@kiokoman said in HAProxy: 503 errors on 2 domains:

@oguruma
HAproxy 503 Service Unavailable No server is available to handle this request is passed when the http check fail for some reason even if the service is up and running

like in this post https://serverfault.com/a/886319

you need to adjust that option in a way that it receve a valid response from the server or disable httpchk

Thanks again for the help. I got it working by deleting both the frontends and the backends for the not-working domains and recreating them, making sure to disable health checks from the outset when creating the backends.

One thing that is curious is that I re-installed ERPNext on separate, vanilla VM and pointed the backend to that new VM with healthcheck enabled, and it worked fine...

Hi,

same problem here after upgrading from 2.6 to 2.7.2,
Certificate manager don't fill 'In use' column for some of the certifcates used by HAProxy.

Anyone has an explanation or solution?

Thanks

@ironwood Ok, I found the solution, or rather, ChatGPT found the solution. Under System > Advanced > Admin Access, there is a setting called WebGUI Login Redirect. This is the description:

When this is unchecked, access to the webConfigurator is always permitted even on port 80, regardless of the listening port configured. Check this box to disable this automatically added redirect rule.

The redirect is enabled for port 80 by default and was conflicting with the http to https redirect I had set up in HAproxy a long time ago. I check the box to disable it, saved, enabled my redirect and voila, it works!

I'm guessing this was either a new feature in 23.09.1 or it I had it checked before and it "unchecked" itself? Would be interested in finding if that setting exists in earlier versions if anyone hasn't upgraded.

@kiokoman said in CARP Mode Multicast / Unicast ?:

@Yathus
indeed, if you can't use multicast., peer address is the second node for primary pfsense and vice versa for secondary pfsense
forget about PFSYNC interface it is used only for configuration synchronization and pfsync state synchronization

I made a test, i create a "Virtual IP" on primary pfsense and i put IP from secondary on "peer IP" and it's working. I create only on the primary node, nothing on second node, Sync did the job.

Does nobody know or have any ideas? I am really stuck on this.

@SteveITS And that is what is strange...the rules on the primary firewall are there...and for that matter ALL the rules for all the interfaces are there and not overwritten or deleted...just the HA ones. And I don't change any of the rules on the prmary as it relates to HA.

@SteveITS the carp began to work after entering the second gateway in first High Availability option

thanks!)

@Daniel_Hyde
Yes, as the hint there is mentioning.
This setting needs only to be made on the primary.

@viragomann ,

Observed something weird where if i turn off state synchronisation in System>> High availability. Application is working. Any suggestions for this weird behaviour??

@SteveITS Thank you!
Unfortunately there does not seem to be a backup option for users and/or certificates only. So looks like i'm going to have to copy those sections of config over manually.

@jeffsmith82 said in Sync not working:

used to force you to use the admin account until a relativity recent version

Oh, good to know, thanks.

@Kajetan321 the vip just points to one of them, whoever is the master. So yeah to it the name is not correct.

What you would want to setup is alternative name..

systemadv.jpg

so if you pfsense1.home.arpa, and pfsense2.home.arpa on the 2 boxes. Here for the vip name you would want pfsense.home.arpa

This is located under system / advanced / admin access

@SteveITS Thank you very much. I appreciate immensely your input. It clarified my misunderstanding.

@jimp , thanks for the directions.