503 Service Unavailable

jmorfali

Hello,

I am trying to configure Haproxy on Pfsense which has two backend web servers. In /servcies/Haproxy/Stats/ the servers are present and working. My file: /var/log/haproxy.log/ is empty..... I do not know why, but I always arrive on a page: 503 Service Unavailable when I try to access a web page on one of the servers in backend. Here is my file: /var/etc/haproxy/haproxy.cfg

Automaticaly generated, dont edit manually.

Generated on: 2020-05-13 17:03

global
maxconn 100000
log /var/log/jm syslog info
stats socket /tmp/haproxy.socket level admin expose-fd listeners
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
log-send-hostname haproxy1
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats refresh 4
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend Shared-frontend-merged
bind 51.79.9.180:443 name 51.79.9.180:443 ssl crt-list /var/etc/haproxy/Shared-frontend.crt_list
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl aclcrt_Shared-frontend var(txn.txnhost) -m reg -i ^bravad-dev5.com(:([0-9]){1,5})?$
acl Prod1 var(txn.txnhost) -m str -i bravad-dev5.com
http-request set-var(txn.txnhost) hdr(host)
use_backend OVHPHP_ipv4 if Prod1

Thx!

PiBa

@jmorfali
How is the backend configured? Healthchecks enabled an show in stats as up? no transparent-client-ip used?

jmorfali

Hello @PiBa,

Thank you for your answer. Here is the configuration of my backend:

PiBa

@jmorfali
Can you disable the TransparentClientIP feature? See if that resolves anything? Do the webservers use pfSense as their default route? (to make sure reply traffic passed back through pfsense>haproxy )

jmorfali

@PiBa
Actually that solves the problem if I disable the TransparentClientIP feature. Thank you! But, how am I going to see the client's IP address on my backend servers?

thank you very much

PiBa

@jmorfali
Do the webservers use pfSense as their default route?
If not then the 'transparent' option is out the window..

There are basically 3 options then to achieve it:

• TransparentClientIP (possible for all TCP protocols, but does require the webservers default-route and reply traffic back through pfSense..) Seems your environment doesn't currently meet these requirements..
• HTTP-forward-for-header (requires that haproxy is operating in http mode so it can insert the http-header, also requires to configure the webserver to use this header for its logging and other actions inside the web application..)
• Proxy-Protocol (can be used with all TCP protocols but does require that the target server is configured to understand this protocol..) https://www.haproxy.com/blog/haproxy/proxy-protocol/ not a lot of 'server applications' are ready to receive this but some can..