Netgate Discussion Forum

    Troubleshoot HAProxy entry 503 - solved - invalid health check selected

    9 Posts 3 Posters 1.1k Views
    • M
      mervincm
      last edited by mervincm

      I use HAProxy in front of internal HTTP apps to allow them to function over HTTPS with a wildcard cert. I have ~ 20 of them functioning quite well but not having any luck adding another.

      I installed the haproxy-devel 0.62_12 version of the package to deal with widgets errors, and this is the first change I am making since that time.

      I am fairly confident that the problem is in the backend because if I just change the front-end action to point to another backend .. it works well (just to the wrong back-end obviously)

      In any case, my typical working steps are

      in DNS resolver, add the new URL as an additional alias of the common VIP I use.
      (confirmed lookup of the URL returns the VIP ip)

      In the HAproxy service, add a new backend, use all defaults, just under the server list add a line Active name address and port mode, then the IP of the server it's hosted on, and the port it is listening on that server. no SSL for HTTP sites, and of course no SSL checks.

      In the HAproxy service, edit the shared_https front end for my vip ip:443, type HTTP. add a new ACL name type host matches, then the value of the new URL. add a new actions simple use backend name backend name

      unfortunately, I get a 503, service unavailable error.

      • V
        viragomann @mervincm
        last edited by

        @mervincm said in Troubleshoot HAProxy entry 503:
        Is there anything in the log regarding this issue?

        In the HAproxy service, add a new backend, use all defaults, just under the server list add a line Active name address and port mode, then the IP of the server it's hosted on,

        On a machine behind pfSense edit the hosts file and add this IP and host name to it.
        Then try to access the backend from this machine.

        Possibly it doesn't respond properly.

        • M
          mervincm @viragomann
          last edited by

          @viragomann
          Thank you for your assistance.

          I edited my hostfile so my host resolved to the IP of the backend.

          then in my browser I used that hostname, with http, and specifying the port I have from the backend.

          It opened properly.

          The package log is empty.

          • V
            viragomann @mervincm
            last edited by

            @mervincm
            So the backend server is working properly.

            Did you also assign the proper SSL certificate to the frontend?
            Otherwise HAproxy is not able to see the host name.

            • M
              mervincm @viragomann
              last edited by mervincm

              @viragomann I don't know that the back end is working properly. It indicates an error on the dashboard.

              If I change the prowlarr front end to use the netdata back end, then the prowlarr URL opens up the netdata back end.

              If I change the netdata front end to use the prowlarr backend, then the netdata front end also 503's

              It seems to me the prowlarr back end is indeed where the issue is.

              I can't explain why I have no issue opening up the prowlarr site w http by ip and specified port, or w http by name (hosts hack) and specific port. but HAProxy doesn't like it.

              • M
                mervincm @mervincm
                last edited by

                @mervincm forgot to answer the cert question. There is a wildcard cert used, and even when I get the 503, it seems happy with the cert.

                • V
                  viragomann @mervincm
                  last edited by

                  @mervincm said in Troubleshoot HAProxy entry 503:

                  I don't know that the back end is working properly. It indicates an error on the dashboard.

                  I was talking about the real backend server.

                  It seems to me the prowlarr back end is indeed where the issue is.
                  I can't explain why I have no issue opening up the prowlarr site w http by ip and specified port, or w http by name (hosts hack) and specific port. but HAProxy doesn't like it.

                  So the backend is not working from the view of HAproxy obviously.
                  Check it out on the Stats page.

                  So I suspect that the backend host is not responding properly to the configured health check.
                  Which did you use for the backend?
                  At least the basic check should work.

                  • M
                    mervincm @viragomann
                    last edited by

                    @viragomann

                    Ahh, the actual backend ... that makes sense
                    I changed the health check from http to basic, and now there is no more error on the dashboard AND the reverse proxy works. Problem solved. I had no idea that a health check failure had an impact on functionality. I thought it was just a monitoring feature.

                    Thanks so much!!

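The failure mode resolved above can be reproduced outside HAProxy. HAProxy marks a server DOWN when its health check fails, and a backend with no server UP answers 503; its default HTTP check sends an `OPTIONS /` request and accepts only 2xx/3xx responses, while the basic check only needs a TCP connection. The following is an added example, not part of the original thread and not pfSense or HAProxy code: the function names and the stand-in backend are hypothetical, and the probe only approximates what HAProxy sends.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def basic_check(host, port, timeout=2.0):
    """'Basic' check: the server counts as UP if a TCP connection opens."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(host, port, method="OPTIONS", path="/", timeout=2.0):
    """HTTP check: returns (is_up, status); only 2xx/3xx counts as UP."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, path)
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        return False, None
    return 200 <= status < 400, status


class GetOnlyApp(BaseHTTPRequestHandler):
    """Constructed stand-in backend: serves GET, does not implement OPTIONS."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # silence per-request logging
        pass


def demo():
    server = HTTPServer(("127.0.0.1", 0), GetOnlyApp)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return {"basic": basic_check(host, port),
                "http_options": http_check(host, port, "OPTIONS"),
                "http_get": http_check(host, port, "GET")}
    finally:
        server.shutdown()
        server.server_close()
```

Calling `basic_check` and `http_check` with a real backend's address and port shows which check type that server can pass; a browser test only exercises GET, so it can succeed while the OPTIONS check fails.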
                    • R
                      rpm5099
                      last edited by

                      As far as I can tell the pfSense HAProxy SSL backend checks do not work and are bugged, at least for backend devices that have a self-signed cert. I've tried everything and always resort back to doing basic checks.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.