HaProxy + PfSense 503 Service Unavailable
- 
 Hello, I created a VMware Workstation environment for testing how to configure a proper pfSense with HAProxy network. 
 I have two Windows Server 2019 with IIS with two working websites via HTTPS (before installing HAProxy) that are accessible remotely. Afterwards I created two ACME certifications, one with wildcard *.example.com and one for one of the websites, test.example.com.
 Then I configured HAProxy with the following settings:
```
# Automaticaly generated, dont edit manually.
# Generated on: 2024-03-11 15:08
global
    maxconn 100
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend TestSites
    bind 192.168.1.134:443 name 192.168.1.134:443 ssl crt-list /var/etc/haproxy/TestSites.crt_list
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl TestSite1 var(txn.txnhost) -m str -i test.example.co.il
    http-request set-var(txn.txnhost) hdr(host)
    use_backend TestSiteA_ipvANY if TestSite1

backend TestSiteA_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    load-server-state-from-file global
    server Site1 192.168.2.10:443 id 101 ssl verify none
```
 Now when I reach the website test.example I get "503 Service Unavailable". I do get the proper certification, but it feels like it's not moving traffic to the backend (just a reminder that without HAProxy I can access the websites).
 My firewall rules are open ports 80 and 443 to the router IP 192.168.1.134.
 Any idea what could cause the issue?
 Thanks in advance.
- 
 @alexhen 
 If you check the stats, is your backend shown as online / green?
- 
 @viragomann 
 Yep. Most often the reason for the 503 is that the service port is either wrong or not listening.
- 
 The health check is disabled 
- 
 @alexhen 
 Can you visit the site when bypassing the proxy?
- 
 @michmoor Yes, when I disable the HAProxy I can access the websites locally and remotely.
- 
 @alexhen 
 Try to enable the health check. Just basic (TCP) should do it fine.
- 
 @viragomann When I enable basic health with Encrypt(SSL) it reports DOWN, but if I disable the Encrypt(SSL) it reports UP.
- 
 By the way, when I change the setting to port 80 I get "502 Bad Gateway The server returned an invalid or incomplete response." and the site does work on port 80 without the HAProxy.
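
The two health-check results reported in the thread (UP without SSL, DOWN with SSL) test different layers: a TCP connect versus a TLS handshake. The following is an added example, not code from the thread or from pfSense/HAProxy, that probes a backend at both layers with certificate verification off, as in `ssl verify none`; `probe_backend`, `start_plain_listener` and the local plaintext listener are names and sample input constructed here.

```python
import socket
import ssl
import threading


def probe_backend(host, port, sni=None, timeout=3.0):
    """Check host:port at two layers: plain TCP connect, then TLS handshake."""
    result = {"tcp": False, "tls": False, "detail": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"tcp connect failed: {exc}"
        return result
    result["tcp"] = True  # what a basic check without SSL tests
    # Like 'ssl verify none': no certificate or hostname validation.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # sni=None sends no SNI extension; pass a name to compare.
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            result["tls"] = True
            result["detail"] = f"handshake ok: {tls.version()}"
    except (ssl.SSLError, OSError) as exc:
        result["detail"] = f"tls handshake failed: {exc}"
        raw.close()
    return result


def start_plain_listener():
    """Constructed peer for the demo: accepts TCP, replies in plaintext only."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_plain_listener()
    print(probe_backend("127.0.0.1", port))  # tcp True, tls False
```

Run from a host that can reach the backend, `probe_backend("192.168.2.10", 443)` and the same call with `sni="test.example.co.il"` show whether the handshake result depends on the name sent; the `detail` field carries the underlying error text.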
