Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Cloudflare HTTP 522 with HaProxy

    Scheduled Pinned Locked Moved Cache/Proxy
    6 Posts 2 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • tn1rpi3T
      tn1rpi3
      last edited by

      Dear all

      I'm running HaProxy 0.59_1 on pfsense 2.4.4_3 (i5, 16GB RAM, SSD).
      The sites are set up on various LXD VMs (hardware also i5, 16GB RAM, SSD).
      DNS: Cloudflare
      Web hosting: self (static public IP)

      The sites tested OK locally but via WAN
      I can't get rid of Cloudflare's HTTP error 522. ('reachable, but response too slow')

      I'm not sure if my HaProxy config is correct. (please see enclosed file)
      Any suggestions welcome.

      Thanks a bunch!
      HaProxy settings_(line_ending_WIN).txt

      P 1 Reply Last reply Reply Quote 0
      • P
        PiBa @tn1rpi3
        last edited by

        @tn1rpi3
        Nice manual config writeout.. though can you please include the haproxy.cfg from the bottom of the haproxy settings tab? It shows the 'actual' config used by haproxy, and should show if there are any 'logic errors' in the configuration and how the package combined the different (shared)frontend into 1 config file. Usually easier (for me at least) to make suggestions from there..

        Reading your writeout, it seems that you have 1 certificate for all websites, and thats okay, but i dont see you write any manually created acl's to check before the 'action use-backend ' is performed..? I guess haproxy is likely sending all traffic to the same backend as a result.. But anyhow, the haproxy.conf should show such missing 'logic rules'.

        1 Reply Last reply Reply Quote 0
        • tn1rpi3T
          tn1rpi3
          last edited by

          @PiBa said in Cloudflare HTTP 522 with HaProxy:

          haproxy.conf

          Thanks for taking the time to sift through it. -
          You're right about acl's. There are none in the current config.

          Here's haproxy.cfg (renamed it to '.txt' for the upload to succeed).
          A brief look at it confirms that the lines referring to 'acl' are identical for all sites.

          So i figure I need to create correct 'default backend' acl's for all frontends.
          Would the following entry be correct for the shared frontend?
          Name Expression CS Not Value
          acl1 host matches x - 12bfree.com
          ('x' =check, '-' =blank')

          Is there anything else along the way that needs attention?
          haproxy.txt

          P 1 Reply Last reply Reply Quote 0
          • P
            PiBa @tn1rpi3
            last edited by

            @tn1rpi3
            I would not make the acl CaseSensitive. If someone writes http://12bFree.Com they should still be able to visit the website right?
            There is no need to select default-backend's in the shared-frontends and its probably better those it anyhow when using 1 certificate for all.
            But do also include the 'acl1' behind the use-backend action after defining the acl's.

            So something like this:

            Acl:
               moodleacl host matches - - moodle.12bfree.com
            Action:
               use-backend moodle.12bfree.com_ipv4 if moodleacl
            

            And repeat that for the other sites.. Also if your only using 1 certificate for all, then it could be easier to read by configuring them all in 1 frontend in the webgui also but that depends a bit on personal preference.

            Other than that it can be nice to specify allowed ciphers to get a A+ rating on ssllabs with some settings like these: ssl-config.mozilla.org , you can manually add those on the settings tab in a advanced text field..

            tn1rpi3T 1 Reply Last reply Reply Quote 1
            • tn1rpi3T
              tn1rpi3 @PiBa
              last edited by tn1rpi3

              @PiBa I've changed the configuration as follows to include the ACLs (see .txt file)
              haproxy_new.txt
              Alas, no availability via WAN. (reachable locally both via http and https)

              Could the problem have something to do with my apache2 config on the VMs?
              Originally, I set the sites up to use a self-signed certificate (before I went on to configure HaProxy).
              So the apache2 site.config files on the VMs still feature the paths to the self-signed certs.
              That doesn't seem right to me..

              EDIT: I just found out that my ISP changed my public IP address. No wonder it didn't work.
              I'll solve the issue with the ISP and then check again.

              tn1rpi3T 1 Reply Last reply Reply Quote 0
              • tn1rpi3T
                tn1rpi3 @tn1rpi3
                last edited by

                @tn1rpi3 Solved. Settings on pfsense haven proven quite correct thanks to PiBa's input. The router's correct IP address has been reassigned. Some misunderstanding on the ISP's side..
                All good now.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.