Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [solved] backend server nginx down HAProxy

    Scheduled Pinned Locked Moved Cache/Proxy
    45 Posts 3 Posters 10.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • dragoangelD
      dragoangel
      last edited by dragoangel

      🙄 facepalm.

      @wesleylc1 said in backend server nginx down HAProxy:

      @dragoangel internally it is accessible to the web page through the https protocol.

      You opened connection to NGINX or HAproxy?? Try change healthchecks to GET /

      Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
      Unifi AP-AC-LR with EAP RADIUS, US-24

      W 1 Reply Last reply Reply Quote 0
      • W
        wesleylc1 Rebel Alliance @dragoangel
        last edited by wesleylc1

        @dragoangel My problem may be that my front end already uses another default backend?

        I had already made changes from OPTIONS to GET and HEAD, for example, using https there was no success, already using http went well.

        1 Reply Last reply Reply Quote 0
        • dragoangelD
          dragoangel
          last edited by

          you musn't use "default backend". This bad practice. All time use only ACLs to assign backend.

          Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
          Unifi AP-AC-LR with EAP RADIUS, US-24

          1 Reply Last reply Reply Quote 0
          • W
            wesleylc1 Rebel Alliance
            last edited by

            I use a default backend for https systems and assign to these sites through acls.

            1 Reply Last reply Reply Quote 0
            • W
              wesleylc1 Rebel Alliance
              last edited by

              @dragoangel @PiBa Hi guys !!
              I deleted entries 443 from this backend and made new settings using 80, the image below the backend communicates successfully.

              Captura de tela de 2019-09-17 11-48-51.png

              I really need to publish this site, I will be very grateful if you help me.

              best regards,
              Wesley Santos

              1 Reply Last reply Reply Quote 0
              • W
                wesleylc1 Rebel Alliance
                last edited by

                The supplemental information, after applying the changes below to the backend, is now in active status, but the ACL still does not point to the correct page.
                001.png

                • backend status:
                  002.png

                I am using this documentation as a reference.

                https://serverfault.com/questions/664332/haproxy-returns-bad-request-invalid-host-for-seemingly-no-reason

                P 1 Reply Last reply Reply Quote 0
                • P
                  PiBa @wesleylc1
                  last edited by

                  @wesleylc1
                  Is this what your current config looks like?:

                  	use_backend HA_Sistemas-45-xx_80-www_ipvANY  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce 
                  	use_backend HA_Sistemas_40-xx_443-nextcloud_ipvANY  if  !nextcloud 
                  	default_backend HA_Sistemas_43-xx_8443_ipvANY
                  

                  If so then the logic seems to be wrong. Keep in mind that the first matching 'use_backend' is used.

                  A client visiting nextcloud would match the first use_backend line that says it should not be timesheet/qsms/treinamento/.. which would evaluate to 'true'.. As such the client will be send to that 1st www backend.

                  You might want to have that one also exclude the !nextcloud.. and DO allow usage of the nextcloud backend when the nextcloud is requested.. so that should be without the ! sign.

                  1 Reply Last reply Reply Quote 0
                  • W
                    wesleylc1 Rebel Alliance
                    last edited by wesleylc1

                    @PiBa

                    Current configuration looks like this:

                    frontend HA_Sistemas-https
                    	bind			189.20.108.xx:443 name 189.20.108.xx:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list  
                    	bind			187.75.209.xxx:443 name 187.75.209.xxx:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list  
                    	mode			http
                    	log			global
                    	option			log-separate-errors
                    	option			httplog
                    	option			http-keep-alive
                    	timeout client		300000
                    	acl			rootrequested	var(txn.txnpath) -m str -i /
                    	acl			time-sheet	var(txn.txnhost) -m str -i time-sheet.projectus.com.br
                    	acl			qsms	var(txn.txnhost) -m str -i qsms.projectus.com.br
                    	acl			treinamento	var(txn.txnhost) -m str -i treinamento.projectus.com.br
                    	acl			proposta	var(txn.txnhost) -m str -i proposta.projectus.com.br
                    	acl			chamado	var(txn.txnhost) -m str -i chamado.projectus.com.br
                    	acl			pesquisa	var(txn.txnhost) -m str -i pesquisa.projectus.com.br
                    	acl			pesquisa-ce	var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
                    	acl			nxc	var(txn.txnhost) -m str -i nextcloud.projectus.com.br
                    	http-request set-var(txn.txnpath) path
                    	http-request set-var(txn.txnhost) hdr(host)
                    	http-request redirect location /TimeSheet/faces/login.xhtml  if  rootrequested time-sheet 
                    	http-request redirect location /SistemaQSMS/  if  rootrequested qsms 
                    	http-request redirect location /Treinamento/  if  rootrequested treinamento 
                    	http-request redirect location /Proposta/  if  rootrequested proposta 
                    	http-request redirect location /Chamado/  if  rootrequested chamado 
                    	http-request redirect location /PesquisaClima/  if  rootrequested pesquisa 
                    	http-request redirect location /PesquisaClimaCE/  if  rootrequested pesquisa-ce 
                    	http-response add-header Content-Security-Policy upgrade-insecure-requests  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce !nxc 
                    	use_backend HA_Sistemas-45-14_80-www_ipvANY  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce 
                    	use_backend HA_Sistemas_40-245_443-nxc_ipvANY  if  !nxc 
                    	default_backend HA_Sistemas_43-235_8443_ipvANY
                    

                    I tried applying the settings as reported in your last message, but still have trouble redirecting to https://nextcloud.projectus.com

                    P 1 Reply Last reply Reply Quote 0
                    • P
                      PiBa @wesleylc1
                      last edited by

                      @wesleylc1
                      The settings in my message are exactly what you posted just to ask confirmation if that is what you currently had active. The settings are wrong indeed.

                      Try making them like this:

                      	use_backend HA_Sistemas-45-14_80-www_ipvANY  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce !nxc
                      	use_backend HA_Sistemas_40-245_443-nxc_ipvANY  if nxc 
                      	default_backend HA_Sistemas_43-235_8443_ipvANY
                      
                      1 Reply Last reply Reply Quote 0
                      • W
                        wesleylc1 Rebel Alliance
                        last edited by wesleylc1

                        @PiBa I set up according to your last message, but the problem persists, continuing to direct nextcloud.projectus.com.br to the main site of the company.

                        
                        frontend HA_Sistemas-https
                        	bind			189.20.108.xx:443 name 189.20.108.xx:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list  
                        	bind			187.75.209.xxx:443 name 187.75.209.xxx:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list  
                        	mode			http
                        	log			global
                        	option			log-separate-errors
                        	option			httplog
                        	option			http-keep-alive
                        	timeout client		300000
                        	acl			rootrequested	var(txn.txnpath) -m str -i /
                        	acl			time-sheet	var(txn.txnhost) -m str -i time-sheet.projectus.com.br
                        	acl			qsms	var(txn.txnhost) -m str -i qsms.projectus.com.br
                        	acl			treinamento	var(txn.txnhost) -m str -i treinamento.projectus.com.br
                        	acl			proposta	var(txn.txnhost) -m str -i proposta.projectus.com.br
                        	acl			chamado	var(txn.txnhost) -m str -i chamado.projectus.com.br
                        	acl			pesquisa	var(txn.txnhost) -m str -i pesquisa.projectus.com.br
                        	acl			pesquisa-ce	var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
                        	acl			nxc	var(txn.txnhost) -m str -i  nextcloud.projectus.com.br
                        	http-request set-var(txn.txnpath) path
                        	http-request set-var(txn.txnhost) hdr(host)
                        	http-request redirect location /TimeSheet/faces/login.xhtml  if  rootrequested time-sheet 
                        	http-request redirect location /SistemaQSMS/  if  rootrequested qsms 
                        	http-request redirect location /Treinamento/  if  rootrequested treinamento 
                        	http-request redirect location /Proposta/  if  rootrequested proposta 
                        	http-request redirect location /Chamado/  if  rootrequested chamado 
                        	http-request redirect location /PesquisaClima/  if  rootrequested pesquisa 
                        	http-request redirect location /PesquisaClimaCE/  if  rootrequested pesquisa-ce 
                        	http-request redirect location /login  if  rootrequested nxc 
                        	http-response add-header Content-Security-Policy upgrade-insecure-requests  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce 
                        	use_backend HA_Sistemas-45-14_80-www_ipvANY  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce !nxc 
                        	use_backend HA_Sistemas_40-245_443-nxc_ipvANY  if  nxc 
                        	default_backend HA_Sistemas_43-235_8443_ipvANY
                        

                        company website projectus.com.br
                        projectus.png

                        site "nextcloud" nextcloud.projectus.com.br

                        nextcloud.png

                        P 1 Reply Last reply Reply Quote 0
                        • P
                          PiBa @wesleylc1
                          last edited by

                          @wesleylc1
                          Seems to me that https://nextcloud.projectus.com.br/ is working just fine..? Can you confirm that?

                          Perhaps you have another frontend that is listening on :80 that is sending a wrong redirect?

                          W 1 Reply Last reply Reply Quote 0
                          • W
                            wesleylc1 Rebel Alliance @PiBa
                            last edited by wesleylc1

                            @PiBa redirection occurs, but leading to the wrong page, I have another frontend that responds to requests on port: 80.
                            Port Front End Settings: 80

                            frontend HA_Sistemas-http
                            	bind			189.20.108.xx:80 name 189.20.108.xx:80   
                            	bind			187.75.209.xxx:80 name 187.75.209.xxx:80   
                            	mode			http
                            	log			global
                            	option			log-separate-errors
                            	option			httplog
                            	option			http-keep-alive
                            	timeout client		30000
                            	acl			projectus	var(txn.txnhost) -m str -i projectus.com.br
                            	acl			projectus	var(txn.txnhost) -m str -i www.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i time-sheet.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i treinamento-qsms.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i qsms.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i proposta.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i treinamento.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i chamado.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i  pesquisa.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
                            	acl			cadcae	var(txn.txnhost) -m str -i www.cadcae.projectus.com.br
                            	acl			cadcae	var(txn.txnhost) -m str -i cadcae.projectus.com.br
                            	acl			rh	var(txn.txnhost) -m str -i rh.projectus.com.br
                            	http-request set-var(txn.txnhost) hdr(host)
                            	http-request redirect scheme https  if  redirect-to-SSL 
                            	http-request redirect location http://www.projectus.com.br  if  !projectus !cadcae !rh 
                            	use_backend HA_Sistemas-45-14_80-www_ipvANY  if  projectus 
                            	use_backend HA_Sistemas_43-70_80-ged_ipvANY  if  cadcae 
                            	use_backend HA_Sistemas_42-226_80-rh_ipvANY  if  rh 
                            
                            • It worked after creating the "nextcloud.projectus.com.br" ACL
                            	acl			projectus	var(txn.txnhost) -m str -i projectus.com.br
                            	acl			projectus	var(txn.txnhost) -m str -i www.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i time-sheet.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i treinamento-qsms.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i qsms.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i proposta.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i treinamento.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i chamado.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i  pesquisa.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
                            	acl			redirect-to-SSL	var(txn.txnhost) -m str -i nextcloud.projectus.com.br
                            	acl			cadcae	var(txn.txnhost) -m str -i www.cadcae.projectus.com.br
                            	acl			cadcae	var(txn.txnhost) -m str -i cadcae.projectus.com.br
                            	acl			rh	var(txn.txnhost) -m str -i rh.projectus.com.br
                            
                            1 Reply Last reply Reply Quote 0
                            • W
                              wesleylc1 Rebel Alliance
                              last edited by wesleylc1

                              @PiBa can you explain to me, why the backen only focused up after using the setting "HTTP / 1.1 \ r \ nHost: \ nextcloud.projectus.com.br"?

                              Captura de tela de 2019-09-19 16-37-12.png

                              P 1 Reply Last reply Reply Quote 0
                              • P
                                PiBa @wesleylc1
                                last edited by

                                @wesleylc1
                                Can you tell me why your nginx configuration requires the host header to be send in requests?

                                W 2 Replies Last reply Reply Quote 0
                                • W
                                  wesleylc1 Rebel Alliance @PiBa
                                  last edited by

                                  @PiBa I really don't know why ngix requires the header to be sent on requests; I followed an Internet totorial to deploy "nextcloud" using nginx. Can you open the link to try to help me understand?

                                  How to Install NextCloud on Ubuntu 18.04 with Nginx (LEMP Stack)

                                  1 Reply Last reply Reply Quote 0
                                  • W
                                    wesleylc1 Rebel Alliance @PiBa
                                    last edited by

                                    @PiBa Hi man, these were the answers I found about your question.

                                    In order to figure out which virtual host to use, I think

                                    This causes you to go to the default_server host_server

                                    P 1 Reply Last reply Reply Quote 0
                                    • P
                                      PiBa @wesleylc1
                                      last edited by

                                      @wesleylc1
                                      Then it seems you have answered your question why the host header must be send in checks 👍 . HAProxy's health-checks by default do not send this header and your nginx configuration needs it to find the correct virtual host with the server_name configuration. The 'default virtual host' likely returns the 400 response status. Its nice to know that doing some research and actually understanding how things work you can succeed with fishing without needing other people to give you the fish, that will definitely help with future diagnosing of issues.

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.