
Option forwardfor ignored for backend


Hi, haproxy status gives me these errors even though it seems to work:

$ systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-05-08 09:00:34 UTC; 22min ago
  Process: 26543 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS)
 Main PID: 26544 (haproxy)
    Tasks: 2 (limit: 24956)
   Memory: 14.9M
   CGroup: /system.slice/haproxy.service
           ├─26544 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
           └─26546 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid

May 08 09:00:34 server1 haproxy[26544]: [WARNING] 128/090034 (26544) : config : 'option forwardfor' ignored for backend 'port.5060' as it requires HTTP mode.
May 08 09:00:34 server1 haproxy[26544]: [WARNING] 128/090034 (26544) : config : 'option forwardfor' ignored for backend 'port.5061' as it requires HTTP mode.
May 08 09:00:34 server1 systemd[1]: Started HAProxy Load Balancer.


My config file:

#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    # by adding the '-r' option to the SYSLOGD_OPTIONS in
    # /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    # file. A line like the following can be added to
    # /etc/sysconfig/syslog
    #
    # local2.* /var/log/haproxy.log
    #

    log 127.0.0.1:514 local0
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM
    tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    option forwardfor
    option http-server-close
    log global
    option httplog
    option dontlognull
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 2048

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    bind *:5000
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js

    use_backend static          if url_static
    default_backend             app

frontend stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    stats realm Haproxy\ Statistics
    stats auth user:password

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    balance roundrobin
    server static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    balance roundrobin
    server app1 127.0.0.1:5001 check
    server app2 127.0.0.1:5002 check
    server app3 127.0.0.1:5003 check
    server app4 127.0.0.1:5004 check

#---------------------------------------------------------------------
# My config
#---------------------------------------------------------------------

frontend port.5060
    mode tcp
    option tcplog
    bind 172.16.10.100:5060
    default_backend port.5060

frontend port.5061
    mode tcp
    option tcplog
    bind 172.16.10.100:5061
    default_backend port.5061

frontend website1:80
    bind 172.16.10.99:80
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend website1:443

frontend website1:443
    bind 172.16.10.99:443 ssl crt /etc/pki/tls/certificate.pem
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    default_backend website1:443

backend port.5060
    balance roundrobin
    mode tcp
    option tcplog
    server gw1 192.168.100.121:5060 check
    server gw2 192.168.100.122:5060 check

backend port.5061
    balance roundrobin
    mode tcp
    option tcplog
    server gw1 192.168.100.121:5061 check
    server gw2 192.168.100.122:5061 check

backend website1:80
    balance roundrobin
    redirect scheme https if !{ ssl_fc }
    server web1 192.168.100.41:80 check verify none
    server web2 192.168.100.42:80 check verify none

backend website1:443
    balance roundrobin
    redirect scheme https if !{ ssl_fc }
    cookie SESSIONID insert indirect nocache
    server web1 192.168.100.41:443 ssl check verify none cookie web1
    server web2 192.168.100.42:443 ssl check verify none cookie web2


How can I solve it?

Thanks in advance!!

1 post - 1 participant

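As an added example (not the poster's configuration): the warning is produced because `option forwardfor`, set in `defaults` with `mode http`, is inherited by the TCP sections, and this option cannot be switched off per section with a `no` prefix; the fix is to take it out of `defaults` and set it only in the HTTP-mode sections. Names and addresses are taken from the posted config; only the sections the warning concerns are shown.

```haproxy
# Added example, not the poster's configuration. 'option forwardfor' is not
# negatable ("no option forwardfor" is rejected by the parser), so it must not
# live in 'defaults' when some sections run in TCP mode.
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option redispatch
    retries 3
    timeout http-request 10s
    timeout connect 10s
    timeout client 1m
    timeout server 1m

# HTTP traffic: the proxy parses each request, so X-Forwarded-For can be
# inserted here. 'except 127.0.0.0/8' keeps loopback clients out of the header,
# as the original 'defaults' did.
frontend website1:443
    bind 172.16.10.99:443 ssl crt /etc/pki/tls/certificate.pem
    option forwardfor except 127.0.0.0/8
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    default_backend website1:443

backend website1:443
    balance roundrobin
    cookie SESSIONID insert indirect nocache
    # 'verify none' (kept from the posted config) skips validation of the web
    # servers' certificates; 'verify required' with 'ca-file' is the safer form
    # once the internal CA is available to the proxy.
    server web1 192.168.100.41:443 ssl check verify none cookie web1
    server web2 192.168.100.42:443 ssl check verify none cookie web2

# SIP over TCP is an opaque byte stream: there is no HTTP header to insert, and
# with 'option forwardfor' gone from 'defaults' these sections no longer
# inherit it, so the warning disappears without touching them.
frontend port.5060
    mode tcp
    option tcplog
    bind 172.16.10.100:5060
    default_backend port.5060

backend port.5060
    mode tcp
    option tcplog
    balance roundrobin
    server gw1 192.168.100.121:5060 check
    server gw2 192.168.100.122:5060 check
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` (the same check the unit's ExecStartPre runs) should then report no warnings for `port.5060` and `port.5061`.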


Concatenating strings and dynamic resolution in 2.1


I’m trying to take the incoming domain name with www.example.com and pass it to a backend server named site.example.com. I know we can use variables now and dynamic resolution with this:

http-request do-resolve

but I’m not 100% sure how to do variable manipulation in the HAProxy configuration. Does it need to be done in Lua?

This is the error I’m getting now but I’m pretty sure it’s because I’m trying to do a search and replace without do-resolve:

[ALERT] 128/124302 (66007) : parsing [haproxy.cfg:50] : 'server web-servers' : could not resolve address 'site.%[req.hdr(Host),regsub(^www.,,)]'.
[ALERT] 128/124302 (66007) : Failed to initialize server(s) addr.


global
    log         127.0.0.1 local2 debug
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    daemon
    stats socket /var/lib/haproxy/stats

resolvers mydns
  nameserver google 8.8.8.8:53
  timeout retry   1s
  hold valid 10s
  hold nx 3s
  hold other 3s
  hold obsolete 0s
  accepted_payload_size 8192

defaults
    mode                    http
    option                  httplog
    log                     global
    option                  dontlognull
    option                  http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend frontend-http

    bind *:80
    bind *:443 # ssl crt /etc/haproxy/ssl/default.pem crt /etc/haproxy/ssl

    acl redirect path_beg -i /rd
    use_backend backend-tracking if redirect

    default_backend backend-default

backend backend-default
    option forwardfor

backend backend-default
    option forwardfor
    http-response set-header X-Publishing-system website
    http-request set-header X-Target %[req.hdr(Host)]
    http-request set-header X-Hostname %[req.hdr(Host),regsub(^www.,site.,)]
    http-request web-server do-lookup(hdr(X-Hostname))

    server web-servers  web-server:80 check

backend backend-tracking
    option forwardfor
    http-response set-header X-Publishing-system redirect
    http-request set-uri %[url,regsub(^/rd,/,)]
    server web-hp www.trackingplatform.com:80 check

1 post - 1 participant


Compile error with haproxy-2.1.4 and USE_STATIC_PCRE=1 on CentOS 8


Hi
I am trying to compile haproxy 2.1.4 from source on a CentOS 8 system.
When I use the option USE_STATIC_PCRE=1, the make command fails with the following error:

/bin/ld: cannot find -lpcreposix  
/bin/ld: cannot find -lpcre  
collect2: error: ld returned 1 exit status  
make: *** [Makefile:860: haproxy] Error 1  

This is the command I use to run:
make TARGET=linux-glibc USE_LUA=1 USE_OPENSSL=1 USE_REGPARM=1 USE_PCRE=1 USE_STATIC_PCRE=1 USE_SYSTEMD=1 USE_ZLIB=1

When I remove "USE_STATIC_PCRE=1", compiling works fine.
Am I missing something?

# cat  /etc/centos-release  
CentOS Linux release 8.1.1911 (Core)  
# uname -a  
Linux testsystem1 4.18.0-147.8.1.el8_1.x86_64 #1 SMP Thu Apr 9 13:49:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux  

Many thanks
Toni

1 post - 1 participant


I want to hide destination IP and port of backend


Hi Everyone,
I am new to the HAProxy setup. I don’t know what I am doing wrong; please, if anyone can help me.
I have 2 applications (Grafana and Konga) running on the IP/port below.
Grafana => 169.144.62.128:32323
Konga => 169.144.62.128:30018
And my HAProxy server is 169.144.62.165.
I want to configure it so that when I browse the URL http://169.144.62.165/grafana it opens the Grafana application, and when I browse http://169.144.62.165/konga it opens Konga. Below is my code; I don’t know what I am doing wrong -

frontend mylab
bind 169.144.62.165:80
acl PATH_grafana path_beg -i /grafana
acl PATH_conga path_beg -i /conga
use_backend grafana-backend if PATH_grafana
use_backend conga-backend if PATH_conga

backend grafana-backend
mode http tcp
server grafana1 169.144.62.128:32323

backend conga-backend
mode http tcp
server konga1 169.144.62.128:30018

1 post - 1 participant


Basic auth vs kerberos


Hello,

I am looking for a solution to my case; thanks for your help.

I have a haproxy in front of some Windows Server backends. The WinServer backends perform a Kerberos authentication through haproxy and provide the application. This is working already.

My problem is controlling access to the proxy. I can’t use IP-based control, because some of my test users have daily switching IPs.
So I tried a basic auth in haproxy. I created a userlist and the appropriate acl in the frontend:
acl authorized http_auth(basic-auth-list)
http-request auth realm protected if !authorized
This works too, but breaks Kerberos auth, because the Authorization header in the request is changing and the Win backends deny access.
I am looking for a way to combine these auths, so basic auth in the frontends and reuse of the original Authorization header to the backends.

Thanks,
Hajo

1 post - 1 participant


HAProxy (v2.1) authorization header direct to different backend


Hi Guys,

I am trying to convert the following Nginx code into HAProxy but seem to be having trouble figuring it out and wonder if someone could point me in the right direction.

The code below is taken from Nginx, and all it does is look for the Authorization header; if the regex matches, it will direct you to the matched backend.

server {
    listen 80;
    location / {
        proxy_set_header Host $http_host;
        if ($http_authorization ~* "^AWS4-HMAC-SHA256 Credential=ROML2P775VPAT7RLPOWU") {
            # proxy the request to Minio-1
            proxy_pass http://localhost:9001;
        }
        if ($http_authorization ~* "^AWS4-HMAC-SHA256 Credential=ENT3GYJCKCD1Q79XLP4C") {
            # proxy the request to Minio-2
            proxy_pass http://localhost:9002;
        }
        if ($http_authorization ~* "^AWS4-HMAC-SHA256 Credential=C988WQ23D98207ELOLPW") {
            # proxy the request to Minio-3
            proxy_pass http://localhost:9003;
        }
    }
}

This code was originally taken from https://github.com/krishnasrinivas/wikinotes/wiki/Minio-Multi-tenancy as I am trying to do multi tenancy with MinIO but using HAProxy to do the proxying.

If anyone has an idea or where to start, I would love to hear from you.

Kind Regards,

Majestic

3 posts - 2 participants

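As an added example, not from the original post or the wiki it cites, one HAProxy equivalent of the nginx block above. The access key IDs and MinIO ports are those in the nginx config; the backend names, the frontend name and the presigned-URL ACLs (which the nginx block does not have) are assumptions.

```haproxy
# Added example (not from the original post). nginx tests the Authorization
# header with a regex; HAProxy does the same with an ACL on req.hdr().
# '-m beg' is a plain prefix match, so nothing needs regex escaping.
frontend minio_in
    bind *:80
    mode http
    option httplog

    # Signature V4 requests start the header with the tenant's access key ID.
    acl tenant1 req.hdr(Authorization) -m beg "AWS4-HMAC-SHA256 Credential=ROML2P775VPAT7RLPOWU"
    acl tenant2 req.hdr(Authorization) -m beg "AWS4-HMAC-SHA256 Credential=ENT3GYJCKCD1Q79XLP4C"
    acl tenant3 req.hdr(Authorization) -m beg "AWS4-HMAC-SHA256 Credential=C988WQ23D98207ELOLPW"

    # Presigned URLs carry the key in the X-Amz-Credential query parameter
    # instead of the header (an addition beyond the nginx block). ACL lines
    # sharing a name are ORed, so either form selects the tenant.
    acl tenant1 url_param(X-Amz-Credential) -m beg ROML2P775VPAT7RLPOWU
    acl tenant2 url_param(X-Amz-Credential) -m beg ENT3GYJCKCD1Q79XLP4C
    acl tenant3 url_param(X-Amz-Credential) -m beg C988WQ23D98207ELOLPW

    # The key ID is an unauthenticated claim: routing on it only decides which
    # MinIO instance verifies the signature, and a forged ID fails there.
    # Requests naming no known tenant are refused here instead of being sent
    # to any instance (nginx silently falls through to a location without
    # proxy_pass). http-request rules run before use_backend.
    http-request deny deny_status 403 unless tenant1 or tenant2 or tenant3

    use_backend minio1 if tenant1
    use_backend minio2 if tenant2
    use_backend minio3 if tenant3

# No 'proxy_set_header Host $http_host' equivalent is needed: HAProxy passes
# the client's Host header to the server unchanged.
backend minio1
    server minio1 127.0.0.1:9001 check

backend minio2
    server minio2 127.0.0.1:9002 check

backend minio3
    server minio3 127.0.0.1:9003 check
```

Because every header comparison is a fixed prefix, `-m beg` is also cheaper than the `-m reg` the nginx `~*` would translate to, and it is case-sensitive; the access key ID is case-sensitive in Signature V4, so that is the desired behaviour.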

Haproxy-lua-http example


Hi all,

I found this repository for sending HTTP requests from a Lua script, but I didn’t find any example. Do you know how I should use this library in my Lua script?

1 post - 1 participant


Convert current ssl certificate crt to pem


Hello,

I have a wildcard certificate from GoDaddy working now on a Linux server, and I want to move it to the haproxy server and convert it to pem; until now no luck.

I tried to cat the crt and key into one pem file, but it is not working.
Any help please?


Thanks.

1 post - 1 participant



Nodejs express web backend behind haproxy


I am trying to set up a backend with nodejs and haproxy. The problem is that, when using haproxy, when you access a page, it loads, but sometimes other resources (js, css, etc.) will not load (Err: Connection refused in Chrome, failed to load … in Firefox).

It seems that adding option http-server-close in haproxy configuration file solves the problem, but why is this happening? As far as I am aware, nodejs supports keepalive and enqueues requests. What am I missing?

Thanks.

I asked this on stackoverflow here.

1 post - 1 participant


ACL based on JWT resource access


Hi, how can I allow requests based on the resource access decoded from a JWT token?

This is the decoded resource_access:
{ ["app1"] = { ["roles"] = { [1] = ROLE_WRITE,} ,} ,["app2"] = { ["roles"] = { [1] = ROLE_WRITE,[2] = ROLE_READ,} ,} ,["app3"] = { ["roles"] = { [1] = ROLE_READ,} ,} ,}

I need to allow requests to a specific endpoint when the app has read access in the JWT token.

Best Regards

2 posts - 2 participants


Latency introduced when reloading HAP every 15 seconds


We have a use case in which we need to reload HAP every 15 seconds. For every reload, the latency shoots up to 12ms. Normal latency is 7ms at 32k req/s.

Below is what I have tried -

  • On the same host, I started two HAP processes identical to each other with peers config.

The backend/frontends have the same name but listen addresses are different.

Example -

HAP1

frontend test80
    bind 1.1.1.3:80 

HAP2

frontend test80
   bind 1.1.1.4:80  

The actual VIP for this frontend is different; I am using iptables to NAT the requests to one of the two HAP processes on the same host.

Initial NAT is configured in such a way that every request that comes to the VIP will be sent to HAP1.

When we need to reload, we add a new rule to NAT all requests to HAP2’s frontend and remove the old NAT rule.

Then we reload HAP1, as now the requests are being processed by HAP2 as per the NAT rule.

But we still see the latency during the reload to be the same.

Any thoughts on how we can reduce the reload latency will be really helpful.

Thanks

1 post - 1 participant


HTTP2 not speed up


Hi,

I’ve been testing HTTP2 in haproxy 1.8, and it seems HTTP2 is not faster than HTTP1.1 in haproxy.

Here are the test results:

HTTP2

root@client9:~# h2load -n 1000000 -c 10 -m 20 https://www.example.com
starting benchmark...
spawning thread #0: 10 total client(s). 1000000 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
Application protocol: h2
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done

finished in 32.96s, 30338.35 req/s, 21.84MB/s
requests: 1000000 total, 1000000 started, 1000000 done, 1000000 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1000000 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 720.02MB (755000240) total, 119.21MB (125000000) headers (space savings 32.80%), 583.65MB (612000000) data
                     min         max         mean         sd        +/- sd
time for request:      736us     29.84ms      5.62ms      1.37ms    68.33%
time for connect:     3.95ms      7.62ms      5.78ms      1.36ms    60.00%
time to 1st byte:     6.31ms     13.75ms      9.17ms      2.63ms    60.00%
req/s           :    3033.88     4628.95     3653.63      663.31    90.00%
root@client9:~#

HTTP1.1

root@client9:~# h2load -n 1000000 -c 10 -m 20 https://www.example.com
starting benchmark...
spawning thread #0: 10 total client(s). 1000000 total requests
TLS Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Server Temp Key: ECDH P-256 256 bits
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
Application protocol: http/1.1
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
No protocol negotiated. Fallback behaviour may be activated
Server does not support NPN/ALPN. Falling back to HTTP/1.1.
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done

finished in 22.86s, 43738.68 req/s, 34.83MB/s
requests: 1000000 total, 1000000 started, 1000000 done, 1000000 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1000000 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 796.32MB (835000000) total, 167.85MB (176000000) headers (space savings 0.00%), 583.65MB (612000000) data
                     min         max         mean         sd        +/- sd
time for request:     1.24ms     22.40ms      4.40ms      1.40ms    78.87%
time for connect:     3.62ms     15.69ms      8.56ms      3.89ms    80.00%
time to 1st byte:     5.92ms     21.85ms     13.02ms      5.01ms    70.00%
req/s           :    4373.94     4839.08     4549.50      154.24    60.00%
root@client9:~#
root@haproxy-1-6:~# ./haproxy-1.8.25/haproxy -v
HA-Proxy version 1.8.25 2020/04/02
Copyright 2000-2020 Willy Tarreau <willy@haproxy.org>

root@haproxy-1-6:~#
root@haproxy-1-6:~# diff haproxy.cfg haproxy.http2.cfg
15a16,17
>         # log 127.0.0.1   local0 info
>
58c60,61
<         bind *:443 ssl crt-list /usr/local/etc/cert_list_lbl-afusldyn no-sslv3
---
>         bind *:443 ssl crt-list /usr/local/etc/cert_list_lbl-afusldyn no-sslv3 alpn h2,http/1.1
>         # bind *:443 ssl crt-list /usr/local/etc/cert_list_lbl-afusldyn no-sslv3 alpn http/1.1,h2
root@haproxy-1-6:~#

Also, what bothers me is that HTTP2 requires the web server to be tuned to speed up web load, like ngx_http_v2_module in nginx, where we need to configure http2_push to enable the server push feature of HTTP2.
So as a pure proxy, is it helpful to enable H2 in haproxy? Can haproxy speed up web load using H2? Is H2 in haproxy still incomplete?

1 post - 1 participant


503 Service Unavailable


Hello,

I am trying to configure Haproxy on pfSense, which has two backend web servers. In /services/Haproxy/Stats/ the servers are present and working. My file /var/log/haproxy.log/ is empty… I do not know why, but I always arrive on a page: 503 Service Unavailable when I try to access a web page on one of the servers in the backend. Here is my file /var/etc/haproxy/haproxy.cfg:

# Automaticaly generated, dont edit manually.
# Generated on: 2020-05-13 17:03
global
    maxconn 100000
    log /var/log/jm syslog info
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname haproxy1
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 4
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend Shared-frontend-merged
    bind 51.79.9.180:443 name 51.79.9.180:443 ssl crt-list /var/etc/haproxy/Shared-frontend.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl aclcrt_Shared-frontend var(txn.txnhost) -m reg -i ^bravad-dev5.com(:([0-9]){1,5})?$
    acl Prod1 var(txn.txnhost) -m str -i bravad-dev5.com
    http-request set-var(txn.txnhost) hdr(host)
    use_backend OVHPHP_ipv4 if Prod1

Thx!

1 post - 1 participant


Failed to start HAProxy Load Balancer


root@Test-QA:/etc/haproxy# service haproxy start
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.

root@Test-QA:/etc/haproxy# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-05-14 16:18:01 IST; 9min ago
     Docs: man:haproxy(1)
           file:/usr/share/doc/haproxy/configuration.txt.gz
  Process: 8564 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=1/FAILURE)
  Process: 8553 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
 Main PID: 8564 (code=exited, status=1/FAILURE)

May 14 16:18:01 Test-QA systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
May 14 16:18:01 Test-QA systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
May 14 16:18:01 Test-QA systemd[1]: Stopped HAProxy Load Balancer.
May 14 16:18:01 Test-QA systemd[1]: haproxy.service: Start request repeated too quickly.
May 14 16:18:01 Test-QA systemd[1]: haproxy.service: Failed with result 'exit-code'.
May 14 16:18:01 Test-QA systemd[1]: Failed to start HAProxy Load Balancer.

1 post - 1 participant


Load balancing a dynamic cluster of IP addresses


Hi! I hope you’re all doing well.

I’ve got a HAProxy setup which runs on the edge of our cluster brilliantly. I’ve built in failover using PCS and it’s been absolutely solid.

Within our cluster we’ve traditionally had X number of nodes, each referenced in the configuration as below. The proxy also performs TLS termination (hence HTTP mode rather than TCP’ing it through).

backend web

    mode http
    balance leastconn
    option tcp-check
    # default-server check-send-proxy send-proxy check port 2443 fall 3 rise 2
    default-server port 80 check port 443 fall 3 rise 2 send-proxy
    reqadd X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Port:\ 443

    server web01 192.168.1.20:80
    server web02 192.168.1.21:80
    server web03 192.168.1.22:80

In the above instance, I know that we have three nodes on their respective IPs, .20, .21 & .22. However, we are now looking at a new solution which can spawn nodes at any point, on any address in the range .20 - .50. Is there an easy/suggested way to handle this use case?

I’m imagining I’ll still have to configure each node like the above configuration, but we’d expect a majority of them to appear offline. Is there a way to not show down status but mark the absent nodes as backups, and then, when they come online, automatically make them active nodes?

What I ideally don’t want is a sea of red on the status page, as most of the IPs are unallocated and unresponsive.

Thanks!

1 post - 1 participant



Halog parsing of custom log format


Hello,

I have a custom log format configured for my HAProxy and want to use halog to parse the log files. I couldn’t find any way to provide my custom format to halog. Does anyone know if it is possible to parse my custom log messages from /var/log/haproxy.log using halog?

If not, is it possible to log multiple log formats in the same file (one line for my syslog server and one line to be used by halog for parsing)?

1 post - 1 participant


Cannot bind socket


Hi @lukastribus
I am facing the below error when executing service haproxy start:
[ALERT] 134/202644 (3712) : Starting proxy mysql-cluster: cannot bind socket [127.0.0:3306]

1 post - 1 participant


SSL passthrough issue


Hi all,

I’m having an issue in moving a company’s application from SSL termination to SSL passthrough on HAproxy. The application is composed of 2 servers: the frontend, which has a webpage that displays a gadget coming from the backend, and the backend, which has the final gadget webpage. When I have HAproxy in SSL termination I am able to access both the backend and frontend servers without issues, and this is how the accesses are logged:

Backend directly:

May 14 12:40:19 CLB11-LAB2-1 haproxy[16068]: 192.168.151.32:51643 [14/May/2020:12:40:19.473] global_https_front~ https_back_ece/ECE1-LAB2-1 0/0/2/9/11 200 1956 - - --NN 1/1/0/0/0 0/0 "GET /system/templates/finesse/gadget/agent/ece.xml HTTP/1.1"

Frontend via gadget:

May 14 12:42:24 CLB11-LAB2-1 haproxy[16068]: 192.168.151.32:51799 [14/May/2020:12:42:24.807] global_https_front~ https_back_ece/ECE1-LAB2-1 0/0/1/5/6 200 50942 - - --VN 1/1/0/0/0 0/0 "GET /system/web/apps/shared/fonts/egainicons.woff HTTP/1.1"

*note: in the frontend log I can see that the connection is coming from my computer (192.168.151.32)

When I switch the configuration to SSL passthrough, the backend direct access works fine but then the access via front-end stops working, showing the following logs:

Backend directly:

May 14 12:47:10 CLB11-LAB2-1 haproxy[16093]: 192.168.151.32:51955 [14/May/2020:12:45:11.346] https_in https_back_ece/ECE1-LAB2-1 1/0/118823 19700 -- 1/1/0/0/0 0/0
May 14 12:47:16 CLB11-LAB2-1 haproxy[16093]: 192.168.151.32:52046 [14/May/2020:12:47:16.496] https_in https_back_ece/ECE1-LAB2-1 3/1/107 2037 SD 1/1/0/0/0 0/0

Frontend via gadget:

May 14 12:46:37 CLB11-LAB2-1 haproxy[16093]: 172.20.104.30:52894 [14/May/2020:12:46:37.832] https_in https_in/ -1/-1/0 0 SC 2/2/0/0/0 0/0

*note: in the frontend log the connection is coming from the frontend server and not my computer

Here my HAproxy config:

global
    log /dev/log local0 debug
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 2000

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    #option forwardfor
    option redispatch
    option http-server-close
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout tunnel 3600s
    timeout http-keep-alive 1s
    timeout http-request 15s
    timeout queue 30s
    timeout tarpit 60s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http_in
    mode http
    option httplog
    bind *:80
    option forwardfor
    redirect scheme https if !{ ssl_fc }

frontend https_in
    mode tcp
    option tcplog
    bind *:443
    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 5s
    tcp-request content accept if tls
    stats uri /haproxy?stats

    acl host_ece req.ssl_sni -i ece.lab2.domain.com
    use_backend https_back_ece if host_ece

backend https_back_ece
    mode tcp
    option tcplog
    option ssl-hello-chk
    option httpchk HEAD /default
    http-check expect ! rstatus ^5
    cookie JSESSIONID prefix nocache
    default-server inter 3000 fall 2
    server ECE1-LAB2-1 172.20.206.45:443 check check-ssl verify none cookie s1
    server ECE2-LAB2-1 172.21.206.45:443 check check-ssl backup verify none cookie s2

Is it due to the fact that the connection is passing through HAproxy and it cannot process the HTTP GET request? Any idea of what could cause this issue?

Thank you!

1 post - 1 participant


Custom 503 with included image


I have an HAProxy setup that is working correctly for serving a custom 503, except for images and ref-sheets.

Inside the .http file I have the following, which isn’t loading:

> <a class="navbar-brand" href="#"><img class="header-logo" alt="Brand Logo" title="Brand Logo" src="images/standard-logo.png"></a>

src is in -> /errorfiles/images

I have also tried the fully-qualified path, but am met with the same outcome. Is it possible to load images in the error page?

1 post - 1 participant


Https Frontend to Http backend 400 (BAD REQUEST)


Hello, I have an https/http frontend which accesses an http backend.
Basically I want to limit the frontend to https. The problem, however, is that the web service repeatedly generates a POST 400 (BAD REQUEST) error when called via https when I open the page in my web browser.

Here is my configuration:

global
	maxconn			5000
	log			/var/run/log	local0	debug
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state
	

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend NachOpenVPN_HTTPS-aus_LAN
	bind			10.4.4.239:443 name 10.4.4.239:443  no-sslv3 ssl crt-list /var/etc/haproxy/NachOpenVPN_HTTPS-aus_LAN.crt_list
	bind			10.4.4.239:80 name 10.4.4.239:80	
	mode			http
	log			global
	option			socket-stats
	option			log-separate-errors
	option			httplog
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		7200000
	acl			DL_thorstenACL	var(txn.txnhost) -m str -i vpn.schulte-batenXXX.de
	http-request set-var(txn.txnhost) hdr(host)
	use_backend DLthorsten-ohne-passwort_ipvANY  if  DL_thorstenACL aclcrt_NachOpenVPN_HTTPS-aus_LAN


backend DLthorsten-ohne-passwort_ipvANY
	mode			http
	id			106
	log			global
	stick-table type ip size 50k expire 30m
	stick on src
	timeout connect		30000
	timeout server		30000
	retries			3
	server			DL_Thorsten 10.4.4.10:1731 id 111

Log from haproxy:

May 15 05:54:47 haproxy[92018]: 10.4.4.241:62950 [15/May/2020:05:54:47.424] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/5/5 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU63L&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:47 haproxy[92018]: 10.4.4.241:62881 [15/May/2020:05:54:17.061] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/-1/30027 504 218 - - sH-- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=N8MT-fV&sid=2fc24b8c6e3d4a2d8ac1850799d3b1b7 HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:46.763] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/5/5 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU5va&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62948 [15/May/2020:05:54:46.652] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/1/5/8 101 138 - - ---- 7/7/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=websocket&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:44.220] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/2242/2245 200 59965 - - ---- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=N8MU3d3 HTTP/1.1"
May 15 05:54:44 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:44.205] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/1/7/8 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU37u&sid=7fe4c58f5d7a4297a1f9ca307c0eef55 HTTP/1.1"
May 15 05:54:44 haproxy[92018]: 10.4.4.241:62868 [15/May/2020:05:54:14.142] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/-1/30028 504 218 - - sH-- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=N8MTzxt&sid=0c793cecac2245c3b28d6ee7901c2f7f HTTP/1.1"
May 15 05:54:35 haproxy[92018]: 10.4.4.241:62921 [15/May/2020:05:54:34.965] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/4/44 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU31C&sid=7fe4c58f5d7a4297a1f9ca307c0eef55 HTTP/1.1"
May 15 05:54:34 haproxy[92018]: 10.4.4.241:62923 [15/May/2020:05:54:34.930] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/1/6/8 101 138 - - ---- 7/7/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=websocket&sid=7fe4c58f5d7a4297a1f9ca307c0eef55 HTTP/1.1"

haproxy -vv

[2.4.4-RELEASE][root@pfSense.localdomain]/root: haproxy -vv
HA-Proxy version 2.0.14 2020/04/02 - https://haproxy.org/
Build options :
  TARGET  = freebsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-ignored-qualifiers -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wtype-limits -Wshift-negative-value -Wnull-dereference -DFREEBSD_PORTS
  OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_REGPARM=1 USE_STATIC_PCRE=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1

Feature list : -EPOLL +KQUEUE -MY_EPOLL -MY_SPLICE -NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM +STATIC_PCRE -STATIC_PCRE2 +TPROXY -LINUX_TPROXY -LINUX_SPLICE +LIBCRYPT -CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA -FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY -TFO -NS -DL -RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER -PRCTL -THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.0.2t-freebsd  10 Sep 2019
Running on OpenSSL version : OpenSSL 1.0.2o-freebsd  27 Mar 2018 (VERSIONS DIFFER!)
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.43 2019-02-23
Running on PCRE version : 8.43 2019-02-23
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes

Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE        mux=H2
              h2 : mode=HTX        side=FE|BE     mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services : none

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace

Log from Chrome:
VM41:1 POST https://vpn.schulte-batenXXX.de/socket.io/?EIO=3&transport=polling&t=N8MUv9n&sid=546c263979164fca9e7eae654fa4d92c 400 (BAD REQUEST)

If I open the page via http only, there are no problems.
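As an added example (not part of the post, and not HAProxy's own code): the log lines above use HAProxy's default `option httplog` layout, and three fields in them carry most of the diagnostic value: the `~` after the frontend name (the client connection was TLS), a `Tr` timer of `-1` (no response headers were ever received from the server) and the termination state `sH--` (server-side timeout while the proxy was waiting for response headers). With `timeout server 30000` in the backend, a total time of 30027 ms on the 504 lines is consistent with that timeout firing, whereas the 400 lines terminate normally (`----`) after a few milliseconds, so that status comes from the application itself. The parser below decodes those fields and counts such events; it runs over constructed sample lines in the same layout (frontend, backend, server names, ports and session ids are made up), and the `timeout_server_ms` parameter is an assumption that mirrors the config value.

```python
"""Parse HAProxy 'option httplog' lines and decode the termination state."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the default HTTP log layout (names/ids made up).
SAMPLE_LOG = """\
May 15 05:54:47 haproxy[92018]: 10.4.4.241:62950 [15/May/2020:05:54:47.424] fe_https~ be_app/srv1 0/0/0/5/5 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=AAAA&sid=1111 HTTP/1.1"
May 15 05:54:47 haproxy[92018]: 10.4.4.241:62881 [15/May/2020:05:54:17.061] fe_https~ be_app/srv1 0/0/0/-1/30027 504 218 - - sH-- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=BBBB&sid=2222 HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62948 [15/May/2020:05:54:46.652] fe_https~ be_app/srv1 0/0/1/5/8 101 138 - - ---- 7/7/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=websocket&sid=1111 HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:44.220] fe_http be_app/srv1 0/0/0/2242/2245 200 59965 - - ---- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=CCCC HTTP/1.1"
"""

# Layout (HAProxy 2.0 httplog):
#   client:port [accept_date] frontend[~] backend/server TR/Tw/Tc/Tr/Ta
#   status bytes req_cookie resp_cookie term actconn/feconn/beconn/srvconn/retries
#   srv_queue/backend_queue "request"
LOG_RE = re.compile(
    r'(?P<client_ip>[\d.]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+?)(?P<tls>~?) '          # trailing '~' marks a TLS connection
    r'(?P<backend>[^/ ]+)/(?P<server>\S+) '
    r'(?P<tr_req>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr_resp>-?\d+)/(?P<ta>-?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) '
    r'"(?P<request>[^"]*)"'
)

# First termination-state character: why the session ended.
TERM_CAUSE = {"-": "normal termination", "C": "client aborted", "c": "client-side timeout",
              "S": "server aborted or refused", "s": "server-side timeout",
              "P": "proxy blocked or rejected", "R": "resource exhaustion on proxy",
              "I": "internal proxy error", "K": "killed by administrator",
              "L": "local proxy response", "D": "killed (server went down)",
              "U": "killed (server came up)"}
# Second character: what the session was doing at that moment.
TERM_STATE = {"-": "normal", "R": "waiting for client REQUEST", "Q": "in QUEUE",
              "C": "CONNECTING to server", "H": "waiting for server response HEADERS",
              "D": "in DATA phase", "L": "sending LAST data to client", "T": "in TARPIT"}


@dataclass
class LogEntry:
    client_ip: str
    frontend: str
    tls: bool
    backend: str
    server: str
    tr_resp: int   # Tr: time to server response headers, -1 if never received
    ta: int        # Ta: total active time of the request in ms
    status: int
    term: str      # 4-character termination state
    retries: int
    request: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry for a httplog line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return LogEntry(client_ip=g["client_ip"], frontend=g["frontend"], tls=(g["tls"] == "~"),
                    backend=g["backend"], server=g["server"], tr_resp=int(g["tr_resp"]),
                    ta=int(g["ta"]), status=int(g["status"]), term=g["term"],
                    retries=int(g["retries"]), request=g["request"])


def explain_termination(term: str) -> str:
    """Decode the first two termination-state characters into plain words."""
    cause = TERM_CAUSE.get(term[0], f"unknown cause '{term[0]}'")
    state = TERM_STATE.get(term[1], f"unknown state '{term[1]}'")
    return f"{cause}; session was {state}"


def is_server_header_timeout(e: LogEntry, timeout_server_ms: int) -> bool:
    """True when 'timeout server' expired before any response header arrived."""
    return e.term[:2] == "sH" and e.tr_resp == -1 and e.ta >= timeout_server_ms


def summarize(log_text: str, timeout_server_ms: int = 30000) -> dict:
    """Count statuses, TLS requests, WebSocket upgrades and server header timeouts."""
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    return {"parsed": len(entries),
            "by_status": dict(Counter(e.status for e in entries)),
            "tls_requests": sum(e.tls for e in entries),
            "upgrades": sum(e.status == 101 for e in entries),
            "server_timeouts": sum(is_server_header_timeout(e, timeout_server_ms)
                                   for e in entries)}


if __name__ == "__main__":
    for ln in SAMPLE_LOG.splitlines():
        e = parse_line(ln)
        print(e.status, e.term, "->", explain_termination(e.term))
    print(summarize(SAMPLE_LOG))
```

Run over a real log, the same summary makes a useful per-backend health signal: a rising count of `sH` terminations points at the server (or a server timeout set shorter than the application's long-polling interval), while `----` lines with a 4xx status are the application answering normally and need to be traced on the backend, not in the proxy.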
