HAProxy-devel config issue, help needed
I'm using haproxy-devel 1.5.9 pkg v 0.15 on pfsense 2.2-RC (amd64) built on Fri Jan 02 05:25:48 CST 2015. Since I updated from the december 9th build which has updated HAproxy-devel to the newer version, my sites aren't working anymore. It seems that traffic is no longer forwarded to them based on the acl. I haven't changed my haproxy-devel config in quite some time so I'm wondering if new features or required settings have been introduced that I may be missing in my current config.
/var/etc/haproxy.cfg file contents:
global maxconn 1000 log /var/run/log local0 debug stats socket /tmp/haproxy.socket level admin uid 80 gid 80 nbproc 1 chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 frontend Mirror-merged bind [wan-ip, IPv4]:80 <--removed my public IP mode http log global option httplog option http-keep-alive option forwardfor acl https ssl_fc reqadd X-Forwarded-Proto:\ http if !https reqadd X-Forwarded-Proto:\ https if https maxconn 100 timeout client 30000 acl 0_mirror hdr_beg(host) -i mirror use_backend Storage1_http if 0_mirror acl 1_bbb hdr_beg(host) -i bbb use_backend Observium_http if 1_bbb backend Storage1_http mode http errorfile 503 /var/etc/haproxy/errorfile_Storage1_http_503_ExampleErrorfile balance roundrobin timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server storage1 192.168.1.50:80 check inter 1000 weight 100 backend Observium_http mode http errorfile 503 /var/etc/haproxy/errorfile_Observium_http_503_ExampleErrorfile balance roundrobin timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server observium 192.168.1.74:80 check inter 1000 weight 100
The config itself seems to be ok, but a few things to check.
What exact error do you get in the browser, a 503 message or something else?
Could you configure the 'Internal stats port' on the settings tab, and then check in the 'Stats FS' if the backends are reported as 'up' ?
Just did a few small tests with the same 2.2 version your using and it seems to work OK for me.
I don't get any error code in my browser, simply the generic page not found error message.
I've enabled the 'Internal stats port' and on the 'Stats FS' page I see the backends (1 for each site) are up: L7OK/200 in 0ms. I have been keeping an eye on the 'Stats FS' page and noticed that some connections have made it to the backend server. I was able to load only twice a webpage throughout multiple refreshes. For the times that the page doesn't load and I get the generic page not found error message, the stats for the 'HAProxyLocalStats' are showing activity with the bytes in and out but on the front end named 'Mirror-merged' and both backends 'Storage1_http' and 'Observium_http' show no bytes in or out. It would appear to me that traffic is hitting my pfsense box and HAProxy but that it is only sometimes getting passed to the backend.
My configuration on the 'Backend' page for each site has the 'balanced' set to Round Robin. I only have one server for each site so is selecting Round Robin causing me issues by only sometimes passing traffic to the backend server?
Thanks for your help!
So you don't see session and byte counters on the frontend increase at all? That would mean the connection never arrived at haproxy.
Do you have 1:1 natting or a portforward configured on pfSense for the wan-ip? Any floating rules / traffic shaping / other packages ?
Is there a lot of traffic or high cpu usage on pfSense ? It could be worth trying to make a tcpdump of the traffic to see if a incoming connection is answered. tcpdump can be started on a ssh/console with a command like this where you put the correct ip, and the interface name for em0:
tcpdump -i em0 "host 184.108.40.206 && port 80"
The TCP handshake go's like this normally: Request connection[ S] , Accept connection[ S.] , Traffic[ .] , that would be the first 3 packets..
As for logging to '/var/run/log' that sadly doesn't do much.. It would provide more information if you log it to a actual syslog server. Also enable the 'Detailed logging', every connection handled by haproxy should show up in those logs.
The roundrobbin selection shouldnt affect anything if only 1 server is available..
Hope some of it helps..