How to serve multiple domains from a single public IP (using HAProxy on pfSense)

This tutorial will show you how to use the HAProxy reverse proxy on pfSense to serve multiple domains or utilize multiple web servers behind a single public IP address.

The purpose of this guide is to show you how to create a basic reverse proxy configuration to allow hosting multiple web servers with a single public IP. HTTPS/SSL is outside of the scope of this guide. Additionally, this guide assumes you have pfSense 2.3 or newer installed and have at least two web servers already configured.

Installing HAProxy

Log in to your pfSense web UI and navigate to System > Package Manager and click on Available Packages, and search for haproxy. For the purpose of this guide we won’t worry about haproxy_devel.


Now we need to allow traffic through the firewall.

Navigate to Firewall > Rules. Click on Add and create a new rule. Under Destination select This Firewall (self) from the dropdown menu and then under Destination Port select HTTP (80) for both the From and To menus. Leave everything else as it is. Click on Save and Apply Changes.


Configuring backends

Now that we’ve installed HAProxy and allowed HTTP traffic to route to it, we need to configure our backends.

Navigate to Services > HAProxy, click on the Backends tab, and click on Add.

Let’s name the first one Backend1. Under Server List, click on the downward arrow and give the server a name; I’m going to use Webhost1. Under address and port put in the local IP of the server, in this case it is with port 80.


Scroll down to Advanced Settings and check Transparent ClientIP and select the appropriate interface from the dropdown list – it will usually be LAN or OPT1 (or whatever you named the OPT1 interface if you’ve set one up). Click on Save.


To set up the second backend we’ll save some time by duplicating the one we just made. Go back to the Backends page and click on the icon under Actions that looks like two pages, one in front of the other. Rename the server pool, the server name in the pool, and change the IP address to the correct one for your second server. In our case we changed it to Backend2, Webhost2, and respectively. Save.


Configuring frontends

Now we need to tell HAProxy which backend server to use for which domain. Because we are only using one public IP address we need to create a shared frontend.

Navigate to Services > HAProxy. On the Frontend tab click on Add.

Give your shared frontend a name. I’m going to use SharedFrontend. Under Listen Address select WAN Address (IPv4) and put 80 for the port. Now scroll down to the Advanced Settings and check Forwardfor so HAProxy will tell the servers what IP addresses are accessing the domains. Click on Save.


Now that that’s done, we’re going to create the frontend to our first domain. Click on Add.

Let’s name this one WebTest1 and check Shared Frontend. The previous frontend we created should show up by default. Now set up the ACLs, or Access Control Lists – this will tell HAProxy where the traffic is supposed to go. Click the downward arrow and give the ACL a name. We’ll use ACL1. Under Expressions select Host Matches. Value is where you will input the domain of the first site – here we’ll put

Below is where we’ll determine what action takes place for the ACL. Click on the downward arrow there and under Condition ACL Names type ACL1. Make sure the backend is set to Backend1. You can choose the default backend below, but it is not necessary. Click on Save.


Once again we’ll save time by using the duplicate option to create another frontend. Change the frontend name, ACL name, ACL value, condition ACL name, and backend to reflect the second server. We’ll use WebTest2, Webhost2,, and Backend2 respectively.

Almost done! Now we just need to start the HAProxy service. Click on the Settings tab and check Enable HAProxy and then set the maximum number of connections. You’ll need to determine what’s appropriate for your site and ultimately the hardware that pfSense is installed on, but for this tutorial we’ll just set it to 10. Click on Save and finally click on Apply Changes.


HAProxy should now be up and running and directing the traffic to the appropriate servers! Keep in mind that this is a very basic configuration to give you something to start with.
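The GUI steps above, written out as a hand-written haproxy.cfg sketch. This is an added example, not part of the original tutorial and not the file the pfSense package generates. The WAN address, server addresses and domain names are placeholders, because the page does not give them.

```haproxy
# Constructed sketch of the tutorial's setup; not the package-generated config.
# Placeholders (assumptions, not from the page):
#   203.0.113.10       = pfSense WAN address
#   192.0.2.11 / .12   = the two web servers
#   site1/site2.example.com = the two domains

global
    maxconn 10                  # the tutorial's value; size it for real traffic

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend SharedFrontend
    bind 203.0.113.10:80
    option forwardfor           # "Forwardfor": adds X-Forwarded-For for the servers
    # Host-based routing: exact, case-insensitive match on the Host header
    acl ACL1 hdr(host) -i site1.example.com
    acl ACL2 hdr(host) -i site2.example.com
    use_backend Backend1 if ACL1
    use_backend Backend2 if ACL2
    # No default_backend is set: a request whose Host header matches no ACL
    # gets a 503 from HAProxy instead of reaching either web server.

backend Backend1
    # "Transparent ClientIP": connect to the server using the client's address.
    # The server's replies must route back through pfSense for this to work.
    source 0.0.0.0 usesrc clientip
    server Webhost1 192.0.2.11:80

backend Backend2
    source 0.0.0.0 usesrc clientip
    server Webhost2 192.0.2.12:80
```

`haproxy -c -f <file>` checks a file like this for syntax errors without starting the proxy.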

17 thoughts on “How to serve multiple domains from a single public IP (using HAProxy on pfSense)”

  1. Thanks for the write-up. If I want to direct this to a domain on Namecheap, how would I configure the DNS on the website?

    1. I don’t use Namecheap so I can’t give you instructions specific to them however you would have to change the “A” record to your pfSense’s WAN IP address. For example, if your public IP is then that is what you would place in the A record. You should check with the DNS service you currently use on how to change the records.

      After updating the record you’ll have to wait a few minutes while the changes propagate to the various DNS services around the world. It shouldn’t take longer than about 5-10 minutes.

    2. I have namecheap. Basically set up dynamic DNS on pfsense (easy enough) and then make your A records on Namecheap point to (it resolves to your dynamic DNS entry that way.)

      From there, follow this guide. Igor is also right that you need just one frontend with ACLs now.

  2. In pfSense 2.3.2 you do not need to create several frontends in this simple example. You can create several ACLs and Actions in a single frontend.

  3. Thanks for the info I will have to give it a try after I migrate my exchange server to 2013. I need to know however if you know, if there is something I need to enable for SSL? I use CloudFlare to manage my SSL externally.

  4. Hello, what’s the purpose of marking the option in Transparent Client “Use Client-IP to connect to backend servers”, and why do you need a main shared frontend and not just individual frontends? Sorry for my English and thanks!

  5. Hey thank you for the tutorial, I was wondering if HAProxy can also be used for services other than HTTP and HTTPS, could I perhaps use it for hosting multiple Minecraft Servers from the same IP? Say I want to have something like be redirected to a server running on one machine and then have be redirected to a different server whilst still keeping the required 25565 port?

    1. With a Minecraft server or other services, you can use simple NAT to achieve your goals. That said, HAProxy can load balance any TCP service, so yes you can use HAProxy but it may be overkill for a single service.

  6. Hi Brian,

    Aside from not opening the port 80 on WAN, is there anything else I should change from your guide if I want this to be a LAN only reverse proxy setup?


  7. Hi great post!

    I’m having trouble getting this to work with Https. I have my own wildcard ssl certificate from a CA.

    I’m pretty green so not exactly sure what boxes to check for that? I was able to get it to work via port 80 for a bit and then got a 503 error.



  8. Great post Brian! I finally managed to make it work after trying for several months. Thanks to you.

    For others who are facing 503 error, please change your port for pfsense portal. It started working at port 80 once I set the portal port to some other port (I used 8888).

    Hint: If you are getting DNS rebind page or 503 when accessing your domain, chances are that your pfsense portal is still set at port 80. Just change it and it will start working.

  9. To anyone wondering about the SSL certificate setup using HAProxy, you will have to have the certificate installed on the pfSense server for HAProxy in order for the SSL certificate to be active for the website,
    and the back end can be used upon port 80 on the local servers. HAProxy is basically a waitress at a restaurant. You place your order, she writes it down, and sends it to the cook. She waits on the cook to make the food, and brings it back to you and sets it on the table in front of you. But you gotta tell the waitress first that you want to add extra fries to your burger order before she sends that list over to the cook.

    Waitress – Proxy Server
    Extra Fries – SSL Certificate
    Cook – Webserver

    In technical terms.
    You’re the computer user, and you go to the request sends over to a proxy server with SSL encryption. The proxy server has a list of IP addresses and is able to find that direct one for the valvesocial domain request and goes directly to the webserver with the request and URL permalink.
    The webserver gives the request back to the proxy server, and the proxy server brings the data back to you, the computer user, SSL encrypted using HTTPS.
    Hope this helps!

  10. In the title you say “multiple domain from a single public ip”, but all I see is multiple sub-domains, not an actual domain. Does this apply to the actual FQDN as well? Because I can’t get it to work for a different one.
