Netgate Discussion Forum

Troubleshoot HAProxy entry 503 - solved - invalid health check selected

Cache/Proxy
  • M
    mervincm
    last edited by mervincm May 21, 2023, 10:11 PM May 15, 2023, 6:50 AM

    I use HAProxy in front of internal HTTP apps to allow them to function over HTTPS with a wildcard cert. I have ~ 20 of them functioning quite well but not having any luck adding another.

    I installed the haproxy-devel 0.62_12 version of the package to deal with widgets errors, and this is the first change I am making since that time.

    I am fairly confident that the problem is in the backend because if I just change the front-end action to point to another backend .. it works well (just to the wrong back-end obviously)

    In any case, my typical working steps are:

    In DNS resolver, add the new URL as an additional alias of the common VIP I use.
    (Confirmed lookup of the URL returns the VIP IP.)

    In the HAProxy service, add a new backend, use all defaults, just under the server list add a line Active name address and port mode, then the IP of the server it's hosted on, and the port it is listening on that server. No SSL for HTTP sites, and of course no SSL checks.

    In the HAProxy service, edit the shared_https front end for my VIP IP:443, type HTTP. Add a new ACL name type host matches, then the value of the new URL. Add a new action simple use backend name backend name.

    Unfortunately, I get a 503, service unavailable error.

    • V
      viragomann @mervincm
      last edited by May 15, 2023, 10:17 AM

      @mervincm said in Troubleshoot HAProxy entry 503:
      Is there something in the log regarding this issue?

      In the HAproxy service, add a new backend, use all defaults, just under the server list add a line Active name address and port mode, then the IP of the server it's hosted on,

      On a machine behind pfSense edit the hosts file and add this IP and host name to it.
      Then try to access the backend from this machine.

      Possibly it doesn't respond properly.

      • M
        mervincm @viragomann
        last edited by May 16, 2023, 6:45 PM

        @viragomann
        Thank you for your assistance.

        I edited my hosts file so my host resolved to the IP of the backend.

        Then in my browser I used that hostname, with http, and specifying the port I have from the backend.

        It opened properly.

        The package log is empty.

        • V
          viragomann @mervincm
          last edited by May 16, 2023, 7:27 PM

          @mervincm
          So the backend server is working properly.

          Did you also assign the proper SSL certificate to the frontend?
          Otherwise HAProxy is not able to see the host name.

          • M
            mervincm @viragomann
            last edited by mervincm May 16, 2023, 10:51 PM May 16, 2023, 10:37 PM

            @viragomann I don't know that the back end is working properly. It indicates an error on the dashboard.

            If I change the prowlarr front end to use the netdata back end, then the prowlarr URL opens up the netdata back end.

            If I change the netdata front end to use the prowlarr backend, then the netdata front end also 503s.

            It seems to me the prowlarr back end is indeed where the issue is.

            I can't explain why I have no issue opening up the prowlarr site with http by IP and specified port, or with http by name (hosts hack) and specific port, but HAProxy doesn't like it.

            • M
              mervincm @mervincm
              last edited by May 16, 2023, 10:38 PM

              @mervincm forgot to answer the cert question. There is a wildcard cert used, and even when I get the 503, it seems happy with the cert.

              • V
                viragomann @mervincm
                last edited by May 17, 2023, 11:40 AM

                @mervincm said in Troubleshoot HAProxy entry 503:

                I don't know that the back end is working properly. It indicates an error on the dashboard.

                I was talking about the real backend server.

                It seems to me the prowlarr back end is indeed where the issue is.
                I can't explain why I have no issue opening up the prowlarr site w http by ip and specified port, or w http by name (hosts hack) and specific port. but HAProxy doesn't like it.

                So the backend is obviously not working from the view of HAProxy.
                Check it out on the Stats page.

                So I suspect that the backend host is not responding properly to the configured health check.
                Which did you use for the backend?
                At least the basic check should work.

                • M
                  mervincm @viragomann
                  last edited by May 17, 2023, 11:09 PM

                  @viragomann

                  Ahh, the actual backend ... that makes sense.
                  I changed the health check from http to basic, and now there is no more error on the dashboard AND the reverse proxy works. Problem solved. I had no idea that a health check failure had an impact on functionality. I thought it was just a monitoring feature.

                  Thanks so much!!

                  • R
                    rpm5099
                    last edited by Mar 17, 2025, 2:23 AM

                    As far as I can tell the pfSense HAProxy SSL backend checks do not work and are bugged, at least for backend devices that have a self-signed cert. I've tried everything and always resort back to doing basic checks.
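
Why a backend can open fine in a browser and still be marked DOWN by an HTTP health check, as an added example (not code from the thread or from the pfSense package): HAProxy's default `option httpchk` probe is `OPTIONS /` and only 2xx/3xx answers pass, while a browser sends `GET`. The `GetOnlyApp` backend below is constructed, and that the application in this thread answered the check this way is an assumption the thread does not confirm.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class GetOnlyApp(BaseHTTPRequestHandler):
    """Constructed stand-in backend: serves GET, rejects OPTIONS with 405."""

    def do_GET(self):
        self._reply(200, b"ok")

    def do_OPTIONS(self):
        self._reply(405, b"")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def probe(host, port, method="OPTIONS", path="/", timeout=3.0):
    """Send one request as an HTTP health check would; return (status, passes)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None, False  # no usable answer also fails the check
    finally:
        conn.close()
    # HAProxy's default rule for httpchk: 2xx and 3xx count as healthy.
    return status, 200 <= status < 400


def demo():
    """Probe the constructed backend the browser way (GET) and the check way (OPTIONS)."""
    server = HTTPServer(("127.0.0.1", 0), GetOnlyApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return {m: probe(host, port, m) for m in ("GET", "OPTIONS")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method, (status, passes) in demo().items():
        print(f"{method:8} -> {status} {'UP' if passes else 'DOWN'}")
```

Pointing `probe()` at a real backend's IP and port with the method configured for the check shows what HAProxy sees; a server whose checks fail is taken out of rotation, and a backend with no usable server returns 503.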
