Netgate Discussion Forum

    HAPROXY + Wordpress -> Error 503

      SwissSteph

      Hello everyone,

      I need your advice for my problem. I've spent hours / days searching the WWW for answers but none of them are complete or would have helped me figure out what I did wrong.

      So I installed ACME and HAPROXY by following Tom's great video (thanks Tom!) which is here https://www.youtube.com/watch?v=bU85dgHSb2E

      I succeeded perfectly in the ACME part because for both my DNS "www.my-adresse-1.xyz" and "www.my-adresse-2.xy" I have the

      [screenshot]

      On my Synology NAS I have my site “www.my-adresse-1.xyz” which has been running perfectly with “Wordpress” for several years.

      My two-step project is to bridge my HAPROXY on my Synology NAS address 192.168.1.46 to manage this site and its certificate and therefore remove the current NAT -> Port Forward rule that I had set up and that works to direct everything to my Synology NAS and not the site.

      [screenshot]

      So I removed this NAT rule and followed Tom's tutorial for configuring HAPROXY.

      And put this one in (Firewall / Rules / WAN):
      [screenshot]

      My only result, which is already good, is to have in the HAPROXY statistics no site in “green”, I can connect to it either as admin, or just to see my site (user) without any problem internally at home.

      But if I try to connect from outside, I systematically get a 503 error.

      I'm going round in circles and don't know what to do.

      I've also tried (still following Tom's video) to point to my other NAS in UNRAID and launch “kuma uptime” (the test Tom does in his video), I always end up on the home page of my UNRAID NAS and never on the kuma port 3001 (tested from outside but the same from my home), port 3001 is never taken into account by HAPROXY and doesn't redirect anything I always end up on the UNRAID home page in 192.168.1.80

      That's it, if you have just the clue to help me unblock myself, thank you very much for your help. I feel like I've tested everything!? could “pfBlockerNG” block anything? I can't easily accuse anyone but myself now...

      [screenshots]

      My "Frontend"

      [screenshots]

      Backend settings for "Kuma":
      [screenshot]

      Frontend :
      [screenshots]

      I started with two "no-name" pfsense, one for use at home and the other as a backup in case of problems (which can happen when you're new to pfsense).
      ... And now I'm living with a Netgate 8200
      ... And sorry for my bad English...

        viragomann

        @SwissSteph
        First of all ensure that the backend is shown up as online in the stats.
        You may have to configure the health check properly.

          SwissSteph

          Thank you for your message. Everything seems (to me) OK!?
          [screenshot]

          EDIT:
          still the same problem, even though I have the correct certificate created in ACME

          [screenshots]


            viragomann

            @SwissSteph
            Obviously your backend doesn't respond to the request from HAproxy though.

            HAproxy uses the settings you stated for the backend server to access it. I noticed that you use port 443 but have "Encrypt" unchecked. I don't assume that your server is really configured this way.
            You probably have to enable encryption in the backend settings.

              SwissSteph

              @viragomann
              Thank you for your intervention and your message. I have the impression that I have used all the possibilities (my eyes don't see much anymore with all these modifications), but I still get error 503.

              Maybe it's Wordpress that's at fault? But here too I've tried removing all the plugins and the same result (well, without having tried all the possibilities below), I don't know what to modify ...

              [screenshots]


                viragomann

                @SwissSteph
                The client certificate in the backend settings is for servers which require a client certificate to get access. I don't presume your server is configured like that. So just remove this.

                I don't use Wordpress, but I don't think that it's on the app. This would probably throw another error.

                For testing, select your WP backend as default in the frontend to rule out host mismatch issues.
                And I suspect that there is a misconfiguration indeed.
                The host-match ACL shows the value beginning with "www", but your browser screenshot shows the hostname starting with an "s".

                  SwissSteph

                  @viragomann
                  Thanks again for your input, I don't know if I've understood all your message and made all the proposed changes, so here are my latest screenshots. What do you think?

                  With this configuration I have the certificate in my browser, and now a 404 error ... that's a plus ;-) I don't know if it's good news, but at least there's a change in the error.

                  What's incredible is that if I go directly to my NAS for this site it has been working perfectly for several years

                  [screenshots]


                    viragomann

                    @SwissSteph said in HAPROXY + Wordpress -> Error 503:

                    With this configuration I have the certificate in my browser, and now a 404 error ... that's a plus ;-)

                    So yeah, you are a step further.
                    However, I think you should learn some basics about how HAproxy works.

                    In short, it acts as a webserver, which you access with your browser and it acts as a client accessing your real backend server, which hosts the page.

                    The frontend includes all the webserver settings and the client settings are done in the backend.

                    So in the frontend you have to specify settings like the IP, port, host name and if TLS should be used. If you check "SSL offloading" you need to state a certificate below, which is handed out to the web browser.
                    In the backend you have to specify, how HAproxy accesses the backend server. You can state the IP and port and if it's encrypted or not.

                    If your backend server is configured to provide TLS itself (what I assume in your case) you have to check "SSL" in the backend and probably need to set the port to 443, as long as the server does not listen on something else.
                    "SSL checks" means that HAproxy will verify the certificate. This might not be needed when accessing an internal server.

                    Note that HAproxy uses just the values you stated in the backend settings. It doesn't add / change the host header, even if you stated a host name. It just resolves the name and accesses the resulting IP.

                    If HAproxy cannot access the backend server or doesn't get a proper response you get error 503 or alike.
                    But now you get error 404. This error comes from your backend server. So presumably your backend settings are still wrong.
                    As I mentioned above, "Encrypt (SSL)" might need to be checked. If you still get 404, go to the backend server and check its log file for hints.

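The frontend/backend split described in the reply above, written out as a plain haproxy.cfg fragment. This is an added example, not the configuration from the thread and not what the pfSense package generates; the section names, the certificate path and the use of `verify none` are assumptions, while the hostname and NAS address are the ones given in the first post.

```haproxy
# Added illustration. Section names and the certificate path are assumptions;
# www.my-adresse-1.xyz and 192.168.1.46 come from the thread.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend = the "webserver" side that the browser talks to.
frontend https_in
    # SSL offloading: HAProxy terminates TLS and hands this certificate
    # (e.g. the one issued through ACME) to the browser.
    bind :443 ssl crt /path/to/acme-cert.pem    # placeholder path

    # Host-match ACL. The value must equal the hostname the browser really
    # requests; "www..." here does not match a request for another name.
    acl host_wp hdr(host) -i www.my-adresse-1.xyz
    use_backend wordpress_nas if host_wp

    # If no ACL matches and there is no default backend, HAProxy has no
    # server to pick and answers 503 itself. Uncomment while testing to
    # rule out a host mismatch, as suggested in the thread:
    # default_backend wordpress_nas

# Backend = the "client" side: how HAProxy reaches the real server.

# Mismatched: port 443 without "ssl" ("Encrypt" unchecked). HAProxy sends
# plain HTTP to a TLS listener and never gets a proper response back.
backend wordpress_nas_mismatched
    server nas 192.168.1.46:443 check

# Corrected: "ssl" makes HAProxy speak TLS to the NAS. "verify none" skips
# validation of the NAS certificate (assumed acceptable here because the
# server is internal).
backend wordpress_nas
    # The client's Host header is forwarded unchanged, so the web server on
    # the NAS must have a site configured for that name; if it does not,
    # the 404 is produced by the NAS, not by HAProxy.
    server nas 192.168.1.46:443 ssl verify none check
```

A 503 points at the proxy side (no backend selected, or no usable server), while a 404 means the request reached the NAS and should be traced in the web server log there.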
                      SwissSteph

                      @viragomann
                      THANK YOU!

                      I will study every word of your message and continue my inspection.

                      I'll come back here with the rest, and if I finally come up with a solution that works I'll put it here completely for others too.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.