
    HAProxy-devel config issue, help needed

    • J
      jbiss_ca last edited by

      Hello,

      I'm using haproxy-devel 1.5.9 pkg v 0.15 on pfsense 2.2-RC (amd64) built on Fri Jan 02 05:25:48 CST 2015. Since I updated from the December 9th build, which has updated HAproxy-devel to the newer version, my sites aren't working anymore. It seems that traffic is no longer forwarded to them based on the acl. I haven't changed my haproxy-devel config in quite some time so I'm wondering if new features or required settings have been introduced that I may be missing in my current config.

      My sites are http://mirror.mydomain.com and http://bbb.mydomain.com so I had set up the ACLs to look for mirror and bbb respectively. That doesn't seem to work anymore. Any advice?

      /var/etc/haproxy.cfg file contents:

      
      global
      	maxconn			1000
      	log			/var/run/log	local0	debug
      	stats socket /tmp/haproxy.socket level admin
      	uid			80
      	gid			80
      	nbproc			1
      	chroot			/tmp/haproxy_chroot
      	daemon
      	tune.ssl.default-dh-param	2048
      
      frontend Mirror-merged
      	bind			[wan-ip, IPv4]:80   <--removed my public IP
      	mode			http
      	log			global
      	option			httplog
      	option			http-keep-alive
      	option			forwardfor
      	acl https ssl_fc
      	reqadd X-Forwarded-Proto:\ http if !https
      	reqadd X-Forwarded-Proto:\ https if https
      	maxconn			100
      	timeout client		30000
      	acl			0_mirror	hdr_beg(host) -i mirror
      	use_backend		Storage1_http if 0_mirror 
      	acl			1_bbb	hdr_beg(host) -i bbb
      	use_backend		Observium_http if 1_bbb 
      
      backend Storage1_http
      	mode			http
      	errorfile			503 /var/etc/haproxy/errorfile_Storage1_http_503_ExampleErrorfile
      	balance			roundrobin
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS / 
      	server			storage1 192.168.1.50:80 check inter 1000  weight 100 
      
      backend Observium_http
      	mode			http
      	errorfile			503 /var/etc/haproxy/errorfile_Observium_http_503_ExampleErrorfile
      	balance			roundrobin
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	option			httpchk OPTIONS / 
      	server			observium 192.168.1.74:80 check inter 1000  weight 100
      
      
      • P
        PiBa last edited by

        Hi jbiss_ca,

        The config itself seems to be ok, but a few things to check.

        What exact error do you get in the browser, a 503 message or something else?
        Could you configure the 'Internal stats port' on the settings tab, and then check in the 'Stats FS' if the backends are reported as 'up'?

        Just did a few small tests with the same 2.2 version you're using and it seems to work OK for me.

        Greets PiBa-NL

        • J
          jbiss_ca last edited by

          Hi PiBa,

          I don't get any error code in my browser, simply the generic page not found error message.

          I've enabled the 'Internal stats port' and on the 'Stats FS' page I see the backends (1 for each site) are up: L7OK/200 in 0ms. I have been keeping an eye on the 'Stats FS' page and noticed that some connections have made it to the backend server. I was able to load only twice a webpage throughout multiple refreshes. For the times that the page doesn't load and I get the generic page not found error message, the stats for the 'HAProxyLocalStats' are showing activity with the bytes in and out but on the front end named 'Mirror-merged' and both backends 'Storage1_http' and 'Observium_http' show no bytes in or out. It would appear to me that traffic is hitting my pfsense box and HAProxy but that it is only sometimes getting passed to the backend.

          My configuration on the 'Backend' page for each site has the 'balanced' set to Round Robin. I only have one server for each site so is selecting Round Robin causing me issues by only sometimes passing traffic to the backend server?

          Thanks for your help!

          • P
            PiBa last edited by

            Hi jbiss_ca,

            So you don't see session and byte counters on the frontend increase at all? That would mean the connection never arrived at haproxy.

            Do you have 1:1 natting or a portforward configured on pfSense for the wan-ip? Any floating rules / traffic shaping / other packages?

            Is there a lot of traffic or high CPU usage on pfSense? It could be worth trying to make a tcpdump of the traffic to see if an incoming connection is answered. tcpdump can be started on an ssh/console with a command like this, where you put the correct IP, and the interface name for em0:

            tcpdump -i em0 "host 1.2.3.4 && port 80"
            

            The TCP handshake goes like this normally: Request connection[ S] , Accept connection[ S.] , Traffic[ .] , that would be the first 3 packets.

            As for logging to '/var/run/log', that sadly doesn't do much. It would provide more information if you log it to an actual syslog server. Also enable the 'Detailed logging'; every connection handled by haproxy should show up in those logs.

            The roundrobin selection shouldn't affect anything if only 1 server is available.

            Hope some of it helps..

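Added example, not part of any post in this thread: a Python script that reads tcpdump text output of the kind the command above produces and reports, per client connection, whether the SYN was answered, following the [S] / [S.] / [.] sequence described in the last reply. The capture lines and addresses are constructed, and it assumes the capture was taken with `-n` so that addresses and ports print as numbers.

```python
import re

# One tcpdump text line: "... IP src.port > dst.port: Flags [S.], ..."
LINE = re.compile(r"IP (\S+) > (\S+): Flags \[\s*([A-Z.]+)\]")

# Constructed capture (documentation addresses, not taken from the thread).
SAMPLE = """\
10:00:00.000001 IP 198.51.100.7.50001 > 203.0.113.10.80: Flags [S], seq 1000, win 65535, length 0
10:00:00.000050 IP 203.0.113.10.80 > 198.51.100.7.50001: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:00:00.020000 IP 198.51.100.7.50001 > 203.0.113.10.80: Flags [.], ack 1, win 1024, length 0
10:00:01.000000 IP 198.51.100.8.50002 > 203.0.113.10.80: Flags [S], seq 3000, win 65535, length 0
10:00:02.000000 IP 198.51.100.8.50002 > 203.0.113.10.80: Flags [S], seq 3000, win 65535, length 0
10:00:03.000000 IP 198.51.100.9.50003 > 203.0.113.10.80: Flags [S], seq 4000, win 65535, length 0
10:00:03.000040 IP 203.0.113.10.80 > 198.51.100.9.50003: Flags [R.], seq 0, ack 4001, win 0, length 0
"""

def classify_handshakes(capture, server_ip, port=80):
    """Map each client endpoint to established / half-open / unanswered / refused."""
    server = f"{server_ip}.{port}"      # tcpdump prints endpoints as ip.port
    seen = {}                           # client -> ordered events such as "c:S", "s:S."
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        if dst == server:               # packet from client to the frontend
            seen.setdefault(src, []).append("c:" + flags)
        elif src == server:             # packet from the frontend back to the client
            seen.setdefault(dst, []).append("s:" + flags)
    return {client: verdict(events) for client, events in seen.items()}

def verdict(events):
    if "c:S" not in events:
        return "no SYN captured"        # capture started mid-connection
    if any(e.startswith("s:") and "R" in e for e in events):
        return "refused"                # RST: nothing listening on that ip:port
    if "s:S." not in events:
        return "unanswered"             # SYN (and retries) never got a SYN-ACK
    after = events[events.index("s:S.") + 1:]
    # A client segment carrying ACK that is neither SYN nor RST completes the handshake.
    if any(e.startswith("c:") and "." in e[2:] and not set("SR") & set(e[2:]) for e in after):
        return "established"
    return "half-open"

if __name__ == "__main__":
    for client, state in classify_handshakes(SAMPLE, "203.0.113.10").items():
        print(f"{client:24} {state}")
```

An "unanswered" or "refused" result points at filtering, NAT or the listener on the firewall rather than the HAProxy ACLs, which matches frontend counters that never increase.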