HAProxy on pfSense anomaly

LAVenetz

On my pfSense v2.6.0, I have package haproxy v0.61_7 (dependency haproxy18-1.8.30) installed with Apache webservers. The configuration I've used have worked flawlessly for a number of years. But since a few days two of them are marked red (down). I've tried all sorts of measures, but no success: the two webservers can no longer be brought up and running. Are there any methods (haproxy specific logfiles) I can use to troubleshoot these two servers? All servers are running on Ubuntu 22.04 inclusive the marked red ones, exept one on 20.04 and one Debian 11.5 which both are marked green. Does anyone know this problem that servers suddenly give up the ghost over the Internet via haproxy? Funny: the servers are still running properly internally, and I can also administrate WordPress over the internet (which are red) with https://www.xyz1.tld/wp-admin and https://www.xyz2.tld/wp-admin.

viragomann

@lavenetz
This is commonly due to a failing backend health check.
Ensure that the backend response properly to the configured health check.

LAVenetz

@viragomann Yes thank you. This hint helped me insofar as I changed the health check method from "http" => "not set", the status indeed changed to green. But now I still don't know why these web servers are not complying with the terms. How could I now find out why the two web servers do not meet the default conditions compared to the other servers?

viragomann

@lavenetz
As mentioned, when using HTTP health check, configure it properly, so that your web server is responding to the requests from HAproxy.
State a proper URL and HTTP method in the backend settings.

Since I don't know your backend settings and your web server configuration, I cannot get an idea, what's wrong there at all.

Otherwise use the basic check method. This succeeds just if the backend servers network interface is alive.

LAVenetz

@viragomann Many thanks. The longer I (have to) deal with it, the clearer the idea behind it becomes. I tried three things: 1. I adjusted /etc/hosts and /etc/hostname like the other servers (unfortunately not as stable). 2. Field "Health check method" = "http" and field "Url used by http check requests." ="https://www.xyz1.tld" or "https://www.xyz2.tld" (OK status green). 3. (your suggestion) Field "Health check method" = "basic" (OK status green).

But it's funny that I didn't have to make any adjustments here for years. I can only guess why, since I have defined more and more subdomains per TLD. But the main thing is that I found a workaround with your help. Thanks!

LAVenetz

@lavenetz Having troubles with Mail-in-a-Box (MiaB) behind a pfSense v2.6 with HAProxy (see SNI like on top). Which ports do I have to forward the the MiaB-Box except 443 which is tracked by HAProxy (is red like on top)? I forwarded (on NAT) 80, 25, 53, 143, 587, 465, 993, 995, 4190, but no success! The MiaB is showing so much errors. When I transfer the Box back to another previous location where the router is in bridge mode => no errors at all, except Reverse DNS which is obsolete for me.

NightlyShark

@lavenetz If the connections between the Apache instances and PfSense are physical, check all cables (even if you seem to have internet on the servers, gremlins be unpredictable like that). If not, check the hypervisor's networking. You never know when an update can cripple only part of your netstack, and play the waiting game, ie expecting you to know the update has happened and reboot manually.

NightlyShark

@lavenetz Also, that is another thread.

@lavenetz said in HAProxy on pfSense anomaly:

Having troubles with Mail-in-a-Box (MiaB) behind a pfSense v2.6 with HAProxy (see SNI like on top). Which ports do I have to forward the the MiaB-Box except 443 which is tracked by HAProxy (is red like on top)?

viragomann

@lavenetz said in HAProxy on pfSense anomaly:

Which ports do I have to forward the the MiaB-Box

I think, this is the wrong place to ask this question.
Check the documentation of the app for details.

The MiaB is showing so much errors

Maybe the contents of the error messages give hints. But without knowing it, we are standing in the dark at all.

LAVenetz

@viragomann et al.: I'm totally unsure at the moment !!! I thought I could simply move the MiaB from a router that is switched to bridge mode, as I already did with like the other six web servers, to move it behind a pfSense with HAProxy and run the "sudo mailinabox" command. "Mistake", said the hedgehog and climbed down from the cactus. Maybe I have to use MiaB with the command "curl -s https://mailinabox.email/setup.sh | sudo bash"? But that would be a fresh start for me and not just a simple transfer from a router in bridge mode to an environment with pfSense and HAProxy. Sorry that would really be another topic in another location (but I felt like the issues described above in this topic got)! Or is there still salvation here?

NightlyShark

@lavenetz Friend, we most probably don't know. You should ask the Mailinabox people (/ community?), or consult the documentation.

LAVenetz

@nightlyshark Hello, regarding my problem (= MiaB behind a pfSense with HAProxy) I found something called "NAT hairpinning", posted from Lloyd Smart, in 2015:

"It’s to do with being behind a NAT. I had the same trouble running MiaB within an LXC container. I had to turn on something called “NAT hairpinning” on the virtual bridge I was using. Try searching for something like that for your pfSense firewall. It’s a bit complicated, but basically the issue is that the traffic generated by the status checks reaches your NAT/firewall, and then doesn’t get routed back to your box like you’d think it would. This is because your firewall is only configured to forward external “incoming” packets to your box, but it sees this traffic as “internal” traffic that’s trying to get to your public IP. Since the firewall is your public IP, it thinks that the traffic has reached its destination, and it just dies there. This only happens when the box tries to talk to itself over the public IP. That’s why all the external stuff is probably working just fine, and also why you can access the box over its internal IP without any issues. What you need is a way for the firewall to know to treat traffic coming from your internal box IP that’s bound for your public IP the same as incoming traffic, and forward it back to your MiaB IP accordingly. That’s what hairpinning does."

Is this the solution?

NightlyShark

@lavenetz That would be "NAT reflection" in PfSense.

LAVenetz

@nightlyshark Oh, good to know! I've found it. I can turn it on and off per port. What should I most likely choose?

1. Standard
2. Activate (NAT + Proxy)
3. Activate (NAT only)
4. Deactivate

NightlyShark

@lavenetz Only one MiaB, so, Standard, I think.