Netgate Discussion Forum

    HAproxy Settings error

      gschmidt

      Hi,

      pfSense 2.5.0
      When I try to enable HAproxy (2.2.6-3709bd4) after configuring the settings page, I get the following error:

      [warning] 064/160157 (64125) : can't open global server state file '/tmp/haproxy_server_state': no such file or directory

      I have set port 2200 as Internal stats port

      Why does this happen and is there a solution for it?

        PiBa @gschmidt

        @gschmidt
        It's a 'warning', not an 'error'. HAProxy should start up fine despite that warning. The reason is that no 'state' was saved when the previous haproxy was running. Though on a 'fresh' start that is never the case, I guess. A solution could be to change the code to only load server states if the file is actually present. But once you're up and running, it should never show again when changing configurations, as during restarts the states are first saved and then haproxy is 'reloaded'.

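The save-then-reload order and the "only load server states if the file is present" idea from the reply above, as an added shell example. It is not the pfSense package's code; the stats socket path, the function names and the use of `socat` are assumptions, while the state file path is the one from the warning.

```shell
#!/bin/sh
# Added example: guard HAProxy's server-state loading on the file existing.

STATE_FILE="${STATE_FILE:-/tmp/haproxy_server_state}"  # path from the warning
STATS_SOCKET="${STATS_SOCKET:-/tmp/haproxy.socket}"    # assumed socket path

# Dump the running server states through the stats socket before a reload.
# The dump goes to a temp file first, so a failed or empty dump never
# replaces a good state file with a truncated one.
save_server_state() {
    [ -S "$STATS_SOCKET" ] || return 1
    tmp="${STATE_FILE}.$$"
    if echo "show servers state" \
        | socat stdio "unix-connect:$STATS_SOCKET" > "$tmp" \
        && [ -s "$tmp" ]; then
        mv "$tmp" "$STATE_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Emit the state-related configuration lines. The load directive is written
# only when a non-empty state file exists, so a first start does not log
# "can't open global server state file".
render_state_config() {
    echo "global"
    echo "    server-state-file $STATE_FILE"
    echo "defaults"
    if [ -s "$STATE_FILE" ]; then
        echo "    load-server-state-from-file global"
    fi
}
```

On a reload, `save_server_state` would run first and `render_state_config` second, so the directive appears from the first reload onwards.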
          gschmidt @PiBa

          @piba

          Understood...thanx!

            gschmidt

            @PiBa

            Hi,

            I have read that it is wise when opening ports 80 and 443 for HAproxy, to change the port or disable the redirect rule of the pfSense webgui.

            If I check the “Disable webConfigurator redirect rule” in advanced settings, am I still able to access the pfSense web app inside my network (LAN)? Just to be sure that I don’t lock myself out of pfSense.

              PiBa @gschmidt

              @gschmidt

              IMHO it's wise to change the port and disable the redirect rule of the pfSense webgui.

              After that, http://pfsense won't work anymore.
              And if the port is changed to, for example, 444, then https://pfsense/ won't work either, but https://pfsense:444/ should work fine.

              And to avoid losing access to the webgui completely, make sure you have SSH access; that would allow you to undo changes and reboot if for some unknown reason the webgui access stops working.

                gschmidt @PiBa

                @piba

                I have tested this and I can still access pfSense from the LAN side. SSH was already enabled

                Update: I didn't read your reply well enough "change the port and disable the redirect rule"
                To which port do you refer? The WAN port for anti-lockout?

                  PiBa @gschmidt

                  @gschmidt said in HAproxy Settings error:

                  To which port do you refer?

                  In the menu: System/Advanced/Admin Access
                  The setting: "TCP port"

                  After changing that the anti lockout should automatically change as well..

                    gschmidt @PiBa

                    @piba
                    Yesterday I already created the following rules for HAproxy (online tutorial). The example below is for the HTTPS 443 port, but I have also created it for the HTTP 80 port.

                    [screenshot of the rules]

                    So if I set a port number in the System/Advanced/Admin Access/TCP field, e.g. 8010, the LAN anti lock-out port will become 8010?
                    Or do I need to create a rule first for port 8010 which matches the port in the TCP field?

                    I have read some issues of people locking themselves out...just wanna be cautious.

                      PiBa @gschmidt

                      @gschmidt
                      To be cautious you could:
                      - manually create a rule that allows 8010
                      - change the webgui TCP port
                      - check the anti-lockout also changed
                      - remove the manual rule
                      I can't imagine it going wrong that way, even if the anti-lockout rule update lags a little..
                      and adding rules to allow access to haproxy's frontend ports as desired..

                        gschmidt @PiBa

                        @piba

                        I followed the steps and this is the result (after removing the cautious rule)
                        Used port 10443:

                        [screenshot of the result]

                        The anti lock-out rules on the WAN side are removed

                        But to log in to pfSense, I need to add the port: 192.168.X.X:10433
                        The port number was previously not necessary, is this correct?

                          PiBa @gschmidt

                          @gschmidt
                          Yes, when running a webgui/website on a non-standard port, it must be specified in the browser..

                            gschmidt @PiBa

                            @piba

                            Thanx for the help man!

                            Now, yesterday I have already tested a bit with a backend and frontend, but I ran into problems...I will create a new issue to explain what I want to achieve and what errors I ran into

                            (without the above settings and rules, I guess besides safety this doesn't affect the workability of ACME/HAproxy?)
