Netgate Discussion Forum
    HaProxy + PfSense 503 Service Unavailable

    alexhen:

      Hello,

      I created a VMware Workstation environment for testing how to configure a proper pfSense with HAProxy network.
      I have two Windows Server 2019 machines with IIS and two working websites via HTTPS (before installing HAProxy) that are accessible remotely. Afterwards I created two ACME certificates, one wildcard *.example.com and one for one of the websites, test.example.com.
      Then I configured HAProxy with the following settings:
      # Automaticaly generated, dont edit manually.
      # Generated on: 2024-03-11 15:08
      global
        maxconn 100
        stats socket /tmp/haproxy.socket level admin expose-fd listeners
        uid 80
        gid 80
        nbthread 1
        hard-stop-after 15m
        chroot /tmp/haproxy_chroot
        daemon
        server-state-file /tmp/haproxy_server_state

      listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

      frontend TestSites
        bind 192.168.1.134:443 name 192.168.1.134:443 ssl crt-list /var/etc/haproxy/TestSites.crt_list
        mode http
        log global
        option http-keep-alive
        timeout client 30000
        acl TestSite1 var(txn.txnhost) -m str -i test.example.co.il
        http-request set-var(txn.txnhost) hdr(host)
        use_backend TestSiteA_ipvANY if TestSite1

      backend TestSiteA_ipvANY
        mode http
        id 100
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        load-server-state-from-file global
        server Site1 192.168.2.10:443 id 101 ssl verify none

      Now when I reach the website test.example I get "503 Service Unavailable". I do get the proper certificate, but it feels like it's not moving traffic to the backend (just a reminder that without HAProxy I can access the websites).
      My firewall rules are open ports 80 and 443 to the router IP 192.168.1.134.
      Any idea what could cause the issue?
      Thanks in advance

      viragomann @alexhen:

        @alexhen
        If you check the stats, is your backend shown as online / green?

        michmoor @viragomann:

          @viragomann
          Yep. Most often the reason for the 503 is that the service port is either wrong or not listening.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          alexhen @viragomann:

            @viragomann [attached image: Stats.PNG]

            The health check is disabled

            michmoor @alexhen:

              @alexhen
              Can you visit the site when bypassing the proxy?


              alexhen @michmoor:

                @michmoor Yes, when I disable HAProxy I can access the websites locally and remotely.

                viragomann @alexhen:

                  @alexhen
                  Try to enable the health check. Just basic (TCP) should do it fine.

                  alexhen @viragomann:

                    @viragomann When I enable the basic health check with Encrypt(SSL) it reports DOWN, but if I disable Encrypt(SSL) it reports UP.

                    alexhen:
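A way to answer viragomann's "is the backend shown as green?" question and the SSL-check DOWN/UP observation from the command line, as an added example that is not from the thread: it reads the `show stat` CSV from the admin socket the posted config defines (/tmp/haproxy.socket, so it must run on the pfSense box itself) and maps each server's check_status to the layer (L4 TCP, L6 TLS, L7 HTTP) at which the health check fails. The sample CSV, its column subset and the L6RSP failure are constructed for illustration, not taken from the poster's system.

```python
import csv
import io
import socket

# Constructed sample of HAProxy `show stat` output, trimmed to the columns used
# below (real output has far more columns, so the parser selects them by name).
SAMPLE_SHOW_STAT = """# pxname,svname,status,weight,chkfail,chkdown,check_status,check_code,check_desc,
TestSites,FRONTEND,OPEN,,,,,,,
TestSiteA_ipvANY,Site1,DOWN,1,3,1,L6RSP,,Layer6 invalid response,
TestSiteA_ipvANY,BACKEND,DOWN,1,,1,,,,
"""

def fetch_show_stat(path="/tmp/haproxy.socket"):
    """Read `show stat` from the admin socket path used in the posted config."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(b"show stat\n")
        return b"".join(iter(lambda: sock.recv(65536), b"")).decode()

def parse_show_stat(text):
    """Parse the CSV into one dict per row, keyed by the '# ...' header names."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    header[0] = header[0].lstrip("# ")
    return [dict(zip(header, row)) for row in reader if row]

def backend_health(rows, backend):
    """Return (status of the BACKEND row, list of server rows) for one backend."""
    mine = [r for r in rows if r["pxname"] == backend]
    status = next((r["status"] for r in mine if r["svname"] == "BACKEND"), None)
    servers = [r for r in mine if r["svname"] not in ("FRONTEND", "BACKEND")]
    return status, servers

def diagnose(status, servers):
    """Map each server's check_status prefix to the layer where the check failed."""
    if status is None:
        return "backend not present in stats: check the backend name"
    if status == "UP":
        return "backend UP: a 503 then comes from routing (no use_backend match and no default_backend)"
    layers = {"L4": "TCP connect failed", "L6": "TCP connects but the TLS handshake/response failed",
              "L7": "TCP and TLS fine but the HTTP check failed"}
    for s in servers:
        if s["status"] == "no check":
            return f"{s['svname']}: no health check, so stats cannot show why requests fail"
        if s["status"] != "UP":
            what = layers.get(s.get("check_status", "")[:2], "check failed")
            return f"{s['svname']} DOWN at {s.get('check_status', '?')}: {what} ({s.get('check_desc', '')})"
    return "backend DOWN with all servers UP: check weights/maintenance state"
```

On the pfSense box, replace SAMPLE_SHOW_STAT with fetch_show_stat() to inspect the live backend; an L6 failure with an L4 success means TCP reaches 192.168.2.10:443 but the TLS exchange with the server does not complete.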

                      By the way, when I change the setting to port 80 I get "502 Bad Gateway The server returned an invalid or incomplete response." and the site does work on port 80 without HAProxy.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.