[solved] backend server nginx down HAProxy

dragoangel · Sep 13, 2019, 9:13 PM

@wesleylc1 it will at least help you understand how it works. And latter you can configure second test backend with ssl. But in any case: redirects to subdomain, another protocol better be done on proxy, not on backend. And http2 is useless on backend - haproxy will use http1.1 when speaking with backend but will give h2 to end clients if you configure it on Frontend binding.

wesleylc1 · Sep 13, 2019, 9:14 PM

@dragoangel As shown, my backend is already pointing to port 443 and selecting the SSL check box.

dragoangel · Sep 13, 2019, 9:18 PM

@wesleylc1 Lol red line on ipv4 192.168.x.x, funny. Why cares, you mentioned public domain (https://nextcloud.projectus.com.br), but masked private ip? Ok. And what haproxy status you now see on backend ?

wesleylc1 · Sep 13, 2019, 9:20 PM

@dragoangel lol lol 502 Bad Gateway

dragoangel · Sep 13, 2019, 9:24 PM

@wesleylc1 Why at bottom writed Ubuntu...? You go to haproxy or to nginx and see this?.. In any case: go to nginx straight and check you backend first. It eork? If yes - then fix your healthcheck. If it still not work add header host on backend config of haproxy in case you have in nginx multiple domains on same port-cert

wesleylc1 · Sep 16, 2019, 2:57 PM

Hi guys, I set up https internally on the nginx server, already responding to https requests on nextcloud.projectus.com.br, now I'm trying to apply backend settings to my front end, which is already configured to use port 443, but my The backend displays the error "L7STS / 400 in 46ms".

front end settings

frontend HA_Sistemas-https
	bind			189.20.108.xx:443 name 189.20.108.xx:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list  
	bind			187.75.209.2xx:443 name 187.75.209.xx:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list  
	mode			http
	log			global
	option			log-separate-errors
	option			httplog
	option			http-keep-alive
	timeout client		300000
	acl			rootrequested	var(txn.txnpath) -m str -i /
	acl			time-sheet	var(txn.txnhost) -m str -i time-sheet.projectus.com.br
	acl			qsms	var(txn.txnhost) -m str -i qsms.projectus.com.br
	acl			treinamento	var(txn.txnhost) -m str -i treinamento.projectus.com.br
	acl			proposta	var(txn.txnhost) -m str -i proposta.projectus.com.br
	acl			chamado	var(txn.txnhost) -m str -i chamado.projectus.com.br
	acl			pesquisa	var(txn.txnhost) -m str -i pesquisa.projectus.com.br
	acl			pesquisa-ce	var(txn.txnhost) -m str -i pesquisa-ce.projectus.com.br
	acl			nextcloud	var(txn.txnhost) -m str -i nextcloud.projectus.com.br
	http-request set-var(txn.txnpath) path
	http-request set-var(txn.txnhost) hdr(host)
	http-request redirect location /TimeSheet/faces/login.xhtml  if  rootrequested time-sheet 
	http-request redirect location /SistemaQSMS/  if  rootrequested qsms 
	http-request redirect location /Treinamento/  if  rootrequested treinamento 
	http-request redirect location /Proposta/  if  rootrequested proposta 
	http-request redirect location /Chamado/  if  rootrequested chamado 
	http-request redirect location /PesquisaClima/  if  rootrequested pesquisa 
	http-request redirect location /PesquisaClimaCE/  if  rootrequested pesquisa-ce 
	http-response add-header Content-Security-Policy upgrade-insecure-requests  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce 
	use_backend HA_Sistemas-45-xx_80-www_ipvANY  if  !time-sheet !qsms !treinamento !proposta !chamado !pesquisa !pesquisa-ce 
	default_backend HA_Sistemas_40-xxx_443-nextcloud_ipvANY
	default_backend HA_Sistemas_43-xxx_8443_ipvANY

backend settings

backend HA_Sistemas_40-xxx_443-nextcloud_ipvANY
	mode			http
	id			109
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS / 
	server			nextcloud 192.168.40.xxx:443 id 108 ssl check inter 1000  verify none

best regards,
Wesley Santos

dragoangel · Sep 16, 2019, 5:30 PM

@wesleylc1 Try disable healthchecks for beginning

wesleylc1 · Sep 16, 2019, 5:37 PM

@dragoangel How do I disable health checks?

Would it be as in the picture?

dragoangel · Sep 16, 2019, 5:43 PM

@wesleylc1 yes. That it. Try opening you frontend domain

wesleylc1 · Sep 16, 2019, 5:45 PM

@dragoangel No external access yet.

dragoangel · Sep 16, 2019, 5:54 PM

@wesleylc1 No big matter, open internal haproxy address. Align your pc /etc/hosts file to resolve domain for test, or use unbound for point to internal ip, or etc

wesleylc1 · Sep 16, 2019, 6:05 PM

@dragoangel internally it is accessible to the web page through the https protocol.

I even set the line below on my network gateway.

best regards,
Wesley Santos

dragoangel · Sep 16, 2019, 6:10 PM

@wesleylc1 You accessing nginx or haproxy now? Print nslookup domain.com output plz

wesleylc1 · Sep 16, 2019, 6:29 PM

@dragoangel This access is being made from my LAN subnet, below the nslookup output.

nslookup nextcloud.projectus.com.br
Server:		192.168.45.11
Address:	192.168.45.11#53

Non-authoritative answer:
Name:	nextcloud.projectus.com.br
Address: 189.20.108.xx

best regards,
Wesley Santos

dragoangel · Sep 16, 2019, 6:54 PM

hm... you said that you access it locally, but domain resolving goes to public IP

wesleylc1 · Sep 16, 2019, 7:01 PM

The resolution is pointing to the public IP, because my DNS provider is external.

dragoangel · Sep 16, 2019, 7:01 PM

@dragoangel said in backend server nginx down HAProxy:

You accessing nginx or haproxy now

You accessing nginx or haproxy now??

wesleylc1 · Sep 16, 2019, 7:10 PM

I do not understand, can you explain again?

dragoangel · Sep 16, 2019, 7:13 PM

facepalm.

@wesleylc1 said in backend server nginx down HAProxy:

@dragoangel internally it is accessible to the web page through the https protocol.

You opened connection to NGINX or HAproxy?? Try change healthchecks to GET /

wesleylc1 · Sep 16, 2019, 7:31 PM

@dragoangel My problem may be that my front end already uses another default backend?

I had already made changes from OPTIONS to GET and HEAD, for example, using https there was no success, already using http went well.