HAProxy - can't get a site to work

CreationGuy

I'll start off saying that I have several sites working with HAProxy. They all are in a Promox host running portainer.

I create a separate VM (container) with a static IP, 10.20.20.8. It's running Searxng and apache. To get to it: http://10.20.20.8/searxng/

I want to to set it up so that all I have to do is go to https://searx.mydomain.net/

I can't get that to work.
Screenshot 2024-04-23 at 12-58-31 TheWall.jrfam.net - Services HAProxy Backend Edit.png

viragomann

@CreationGuy said in HAProxy - can't get a site to work:

To get to it: http://10.20.20.8/searxng/

So the site is running within a subdirectory?
Just put it into the root directory.

If you run within a subdirectory you need to tell HAproxy to insert it into to the path, when accessing the backend.

CreationGuy

@viragomann I'm not sure how to do either. I don't think that I can move the directory without breaking searxng.

http://10.20.20.8/ will load the default Apache2 page, but cannot even get to the default page by the subdomain path.

viragomann

@CreationGuy
For sure, you can also use https://searx.mydomain.net/searxng/ for accessing the server. But this might also not be desired.

CreationGuy

@viragomann After a clearing of DNS and restarting of services on pfsense, when I got to http://searx.domain.net/searxng/ it loads, https however, will not.

Secure Connection Failed

An error occurred during a connection to searx.domain.net. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

viragomann

@CreationGuy
I assume, this is due to https redirecting periodically.

Anyway, I don't think you like to use http://searx.domain.net/searxng/. So lets try to let HAproxy insert the "/searxng" into the path.

So go into the backend settings and add an action. Select select "http-request set-path" and enter "/searxng/%[path]" below.

I think, this should do the job. But maybe also an ACL is needed to trigger this action.

CreationGuy

@viragomann said in HAProxy - can't get a site to work:

/searxng/%[path]

Screenshot 2024-04-23 at 15-28-56 TheWall.jrfam.net - Services HAProxy Backend.png
Screenshot 2024-04-23 at 15-29-14 TheWall.jrfam.net - Services HAProxy Backend Edit.png

viragomann

@CreationGuy
You have to enter the string at "fmt".

CreationGuy

@viragomann I fixed that, but in Firefox I get this:



Secure Connection Failed

An error occurred during a connection to searx.domain.net. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

viragomann

@CreationGuy
Yes, but that's a different problem with SSL.

In the frontend you have to uncheck SSL offloading for port 80.

If you want to access the server via SSL you need to configure the frontend with port 443 + SSL offloading and assign a proper certificate to it.

CreationGuy

@viragomann I do, I have other services such as portainer, FileBrowser (Docker that has no SSL so HAProxy assigns on via Cloud Flare). The difference here is searx is on a totally separate server than the one running portainer.

viragomann

@CreationGuy

But port 80 + SSL offloading will not work in the browser as long as you don't state the port like https://searx.mydomain.net:80

CreationGuy

@viragomann I guess I don't know how to explain it.

SearxNG installs in a folder /searxng so when you go to to apache searver, in my case, http://10.20.20.8, I get the apache hello page, if I go to http://10.20.20.8/searxng I get the searxng engine.

I want to use HA proxy to just use my cert when going to https://searx.mydomain.net

viragomann

@CreationGuy said in HAProxy - can't get a site to work:

I want to use HA proxy to just use my cert when going to https://searx.mydomain.net

So when your enter this into your browser (with https in front as scheme), the browser to the the port 443!
Thus the frontend has to listen on port 443 and provide a proper SSL certificate, since the browser is expecting it.

No matter which port your backend server is listening on. This might be 80 or whatever and has to be stated in the backend settings.

CreationGuy

@viragomann I belive I understand that but isn't that what HAProxy is doing for my other websites/services?
Why won't it work for this one service?
DNS Host Overrides:
DNS Host Override.jpg

Screenshot 2024-04-23 at 17-18-24 TheWall.jrfam.net - Services HAProxy Backend Edit.png

CreationGuy

Thank you for your help, after a reboot of the router, it is now working.... thank you again!

viragomann

@CreationGuy said in HAProxy - can't get a site to work:

after a reboot of the router, it is now working....

Of pfSense?
Strange. HAproxy should be restarted on each configuration change anyway.

CreationGuy

@viragomann Yes, not sure why that made a difference but it's working.