@andyc23 said in HAProxy json-rpc healthcheck - need help with my example:

@andyc23
I solved this by having this in the advanced pass through.
Hope it helps someone else:

option httpchk POST / HTTP/1.1\r\nHost:\ haproxyservices\r\nContent-Type:\ application/json\r\nContent-Length:\ 76\r\n\r\n"{\"jsonrpc\":\"2.0\",\"method\":\"eth_syncing\",\"params\":[],\"id\":1}" http-check expect string false

I do get a warning though >

[WARNING] 185/013305 (92736) : parsing [/var/etc/haproxy/haproxy.cfg:132]: 'option httpchk' : hiding headers or body at the end of the version string is deprecated. Please, consider to use 'http-check send' directive instead.

not sure if important.

Sorry for bumping this old thread.

I had everything working as above, but now, since i've updated haproxy -

i now get this issue:

[ALERT] (50668) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:181] : 'option httpchk' : hiding headers or body at the end of the version string is unsupported.Use 'http-check send' directive instead..

i've tried:

http-check send meth POST uri / ver HTTP/1.1 hdr Host haproxyservices hdr Content-Type application/json hdr Content-Length 60 body "{"jsonrpc":"2.0","method":"eth_syncing","params":[],"id":1}"
http-check expect string false

anyone able to help me set the correct backend passthru?

@stephenw10

I am missing my photos :( Can you help with a couple of these posts the photos are vanishing ..

@Antibiotic

Ref:
http://www.squid-cache.org/Doc/config/memory_pools_limit/

Try to change this to a higher value if your firewall can handle it

@gurpal2000
We are talking about backends.

There is a "Default Backend" setting in the frontend. This is used if no rule matches a traffic.

Howerver, you can as well add an action for the primary backend and negate the existing ACL.

@nalle_j
So you have to investigate, what's going wrong.

I assume, that the packets reach the remote backend server, since the health check succeed, as you wrote.

To get sure, sniff the traffic at the remote site. First on the server-facing interface. If you can see requests and responses either, sniff on the Wireguard interface, and if there are no responses, sniff on the WAN to see if the packets go out to the default gateway.

Any tips on how to get this working?

@johnpoz, you are correct. I should have added that in my head it seemed like a security issue but it obviously wasn't because of the default rules.

This is pretty complex I use a separate VLAN that only gets the resources it needs for VPN but check your ACLs and if you really want to send VPN traffic into the proxy you need to force that traffic into the proxy NAT it

UPDATE 4-25-24

Added timeframes to secure web cache use

Add this to the top of the config

acl block_hours time 01:30-05:00 ssl_bump terminate all block_hours http_access deny all block_hours

@viragomann Yes, not sure why that made a difference but it's working.

follow this for use with creating a dstdom.broken file for use with pinned certificates..

https://wiki.squid-cache.org/SquidFaq/WindowsUpdate

same item however add the
office.com
office.net domains into the folder so everything works and cache for updates still works

acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
sslproxy_cert_error deny all

this works for me and all updates restored and office use