HAProxy stooped after upgrade



  • A little background. I've been happily using pfsense and learning a lot.
    I've been using HAProxy for quite some time without issue. But now it has completely stopped working, so I'll include the config.
    It stopped after upgrade of HAProxy and pfsense to the newest versions. Thanks. If any of the code layout is wrong it was from renaming the domain.

    # Automaticaly generated, dont edit manually.
    # Generated on: 2019-04-11 07:11
    # Process-wide settings: connection limit, runtime socket, privilege drop
    # and the TLS defaults inherited by every "bind ... ssl" line.
    global
    	maxconn			100
    	# Runtime API socket opened at admin level: a local process that can open
    	# this path can change server state. No mode/user/group is set on this
    	# line, so access depends on the socket file's permissions under /tmp.
    	# NOTE(review): confirm who can reach /tmp/haproxy.socket on this box.
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	# Drop privileges to uid/gid 80 after startup.
    	uid			80
    	gid			80
    	nbproc			1
    	nbthread			1
    	hard-stop-after		15m
    	# Confine the running process to this directory.
    	chroot				/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	2048
    	server-state-file /tmp/haproxy_server_state
    	# Default cipher list for TLS bind lines. It is AEAD-first but still
    	# admits CBC/SHA-1 and DHE-DSS suites. No ssl-default-bind-options line
    	# is present, so the minimum protocol version is whatever the installed
    	# HAProxy/OpenSSL build defaults to.
    	# NOTE(review): verify which TLS versions are actually offered.
    	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    	# Repeats the DH parameter size already set a few lines above.
    	tune.ssl.default-dh-param 2048
    	
    	# Time-to-first-Byte (TTFB) value needs to be optimized based on
    	# the actual public certificate chain see
    	# https://www.igvita.com/2013/10/24
    	# /optimizing-tls-record-size-and-buffering-latency/
    	tune.ssl.maxrecord 1370
    
    # Statistics page served over plain HTTP on the loopback interface only.
    listen HAProxyLocalStats
    	bind 127.0.0.1:444 name localstats
    	mode http
    	stats enable
    	# Admin actions are allowed for every request ("if TRUE") and no
    	# "stats auth" line is present: the loopback bind is the only access
    	# control, so anything on this host that can connect to 127.0.0.1:444
    	# can use the admin functions.
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    # TLS-terminating frontend on 2.1.2.1:443 that selects a backend from the
    # request's Host header. No source-address or authentication rule appears
    # in this frontend, so every routed application is protected only by its
    # own login.
    # NOTE(review): if this address is internet-facing, confirm that exposure
    # is intended for the remote-access and admin-type names (vnc, vpn, rdp,
    # torrent).
    frontend shared-frontend-merged
    	bind			2.1.2.1:443 name 2.1.2.1:443   ssl crt-list /var/etc/haproxy/shared-frontend.crt_list  
    	mode			http
    	log			global
    	option			http-keep-alive
    	# Appends the client address as X-Forwarded-For. A value already sent by
    	# the client is not removed here, so backends should trust only the last
    	# entry.
    	option			forwardfor
    	acl https ssl_fc
    	# set-header replaces any X-Forwarded-Proto supplied by the client.
    	http-request set-header		X-Forwarded-Proto http if !https
    	http-request set-header		X-Forwarded-Proto https if https
    	timeout client		70000
    	# Remove headers that expose security-sensitive information.
    	# rspidel is a legacy response-rewrite directive; HAProxy 2.1 and later
    	# no longer accept it ("http-response del-header" is the replacement).
    	# NOTE(review): check which HAProxy version the upgraded package ships.
    	rspidel ^Server:.*$
    	rspidel ^X-Powered-By:.*$
    	rspidel ^X-AspNet-Version:.*$
    	# Routing ACLs: "-m str -i" is a case-insensitive match on the whole
    	# stored Host value, so a Host that carries an explicit port does not
    	# match these.
    	acl			plexpass	var(txn.txnhost) -m str -i plexpass.domain.com
    	acl			nextcloud	var(txn.txnhost) -m str -i nextcloud.domain.com
    	acl			tautulli	var(txn.txnhost) -m str -i tautulli.domain.com
    	acl			onlyoffice	var(txn.txnhost) -m str -i onlyoffice.domain.com
    	acl			ombi	var(txn.txnhost) -m str -i ombi.domain.com
    	acl			community	var(txn.txnhost) -m str -i community.domain.com
    	acl			sonarr	var(txn.txnhost) -m str -i sonarr.domain.com
    	acl			couchpotato	var(txn.txnhost) -m str -i couchpotato.domain.com
    	acl			torrent	var(txn.txnhost) -m str -i torrent.domain.com
    	acl			homelab	var(txn.txnhost) -m str -i homelab.domain.com
    	acl			radarr	var(txn.txnhost) -m str -i radarr.domain.com
    	# ACL is named "ladarr" but matches lidarr.domain.com; the use_backend
    	# rule below refers to the same name, so the two stay consistent.
    	acl			ladarr	var(txn.txnhost) -m str -i lidarr.domain.com
    	acl			emby	var(txn.txnhost) -m str -i emby.domain.com
    	acl			vnc	var(txn.txnhost) -m str -i vnc.domain.com
    	acl			vpn	var(txn.txnhost) -m str -i vpn.domain.com
    	acl			rdp	var(txn.txnhost) -m str -i rdp.domain.com
    	# Host patterns (optional port allowed) collected under one ACL name.
    	# No rule in this listing references aclcrt_shared-frontend.
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^pfsense\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^community\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^couchpotato\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^homelab\.domain\.com(:([0-9]){1,5})?$
    	# NOTE(review): "pdomain" is presumably a leftover from anonymising the
    	# hostnames (the poster mentions renaming the domain).
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^lidarr\.pdomain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^nextcloud\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^ombi\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^onlyoffice\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^plexpass\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^radarr\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^sonarr\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^tautulli\.domain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_shared-frontend	var(txn.txnhost) -m reg -i ^torrent\.domain\.com(:([0-9]){1,5})?$
    	# Store the Host header in txn.txnhost, the variable every ACL above reads.
    	http-request set-var(txn.txnhost) hdr(host)
    	# One backend per matched host. There is no default_backend, so a request
    	# whose Host matches none of these rules is not forwarded anywhere.
    	use_backend nextcloud_ipvANY  if  nextcloud 
    	use_backend plexpass_ipvANY  if  plexpass 
    	use_backend tautulli_ipvANY  if  tautulli 
    	use_backend onlyoffice_ipvANY  if  onlyoffice 
    	use_backend ombi_ipvANY  if  ombi 
    	use_backend community_ipvANY  if  community 
    	use_backend sonarr_ipvANY  if  sonarr 
    	use_backend couchpotato_ipvANY  if  couchpotato 
    	use_backend torrent_ipvANY  if  torrent 
    	use_backend homelab_ipvANY  if  homelab 
    	use_backend Radarr_ipvANY  if  radarr 
    	use_backend Lidarr_ipvANY  if  ladarr 
    	use_backend Emby_ipvANY  if  emby 
    	use_backend vnc_ipvANY  if  vnc 
    	use_backend vpn_ipvANY  if  vpn 
    	use_backend rpd_ipvANY  if  rdp 
    
    # Plain-HTTP listener on port 80 with no backend: every request is
    # answered with a redirect to the https scheme.
    frontend http-https-frontend
    	bind			2.1.2.1:80 name 2.1.2.1:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	http-request redirect scheme https 
    
    # The backends from nextcloud_ipvANY to couchpotato_ipvANY share one shape:
    # traffic is forwarded as plain HTTP (no "ssl" on the server line) to a
    # single 192.168.102.x server. "check inter 1000" with no "option httpchk"
    # is a TCP connect probe every 1000 ms, so "up" on the stats page only
    # means the port accepts connections, not that the application answers.
    backend nextcloud_ipvANY
    	mode			http
    	id			102
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			nextcloud 192.168.102.212:80 id 104 check inter 1000  
    
    backend plexpass_ipvANY
    	mode			http
    	id			100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			plexpass 192.168.102.104:32400 id 101 check inter 1000  
    
    backend tautulli_ipvANY
    	mode			http
    	id			105
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			tautulli 192.168.102.104:8181 id 103 check inter 1000  
    
    backend onlyoffice_ipvANY
    	mode			http
    	id			106
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			onlyoffice 192.168.102.218:80 id 103 check inter 1000  
    
    backend ombi_ipvANY
    	mode			http
    	id			107
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			ombi 192.168.102.104:3579 id 103 check inter 1000  
    
    backend community_ipvANY
    	mode			http
    	id			108
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			community 192.168.102.219:80 id 103 check inter 1000  
    
    backend sonarr_ipvANY
    	mode			http
    	id			109
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			sonarr 192.168.102.104:8989 id 103 check inter 1000  
    
    backend couchpotato_ipvANY
    	mode			http
    	id			110
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			couchpotato 192.168.102.219:5050 id 103 check inter 1000  
    
    # The only backend in this listing that uses TLS towards its server.
    backend torrent_ipvANY
    	mode			http
    	id			111
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	# "ssl ... verify none" encrypts the hop but does not validate the
    	# server certificate, so the proxy cannot tell the real server from an
    	# impostor on the LAN. Validating would need "verify required" plus a
    	# "ca-file" for the server's issuer.
    	server			torrent 192.168.102.106:8181 id 103 ssl check-ssl check inter 1000  verify none 
    
    # The backends from homelab_ipvANY to Emby_ipvANY all forward plain HTTP to
    # 192.168.102.104 on different ports. "check inter 1000" with no
    # "option httpchk" is a TCP connect probe every 1000 ms, so "up" on the
    # stats page only means the port accepts connections.
    backend homelab_ipvANY
    	mode			http
    	id			112
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			homelab 192.168.102.104:80 id 103 check inter 1000  
    
    backend Radarr_ipvANY
    	mode			http
    	id			113
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			radarr 192.168.102.104:7878 id 103 check inter 1000  
    
    backend Lidarr_ipvANY
    	mode			http
    	id			114
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			lidarr 192.168.102.104:8686 id 103 check inter 1000  
    
    backend Emby_ipvANY
    	mode			http
    	id			115
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			emby 192.168.102.104:8096 id 103 check inter 1000  
    
    # HTTP-mode backend for the vnc hostname.
    # NOTE(review): port 5900 is conventionally VNC (RFB), which is not HTTP, so
    # "mode http" would not carry it unless an HTTP/web client is actually
    # listening there. The server line is named "emby" and is identical to the
    # ones in vpn_ipvANY and rpd_ipvANY, which looks like a copied entry.
    backend vnc_ipvANY
    	mode			http
    	id			116
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			emby 192.168.102.107:5900 id 103 check inter 1000  
    # NOTE(review): the next line is not an HAProxy directive. The poster says
    # layout glitches come from renaming the domain, so it is presumably an
    # anonymisation leftover; if it were in the real file the parser would
    # reject it.
    domain.com
    # HTTP-mode backend for the vpn hostname.
    # NOTE(review): the server line (name "emby", 192.168.102.107:5900) is the
    # same as in vnc_ipvANY and rpd_ipvANY, which looks like a copied entry.
    # Confirm the intended target and whether the service speaks HTTP at all.
    backend vpn_ipvANY
    	mode			http
    	id			117
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			emby 192.168.102.107:5900 id 103 check inter 1000  
    
    # HTTP-mode backend selected by the "rdp" ACL. The backend is spelled
    # "rpd", and the use_backend rule uses the same spelling.
    # NOTE(review): the server line (name "emby", 192.168.102.107:5900) is the
    # same as in vnc_ipvANY and vpn_ipvANY, and RDP itself is not an HTTP
    # protocol. Confirm the intended target before exposing this name.
    backend rpd_ipvANY
    	mode			http
    	id			118
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			emby 192.168.102.107:5900 id 103 check inter 1000
    


  • @treybeatty
    Can you define what 'stooped' means exactly?

    • Error while starting haproxy?
    • Haproxy starts and stats page works, but client traffic does not reach the (web)servers ?
    1. Any error message shown in the browser?
    2. Can you 'curl' to haproxy locally on the pfSense box itself?
    3. Does the stats page show the (web)servers as 'up' ?
