Channel: HAProxy community - Latest topics

HAProxy Losing Connection to Windows Server

@jbuk wrote:

Hi, I’m running haproxy 1.5.18 on CentOS and it is load balancing a couple of Windows Server 2016 machines. I’m hitting an issue whereby if I try and run a vulnerability scan e.g. from Qualys, after a while the Windows Server becomes inaccessible to the HAProxy. I can’t ping it or access websites from the haproxy but connections to it are available from other devices. Then, when the scans stop, after a while the connectivity returns. The config is similar to this:

global
    log       127.0.0.1 local2

    chroot	/var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     100000
    user        hap
    group	hap
    daemon

    stats socket /var/lib/haproxy/stats


defaults
    log                     global
    option                  dontlognull
    option http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          60m
    timeout server          60m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 5000

frontend 1.2.3.4-http
        bind    1.2.3.4:80
        reqadd X-Forwarded-Proto:\ http
        mode    http
        option  forwardfor except 127.0.0.1/8
        option httplog
        option http-server-close
        timeout http-request    10s
        timeout http-keep-alive 10s
        use_backend scan-test

frontend 1.2.3.4-https
        bind    1.2.3.4:443 ssl crt /etc/certs/cert1.pem
        reqadd X-Forwarded-Proto:\ https
        mode    http
        option  forwardfor except 127.0.0.1/8
        option httplog
        option http-server-close
        timeout http-request    10s
        timeout http-keep-alive 10s
        use_backend scan-test

backend scan-test
        balance         leastconn
        cookie          serverid insert
        mode            http
        option httpchk GET /pagemonitor.txt
        http-check expect rstatus ([2-3][0-9][0-9])
        server          server1_http 192.168.1.101:80 cookie 1 check inter 30000
        server          server2_http 192.168.1.102:80 cookie 2 check inter 30000

Has anyone experienced this issue before?

Posts: 3

Participants: 2

Can HAProxy do this?

@TSupport wrote:

Hi,

We were trying to set up nginx as a reverse proxy for our network, but in my searching for answers to a problem I have been told that HAProxy would be the better tool. What we are trying to do is this: we have multiple servers behind 1 IP address that we want to serve via domains. The 2 main issues are: 1 server is an Exchange server, for which nginx does not pass the logins correctly; the 2nd server is no SSL, only HTTP, but we want to have HAProxy do SSL and then pass to HTTP.

From what I have read, for the Exchange server we need to do SSL passthrough, but for the second server, we need to do SSL termination. Can these be configured on one copy of HAProxy?

  1. CLIENT (https) --> (https) HAPROXY --> (https) EXCHANGE SERVER
  2. CLIENT (https) --> (https) HAPROXY --> (http) WEBSITE

I just wanted to find out if this is possible before I get too far. Any suggestions or examples would be welcomed.

Thanks.

Posts: 1

Participants: 1

Poor man's stickiness

@simonuk1 wrote:

We have an application that isn’t stateless, but I still want to have some spreading of the load.
It has web and app servers behind web and app haproxy clusters.
I was going to load / stick the web frontend based on source IP. However, the web servers have to talk to the same app servers for the whole of the user’s session.

Anyone have any thoughts on how to do this?

Posts: 2

Participants: 2

Connection refused

@Gianfranco wrote:

Good morning everyone.

I have a problem with a machine behind a proxy configured with haproxy. In haproxy I configured http://example.com to redirect to https://example.com, and https://example.com to go to 192.168.2.11 on port 80. On the 192.168.2.11 machine I only opened port 80. On my machine 192.168.2.11, when I run

wget https://example.com

it gives me a refused connection. When I run the wget from outside, the connection is successful.

To solve this, I entered the following in /etc/hosts on 192.168.2.11:

192.168.2.11 example.com

I enabled port 443, added the virtualhost in apache. Now the connection works but I do not like this solution, it does not seem to me the correct one.

Posts: 1

Participants: 1

Source directive based on outgoing family

@crisrodrigues wrote:

Hi,

Does anybody know if it’s possible to emit multiple “source” (for source IP binding) directives and have them used based on the outgoing family?

So we’d have:

source ipv4@<ipv4 address>
source ipv6@<ipv6 address>

And haproxy would smartly choose depending if the backend declaration (or resolver response) is AF_INET or AF_INET6?

Thanks!

Posts: 1

Participants: 1

Installation failover

Logformat difference between %t and %trl

@rhada wrote:

Hello,

We are encountering some sorting issues with our haproxy logs.

Actually we are using this log-format line:
log-format %ci:%cp\ [%trl]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ \ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r

The logs are then shipped with filebeat to our ELK, using the %trl field to sort them.

Under high flow we can get a lot of requests/sec and logs arrive at Elastic mis-ordered.

After a quick look in the doc I see:

| | %t | date_time (with millisecond resolution) | date |

And

| H | %trl | local_date_time of start of HTTP request | date |

Can someone explain the difference between these 2 params? What we need is the date the request starts.

Thank you for your help :slight_smile:

Posts: 1

Participants: 1

Tcp-connect with set-mark

@crisrodrigues wrote:

Hi,

We use http-request set-mark directive to add a mark to inform routing decisions.

But now we’re trying to check backend connections with the following:

defaults
    option tcp-check

backend b
    tcp-check connect
    server ...

But that tcp-check isn’t getting marked at all (obvious since we mark it using http-request set-mark) but we can’t seem to find a way to have those checks have the same mark as the requests.

Since without that mark the routing decision is wrong, the backend is always declared as DOWN… which wouldn’t happen if we could properly either mark the connection or have our source IP address set like we asked here:

https://discourse.haproxy.org/t/source-directive-based-on-outgoing-family/3501/2

Is there any way to achieve the Netfilter mark for TCP checks?

Posts: 1

Participants: 1

100+ haproxy processes

@kotarusv wrote:

Hi

We recently started seeing 100+ haproxy processes running. This is quite a surprise and we never saw this behaviour in the past. Wondering what might have caused this behaviour?

$ ps -ef | grep haproxy | wc -l
128

root 2888 21695 3 Feb11 ? 01:14:24 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg -sf 355 356 28 49 47 29 116 115 44 97 48 7 26 57 341 342 80 41 337 338 43 19 234 24 70 50 13 37 16 23 225 228 223 152 154 224 151 153 226 318 315 316 149 142 150 312 147 35 36 145 69 141 303 304 31 61 299 14 205 146 295 296 293 294 291 292 289 137 138 288 25 59 283 284 281 282 279 280 134 133 129 132 196 130 191 128 187 127 27 192 265 131 263 264 186 185 183 188 257 184 255 20 8 52 119
root 2889 21695 3 Feb11 ? 01:06:51 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg -sf 355 356 28 49 47 29 116 115 44 97 48 7 26 57 341 342 80 41 337 338 43 19 234 24 70 50 13 37 16 23 225 228 223 152 154 224 151 153 226 318 315 316 149 142 150 312 147 35 36 145 69 141 303 304 31 61 299 14 205 146 295 296 293 294 291 292 289 137 138 288 25 59 283 284 281 282 279 280 134 133 129 132 196 130 191 128 187 127 27 192 265 131 263 264 186 185 183 188 257 184 255 20 8 52 119
root 2929 21695 0 Feb06 ? 00:08:55 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg -sf 143 144 141 142 61 31 137 138 25 59 133 134 131 132 129 130 127 128 27 57 20 8 52 29 119 7 49 47 115 116 80 28 48 26 24 43 41 23 44 50 69 13 16 70 37 19 97 35 36 14
root 2930 21695 0 Feb06 ? 00:09:22 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg -sf 143 144 141 142 61 31 137 138 25 59 133 134 131 132 129 130 127 128 27 57 20 8 52 29 119 7 49 47 115 116 80 28 48 26 24 43 41 23 44 50 69 13 16 70 37 19 97 35 36 14
root 3423 21695 3 Feb02 ? 09:06:39 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg -sf 17 18 15 16 13 14 8 7
root 3424 21695 4 Feb02 ? 10:31:45 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg -sf 17 18 15 16 13 14 8 7
root 3894 21695 0 Feb08 ? 00:18:43 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg -sf 289 290 287 288 25 59 283 284 281 282 279 280 134 133 129 132 196 130 191 128 187 127 27 192 265 131 263 264 186 185 183 188 257 184 255 20 8 52 119 57 7 29 47 115 116 49 44 28 97 48 26 80 41 23 19 37 43 234 24 70 50 13 16 228 225 226 223 224 154 152 153 151 142 149 150 147 35 145 36 69 141 14 31 61 205 146 137 138

Don’t understand what the numbers attached to the processes after -sf are. Never saw these numbers in our environment so far.

global
daemon
pidfile /var/run/haproxy-ssl.pid
log 127.0.0.1 local0 info
log 127.0.0.1 local1 notice
maxconn 20000
stats socket /var/run/haproxy-ssl.stat mode 600 level admin
stats timeout 2m
nbproc 2
ca-base /opt/haproxy/ssl/ca/
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
log global
stats enable
mode http
option forwardfor except 127.0.0.0/8
option dontlognull
option httplog clf
balance roundrobin
retries 3
maxconn 20000
timeout http-keep-alive 60s
timeout client 10m
timeout server 10m
timeout queue 1m
timeout connect 10s
timeout check 10s
timeout http-request 10s

   errorfile 503 /opt/haproxy/errors/503.html
   errorfile 400 /opt/haproxy/errors/400.html
   errorfile 403 /opt/haproxy/errors/403.html
   errorfile 500 /opt/haproxy/errors/500.html
   errorfile 502 /opt/haproxy/errors/502.html
   errorfile 504 /opt/haproxy/errors/504.html
   errorfile 408 /dev/null

frontend ssl_server
mode http
# Redirect routes from 80 to 443 (in case they try to come in on http://)
bind *:80
# Disable TLS v1.0 for CAE-2676
bind *:443 ssl no-tlsv10 crt /opt/haproxy/ssl/certs alpn h2,http/1.1
monitor-uri /proxy.html
log-format [%pid]\ [%Ts.%ms]\ %ac/%fc/%bc/%bq/%sc/%sq/%rc\ %Tq/%Tw/%Tc/%Tr/%Tt\ %tsc\ %ci:%cp\ %fi:%fp\ %si:%sp\ %ft\ %sslc\ %sslv\ %{+Q}r\ %ST\ %b:%s\ "%CC"\ "%hr"\ "%CS"\ "%hs"\ req_size=%U\ resp_size=%B
unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
unique-id-header X-Unique-ID

# Redirect routes from 80 to 443 (in case they try to come in on http://)
redirect scheme https code 308 if !{ ssl_fc }
default_backend apache_rp

backend apache_rp
default-server maxconn 3200 inter 2s fall 1 rise 3
server RP_0 server1:443 check ssl verify none
server RP_1 server2:443 check ssl verify none
server RP_2 server3:443 check ssl verify none

listen stats
bind *:8000
mode http
stats enable
stats hide-version

The only changes we made recently were to enable HTTP/2 support and set nbproc to 2.

Out of 16 GB memory, HAProxy is consuming 12 GB and that is a surprise.

$ ps -eo rss,command --sort -size | grep haproxy | awk '{ hr=$1/1024 ; sum +=hr} END {print sum}'
15352.9

Any idea what is happening here? Really appreciate any pointers.

Posts: 1

Participants: 1

Bind dynamic option for Linux

@mathieuh wrote:

I’m trying to find a way to have HAProxy automatically bind to an address when the address is added to an interface by the system.
I want HAProxy to listen to all the addresses of an interface. I don’t want to listen to the wildcard address. I also know that bind can be restricted to accepting connections on a specific interface in Linux (BINDTODEVICE), but it wouldn’t accept connections coming in from an unbound interface for the address of the bound interface.

I’m looking for a solution similar to DNSMasq’s bind-dynamic option.
From what I understand it listens to Linux’s NetLink messages and automatically binds to addresses added to an interface.

Right now my current workaround is to listen to address changes on the interface, pass the addresses as variables for HAProxy, and reload HAProxy on changes.
There are complications with this approach when the address isn’t yet available (interface down or the address wasn’t configured yet).

I’d also be happy with a solution that allows changing the bound address through a Unix socket command similar to the way a backend server address can be changed. The command could be something like set bind <frontend>/<so_id> addr <ip4 or ip6 address> [port <port>].
It would be nice in that case to allow a bind configuration that doesn’t actually bind to anything, but is just there waiting to be configured by the management socket.

The issue I see with this runtime binding is privileged ports and HAProxy dropping root. It would require HAProxy to keep the cap_net_bind_service capability.

Posts: 1

Participants: 1

Sticky tables during HAProxy reload

@JensVanDeynse wrote:

Hello

I work in a company in which we use HAProxy for all our load balancing: frontend, but also between application servers and replicated database servers. It’s with the latter that we’ve encountered some issues.

Our database servers work with master-master replication, and in between these servers and the application servers there are two haproxy load balancers (active/passive) using sticky tables so that the same database server is used unless it is marked as down; then it should switch to the other database server. Most of the time this doesn’t cause any issues, but we’ve found that when we reload haproxy due to a new configuration the sticky tables are reset. This means that when, for any reason whatsoever, the backup database server was marked as the active one by haproxy, after the reload this will switch back to the non-backup one, and this can and has caused issues for us.
The reason that this can cause issues is that we use connection pools on our application servers, meaning that if haproxy does a switchover it can happen that the application server still has open connections to the previously active/now passive server. In that case this breaks replication, because the application servers can then write to both database servers.

Below you can find our HAProxy configuration, does anybody have any tips on how we can ensure that the sticky-tables are stored when doing a haproxy reload?

Thank you for your help!

Configuration

global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    user        haproxy
    group       haproxy
    daemon

    stats socket /var/lib/haproxy/stats  mode 666 level user
    stats socket /var/lib/haproxy/stats-admin mode 600 level admin

    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

    ca-base  /etc/pki/tls/certs
    crt-base /etc/pki/tls/certs

    tune.ssl.default-dh-param 4096

defaults
    mode                    tcp
    log                     global
    retries                 2
    timeout connect         100ms
    timeout server          3600s
    timeout client          3600s

    log-format %ci:%cp\ |\ {|}\ |\ %ft\ %b/%s\ 0/%Tw/%Tc/0/%Tt\ %ST\ %B\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hs\ ""

listen mysql-cluster
    bind *:3306
    mode tcp
    option mysql-check user haproxy_check

    stick-table type ip size 100
    stick on dst
    server         db01a <ip>:3306 check inter 500 fall 5 on-marked-down shutdown-sessions
    server         db01b <ip>:3306 check inter 500 fall 5 backup on-marked-down shutdown-sessions

Posts: 1

Participants: 1

Date_us() in 1.9 and leading zeros

@bick wrote:

So I’ve been trying to take advantage of the higher precision timestamps in 1.9 for both our newrelic instrumentation header and our log timestamps. I did something like this:

log-format "%[date()]%[date_us()]"

and eventually noticed unbalanced timestamp lengths in the logs:
1550177696971084
1550177696991865
15501776973844
155017769714073

The documented type is integer, so I realize it is dropping the leading zeroes when converted to a string. Is there any way to pad with leading zeros?

Thanks!

Posts: 1

Participants: 1

Show map & contents in admin socket

@ykiran_k wrote:

Hi, I have a map in this format

/etc/haproxy/path_app.map
/abcd/ App1
/efgh/ App2

When I run this command, I am not able to see the list of available maps. There is only 1 map reference in my config. Can you please suggest the show map command to see the contents of path_app.map?

 echo "show map" | socat stdio /var/run/haproxy/socket
 # id (file) description

Here is the version that I have

  haproxy -vv
  HA-Proxy version 1.9.2 2019/01/16 - https://haproxy.org/

Posts: 1

Participants: 1

Haproxy & CloudFlare & Cf-Connecting-Ip

@santory wrote:

Hello
I use Cloudflare in front of the HAProxy load balancer.
I would like to add an x-local header if the client IP is on a specific list.
It should be noted that the headers come from the Cloudflare server side.
Please advise.

defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
retries 2
maxconn 2000000
timeout client 60s
timeout server 60s
timeout queue 60s
timeout connect 4s
option httpclose
option abortonclose
timeout http-request 5s
option http-keep-alive
option tcp-smart-accept
option tcp-smart-connect
stats enable
stats refresh 10s
stats uri /stats
stats realm Authentication\ Required
stats auth admin:usetsels

frontend testsite_https
bind 192.168.0.31:443 ssl crt /etc/haproxy/certs/testsite.com/testsite.pem alpn h2,http/1.1 npn h2,http/1.1
mode http
option http-keep-alive
option forwardfor
acl is_cf req.hdr(cf-connecting-ip) -m found
acl from_eli_cf req.hdr_ip(cf-connecting-ip) -f /etc/haproxy/eli.subnets
acl whitelist src -f /etc/haproxy/WL.subnets
acl badbots hdr_reg(User-Agent) -i -f /etc/haproxy/badbots.lst
acl from_tr src -f /etc/haproxy/tr.subnets
acl from_eli src -f /etc/haproxy/eli.subnets
acl url_cdn hdr_end(host) -i cdn.testsite.com
acl url_cdn hdr_end(host) -i cdnx.testsite.com
acl m_testsite hdr_end(host) -i m.testsite.com
acl host_testsite hdr(host) -i testsite.com
acl host_testsite hdr_end(host) -i testsite.co
http-request deny if badbots !whitelist
http-request add-header X-Country %[req.hdr(Cf-Ipcountry)] if is_cf
http-request add-header X-Local Yes if from_eli_cf
reqirep ^cf-connecting-ip:(.*) X-Forwarded-For:\1 if is_cf
reqadd X-Country:\ IR if from_tr
reqadd X-Forwarded-Proto:\ https
reqadd X-Local:\ Yes if from_eli
redirect code 301 prefix https://www.testsite.com if m_testsite
use_backend cdn-testsite if url_cdn
use_backend cdn-video if video_cdn
use_backend eli-weblog if url_weblog from_tr
use_backend eli-weblog-x if url_weblog !from_tr
default_backend testsite
rspidel ^X-.*
rspirep ^Server:.* Server:\ testWeb\ 0.1
rspadd X-XSS-Protection:\ 1;\ mode=block
#rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload;
rspadd X-Content-Type-Options:\ nosniff

Posts: 2

Participants: 2

Http health check issue

@swapnilm wrote:

I am a newbie to the HAProxy world. I am testing HAProxy as Reverse Proxy (RP) as well as Load Balancer (LB) for our internal software environment. Please note that before posting this question, I checked other topics with httpchk health check issues and did not find any solution.
I tried using Apache as RP and LB and it was working fine.
Can you please help me in this case? Kindly let me know if you need more information from my side.
#########################################
Information about setup:

  • HAProxy as RP and LB (version 1.5.19)
  • Backend is Tomcat setup with http ports
  • 6 different Application in the environment

HAProxy with httpchk is working fine only for 1 application.
########################################
Here is output of ./haproxy -vv
HA-Proxy version 1.5.19 2016/12/25
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_OPENSSL=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built without PCRE support (using libc’s regex instead)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
#######################################

##Configuration(working)
frontend TEST1_FE
mode http
bind *:543 ssl crt /home/data/hacert/server1.pem
capture cookie SERVERID len 63

acl pass_node path_sub test1
use_backend TEST1_BE if pass_node
default_backend TEST1_BE

backend TEST1_BE
stats enable
balance roundrobin
mode http
option httpchk OPTIONS /test1/ HTTP/1.0
cookie SERVERID insert indirect nocache secure httponly

server server1 IP_of_machine1:8090 cookie node-sv1 check on-marked-down shutdown-sessions
server server2 IP_of_machine2:8090 cookie node-sv2 check on-marked-down shutdown-sessions

reqadd X-Forwarded-port:\ 543
reqadd X-Forwarded-proto:\ https

http-send-name-header x-dsp-client-node

For other applications httpchk is not working and causes the error “backend has no server available!”. I tried various methods in httpchk, but they are not working and give the same error. If I remove httpchk, the other applications work fine.

If I hit the URL from a browser, it gives a 503 response with the following configuration. The URL is https, like "https://test2-hostname.mydomain.com:545/test2". The URL pattern is the same for all applications.
##Configuration(not working) -
frontend TEST2_FE
mode http
bind *:545 ssl crt /home/data/hacert/server1.pem

capture cookie SERVERID len 63
capture request header origin len 63
http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)]

acl test2_node path_sub test2
use_backend TEST2_BE if test2_node

default_backend TEST2_BE

backend TEST2_BE
stats enable
balance roundrobin
mode http
option httpchk OPTIONS /test2/ HTTP/1.0\r\nHOST:\test2-hostname.mydomain.com
cookie SERVERID insert indirect nocache secure httponly
http-send-name-header x-dsp-client-node

# server members for load balancing - TOMCAT

server server1 IP_of_machine1:9020 cookie node-sv1 check on-marked-down shutdown-sessions
server server2 IP_of_machine2:9020 cookie node-sv2 check on-marked-down shutdown-sessions

reqadd X-Forwarded-port:\ 545

reqadd X-Forwarded-proto:\ https

Thank you in advance for your help.

Posts: 1

Participants: 1

Newbie setting up a not too easy proxy

So HAProxy is working but nots me backends

One host not using SSL

@TSupport wrote:

Hi,

I have HAProxy set up with our exchange server and then one website behind it, working well, all with letsencrypt SSLs.

I have tried to add another web host which does connect, but the SSL is not working and it only connects via HTTP. I have port 80 forced to SSL and I have added the domain to my Let’s Encrypt certificate, but when I connect to that domain via SSL, it seems to pass through the SSL rather than terminating at the HAProxy, because the certificate is the self-signed one from the site.

The host that is not working in my config is the ovenmon, the workflow and exchange and auto hosts all work OK and give SSL.

Any suggestions as to what I have done wrong, it appears the same as the other setups but I can’t work out what’s missing?

Config Below:

Posts: 2

Participants: 1

HAProxy with PostgreSQL for Transparent IP

@jobinau wrote:

I have HAProxy configuration like :

listen master
bind *:5000
option httpchk OPTIONS /master
http-check expect status 200
default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
server pg0 pg0:5432 maxconn 100 check port 8008
server pg1 pg1:5432 maxconn 100 check port 8008
server pg2 pg2:5432 maxconn 100 check port 8008

How to have Transparent IP configuration such that client IP is passed to Server rather than IP of the HAProxy server?

Posts: 1

Participants: 1

Haproxy remove cookie request

@Mbart wrote:

Hello,
I would like to use haproxy in front of my IIS ASP.NET application, which is on the intranet.
My public DNS name must be changed from www.myapp.com to myapp.intra.net, so I’m using http-request set-header to rewrite the Host header:
backend coappesed01
mode http
option http-server-close
option forwardfor
acl hdr_myapp req.hdr(host) -i www.myapp.com
http-request set-header Host myapp.intra.net if hdr_myapp
server server01 myapp.intra.net:80 cookie server01 check inter 60 fastinter 20 fall 3 rise 2 weight 100

This configuration doesn’t work because haproxy inserts “set-cookie” in the response cookie and not in the request cookie, so my application doesn’t work.
How can I configure haproxy to rewrite the Host header and leave cookies unchanged?
Thanks a lot
Marco

Posts: 1

Participants: 1
