Home ADFS and HAProxy

ADFS and HAProxy

I use pfSense for my home networks. For externally available services, I prefer to use the HAProxy package rather than setting up port forwarding. This allows me to do various checks and modifications prior to passing the traffic to my internal servers. However, when I setup HAProxy to pass traffic to my ADFS server it wasn’t working.

I could see the web traffic getting to ADFS, but it wasn’t being handled properly. After some investigation, I found that ADFS has some quirks with how it handles web traffic. Specifically, it requires the incoming HTTPS request to include SNI data indicating the name of the ADFS site. This isn’t enabled by default in HAProxy, so I had to modify my configuration.

If you are directly editing an HAProxy config file, you’ll want to add sni str(your.adfs.hostname) to the backend server line. If you’re using the pfSense HAProxy package, you’ll want to edit your backend configuration and add that to the Per server pass thru option under Advanced settings.

I only have a single ADFS instance, so I have health checks disabled. If you’re using health checks, you’ll also need to add the check-sni option.

This post is licensed under CC BY 4.0 by the author.