Netgate Discussion Forum

[solved] backend server nginx down HAProxy

Cache/Proxy | 45 Posts, 3 Posters, 11.9k Views
  wesleylc1 (Rebel Alliance), Sep 16, 2019, 2:17 PM (edited Sep 16, 2019, 2:57 PM)

    Hi guys, I set up https internally on the nginx server, which already responds to https requests on nextcloud.projectus.com.br. Now I'm trying to apply backend settings to my frontend, which is already configured to use port 443, but my backend displays the error "L7STS / 400 in 46ms".

    [image: Captura de tela de 2019-09-16 11-15-04.png]

    • front end settings
    frontend HA_Sistemas-https
    	bind			189.20.108.xx:443 name 189.20.108.xx:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list  
    	bind			187.75.209.2xx:443 name 187.75.209.xx:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list  
    	mode			http
    	log			global
    	option			log-separate-errors
    	option			httplog
    	option			http-keep-alive
    	timeout client		300000
    	acl			rootrequested	var(txn.txnpath) -m str -i /
    	acl			time-sheet	var(txn.txnhost) -m str -i time-sheet.projectus.com.br
    	acl			qsms	var(txn.txnhost) -m str -i qsms.projectus.com.br
    	acl			treinamento	var(txn.txnhost) -m str -i treinamento.projectus.com.br
    	acl			proposta	var(txn.txnhost) -m str -i proposta.projectus.com.br
    	acl			chamado	var(txn.txnhost) -m str -i chamado.projectus.com.br
    	acl			pesquisa	var(txn.txnhost) -m str -i pesquisa.projectus.com.br
    	acl			pesquisa-ce	var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
    	acl			nextcloud	var(txn.txnhost) -m str -i nextcloud.projectus.com.br
    	http-request set-var(txn.txnpath) path
    	http-request set-var(txn.txnhost) hdr(host)
    	http-request redirect location /TimeSheet/faces/login.xhtml  if  rootrequested time-sheet 
    	http-request redirect location /SistemaQSMS/  if  rootrequested qsms 
    	http-request redirect location /Treinamento/  if  rootrequested treinamento 
    	http-request redirect location /Proposta/  if  rootrequested proposta 
    	http-request redirect location /Chamado/  if  rootrequested chamado 
    	http-request redirect location /PesquisaClima/  if  rootrequested pesquisa 
    	http-request redirect location /PesquisaClimaCE/  if  rootrequested pesquisa-ce 
    	http-response add-header Content-Security-Policy upgrade-insecure-requests  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce 
    	use_backend HA_Sistemas-45-xx_80-www_ipvANY  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce 
    	default_backend HA_Sistemas_40-xxx_443-nextcloud_ipvANY
    	default_backend HA_Sistemas_43-xxx_8443_ipvANY
    
    • backend settings
    backend HA_Sistemas_40-xxx_443-nextcloud_ipvANY
    	mode			http
    	id			109
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			nextcloud 192.168.40.xxx:443 id 108 ssl check inter 1000  verify none 
    

    best regards,
    Wesley Santos

    dragoangel, replying to @wesleylc1, Sep 16, 2019, 5:30 PM

      @wesleylc1 Try disabling health checks to begin with.

      Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
      Unifi AP-AC-LR with EAP RADIUS, US-24

      wesleylc1 (Rebel Alliance), replying to @dragoangel, Sep 16, 2019, 5:34 PM (edited Sep 16, 2019, 5:37 PM)

        @dragoangel How do I disable health checks?

        Would it be as in the pictures?
        [image: Captura de tela de 2019-09-16 14-36-23.png]

        [image: Captura de tela de 2019-09-16 14-36-47.png]

        dragoangel, replying to @wesleylc1, Sep 16, 2019, 5:43 PM

          @wesleylc1 Yes, that's it. Try opening your frontend domain.


          wesleylc1 (Rebel Alliance), replying to @dragoangel, Sep 16, 2019, 5:45 PM

            @dragoangel No external access yet.

            dragoangel, replying to @wesleylc1, Sep 16, 2019, 5:54 PM

              @wesleylc1 No big deal, open the internal HAProxy address. Adjust your PC's /etc/hosts file to resolve the domain for the test, or use unbound to point it to the internal IP, etc.


              wesleylc1 (Rebel Alliance), replying to @dragoangel, Sep 16, 2019, 6:05 PM

                @dragoangel Internally, the web page is accessible through the https protocol.

                [image: Captura de tela de 2019-09-16 14-58-32.png]

                I even set the line below on my network gateway.

                [image: Captura de tela de 2019-09-16 15-04-06.png]

                best regards,
                Wesley Santos

                dragoangel, replying to @wesleylc1, Sep 16, 2019, 6:10 PM

                  @wesleylc1 Are you accessing nginx or HAProxy now? Please post the nslookup domain.com output.


                  wesleylc1 (Rebel Alliance), Sep 16, 2019, 6:29 PM

                    @dragoangel This access is being made from my LAN subnet; below is the nslookup output.

                    nslookup nextcloud.projectus.com.br
                    Server:		192.168.45.11
                    Address:	192.168.45.11#53
                    
                    Non-authoritative answer:
                    Name:	nextcloud.projectus.com.br
                    Address: 189.20.108.xx
                    

                    best regards,
                    Wesley Santos

                    dragoangel, Sep 16, 2019, 6:54 PM

                      Hm... you said that you access it locally, but the domain resolves to the public IP.


                      wesleylc1 (Rebel Alliance), replying to @dragoangel, Sep 16, 2019, 7:01 PM

                        The resolution is pointing to the public IP, because my DNS provider is external.

                        dragoangel, Sep 16, 2019, 7:01 PM

                          @dragoangel said in backend server nginx down HAProxy:
                              Are you accessing nginx or HAProxy now?

                          Are you accessing nginx or HAProxy now??


                          wesleylc1 (Rebel Alliance), replying to @dragoangel, Sep 16, 2019, 7:10 PM

                            I do not understand, can you explain again?

                            dragoangel, Sep 16, 2019, 7:12 PM (edited Sep 16, 2019, 7:13 PM)

                              🙄 facepalm.

                              @wesleylc1 said in backend server nginx down HAProxy:
                                  @dragoangel Internally, the web page is accessible through the https protocol.

                              Did you open the connection to NGINX or HAProxy?? Try changing the health check to GET /


                              wesleylc1 (Rebel Alliance), replying to @dragoangel, Sep 16, 2019, 7:24 PM (edited Sep 16, 2019, 7:31 PM)

                                @dragoangel Could my problem be that my frontend already uses another default backend?

                                I had already changed OPTIONS to GET and HEAD, for example; using https there was no success, while using http it went well.

                                dragoangel, Sep 16, 2019, 7:35 PM

                                  You mustn't use "default backend". This is bad practice. Always use only ACLs to assign the backend.


                                  wesleylc1 (Rebel Alliance), Sep 16, 2019, 7:50 PM

                                    I use a default backend for https systems and assign these sites through ACLs.

                                    wesleylc1 (Rebel Alliance), Sep 17, 2019, 3:00 PM

                                      @dragoangel @PiBa Hi guys!!
                                      I deleted the 443 entries from this backend and made new settings using 80; in the image below the backend communicates successfully.

                                      [image: Captura de tela de 2019-09-17 11-48-51.png]

                                      I really need to publish this site, I will be very grateful if you help me.

                                      best regards,
                                      Wesley Santos

                                      wesleylc1 (Rebel Alliance), Sep 19, 2019, 11:59 AM

                                        Supplemental information: after applying the changes below to the backend, it is now in active status, but the ACL still does not point to the correct page.
                                        [image: 001.png]

                                        • backend status:
                                          [image: 002.png]

                                        I am using this documentation as a reference.

                                        https://serverfault.com/questions/664332/haproxy-returns-bad-request-invalid-host-for-seemingly-no-reason

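On the health check itself: HAProxy's "L7STS" result means the check reached the backend over HTTP but got a status it does not accept (only 2xx and 3xx pass by default), and an `option httpchk OPTIONS /` check is sent as HTTP/1.0 with no headers, so it carries no Host header at all. The following is an added Python example, not code from the thread, pfSense, HAProxy or nginx. It builds the bytes HAProxy puts on the wire for a given `option httpchk` argument and feeds them to a constructed model of a name-based virtual host that answers 400 unless a configured Host is present, which is the situation behind the "invalid host" errors in the ServerFault thread linked above. The thread never establishes that this is the cause of the poster's 400, so the `vhost_status` policy is an assumption to rule out, not a diagnosis; `other.example` in the usage is a constructed hostname.

```python
"""What an "option httpchk" line puts on the wire, and how a name-based
virtual host that insists on a Host header answers it.

Added example; not code from the thread, pfSense, HAProxy or nginx. The
virtual-host model below is constructed: it answers 400 unless the request
names a configured site in its Host header (and so, as RFC 7230 requires,
for any HTTP/1.1 request without Host). Whether that is what produced the
poster's 400 is not established in the thread.
"""

EXPECTED_HOSTS = {"nextcloud.projectus.com.br"}  # hostname from the thread


def unescape_config(word: str) -> str:
    """Resolve the backslash escapes HAProxy accepts inside a config word:
    \\r, \\n, \\t and a backslash-protected space."""
    out, i = [], 0
    while i < len(word):
        if word[i] == "\\" and i + 1 < len(word):
            out.append({"r": "\r", "n": "\n", "t": "\t"}.get(word[i + 1], word[i + 1]))
            i += 2
        else:
            out.append(word[i])
            i += 1
    return "".join(out)


def split_config_words(line: str) -> list:
    """Split on unescaped spaces, keeping "\\ " inside a word (the way
    "Host:\\ nextcloud..." stays one word on an httpchk line)."""
    words, cur, i = [], [], 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i:i + 2])
            i += 2
            continue
        if line[i] == " ":
            if cur:
                words.append("".join(cur))
                cur = []
        else:
            cur.append(line[i])
        i += 1
    if cur:
        words.append("".join(cur))
    return [unescape_config(w) for w in words]


def httpchk_request(option_args: str) -> bytes:
    """Bytes HAProxy sends for "option httpchk <method> [<uri> [<version>]]":
    HTTP/1.0 and no headers unless a version word supplies them, then a
    blank line. With the thread's "OPTIONS /" no Host header is sent at all."""
    words = split_config_words(option_args)
    method = words[0]
    uri = words[1] if len(words) > 1 else "/"
    version = words[2] if len(words) > 2 else "HTTP/1.0"
    return f"{method} {uri} {version}\r\n\r\n".encode("iso-8859-1")


def vhost_status(raw: bytes) -> int:
    """Constructed catch-all virtual host: 400 unless Host names a known site."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    if len(request_line.split(" ")) != 3:
        return 400
    host = None
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":")[0]  # drop any :port
    if host not in EXPECTED_HOSTS:
        return 400
    return 200


# The two check lines compared: the thread's, and one that carries a Host header.
THREAD_CHECK = "OPTIONS /"
HOST_CHECK = r"GET / HTTP/1.1\r\nHost:\ nextcloud.projectus.com.br"

if __name__ == "__main__":
    for args in (THREAD_CHECK, HOST_CHECK):
        raw = httpchk_request(args)
        print(f"option httpchk {args}\n  wire: {raw!r}\n  vhost answers: {vhost_status(raw)}")
```

In HAProxy's own syntax the second check is `option httpchk GET / HTTP/1.1\r\nHost:\ nextcloud.projectus.com.br` on the backend (HAProxy appends the final blank line itself). Changing only the method, as the thread tried, keeps the request Host-less, so a vhost of this kind keeps answering 400. Two caveats from the posted server line: `verify none` only disables certificate verification, so a certificate mismatch does not produce a 400; and if the nginx server block is selected by SNI rather than by Host, the `check-sni` server option sets the name the check presents in its TLS handshake.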
                                        PiBa, replying to @wesleylc1, Sep 19, 2019, 3:38 PM

                                          @wesleylc1
                                          Is this what your current config looks like?:

                                          	use_backend HA_Sistemas-45-xx_80-www_ipvANY  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce 
                                          	use_backend HA_Sistemas_40-xx_443-nextcloud_ipvANY  if  !nextcloud 
                                          	default_backend HA_Sistemas_43-xx_8443_ipvANY
                                          

                                          If so, then the logic seems to be wrong. Keep in mind that the first matching 'use_backend' is used.

                                          A client visiting nextcloud would match the first use_backend line, which says it should not be timesheet/qsms/treinamento/..; that evaluates to 'true', so the client will be sent to that first www backend.

                                          You might want to have that one also exclude nextcloud (!nextcloud), and DO allow usage of the nextcloud backend when nextcloud is requested, so that one should be without the ! sign.

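PiBa's first-match point, as an added example that is not part of the thread and not HAProxy code: a small Python model of how HAProxy walks `use_backend` rules in order, run over the rule order PiBa quotes and over a corrected order. It models only the Host ACLs from the posted frontend (the path-based redirects are left out), keeps the ACL and backend names as the poster redacted them, and `example.projectus.com.br` is a constructed hostname standing in for any other site. It also shows a consequence the post does not spell out: with the quoted order, the negated `!nextcloud` rule sends the application hosts (time-sheet, qsms, ...) to the nextcloud backend as well.

```python
"""Model of HAProxy's first-match walk over use_backend rules.

Added example; not code from the thread, pfSense or HAProxy. ACL and
backend names are copied from the frontend posted in the thread (with the
IP fragments as the poster redacted them). Only the Host-based ACLs are
modelled; the path-based redirects of the real frontend are left out.
"""

# Host ACLs from the posted frontend: acl <name> var(txn.txnhost) -m str -i <host>
APP_HOSTS = {
    "time-sheet": "time-sheet.projectus.com.br",
    "qsms": "qsms.projectus.com.br",
    "treinamento": "treinamento.projectus.com.br",
    "proposta": "proposta.projectus.com.br",
    "chamado": "chamado.projectus.com.br",
    "pesquisa": "pesquisa.projectus.com.br",
    "pesquisa-ce": "pesquisa-ce.projectus.com.br",
}
ACLS = dict(APP_HOSTS, nextcloud="nextcloud.projectus.com.br")

WWW = "HA_Sistemas-45-xx_80-www_ipvANY"
NEXTCLOUD = "HA_Sistemas_40-xx_443-nextcloud_ipvANY"
DEFAULT = "HA_Sistemas_43-xx_8443_ipvANY"

# A rule is (backend, conditions). Conditions are ACL names, "!"-prefixed
# for negation, and are ANDed, exactly as on a "use_backend ... if a !b" line.
NOT_APPS = ["!" + name for name in APP_HOSTS]

# The order PiBa quotes: the www rule fires for nextcloud too, and the
# nextcloud rule is negated, so it fires for everything except nextcloud.
ORIGINAL_RULES = [
    (WWW, NOT_APPS),
    (NEXTCLOUD, ["!nextcloud"]),
]

# Corrected order: match nextcloud positively, and exclude it from www.
CORRECTED_RULES = [
    (NEXTCLOUD, ["nextcloud"]),
    (WWW, NOT_APPS + ["!nextcloud"]),
]


def acl_matches(name: str, host: str) -> bool:
    """-m str -i: case-insensitive exact comparison of the Host header."""
    return host.lower() == ACLS[name].lower()


def condition_true(cond: str, host: str) -> bool:
    if cond.startswith("!"):
        return not acl_matches(cond[1:], host)
    return acl_matches(cond, host)


def select_backend(rules, host: str, default: str = DEFAULT) -> str:
    """Return the backend HAProxy picks: the first use_backend whose
    conditions all hold, otherwise default_backend."""
    for backend, conds in rules:
        if all(condition_true(c, host) for c in conds):
            return backend
    return default


def render_rules(rules, default: str = DEFAULT) -> str:
    """Emit a rule list in the use_backend/default_backend syntax of the thread."""
    lines = [f"\tuse_backend\t{backend}  if  {' '.join(conds)}" for backend, conds in rules]
    lines.append(f"\tdefault_backend\t{default}")
    return "\n".join(lines)


if __name__ == "__main__":
    # example.projectus.com.br is a constructed hostname standing in for any other site
    for host in ("nextcloud.projectus.com.br", "time-sheet.projectus.com.br",
                 "example.projectus.com.br"):
        print(f"{host:30} quoted order -> {select_backend(ORIGINAL_RULES, host)}")
        print(f"{'':30} corrected    -> {select_backend(CORRECTED_RULES, host)}")
    print(render_rules(CORRECTED_RULES))
```

`render_rules(CORRECTED_RULES)` prints the two `use_backend` lines and the single `default_backend` in the order HAProxy should evaluate them; the application hosts then fall through to the default backend as the poster intends, and only a request whose Host is nextcloud.projectus.com.br reaches the nextcloud backend.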
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.