Accessing HAProxy on IP address always fails
-
Running HAProxy on latest pfSense. Accessing on IP address always results in a "HAProxy 503 Service Unavailable No server is available to handle this request" no matter what ACL I use. Also setting a default backend won't do the trick.
Is this a known issue? Any way to work around it? At least the default backend should work, shouldn't it?
ACLs seem to work fine when using a hostname/URL etc. -
Servers are shown 'up' in the stats?
Using SSL certificates? If so, then do you have the SNI ACLs enabled? -
Yup, servers are up. No SSL (yet)
Have defined one ACL (if host contains…), works fine when accessing on that name, defaults to default backend using other names. So far so good.
But accessing on IP always gives a 503 error. Can't get ACL nor default backend to work.
Problem is the IP is hard-set on some old clients (terminals) and I'm unable to change that. -
Can you share the haproxy.cfg? (from bottom of settings tab)
-
A little bit sanitized :)
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-options no-sslv3 no-tlsv10

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend NetPay-SOAP-Service
    bind <wan_ip>:12439 name <wan_ip>:12439
    bind <wan_ip>:12440 name <wan_ip>:12440 ssl crt /var/etc/haproxy/NetPay-SOAP-Service.pem
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl Windesheim hdr_sub(host) -i windesheim.<domain><.COM>
    acl HvA-UvA hdr_sub(host) -i uva-hva.<domain><.COM>
    acl Hasselt-PXL hdr_sub(host) -i <wan_ip>
    acl aclcrt_NetPay-SOAP-Service hdr_reg(host) -i ^([^.]*).<domain><.COM>(:([0-9]){1,5})?$
    acl aclcrt_NetPay-SOAP-Service hdr_reg(host) -i ^<domain><.COM>(:([0-9]){1,5})?$
    use_backend Windesheim_http_ipvANY if Windesheim aclcrt_NetPay-SOAP-Service
    use_backend UvA-HvA_http_ipvANY if HvA-UvA aclcrt_NetPay-SOAP-Service
    use_backend Hasselt-PXL_http_ipvANY if Hasselt-PXL aclcrt_NetPay-SOAP-Service
    use_backend Hasselt-PXL_http_ipvANY if aclcrt_NetPay-SOAP-Service

backend Windesheim_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server Windesheim_server x.x.x.x:12439 check inter 1000

backend UvA-HvA_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server UvA-HvA-Server y.y.y.y:12439 check inter 1000

backend Hasselt-PXL_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server Hasselt-PXL z.z.z.z:12439 check inter 1000 -
As you can see, every use_backend line has the ACL "aclcrt_NetPay-SOAP-Service", and there is no default_backend as far as HAProxy is concerned.
This is caused by the SNI ACLs that are generated from the SSL section of the config; these SNI ACL checks are added to all backends, including the one that is called the 'default' in the webgui. So every backend mentioned in that frontend must match at least one of the certificate SANs, even when accessing over http.
-
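A small check for the failure mode described above, added here as an example and not part of the thread: it parses an haproxy.cfg and reports every frontend that has no catch-all, listing the ACL(s) that gate all of its use_backend rules. The two embedded configs are constructed and sanitized (placeholder addresses and example.com), not the poster's file; the first mirrors the single-frontend layout above, the second the split http/https layout.

```python
# Constructed, sanitized haproxy.cfg fragments (not the poster's own file).
# SINGLE_FRONTEND_CFG: every use_backend is gated by the GUI-generated aclcrt_* ACL
# and there is no default_backend, so a request by bare IP matches nothing -> 503.
SINGLE_FRONTEND_CFG = """
frontend NetPay-SOAP-Service
    bind 203.0.113.10:12439
    bind 203.0.113.10:12440 ssl crt /var/etc/haproxy/NetPay-SOAP-Service.pem
    acl Windesheim hdr_sub(host) -i windesheim.example.com
    acl aclcrt_NetPay-SOAP-Service hdr_reg(host) -i ^([^.]*).example.com(:([0-9]){1,5})?$
    use_backend Windesheim_http_ipvANY if Windesheim aclcrt_NetPay-SOAP-Service
    use_backend Hasselt-PXL_http_ipvANY if aclcrt_NetPay-SOAP-Service
"""
# SPLIT_FRONTEND_CFG: plain-http frontend keeps a real default_backend; only the
# https frontend carries the certificate ACL.
SPLIT_FRONTEND_CFG = """
frontend NetPay-SOAP-http
    bind 203.0.113.10:12439
    acl Windesheim hdr_sub(host) -i windesheim.example.com
    use_backend Windesheim_http_ipvANY if Windesheim
    default_backend Hasselt-PXL_http_ipvANY
frontend NetPay-SOAP-https
    bind 203.0.113.10:12440 ssl crt /var/etc/haproxy/NetPay-SOAP-Service.pem
    acl aclcrt hdr_reg(host) -i ^([^.]*).example.com(:([0-9]){1,5})?$
    use_backend Windesheim_http_ipvANY if aclcrt
"""

def parse_frontends(cfg):
    """frontend name -> {"rules": [set of ACL names per conditional use_backend], "default": name|None}.
    Only the AND-ed 'if A B' form that pfSense generates is interpreted ('or' / '!' are not)."""
    frontends, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("global", "defaults", "listen", "frontend", "backend"):
            current = None
            if words[0] == "frontend":
                current = frontends.setdefault(words[1], {"rules": [], "default": None})
        elif current is not None and words[0] == "use_backend":
            if len(words) > 3 and words[2] == "if":
                current["rules"].append(set(words[3:]))
            else:  # an unconditional use_backend is a catch-all, like default_backend
                current["default"] = words[1]
        elif current is not None and words[0] == "default_backend":
            current["default"] = words[1]
    return frontends

def find_unreachable_frontends(cfg):
    """Frontends with no catch-all, mapped to the ACLs every use_backend rule requires
    (the gate a request by bare IP fails). Empty list: no common gate, still no catch-all."""
    findings = {}
    for name, fe in parse_frontends(cfg).items():
        if fe["default"] is None:
            shared = set.intersection(*fe["rules"]) if fe["rules"] else set()
            findings[name] = sorted(shared)
    return findings
```

On the split layout only the https frontend is reported, which is expected: a TLS request by bare IP cannot match a certificate SAN anyway, while the http frontend now has a default_backend.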
So, if I define two different frontends, one for http and one for https, then a default_backend for at least http should work fine?
-
yes
Edit:
You might want to disable the automatic ACL also. In hindsight it seems rarely needed. -
Piba, tnx a lot for looking into my config, splitting the frontend did the trick and at least got http to work now!
Edit:
You might want to disable the automatic ACL also. In hindsight it seems rarely needed.
This triggered me however, where/how do I do that? Can't find a checkbox, is it some parameter I need to pass through somewhere?
-
Must have been blind, never mind :)