Score:0

haproxy on pfsense fw to guac


I am having some issues with setting up a publicly accessible guacamole server thru my pfsense, which is running haproxy.

Internet > pfsense
          \ haproxy > guac
  • I have my domain DNS thru cloudflare. It is currently proxied - should this matter at all?
  • I have NAT set up to direct 80 and 443 thru to my haproxy VIP
  • I have the haproxy frontend for port 80 redirecting to port 443
  • I have the haproxy frontend for port 443 using subdomain acl's to split traffic (eventually, I am looking to have a normal 'www' site as well)

Networking:

  • I can access guac locally via IP.
  • I CAN NOT access guac locally via name - getting 503.
  • I have "split DNS" set up (I think?) right now - I have one entry for guac pointing to its real IP, then another part of a split DNS record that points both www and guac to the haproxy VIP.

The general idea is to have haproxy terminate https to the outside, then speak to guac internally via http (i.e. "ssl offloading"(?)).

  • I have two backends set up, one for www and the other for guac.

I am unsure exactly.. where to go to troubleshoot. I was following this guide: https://geekistheway.com/2022/10/17/how-to-host-multiple-domains-using-haproxy-as-reverse-proxy-on-pfsense/ and it seems like either perhaps I am just not exactly.. knowing what to do or something.

Any help with like helping me to clarify the situation or finding logs or .. some other troubleshooting I can do would be very much appreciated.

nepher ki3den
Ah I forgot to mention - I'm using letsencrypt via pfsense acme module to get the certificates issued.
Score:0

re-edit: I had to change my settings in Cloudflare to use strict SSL. Everything is working now.

edit: well, spoke too soon - it works internally. Still inaccessible from external. Getting a 523 from Cloudflare.

It turns out - I had haproxy HTTP checks for the backend that were failing, so haproxy itself was saying it wasn't working.

I changed the url it was using to check and it works now.

for guac specifically, I had to add in /guacamole/ to the checked url.
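
The answer above traces the 503 to a failing haproxy HTTP health check. The following Python script is an added example, not part of the original thread: it applies the pass rule haproxy uses for HTTP checks (a 2xx or 3xx status passes, anything else marks the server down) so a check URL can be tested before it goes into the backend settings. The stub server, its 404 on `/`, and the names `check` and `demo` are constructed assumptions for the demonstration.

```python
# Added example: judge a backend the way an HTTP health check does.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class StubBackend(BaseHTTPRequestHandler):
    """Constructed stand-in for the guac host: only /guacamole/ exists."""

    def _reply(self):
        self.send_response(200 if self.path.startswith("/guacamole/") else 404)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_OPTIONS = do_HEAD = _reply

    def log_message(self, *args):  # keep the demo output quiet
        pass


def check(host, port, path, method="OPTIONS", timeout=3):
    """Return (healthy, detail): a 2xx or 3xx status passes,
    any other status (or no answer at all) fails."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, path)
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return False, f"no response: {exc}"
    return 200 <= status < 400, f"HTTP {status}"


def demo():
    """Probe the stub on both URLs and return {path: (healthy, detail)}."""
    server = HTTPServer(("127.0.0.1", 0), StubBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {p: check("127.0.0.1", port, p) for p in ("/", "/guacamole/")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, (healthy, detail) in demo().items():
        print(f"{path:<12} {'UP' if healthy else 'DOWN'}  ({detail})")
```

When every server in a backend fails its check, haproxy has nowhere to send the request and answers 503 itself, which matches the symptom in the question.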
