HAproxy with SSL and get X-Forwarded-For headers AND tell PHP that SSL is in use? #programming #it #answer | IT Info()

  • Pingback: How-to: How can I use HAproxy with SSL and get X-Forwarded-For headers AND tell PHP that SSL is in use? #development #answer #it | SevenNet()