Troubleshoot HAProxy entry 503 - solved - invalid health check selected

mervincm

I use HAProxy in front of internal HTTP apps to allow them to function over HTTPS with a wildcard cert. I have ~ 20 of them functioning quite well but not having any luck adding another.

I installed the haproxy-devel 0.62_12 version of the package to deal with widgets errors, and this is the first change I am making since that time.

I am fairly confident that the problem is in the backend because if I just change the front-end action to point to another backend .. it works well (just to the wrong back-end obviously)

In any case, my typical working steps are

in DNS resolver, add the new URL as an additional alias of the common VIP I use.
(confirmed lookup of the URL returns the VIP ip)

In the HAproxy service, add a new backend, use all defaults, just under the server list add a line Active name address and port mode, then the IP of the server it's hosted on, and the port it is listening on that server. no SSL for HTTP sites, and of course no SSL checks.

In the HAproxy service, edit the shared_https front end for my vip ip:443, type HTTP. add a new ACL name type host matches, then the value of the new URL. add a new actions simple use backend name backend name

unfortunately, I get a 503, service unavailable error.

viragomann

@mervincm said in Troubleshoot HAProxy entry 503:
Something regarding in the log about this issue?

In the HAproxy service, add a new backend, use all defaults, just under the server list add a line Active name address and port mode, then the IP of the server it's hosted on,

On a machine behind pfSense edit the hosts file and add this IP and host name to it.
Then try to access the backend from this machine.

Possibly it doesn't respond properly.

mervincm

@viragomann
Thank you for your assistance.

I edited my hostfile so my host resolved to the IP of the backend.

then in my browser I used that hostname, with http, and specifying the port I have from the backend.

It opened properly.

The package log is empty.

viragomann

@mervincm
So the backend server is working properly.

Did you also assign the proper SSL certificate to the frontend?
Otherwise HAproxy is not able to see the host name.

mervincm

@viragomann I don't know that the back end is working properly. It indicates an error on the dashboard.

If I change the prowlarr front end use the netdata back end, then the prowlarr URL opens up the netdata back end.

If I change the netdata front end to use the prowlarr backend, then the netdata front end also 503's

It seems to me the prowlarr back end is indeed where the issue is.

I can't explain why I have no issue opening up the prowlarr site w http by ip and specified port, or w http by name (hosts hack) and specific port. but HAProxy doesn't like it.

mervincm

@mervincm forgot to answer the cert question. There is a wildcard cert used, and even when I get the 503, it seems happy with the cert.

viragomann

@mervincm said in Troubleshoot HAProxy entry 503:

I don't know that the back end is working properly. It indicates an error on the dashboard.

I was talking about the real backend server.

It seems to me the prowlarr back end is indeed where the issue is.
I can't explain why I have no issue opening up the prowlarr site w http by ip and specified port, or w http by name (hosts hack) and specific port. but HAProxy doesn't like it.

So the backend is not working from the view of HAproxy obviously.
Check it out on the Stats page.

So I suspect that the backend host does not responding properly to the configured health check.
Which did you use for the backend?
At least the basic check should work.

mervincm

@viragomann

Ahh, the actual backend ... that makes sense
I changed the health check from http to basic, and now there is no more error on the dashboard AND the reverse proxy works. Problem solved. I had no idea that a health check failure had an impact on functionality. I thought it was just a monitoring feature.

Thanks so much!!

rpm5099

As far as I can tell the pfSense HAProxy SSL backend checks do not work and are bugged, at least for backend devices that have a self signed cert. I've tried everything and always resort back to doing basic checks.