503 Service Unavailable

  • Hello,

    I am trying to configure HAProxy on pfSense, which has two backend web servers. In /services/Haproxy/Stats/ the servers are present and working. My file /var/log/haproxy.log/ is empty... I do not know why, but I always arrive at a 503 Service Unavailable page when I try to access a web page on one of the backend servers. Here is my file /var/etc/haproxy/haproxy.cfg:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2020-05-13 17:03

    maxconn 100000
    log /var/log/jm syslog info
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    tune.ssl.default-dh-param 2048
    log-send-hostname haproxy1
    server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
    bind name localstats
    mode http
    stats enable
    stats refresh 4
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

    frontend Shared-frontend-merged
    bind name ssl crt-list /var/etc/haproxy/Shared-frontend.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl aclcrt_Shared-frontend var(txn.txnhost) -m reg -i ^bravad-dev5.com(:([0-9]){1,5})?$
    acl Prod1 var(txn.txnhost) -m str -i bravad-dev5.com
    http-request set-var(txn.txnhost) hdr(host)
    use_backend OVHPHP_ipv4 if Prod1


  • @jmorfali
    How is the backend configured? Health checks enabled and shown in stats as up? No transparent-client-ip used?

  • Hello @PiBa,

    Thank you for your answer. Here is the configuration of my backend:

  • @jmorfali
    Can you disable the TransparentClientIP feature? See if that resolves anything? Do the webservers use pfSense as their default route? (To make sure reply traffic is passed back through pfSense > HAProxy.)

  • @PiBa
    Actually, that solves the problem if I disable the TransparentClientIP feature. Thank you! But how am I going to see the client's IP address on my backend servers?

    Thank you very much.

  • @jmorfali
    Do the webservers use pfSense as their default route?
    If not, then the 'transparent' option is out the window.

    There are basically 3 options then to achieve it:

    • TransparentClientIP (possible for all TCP protocols, but does require the webservers' default route and reply traffic to go back through pfSense). It seems your environment doesn't currently meet these requirements.
    • HTTP-forward-for-header (requires that HAProxy is operating in http mode so it can insert the HTTP header; also requires configuring the webserver to use this header for its logging and other actions inside the web application).
    • Proxy-Protocol (can be used with all TCP protocols, but does require that the target server is configured to understand this protocol). https://www.haproxy.com/blog/haproxy/proxy-protocol/ Not a lot of 'server applications' are ready to receive this, but some can.

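Options 2 and 3 above both move the client address into data the backend has to parse, so the backend should accept it only on connections that really come from the proxy. The following is an added example, not code from the thread or from HAProxy; the proxy address 10.0.0.1, the function names and the sample inputs are assumptions made up for illustration.

```python
import ipaddress

# Assumption: the address the web server sees for the pfSense/HAProxy box (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.1/32")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip_from_xff(peer_addr, xff_lines):
    """Option 2: pick the client IP from X-Forwarded-For header lines."""
    if not is_trusted(peer_addr):
        return peer_addr  # not via the proxy: the header is client-controlled
    hops = [h.strip() for line in xff_lines for h in line.split(",") if h.strip()]
    # 'option forwardfor' appends its value last, so walk from the right and
    # stop at the first address that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: fall back to the socket peer
    return peer_addr

def client_ip_from_proxy_v1(peer_addr, line):
    """Option 3: pick the client IP from a PROXY protocol v1 header line."""
    if not is_trusted(peer_addr):
        raise ValueError("PROXY header from untrusted peer")
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("malformed PROXY header")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[:2] == ["PROXY", "UNKNOWN"]:
        return peer_addr  # proxy could not determine the source
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header")
    src = ipaddress.ip_address(parts[2])
    if src.version != (4 if parts[1] == "TCP4" else 6):
        raise ValueError("address family mismatch")
    return str(src)

if __name__ == "__main__":
    # Constructed sample input: a client-supplied entry, then the one HAProxy appended.
    print(client_ip_from_xff("10.0.0.1", ["1.2.3.4", "198.51.100.7"]))
    print(client_ip_from_proxy_v1("10.0.0.1", b"PROXY TCP4 198.51.100.7 10.0.0.20 56324 80\r\n"))
```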