HAProxy-devel config issue, help needed

  • Hello,

    I'm using haproxy-devel 1.5.9 pkg v 0.15 on pfsense 2.2-RC (amd64) built on Fri Jan 02 05:25:48 CST 2015. Since I updated from the December 9th build, which updated HAProxy-devel to the newer version, my sites aren't working anymore. It seems that traffic is no longer forwarded to them based on the acl. I haven't changed my haproxy-devel config in quite some time, so I'm wondering if new features or required settings have been introduced that I may be missing in my current config.

    My sites are http://mirror.mydomain.com and http://bbb.mydomain.com, so I had set up the ACLs to look for mirror and bbb respectively. That doesn't seem to work anymore. Any advice?

    /var/etc/haproxy.cfg file contents:

    global
    	maxconn			1000
    	log			/var/run/log	local0	debug
    	stats socket /tmp/haproxy.socket level admin
    	uid			80
    	gid			80
    	nbproc			1
    	chroot			/tmp/haproxy_chroot
    	tune.ssl.default-dh-param	2048
    frontend Mirror-merged
    	bind			[wan-ip, IPv4]:80   <--removed my public IP
    	mode			http
    	log			global
    	option			httplog
    	option			http-keep-alive
    	option			forwardfor
    	acl https ssl_fc
    	reqadd X-Forwarded-Proto:\ http if !https
    	reqadd X-Forwarded-Proto:\ https if https
    	maxconn			100
    	timeout client		30000
    	acl			0_mirror	hdr_beg(host) -i mirror
    	use_backend		Storage1_http if 0_mirror 
    	acl			1_bbb	hdr_beg(host) -i bbb
    	use_backend		Observium_http if 1_bbb 
    backend Storage1_http
    	mode			http
    	errorfile			503 /var/etc/haproxy/errorfile_Storage1_http_503_ExampleErrorfile
    	balance			roundrobin
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			storage1 check inter 1000  weight 100 
    backend Observium_http
    	mode			http
    	errorfile			503 /var/etc/haproxy/errorfile_Observium_http_503_ExampleErrorfile
    	balance			roundrobin
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			observium check inter 1000  weight 100
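
    To make the routing part of this config concrete, here is a small added model (not HAProxy's code and not part of the post) of how the two `acl ... hdr_beg(host) -i <prefix>` lines and their `use_backend` rules are evaluated: rules are tried in config order, `hdr_beg` is a prefix match on the raw Host header value (port included if the client sent one), `-i` makes it case-insensitive, and a request whose Host matches neither prefix gets no backend, which with no `default_backend` configured means HAProxy answers it with a 503. The hostnames and headers below are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# The frontend's rules in the order they appear in the config above.
# (acl name, hdr_beg(host) prefix, backend chosen by use_backend)
RULES: List[Tuple[str, str, str]] = [
    ("0_mirror", "mirror", "Storage1_http"),
    ("1_bbb", "bbb", "Observium_http"),
]


def hdr_beg_host(host_header: str, prefix: str, case_insensitive: bool = True) -> bool:
    """Model of `hdr_beg(host) [-i] <prefix>`: a prefix test on the Host header value.

    Note that it is a plain prefix test, not a label match: 'mirrorX.example'
    would also match 'mirror'. The port, if present, is part of the value
    ('mirror.mydomain.com:8080' still matches 'mirror').
    """
    if case_insensitive:
        return host_header.lower().startswith(prefix.lower())
    return host_header.startswith(prefix)


def select_backend(headers: Dict[str, str],
                   default_backend: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (backend, matching acl name) for a request, or (default, None).

    HAProxy tries use_backend rules in order and the first matching ACL wins.
    With no default_backend (as in the config above) an unmatched request has
    no backend at all and the client receives a 503.
    """
    host = headers.get("Host", "")  # header lookup is case-insensitive in HAProxy
    for acl_name, prefix, backend in RULES:
        if hdr_beg_host(host, prefix):
            return backend, acl_name
    return default_backend, None


# Constructed sample requests, one per case worth knowing about.
SAMPLES = {
    "mirror.mydomain.com": "Storage1_http",        # exact expected host
    "MIRROR.mydomain.com:80": "Storage1_http",     # -i plus an explicit port
    "bbb.mydomain.com": "Observium_http",
    "www.mirror.mydomain.com": None,               # prefix test fails -> 503
    "": None,                                      # no Host header -> 503
}

if __name__ == "__main__":
    for host, expected in SAMPLES.items():
        backend, acl = select_backend({"Host": host} if host else {})
        status = "503 (no backend)" if backend is None else f"-> {backend} via acl {acl}"
        print(f"Host={host!r:28} {status}")
        assert backend == expected
```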

  • Hi jbiss_ca,

    The config itself seems to be OK, but there are a few things to check.

    What exact error do you get in the browser, a 503 message or something else?
    Could you configure the 'Internal stats port' on the settings tab, and then check in the 'Stats FS' if the backends are reported as 'up'?

    Just did a few small tests with the same 2.2 version you're using and it seems to work OK for me.

    Greets PiBa-NL

  • Hi PiBa,

    I don't get any error code in my browser, simply the generic page not found error message.

    I've enabled the 'Internal stats port' and on the 'Stats FS' page I see the backends (1 for each site) are up: L7OK/200 in 0ms. I have been keeping an eye on the 'Stats FS' page and noticed that some connections have made it to the backend server. I was able to load a webpage only twice throughout multiple refreshes. For the times that the page doesn't load and I get the generic page not found error message, the stats for the 'HAProxyLocalStats' are showing activity with the bytes in and out, but the front end named 'Mirror-merged' and both backends 'Storage1_http' and 'Observium_http' show no bytes in or out. It would appear to me that traffic is hitting my pfsense box and HAProxy but that it is only sometimes getting passed to the backend.

    My configuration on the 'Backend' page for each site has the 'balanced' set to Round Robin. I only have one server for each site, so is selecting Round Robin causing me issues by only sometimes passing traffic to the backend server?

    Thanks for your help!

  • Hi jbiss_ca,

    So you don't see session and byte counters on the frontend increase at all? That would mean the connection never arrived at haproxy.

    Do you have 1:1 natting or a portforward configured on pfSense for the wan-ip? Any floating rules / traffic shaping / other packages ?

    Is there a lot of traffic or high cpu usage on pfSense? It could be worth trying to make a tcpdump of the traffic to see if an incoming connection is answered. tcpdump can be started on an ssh/console with a command like this, where you put in the correct ip and the interface name instead of em0:

    tcpdump -i em0 "host && port 80"

    The TCP handshake normally goes like this: Request connection [S], Accept connection [S.], Traffic [.]; those would be the first 3 packets..

    As for logging to '/var/run/log', that sadly doesn't do much.. It would provide more information if you log it to an actual syslog server. Also enable the 'Detailed logging'; every connection handled by haproxy should show up in those logs.

    The round robin selection shouldn't affect anything if only 1 server is available..

    Hope some of it helps..
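
    The tcpdump check suggested above (does each incoming [S] get an [S.] back, followed by the client's [.]?) is tedious to eyeball on a busy capture. The following is an added helper, not code from the thread or from pfSense/HAProxy, that reads tcpdump's default one-line summary format and groups packets per client socket, reporting which connections completed the handshake and which SYNs the box never answered (a retransmitted SYN shows up as a higher count). The server address 198.51.100.5 and the capture lines are constructed for the example; on a real box you would feed it the output of the tcpdump command above.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Shape of tcpdump's default IPv4/TCP summary line (constructed sample below):
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: one client socket that completes the 3-way handshake,
# one whose SYN is sent twice and never answered, one packet to another port,
# and one non-TCP line that the parser must skip.
SERVER_IP = "198.51.100.5"
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [S], seq 10, win 65535, length 0",
    "12:00:01.000200 IP 198.51.100.5.80 > 203.0.113.10.51000: Flags [S.], seq 20, ack 11, win 65535, length 0",
    "12:00:01.000400 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [.], ack 21, win 65535, length 0",
    "12:00:01.000900 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [P.], seq 11:200, ack 21, length 189",
    "12:00:05.000001 IP 203.0.113.10.51001 > 198.51.100.5.80: Flags [S], seq 30, win 65535, length 0",
    "12:00:06.000001 IP 203.0.113.10.51001 > 198.51.100.5.80: Flags [S], seq 30, win 65535, length 0",
    "12:00:07.000001 IP 203.0.113.10.51002 > 198.51.100.5.443: Flags [S], seq 40, win 65535, length 0",
    "12:00:08.000001 ARP, Request who-has 198.51.100.1 tell 198.51.100.5, length 28",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Extract addresses, ports and TCP flags from one summary line, else None."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def handshake_report(lines: Iterable[str], server_ip: str, server_port: int = 80
                     ) -> Dict[str, list]:
    """Classify each client socket talking to server_ip:server_port.

    completed:  [(client_ip, client_port), ...] saw S, S. and the client's ACK
    unanswered: [((client_ip, client_port), syn_count), ...] S seen, no S. back
    """
    state = defaultdict(lambda: {"syn": 0, "synack": False, "ack": False})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"] == server_ip and pkt["dport"] == server_port:
            # Client -> server direction.
            client = (pkt["src"], pkt["sport"])
            flags = pkt["flags"]
            if flags == "S":
                state[client]["syn"] += 1
            elif "." in flags and "S" not in flags and state[client]["synack"]:
                state[client]["ack"] = True   # third packet ([.] or data [P.])
        elif pkt["src"] == server_ip and pkt["sport"] == server_port:
            # Server -> client direction: only the SYN-ACK matters here.
            client = (pkt["dst"], pkt["dport"])
            if pkt["flags"] == "S.":
                state[client]["synack"] = True

    report: Dict[str, list] = {"completed": [], "unanswered": []}
    for client in sorted(state):
        st = state[client]
        if st["syn"] and st["synack"] and st["ack"]:
            report["completed"].append(client)
        elif st["syn"] and not st["synack"]:
            report["unanswered"].append((client, st["syn"]))
    return report


if __name__ == "__main__":
    rep = handshake_report(SAMPLE_CAPTURE, SERVER_IP)
    for c in rep["completed"]:
        print(f"completed handshake from {c[0]}:{c[1]}")
    for c, n in rep["unanswered"]:
        print(f"unanswered SYN from {c[0]}:{c[1]} ({n} attempt(s)), nothing sent back")
```

    If a capture shows unanswered SYNs on the WAN side the packets are reaching the interface but haproxy never gets them (firewall rules, NAT or the bind address are the things to look at); if the handshakes complete but the frontend counters in 'Stats FS' stay at zero, the connection is being answered by something other than haproxy on that address and port.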
