Omada Controller 3.1.4 nginx reverse proxy

Re:Omada Controller 3.1.4 nginx reverse proxy
2021-08-13 20:02:23

@returntrip 

Here's my setup. I had posted this in a different thread a few months ago, but that conversation went in a different direction. I'm using the HAProxy package on pfSense, and at the end I've included the text config that pfSense generated, which is what native HAProxy would use.

 

HTTPS/443 front-end:

 

 

HTTP/port 80 front-end:

 

HAProxy config:

 

# TLS-terminating front end for the controller UI: accepts HTTPS on
# 10.0.0.50:443 and forwards requests whose Host is "eap" or
# "eap.localdomain" to the controller's own HTTPS port (8043).
frontend EAP-Controller-https-443
        # Client-facing certificates are listed in the crt-list file.
        bind                    10.0.0.50:443 name 10.0.0.50:443   ssl crt-list /var/etc/haproxy/EAP-Controller-https-443.crt_list
        mode                    http
        log                     global
        option                  http-keep-alive
        # Timeouts without a unit are milliseconds (30 s here).
        timeout client          30000
        # Exact, case-insensitive matches on the saved Host value. A Host that
        # carries a port suffix does not match these two, only the regex ACLs below.
        acl                     eap-short       var(txn.txnhost) -m str -i eap
        acl                     eap-fqdn        var(txn.txnhost) -m str -i eap.localdomain
        # The same two names with an optional :port. Declaring one ACL name
        # twice ORs the patterns together.
        acl                     aclcrt_EAP-Controller-https-443 var(txn.txnhost) -m reg -i ^eap(:([0-9]){1,5})?$
        acl                     aclcrt_EAP-Controller-https-443 var(txn.txnhost) -m reg -i ^eap\.localdomain(:([0-9]){1,5})?$
        # Save the client's Host header in a transaction variable; the ACLs above
        # are only evaluated when the rules below reference them, and the
        # variable is still available when the response rule runs.
        http-request set-var(txn.txnhost) hdr(host)
        # Present the controller with a Host that names its own port.
        # NOTE(review): presumably the controller builds links/redirects from Host - confirm.
        http-request set-header host eap:8043  if  eap-short aclcrt_EAP-Controller-https-443
        http-request set-header host eap.localdomain:8043  if  eap-fqdn aclcrt_EAP-Controller-https-443
        # Map the internal port back to 443 in Location headers. The pattern is
        # the bare digits 8043, so it is not anchored to the port position in the URL.
        http-response replace-value location 8043 %[hdr(location),regsub(8043,443)]  if   aclcrt_EAP-Controller-https-443
        # Only Host-matched requests are proxied. There is no default_backend,
        # so any other Host gets no backend (HAProxy answers 503).
        use_backend server-8043_ipvANY  if   aclcrt_EAP-Controller-https-443

# Plain-HTTP front end on 10.0.0.50:80, forwarded to the controller's HTTP
# port (8088). Nothing in this section redirects to HTTPS itself.
# NOTE(review): the 8043->443 rewrite below suggests the controller answers
# with a redirect to its HTTPS port - confirm, otherwise the admin login
# crosses the client-to-proxy hop in cleartext.
frontend EAP-Controller-http
        bind                    10.0.0.50:80 name 10.0.0.50:80
        mode                    http
        log                     global
        option                  http-keep-alive
        # Timeouts without a unit are milliseconds (30 s here).
        timeout client          30000
        # Exact, case-insensitive matches on the saved Host value (no port suffix).
        acl                     eap-short       var(txn.txnhost) -m str -i eap
        acl                     eap-fqdn        var(txn.txnhost) -m str -i eap.localdomain
        # Save the client's Host header so the ACLs above can test it.
        http-request set-var(txn.txnhost) hdr(host)
        # Present the controller with a Host that names its own HTTP port.
        http-request set-header host eap:8088  if  eap-short
        http-request set-header host eap.localdomain:8088  if  eap-fqdn
        # Map the controller's internal ports back to the public ones in
        # Location headers. These two rules carry no condition, so they apply
        # to every response passing through this frontend.
        http-response replace-value location 8088 %[hdr(location),regsub(8088,80)]
        http-response replace-value location 8043 %[hdr(location),regsub(8043,443)]
        # Unlike the HTTPS frontend, there is no Host check here: every request
        # arriving on port 80 is handed to the controller, whatever Host it carries.
        default_backend server-http_ipvANY

# Backend for the controller's HTTPS listener at 10.0.0.151:8043.
backend server-8043_ipvANY
        mode                    http
        id                      100
        log                     global
        # Timeouts without a unit are milliseconds (30 s here).
        timeout connect         30000
        timeout server          30000
        retries                 3
        # Health check: an HTTP OPTIONS / request to the server.
        option                  httpchk OPTIONS /
        # "ssl" re-encrypts traffic to the controller and "check-ssl" runs the
        # health check over TLS every 10000 ms.
        # "verify none" skips validation of the controller's certificate, so this
        # hop is encrypted but the proxy does not authenticate what it connects
        # to. To authenticate the controller, use "verify required" together
        # with a "ca-file" that trusts its certificate.
        server                  server 10.0.0.151:8043 id 101 ssl check-ssl check inter 10000  verify none
        
# Backend for the controller's plain-HTTP listener at 10.0.0.151:8088.
# Traffic on this hop is unencrypted (no "ssl" on the server line).
backend server-http_ipvANY
        mode                    http
        id                      102
        log                     global
        # Timeouts without a unit are milliseconds (30 s here).
        timeout connect         30000
        timeout server          30000
        retries                 3
        # Health check: an HTTP OPTIONS / request every 10000 ms.
        option                  httpchk OPTIONS /
        server                  server 10.0.0.151:8088 id 101 check inter 10000

Re:Omada Controller 3.1.4 nginx reverse proxy
2021-08-15 09:27:26

@matt25 many thanks! I could manage to get it working, one additional point I was missing was to select the "Encrypt(SSL)" on the backend (not visible in your screenshots but visible on the text config)

Re:Omada Controller 3.1.4 nginx reverse proxy
2021-10-10 14:52:29

Hi guys,

 

Has anyone succeeded in implementing this with nginx?

 

My nginx conf works over mobile but not over desktop ! I can't figure it out.

 

My desktop is presented with the logon screen but the login fails.

 

On my mobile phones/tablets, it works.

 

Here is my nginx conf :

 

# Port 80 server as posted in the question (login fails from desktop browsers).
# The server-level "if" answers with a 301 to HTTPS only when Host equals
# wifi.domain.com. A request that reaches this server with any other Host
# skips the redirect and is proxied by "location /" below, so the
# client-to-proxy hop for that request is plain HTTP.
server { if ($host = wifi.domain.com)
         { return 301 https://$host$request_uri;
        }
        listen 80;
        server_name wifi.domain.com;

location /
        {
         # TLS to the controller on the default HTTPS port. nginx does not
         # validate the upstream certificate unless proxy_ssl_verify is enabled.
         proxy_pass https://192.168.1.21;
         proxy_http_version 1.1;
         proxy_cache_bypass $http_upgrade;
         proxy_set_header Upgrade $http_upgrade;
         # Sent on every request, not only on WebSocket handshakes.
         # NOTE(review): the follow-up post reports login working once every
         # header except Host was removed; which header was responsible is not
         # identified in the thread.
         proxy_set_header Connection "upgrade";
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         # Appends the peer address to any X-Forwarded-For the client supplied;
         # the earlier entries are client-controlled.
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         # An empty value means no Accept-Encoding header is passed upstream.
         proxy_set_header Accept-Encoding "";
         proxy_set_header X-Forwarded-Proto $scheme;
        }
}
# HTTPS server as posted in the question (login fails from desktop browsers).
# Terminates TLS for wifi.domain.com and relays every request to the
# controller at 192.168.1.21.
server {
         listen 443 ssl http2;
         server_name wifi.domain.com;

         access_log /var/log/nginx/acces_wifi.domain.com.log;
         error_log /var/log/nginx/error_wifi.domain.com.log;
location / {
         # TLS to the controller on the default HTTPS port. nginx does not
         # validate the upstream certificate unless proxy_ssl_verify is enabled.
         proxy_pass https://192.168.1.21; proxy_http_version 1.1;
         proxy_cache_bypass $http_upgrade;
         proxy_set_header Upgrade $http_upgrade;
         # Sent on every request, not only on WebSocket handshakes.
         # NOTE(review): the follow-up post reports login working once every
         # header except Host was removed; which header was responsible is not
         # identified in the thread.
         proxy_set_header Connection "upgrade";
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         # Appends the peer address to any X-Forwarded-For the client supplied;
         # the earlier entries are client-controlled.
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         # An empty value means no Accept-Encoding header is passed upstream.
         proxy_set_header Accept-Encoding "";
         proxy_set_header X-Forwarded-Proto $scheme;
        }

   # Certificate chain and private key presented to browsers.
   ssl_certificate /etc/cert/bundleAG.crt;
   ssl_certificate_key /etc/cert/privkeyAG.pem;

}

 

Thanks for your help

Re:Omada Controller 3.1.4 nginx reverse proxy
2021-10-10 23:00:49

I fixed it by using far fewer headers:

 

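# Port 80 exists only to move browsers to the HTTPS listener.
# There is deliberately no location/proxy_pass here: whatever Host a client
# sends, nothing is relayed to the controller from a cleartext connection.
server {
    listen 80;
    server_name wifi.domain.com;

    # Redirect to the fixed server name rather than echoing the
    # client-supplied Host value back in the Location header.
    return 301 https://wifi.domain.com$request_uri;
}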
# HTTPS listener for wifi.domain.com: terminates TLS and relays every
# request to the controller at 192.168.1.21.
server {
    listen 443 ssl http2;
    server_name wifi.domain.com;

    # Certificate chain and private key presented to browsers.
    ssl_certificate     /etc/cert/bundleAG.crt;
    ssl_certificate_key /etc/cert/privkeyAG.pem;

    access_log /var/log/nginx/acces_wifi.domain.com.log;
    error_log  /var/log/nginx/error_wifi.domain.com.log;

    location / {
        # The hop to the controller is TLS, but nginx does not validate the
        # upstream certificate unless proxy_ssl_verify is enabled (with
        # proxy_ssl_trusted_certificate pointing at a CA that signed it).
        proxy_pass https://192.168.1.21;

        # Host is the only header set explicitly; the controller sees the
        # public name the browser used.
        proxy_set_header Host $host;
    }
}
 
