HAProxy gives me a 503 error on HTTPS



  • Hello everyone!

    I currently use HAProxy to serve the content of 2 web servers.
    It works perfectly well over HTTP, but as soon as I try to access one of these servers over HTTPS, I immediately get a 503 error…

    Here is the configuration of my HTTPS frontend and backend.

    Thanks for your help!
    ![gulczynski.stairwaytoweb.fr - Services HAProxy Frontend Edit - Mozilla Firefox.jpg](/public/imported_attachments/1/gulczynski.stairwaytoweb.fr - Services HAProxy Frontend Edit - Mozilla Firefox.jpg)
    ![gulczynski.stairwaytoweb.fr - Services HAProxy Backend Edit - Mozilla Firefox.jpg](/public/imported_attachments/1/gulczynski.stairwaytoweb.fr - Services HAProxy Backend Edit - Mozilla Firefox.jpg)
    ![gulczynski.stairwaytoweb.fr - Services HAProxy Backend Edit - Mozilla Firefox_2.jpg](/public/imported_attachments/1/gulczynski.stairwaytoweb.fr - Services HAProxy Backend Edit - Mozilla Firefox_2.jpg)



  • Hi,
    I had a similar issue, which was caused by the port used by the pfSense WebUI.

    Had you moved the pfSense WebUI away from port 443 before you set up HAProxy?



  • Hey,
    My pfSense WebUI uses port 44445. This was configured before the installation of HAProxy.



  • OK, great. Please give this a try: switch the monitoring of your backend from "http" to "basic". (Monitoring an HTTPS backend with http normally does not work.)



  • I've changed the monitoring like this, but the error still appears.

    ![gulczynski.stairwaytoweb.fr - Services HAProxy Backend Edit - Mozilla Firefox_3.jpg](/public/imported_attachments/1/gulczynski.stairwaytoweb.fr - Services HAProxy Backend Edit - Mozilla Firefox_3.jpg)



  • I can help you.
    Your problem is that you configured HAProxy wrong.



  • @DRago_Angel:

    I can help you.
    Your problem is that you configured HAProxy wrong.

    Hi,

    Where did I go wrong in this configuration?



  • OK,
    is your HTTPS backend shown as available in the HAProxy stats? (green bar)
    Are you using a proper certificate for your SSL offloading frontend? (Using the pfSense WebUI cert causes an "HTTP Strict Transport Security (HSTS)" error.)



  • My HTTPS backend is Down in the HAProxy stats.
    I'm using a Let's Encrypt certificate generated by ACME via my WebUI.
    Also, when I look at the logs, I see this error:

    Oct 20 15:54:43 haproxy[33792]: Health check for server Backend2-SSL_http_ipvANY/Webhost2SSL failed, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 0ms, status: 0/2 DOWN.

    ![gulczynski.stairwaytoweb.fr - Services HAProxy Stats - Mozilla Firefox_2.jpg](/public/imported_attachments/1/gulczynski.stairwaytoweb.fr - Services HAProxy Stats - Mozilla Firefox_2.jpg)



  • OK, skip the frontend cert.

    Your problem is caused by the offline backend. Unless the check is successful, you'll always get this 503.

    Just for debugging:

    • check if your backend web server is accessible from inside via HTTPS

    • if the web server is responding correctly over HTTPS, switch off the backend check (set the monitoring to none)



  • First, if you want more than one domain (site) to work on HAProxy on the same port, you need to create only one main frontend:
    multidomain_group
    If you want to use HTTPS all the time for all your domains, it is good practice to add at this level => Actions => http-response header set => name: Strict-Transport-Security fmt: max-age=15768000 => Condition acl names: left blank.
    Check the box "Don't log normal".
    Check the box "Use 'forwardfor' option".
    Check the box "Without client cert".
    Save.

    Second, you need to create a new sub-frontend:
    name it: some.domain.com
    Check the box "Shared Frontend".
    Choose multidomain_group from the list.
    Access Control lists =>
    => name: some.domain.com
    => expression: host matches
    => value: some.domain.com

    Actions => Use backend => some.domain.com.
    => Condition acl names: some.domain.com
    Default Backend: none!

    On the backend part:
    you need to check what the CA of your backend's HTTPS is. You can do it by adding the RootCA certificate to pfSense (look at the attachments). Or, if you do not really need it, simply use port 80 on the backend and use SSL offloading on HAProxy to add HTTPS. And please use Health check method: HTTP, it's the best choice, and maybe look at the Http check method: if you know which method your backend is blocking, you can change it to GET; this is more overhead but works better. Setting the check method to none is good only for testing purposes.

    ![Add CA to pfSensne.png](/public/imported_attachments/1/Add CA to pfSensne.png)
    ![Chose your CA.png](/public/imported_attachments/1/Chose your CA.png)



  • @oki:

    OK, skip the frontend cert.

    Your problem is caused by the offline backend. Unless the check is successful, you'll always get this 503.

    Just for debugging:

    • check if your backend web server is accessible from inside via HTTPS

    • if the web server is responding correctly over HTTPS, switch off the backend check (set the monitoring to none)

    When I set the checks to none, my server goes UP, but I still encounter the 503 error (not instantly as before).



  • @DRago_Angel:

    First, if you want more than one domain (site) to work on HAProxy on the same port, you need to create only one main frontend:
    multidomain_group
    If you want to use HTTPS all the time for all your domains, it is good practice to add at this level => Actions => http-response header set => name: Strict-Transport-Security fmt: max-age=15768000 => Condition acl names: left blank.
    Check the box "Don't log normal".
    Check the box "Use 'forwardfor' option".
    Check the box "Without client cert".
    Save.

    Second, you need to create a new sub-frontend:
    name it: some.domain.com
    Check the box "Shared Frontend".
    Choose multidomain_group from the list.
    Access Control lists =>
    => name: some.domain.com
    => expression: host matches
    => value: some.domain.com

    Actions => Use backend => some.domain.com.
    => Condition acl names: some.domain.com
    Default Backend: none!

    On the backend part:
    you need to check what the CA of your backend's HTTPS is. You can do it by adding the RootCA certificate to pfSense (look at the attachments). Or, if you do not really need it, simply use port 80 on the backend and use SSL offloading on HAProxy to add HTTPS. And please use Health check method: HTTP, it's the best choice, and maybe look at the Http check method: if you know which method your backend is blocking, you can change it to GET; this is more overhead but works better. Setting the check method to none is good only for testing purposes.

    I need to use HTTPS only for this web application.
    The CA used by my pfSense is Let's Encrypt, the same as for my certificate issued by ACME for my web server.
    I tried to put my backend on port 80 with SSL offloading on the frontend, but I still encounter my problem.



  • In your current HAProxy setup (initial post), you do SSL offloading and then SSL encryption again towards your backend.

    1. Is your backend web server listening on https://10.10.10.52:443, and can you access the web server using HTTPS?
    2. When re-encryption is not needed in your LAN, switch "SSL off" for your backend and change the HAProxy backend to your HTTP listening port (maybe http://10.10.10.52:80?).
    3. Verify that the status of your backend is Up in HAProxy.
    4. If 1 to 3 are done successfully, verify that you are using the correct certificate for your frontend. (DO NOT USE the pfSense WebUI certificate, nor a (root) CA certificate.) You need to use an SSL web server certificate, as issued by Let's Encrypt.



  • @oki:

    In your current HAProxy setup (initial post), you do SSL offloading and then SSL encryption again towards your backend.

    1. Is your backend web server listening on https://10.10.10.52:443, and can you access the web server using HTTPS?
    2. When re-encryption is not needed in your LAN, switch "SSL off" for your backend and change the HAProxy backend to your HTTP listening port (maybe http://10.10.10.52:80?).
    3. Verify that the status of your backend is Up in HAProxy.
    4. If 1 to 3 are done successfully, verify that you are using the correct certificate for your frontend. (DO NOT USE the pfSense WebUI certificate, nor a (root) CA certificate.) You need to use an SSL web server certificate, as issued by Let's Encrypt.

    It works like a charm when I switch SSL off on my backend and change my HTTP listening port to 80!
    I also put the verification method back to HTTP.
    I'm doing more extensive functional tests tonight and I'll get back to you and DRago_Angel!
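The two backend setups discussed in this thread, written out as a raw haproxy.cfg rather than the pfSense GUI: the working one (TLS terminated at HAProxy, plain HTTP to the backend, as in the final post) and the re-encrypting one whose health check produces "Layer6 invalid response, SSL handshake failure" when HAProxy cannot complete a TLS handshake with the backend. This is an added example, not the thread's pfSense-generated configuration; the certificate path, CA bundle path and server names are assumptions, while 10.10.10.52 and some.domain.com come from the thread.

```haproxy
# Constructed example; paths and names are placeholders, not from the thread.
global
    log /dev/log local0

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Shared frontend: TLS is terminated here (SSL offloading) with a
# Let's Encrypt *server* certificate, not the pfSense WebUI or CA cert.
frontend multidomain_group
    bind *:443 ssl crt /etc/haproxy/certs/some.domain.com.pem
    option forwardfor
    # HSTS as suggested by DRago_Angel (same max-age as in the thread)
    http-response set-header Strict-Transport-Security max-age=15768000
    acl host_some_domain hdr(host) -i some.domain.com
    use_backend some.domain.com if host_some_domain
    # no default_backend: an unmatched Host header gets a 503, never another site

# Working variant (what resolved the thread): HAProxy talks plain HTTP to the
# backend on port 80 and the HTTP health check marks it UP.
backend some.domain.com
    option httpchk GET /
    server Webhost2 10.10.10.52:80 check

# Re-encrypting variant: HAProxy opens a new TLS session to the backend, so the
# health check must speak TLS too and the backend's chain must validate against
# the CA bundle. When that handshake fails, the stats page shows DOWN with
# "SSL handshake failure" and every client request answers 503.
backend some.domain.com-reencrypt
    option httpchk GET /
    server Webhost2SSL 10.10.10.52:443 check ssl verify required \
        ca-file /etc/ssl/certs/ca-certificates.crt \
        sni str(some.domain.com) check-sni some.domain.com
```

With the re-encrypting backend, `verify required` plus a CA bundle is what makes HAProxy actually authenticate the backend; dropping it to `verify none` hides a handshake failure caused by an untrusted chain but not one caused by the backend not speaking TLS on that port at all.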

