Netgate Discussion Forum
    Accessing HAproxy on IP address always fails

    10 Posts 2 Posters 2.6k Views
    • wickeren

      Running HAProxy on latest pfSense. Accessing on IP address always results in a "HAproxy 503 Service Unavailable No server is available to handle this request" no matter what ACL I use. Also setting a default backend won't do the trick.
      Is this a known issue? Any way to work around it? At least the default backend should work, shouldn't it?
      ACLs seem to work fine when using a hostname/URL etc.

      • PiBa

        Servers are shown 'up' in the stats?
        Using SSL certificates? If so then do you have the SNI ACLs enabled?

        • wickeren

          Yup, servers are up. No SSL (yet).
          Have defined one ACL (if host contains…), works fine when accessing on that name, defaults to the default backend using other names. So far so good.
          But accessing on IP always gives a 503 error. Can't get the ACL nor the default backend to work.
          Problem is the IP is set hard on some old clients (terminals) and I'm unable to change that.

          • PiBa

            Can you share the haproxy.cfg? (from bottom of settings tab)

            • wickeren

              A little bit sanitized :)

              global
              maxconn 1000
              stats socket /tmp/haproxy.socket level admin
              uid 80
              gid 80
              nbproc 1
              chroot /tmp/haproxy_chroot
              daemon
              tune.ssl.default-dh-param 2048
              server-state-file /tmp/haproxy_server_state
              ssl-default-bind-options no-sslv3 no-tlsv10

              listen HAProxyLocalStats
              bind 127.0.0.1:2200 name localstats
              mode http
              stats enable
              stats admin if TRUE
              stats uri /haproxy/haproxy_stats.php?haproxystats=1
              timeout client 5000
              timeout connect 5000
              timeout server 5000

              frontend NetPay-SOAP-Service
              bind <wan_ip>:12439 name <wan_ip>:12439 
              bind <wan_ip>:12440 name <wan_ip>:12440 ssl  crt /var/etc/haproxy/NetPay-SOAP-Service.pem 
              mode http
              log global
              option http-keep-alive
              timeout client 30000
              acl Windesheim hdr_sub(host) -i windesheim.<domain><.COM>
              acl HvA-UvA hdr_sub(host) -i uva-hva.<domain><.COM>
              acl Hasselt-PXL hdr_sub(host) -i <wan_ip>
              acl aclcrt_NetPay-SOAP-Service hdr_reg(host) -i ^([^.]*).<domain><.COM>(:([0-9]){1,5})?$
              acl aclcrt_NetPay-SOAP-Service hdr_reg(host) -i ^<domain><.COM>(:([0-9]){1,5})?$
              use_backend Windesheim_http_ipvANY  if  Windesheim aclcrt_NetPay-SOAP-Service
              use_backend UvA-HvA_http_ipvANY  if  HvA-UvA aclcrt_NetPay-SOAP-Service
              use_backend Hasselt-PXL_http_ipvANY  if  Hasselt-PXL aclcrt_NetPay-SOAP-Service
              use_backend Hasselt-PXL_http_ipvANY  if  aclcrt_NetPay-SOAP-Service

              backend Windesheim_http_ipvANY
              mode http
              log global
              timeout connect 30000
              timeout server 30000
              retries 3
              option httpchk OPTIONS /
              server Windesheim_server x.x.x.x:12439 check inter 1000

              backend UvA-HvA_http_ipvANY
              mode http
              log global
              timeout connect 30000
              timeout server 30000
              retries 3
              option httpchk OPTIONS /
              server UvA-HvA-Server y.y.y.y:12439 check inter 1000

              backend Hasselt-PXL_http_ipvANY
              mode http
              log global
              timeout connect 30000
              timeout server 30000
              retries 3
              option httpchk OPTIONS /
              server Hasselt-PXL z.z.z.z:12439 check inter 1000

              • PiBa

                As you can see, every use_backend line has the ACL "aclcrt_NetPay-SOAP-Service" and there is no default_backend as far as HAProxy is concerned.

                This is caused by the SNI ACLs that are checked in the SSL section of the config; these SNI ACL checks are added to all backends, including the one that is called the 'default' in the web GUI. If the SNI ACL fails, nothing matches: every backend mentioned in that frontend must match at least one of the certificate SANs, even when accessing over HTTP.

                • wickeren

                  So, if I define two different frontends, one for http and one for https, then a default_backend for at least http should work fine?

                  • PiBa

                    Yes.

                    Edit:
                    You might want to disable the automatic ACL also. In hindsight it seems rarely needed.

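To make PiBa's explanation and the split-frontend fix concrete, here is an added example (not code from the thread or from the pfSense package) that evaluates the frontend's ACL and use_backend rules against a Host header the way HAProxy does: ACL lines with the same name are ORed, conditions on one use_backend line are ANDed, and the first matching rule wins. The two frontend snippets are constructed from the posted config, with `<domain>` replaced by example.com and the WAN IP by the documentation address 203.0.113.10; an IP Host against the combined frontend selects nothing (the 503), while the plain-HTTP frontend with a real default_backend does.

```python
import re

# Constructed, sanitized copy of the posted combined frontend (example.com stands in for
# <domain>, 203.0.113.10 for <wan_ip>); every use_backend carries the certificate ACL.
FRONTEND_COMBINED = """
acl Windesheim hdr_sub(host) -i windesheim.example.com
acl HvA-UvA hdr_sub(host) -i uva-hva.example.com
acl Hasselt-PXL hdr_sub(host) -i 203.0.113.10
acl aclcrt_NetPay-SOAP-Service hdr_reg(host) -i ^([^.]*).example.com(:([0-9]){1,5})?$
acl aclcrt_NetPay-SOAP-Service hdr_reg(host) -i ^example.com(:([0-9]){1,5})?$
use_backend Windesheim_http_ipvANY if Windesheim aclcrt_NetPay-SOAP-Service
use_backend UvA-HvA_http_ipvANY if HvA-UvA aclcrt_NetPay-SOAP-Service
use_backend Hasselt-PXL_http_ipvANY if Hasselt-PXL aclcrt_NetPay-SOAP-Service
use_backend Hasselt-PXL_http_ipvANY if aclcrt_NetPay-SOAP-Service
"""

# The split plain-HTTP frontend: no certificate ACL, and a real default_backend.
FRONTEND_HTTP_ONLY = """
acl Windesheim hdr_sub(host) -i windesheim.example.com
acl HvA-UvA hdr_sub(host) -i uva-hva.example.com
use_backend Windesheim_http_ipvANY if Windesheim
use_backend UvA-HvA_http_ipvANY if HvA-UvA
default_backend Hasselt-PXL_http_ipvANY
"""

def parse(cfg):
    acls, rules, default = {}, [], None
    for line in cfg.strip().splitlines():
        parts = line.split()
        if parts[0] == "acl":  # repeated ACL names are ORed, as in HAProxy
            acls.setdefault(parts[1], []).append((parts[2], parts[4]))
        elif parts[0] == "use_backend":  # parts[2] is the literal "if"
            rules.append((parts[1], parts[3:]))
        elif parts[0] == "default_backend":
            default = parts[1]
    return acls, rules, default

def acl_matches(patterns, host):
    for fetch, value in patterns:
        if fetch == "hdr_sub(host)" and value.lower() in host.lower():
            return True
        if fetch == "hdr_reg(host)" and re.search(value, host, re.IGNORECASE):
            return True
    return False

def choose_backend(cfg, host):
    """Return the backend HAProxy would pick, or None (a 503, no server available)."""
    acls, rules, default = parse(cfg)
    for backend, conds in rules:  # conditions on one line are ANDed
        if all(acl_matches(acls.get(c, []), host) for c in conds):
            return backend
    return default
```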
                    • wickeren

                      PiBa, thanks a lot for looking into my config, splitting the frontend did the trick and at least got HTTP to work now!

                      @PiBa:

                      Edit:
                      You might want to disable the automatic ACL also. In hindsight it seems rarely needed.

                      This triggered me however, where/how do I do that? Can't find a checkbox, is it some parameter I need to pass through somewhere?

                      • wickeren

                        Must have been blind, never mind :)
