Cloudflare, HA proxy, pfsense -- 522 error

Hi, just seeking from input

I’m coming from a configuration involving pfsense and Apache. Apache was acting as both the reverse proxy and web server. SSL certs for domain are from cloudflare. Configuration was working in terms of outside computers being able to access web server with pfSense NATing all traffic on ports 80/443 to the internal web server IP address.

I’m trying now to separate the reverse proxy and use HAproxy which is contained as a package within the pfsense router. The HAproxy acts as an SSL offloader then forwards the request to webserver port 80 on the backend.

Per HA documentation my only firewall rule with this setup is to allow port 80/443 on WAN side access to the HA proxy.

I don’t have any additional ports being passed to the backend (which might be the problem).

In my firewall logs I am getting the following packets being blocked when trying to access the webserver and receiving the 522 error:

Jan 21 07:18:26 WAN Default deny rule IPv4 (1000000103) TCP:S

The IP being blocked is a cloudflare IP address and contained in the list provided by cloudflare

Recommendations from cloudflare ( would suggest opening ports in the firewall to allow access to the backend server to allow for a TCP connection.

My concern however is that cloudflare is trying to create a TCP connection over port 443 when the intermediate proxy should forward packets to port 80. Or perhaps I’m not thinking about this clearly. What specific ports should I allow to the backend webserver(s) – ports 80 and 443 despite the frontend HA Proxy?