@bmf7777 wrote:

i’m using haproxy 1.8…working well with termination and pass-through…i’m trying to no avail to add location servers with path name appended e.g. below is a front-end and back-end that is working … however … i’m using redir which is fine inside the firewall but i want to go through haproxy and be able to access this server outside the firewall (aka unifi-backend) … foobar-unifi.ddns.net is accesable via nslookup using no-ip.com

question: how to i change
server unifi 192.168.1.16:8443 redir https://192.168.1.16:8443/manage/site/kab9w4dv/dashboard check
to allow for access to server through haproxy by accessing https://foobar-unifi.ddns.net? thanks in advance

frontend https-front
        bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
        mode http

        use_backend home-assistant-backend if { ssl_fc_sni -i foobar-ha.ddns.net }
        use_backend nextcloud-backend if { ssl_fc_sni -i farbar-nc.ddns.net }
        use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }
        use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }
        use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }
        use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }
        use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }
        default_backend blueiris-backend

backend unifi-backend
        mode http
        server unifi 192.168.1.16:8443 redir https://192.168.1.16:8443/manage/site/kab9w4dv/dashboard check
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }

Posts: 1

Participants: 1

Read full topic

@bmf7777 wrote:

I’m using haproxy 1.8…working well with termination and pass-through…i’m trying to no avail to add additional servers with a path name appended e.g. below is a front-end and back-end that is working … however … i’m using redir which is fine inside the firewall but i want to go through haproxy and be able to access this server outside the firewall (aka unifi-backend) … foobar-unifi.ddns.net is accessible via nslookup using no-ip.com

question: how to i change
server unifi 192.168.1.16:8443 redir https://192.168.1.16:8443/manage/site/kab9w4dv/dashboard check
to allow for access to server through haproxy by accessing https://foobar-unifi.ddns.net? thanks in advance

frontend https-front
        bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
        mode http

        use_backend home-assistant-backend if { ssl_fc_sni -i foobar-ha.ddns.net }
        use_backend nextcloud-backend if { ssl_fc_sni -i farbar-nc.ddns.net }
        use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }
        use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }
        use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }
        use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }
        use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }
        default_backend blueiris-backend

backend unifi-backend
        mode http
        server unifi 192.168.1.16:8443 redir https://192.168.1.16:8443/manage/site/kab9w4dv/dashboard check
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }

Posts: 1

Participants: 1

Read full topic

@bmf7777 wrote:

i’m using haproxy 1.8.8-1ubuntu0.4. all is working well except (see configuration below) the following
https://foobar-dns.ddns.net which continues to forward to http://foobar-dns.ddns.net/admin versus
http://192.168.5.2/admin which is required … all other entries/back-ends work. what is wrong with my backend for https://foobar-dns.ddns.net … thanks in advance, dan

backend pihole-backend
    	mode http
    	server pi-hole 192.168.5.2 no-check
    	http-request redirect location /admin if { path / }
    	http-request set-header X-Forwarded-Port %[dst_port]
    	http-request add-header X-Forwarded-Proto https if { ssl_fc }

------------------------- full haproxy.cfg
global
maxconn 100
tune.ssl.default-dh-param 2048

defaults
	mode http
	log global
	timeout connect 20s
	timeout client 50s
	timeout server 50s
	timeout tunnel 1h

listen stats
	bind 192.168.1.235:9000
	mode http
	log global
	maxconn 10
	stats enable
	stats hide-version
	stats refresh 30s
	stats show-node
#	stats auth admin:password
	stats uri /haproxy?stats

frontend https
	bind *:443
	mode tcp
	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	use_backend openvpn-backend if { req_ssl_sni -i foobar.ddns.net }
	default_backend https-back

frontend https-front
	bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
	mode http

	use_backend home-assistant-backend if { ssl_fc_sni -i foobar-ha.ddns.net }
	use_backend nextcloud-backend if { ssl_fc_sni -i foobar-nc.ddns.net }
	use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }
	use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }
	use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }
	use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }
	use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }
	default_backend blueiris-backend

frontend http
	bind :80
	acl letsencrypt-acl path_beg /.well-known/acme-challenge/
	use_backend letsencrypt-backend if letsencrypt-acl

backend letsencrypt-backend
	server letsencrypt 127.0.0.1:8888

backend https-back
	mode tcp
	server https-front unix@/var/run/haproxy.sock send-proxy-v2

backend openvpn-backend
	mode tcp
        timeout server 2h
	server openvpn 192.168.1.235:444

backend haproxy-backend
	mode http
	server haproxy 192.168.1.235:9000 no-ssl check
	http-request redirect location /haproxy?stats if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend pihole-backend
	mode http
	server pi-hole 192.168.5.2 no-check
	http-request redirect location /admin if { path / }
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend unifi-backend
	mode http
	server unifi 192.168.1.16:8443 ssl verify none check
	http-request redirect location /manage/site/kab9w4dv/dashboard if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend unms-backend
	mode http
	server unms 192.168.1.207 ssl verify none
	http-request redirect location /dashboard if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend home-assistant-backend
	mode http
	server home-assistant 192.168.1.123:8123 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend nextcloud-backend
	mode http
	server nextcloud 192.168.1.123:80 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend blueiris-backend
	mode http
	server blueiris 192.168.1.36:1050 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

Posts: 1

Participants: 1

Read full topic

@bmf7777 wrote:

i’m using HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24 … config file is working, i want to add the capability to select a server based on a url parameter e.g. https://foobar-nd.ddns.net/?netdata_server=openvpn -> 192.168.1.235:19999

the key sections are below with the full config file at the end as well as the traceback … i’m new to haproxy so i’m not sure what is wrong however the trace show the initial GET causing an issue … all other portions of the config file are working

acl is-netdata-server-set-properly urlp_reg(netdata_server) ^(openvpn|poolside|rosegarden|stage|ha|pihole|unifi|unms|firepit|greenhouse|fireplace|genmon)
	http-request set-var(req.netdata_server) urlp(netdata_server) if is-netdata-server-set-properly

	use_backend backend-%[var(req.netdata_server)] if is-netdata-server-set-properly { ssl_fc_sni -i foobar-nd.ddns.net } 

backend backend-openvpn
	mode http
	server default-netdata 192.168.1.235:19999 check no-ssl
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

----------------- output
00000009:https.accept(0005)=000a from [192.168.1.1:54494] ALPN=
0000000a:https-front.accept(0006)=000c from [192.168.1.1:54494] ALPN=
0000000a:https-front.clireq[000c:ffffffff]: GET /dashboard.js?v20181211-1 HTTP/1.1
0000000a:https-front.clihdr[000c:ffffffff]: Host: foobar-nd.ddns.net
0000000a:https-front.clihdr[000c:ffffffff]: Connection: keep-alive
0000000a:https-front.clihdr[000c:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
0000000a:https-front.clihdr[000c:ffffffff]: Accept: /
0000000a:https-front.clihdr[000c:ffffffff]: Referer: https://foobar-nd.ddns.net/?netdata_server=openvpn
0000000a:https-front.clihdr[000c:ffffffff]: Accept-Encoding: gzip, deflate, br
0000000a:https-front.clihdr[000c:ffffffff]: Accept-Language: en-US,en;q=0.9
0000000a:https-front.clihdr[000c:ffffffff]: Cookie: session=05213fd425d0545d2533307a0ae60fa6
0000000a:blueiris-backend.srvrep[000c:adfd]: HTTP/1.1 404 Not Found
0000000a:blueiris-backend.srvhdr[000c:adfd]: Server: BlueServer/4.8.6.3
0000000a:blueiris-backend.srvhdr[000c:adfd]: Date: Sat, 25 May 2019 14:51:20 GMT
0000000a:blueiris-backend.srvhdr[000c:adfd]: P3P: CP=“CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE”
0000000a:blueiris-backend.srvhdr[000c:adfd]: Access-Control-Allow-Origin: *
0000000a:blueiris-backend.srvhdr[000c:adfd]: Set-Cookie: session=05213fd425d0545d2533307a0ae60fa6; path=/
0000000a:blueiris-backend.srvhdr[000c:adfd]: Connection: Close

---------------------- haproxy.cfg
global
maxconn 100
tune.ssl.default-dh-param 2048

defaults
	mode http
	log global
	timeout connect 20s
	timeout client 50s
	timeout server 50s
	timeout tunnel 1h

listen stats
	bind 192.168.1.235:9000
	mode http
	log global
	maxconn 10
	stats enable
	stats hide-version
	stats refresh 30s
	stats show-node
#	stats auth admin:password
	stats uri /haproxy?stats

frontend https
	bind *:443
	mode tcp


	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	use_backend openvpn-backend if { req_ssl_sni -i foobar.ddns.net }
	default_backend https-back

frontend https-front
	bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
	mode http

	acl is-netdata-server-set-properly urlp_reg(netdata_server) ^(openvpn|poolside|rosegarden|stage|ha|pihole|unifi|unms|firepit|greenhouse|fireplace|genmon)
	http-request set-var(req.netdata_server) urlp(netdata_server) if is-netdata-server-set-properly

	use_backend backend-%[var(req.netdata_server)] if is-netdata-server-set-properly { ssl_fc_sni -i foobar-nd.ddns.net }

	use_backend home-assistant-backend  if { ssl_fc_sni -i foobar-ha.ddns.net }
	use_backend nextcloud-backend if { ssl_fc_sni -i foobar-nc.ddns.net }
	use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }
	use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }
	use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }
	use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }
	use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }
	default_backend blueiris-backend

frontend http
	bind :80
	acl letsencrypt-acl path_beg /.well-known/acme-challenge/
	use_backend letsencrypt-backend if letsencrypt-acl

backend letsencrypt-backend
	server letsencrypt 127.0.0.1:8888

backend https-back
	mode tcp
	server https-front unix@/var/run/haproxy.sock send-proxy-v2

backend backend-openvpn
	mode http
	server default-netdata 192.168.1.235:19999 check no-ssl
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }
	
backend openvpn-backend
	mode tcp
        timeout server 2h
	server openvpn 192.168.1.235:444

backend haproxy-backend
	mode http
	server haproxy 192.168.1.235:9000 no-ssl check
	http-request redirect location /haproxy?stats if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend pihole-backend
	mode http
	server pi-hole 192.168.5.2:80 check no-ssl
	rspadd X-Frame-Options:\ SAMEORIGIN
	http-request redirect location /admin/ if { path / }
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend unifi-backend
	mode http
	server unifi 192.168.1.16:8443 ssl verify none check
	http-request redirect location /manage/site/kab9w4dv/dashboard if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend unms-backend
	mode http
	server unms 192.168.1.207 ssl verify none
	http-request redirect location /dashboard if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend home-assistant-backend
	mode http
	server home-assistant 192.168.1.123:8123 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend nextcloud-backend
	mode http
	server nextcloud 192.168.1.123:80 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend blueiris-backend
	mode http
	server blueiris 192.168.1.36:1050 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

Posts: 1

Participants: 1

Read full topic

@bmf7777 wrote:

using HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24

the following backend tests for a url query and selects server … however none of the tests work and the default is always selected

e.g. https://foobar-nd.ddns.net?netdata_server=openvpn should select
use-server netdata-openvpn if { urlp(netdata_server) -m str openvpn }
server netdata-openvpn 192.168.1.235:19999 check weight 0

any ideas what i’m doing wrong ? thanks in advance

backend netdata-backend
	mode http
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

	use-server netdata-openvpn  if { urlp(netdata_server) -m str openvpn }
	server netdata-openvpn  192.168.1.235:19999  check weight 0

	use-server netdata-poolside  if { urlp(netdata_server) -m str poolside }
	server netdata-poolside  192.168.1.18:19999 check weight 0

	use-server netdata-rosegarden  if { urlp(netdata_server) -m str rosegarden }
	server netdata-rosegarden  192.168.1.170:19999 check weight 0

	use-server netdata-stage  if { urlp(netdata_server) -m str stage }
	server netdata-stage  192.168.1.174:19999 check weight 0

	use-server netdata-ha  if { urlp(netdata_server) -m str ha }
	server netdata-ha  192.168.1.123:19999 check weight 0

	use-server netdata-pihole  if { urlp(netdata_server) -m str pihole }
	server netdata-pihole  192.168.5.2:19999 check weight 0

	use-server netdata-unifi  if { urlp(netdata_server) -m str unifi }
	server netdata-unifi  192.168.1.16:19999 check weight 0

	use-server netdata-unms  if { urlp(netdata_server) -m str unms }
	server netdata-unms  192.168.1.207:19999 check weight 0

	use-server netdata-firepit  if { urlp(netdata_server) -m str firepit }
	server netdata-firepit  192.168.1.200:19999 check weight 0

	use-server netdata-greenhouse  if { urlp(netdata_server) -m str greenhouse }
	server netdata-greenhouse  192.168.1.187:19999 check weight 0

	use-server netdata-fireplace  if { urlp(netdata_server) -m str fireplace }
	server netdata-fireplace 192.168.1.201:19999 check weight 0

	use-server netdata-genmon  if { urlp(netdata_server) -m str genmon }
	server netdata-genmon  192.168.1.198:19999 check weight 0

	use-server netdata-gym  if { urlp(netdata_server) -m str gym }
	server netdata-gym  192.168.1.158:19999 check weight 0

	server default 192.168.1.207:19999 check

Posts: 1

Participants: 1

Read full topic

@SmoothRunnings wrote:

I wonder if its possible to use the config file from Haproxy 1.7.11_1 on the latest pfsense on 1.8.x of HAProxy or can someone recommend a good opensource GUI to allow me to configure HAProxy?

Thanks,

Posts: 1

Participants: 1

Read full topic

@pyrogoth wrote:

Hi there,
I’m really struggling to find an answer to this on the forums - there’s a few answers that are close to what I’m looking for but nothing has worked so far!

So, basically I want the server IP that HAProxy is on to forward port 80 traffic to a single backend file which is located in an s3 bucket.

I can get really close with just:

frontend example
bind *:80
default_backend example

backend example
server test 192.168.X.X:80 redir https://s3.bucket.url/path/thefile.js

But forwarded traffic arrives at “https://s3.bucket.url/path/thefile.js/” and I can’t see a way of removing the trailing slash on a redirected backend - even though it’s pointing directly at a file.

I am using a compiled HA-Proxy v1.8.8

Any help/advise would be greatly appreciated!

Posts: 1

Participants: 1

Read full topic

@amiee wrote:

Hello,
I am using HAproxy with version 1.5.18.
There is a weird pattern for timeout client value which cause HAproxy works or return 408/504 error when added it to the fronted section.

frontend http_vip
mode http
bind x.x.x.x:80 transparent
option httplog clf
log global

timeout client 25d
default_backend http-pool

For example:
Values equal or above 1us and below 25d are working (application behind the HAproxy can be accessed).
Values equal or above 25d and below 50d are NOT working (application behind the HAproxy can NOT be accessed).
Values equal or above 50d and below 75d are working
Values equal or above 75d and below 100d are NOT working
Values equal or above 100d and below 125d are working
Values equal or above 125d and below 150d are NOT working
and this pattern continues forever every 25 days.

When the application cannot be accessed, a 408 or 504 error is returned.
In the access log, the session is terminated with “cC” state as following:
“GET /index.html HTTP/1.1” 504 194 “” “” 58568 614 “http_vip” “http-pool” “m1” 0 0 0 -1 0 cC-- 0 0 0 0 0 0 0 “” “”

I have tried with tcp mode, still has the same result.

Pls help to debug on this.

Thanks.

Posts: 1

Participants: 1

Read full topic

@c1s wrote:

Need to have an admin user and a non admin user for a display board. This is to allow a team to view current load balancer/node status. Is this possible?

Posts: 1

Participants: 1

Read full topic

@williamchiew wrote:

Hi all,

Need help here.

Currently I’m using HAProxy version 1.5.18, as load balancing for my two server, and each server there are three tomcat, Tomcat1(version 8), Tomcat2(version 6), and Tomcat3(version 8)

All these while this set of configuration are working fine, and until recently, tomcat2 are unable to route, whenever we access, it will return 503 error. After we comment out the option httpchk GET , the site will back to normal.

When I tried to curl for extra information, I found that the only different was the location, whereby tomcat1 and tomcat3 will return the /path , while tomcat2 will return full path including IP, but I’m not sure whether this was the root cause as before this the cofiguration was working fine.

Here are my cfg file.

Global settings

#---------------------------------------------------------------------
global
log 127.0.0.1 local0
log /dev/log local0 info
log /dev/log local0 notice
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
timeout http-request 10000
timeout connect 5000
timeout client 20000
timeout server 20000
timeout http-keep-alive 5000
timeout check 10000

#---------------------------------------------------------------------
frontend http
bind *:80
option httplog
log global
acl is_root path -i /
acl is_domain hdr(host) -i test.abc123.com.my
redirect code 301 location /terminal if is_domain is_root

acl url_tacs path_beg /tacs
use_backend web if url_tacs
default_backend web

acl url_terminal path_beg /terminal
use_backend web1 if url_terminal
default_backend web1

#---------------------------------------------------------------------

round robin balancing between the various backends

#---------------------------------------------------------------------
backend web
mode http
balance roundrobin
option forwardfor
option httpchk GET /tacs/login
http-check expect status 200

cookie JSESSIONID prefix nocache
server  app1 172.222.111.3:8080 cookie app1 check inter 2000 rise 2 fall 2
server  app2 172.222.111.4:8080 cookie app2 check inter 2000 rise 2 fall 2

backend web1
mode http
balance source
option forwardfor
option httpchk GET /terminal/public/internet/index.jsp
http-check expect status 200

cookie JSESSIONID prefix nocache
server  app1 172.222.111.3:9067 cookie app1 check inter 2000 rise 2 fall 2
server  app2 172.222.111.4:9067 cookie app2 check inter 2000 rise 2 fall 2

__________________________________*******************

Curl Tomcat2 Result
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://172.222.111.4:9067/terminal/
Transfer-Encoding: chunked
Date: Wed, 29 May 2019 03:45:40 GMT

Curl Tomcat1 Result
HTTP/1.1 302
Location: /tacs/
Transfer-Encoding: chunked
Date: Wed, 29 May 2019 03:49:51 GMT

Thanks in advance for your help

Posts: 1

Participants: 1

Read full topic

@Brizoo wrote:

Hi community,

I’m trying to build an HAProxy setup to make available some LAN Servers from external. The majority is HTTP/HTTPS ports to forward but I also have some TCP ports to forward

I have this basic setup in place and working:
HAProxy server is in my DMZ, I have a firewall between WAN <-> DMZ and DMZ <-> LAN. Servers are in LAN.

The goal here is to go further and enhance my configuration as well as fix bugs I have. Currently all HTTPS redirects are working fine, but not TCP. I also have a problem to identify my sources correctly. For example, if I have two different source to redirect on the two different backend but on same port (this is the case with 8443, I need to add a new backend on 8443), I’m not able to make the difference between them and redirect them on the good backend.

Servers and ports that need to be accessed from outside:

• ITAM1 TCP: 8027 HTTPS: 8383 8022 8020 8021 8443 8444 8031
• ITAM2 HTTPS: 8443
• ITSM TCP: 9000 HTTPS: 443
• AV TCP: 8013 8014
• OTHER HTTPS: 8085 9443

My configuration file, looks like this so far. This is my first use at HAProxy and the conf I have done is really basic. Please be indulgent!

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    #ca-base /etc/ssl/certs
    # tune & ssl params to force diffie-hellman defaults, disallow most tls/poodle attacks, and restrict binders to secure ciphers
    #tune.ssl.default-dh-param 4096
    #ssl-default-bind-options no-sslv3 no-tls-tickets
    #ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:EECDH+AES

defaults
    mode tcp
    log 127.0.0.1 local0 notice
    timeout connect  5000
    timeout client  50000
    timeout server  50000

frontend tcpServers
    bind *:8013
    bind *:8014
    bind *:8027
    bind *:8383
    bind *:8022
    bind *:8020
    bind *:8021
    bind *:8443
    bind *:8444
    bind *:8031
    bind *:443
    bind *:9000
    bind *:8085
    bind *:9443
    #bind *:443 ssl crt /etc/haproxy/certs/ no-sslv3

    #ACL by Port
    acl tcp_8013 dst_port 8013
    acl tcp_8014 dst_port 8014
    acl tcp_8027 dst_port 8027
    acl https_8383 dst_port 8383
    acl http_8022 dst_port 8022
    acl https_8020 dst_port 8020
    acl https_8021 dst_port 8021
    acl https_8443 dst_port 8443
    acl https_8444 dst_port 8444
    acl https_8031 dst_port 8031
    acl https_443 dst_port 443
    acl tcp_9000 dst_port 9000
    acl http_8085 dst_port 8085
    acl https_9443 dst_port 9443

    tcp-request inspect-delay 5s

# Start SSL Passthrough Backend #
backend fortiemstcp8013
    server fortiems X.X.X.X:8013

backend fortiemstcp8014
    server fortiems X.X.X.X:8014

backend itamtcp8027
    server itam X.X.X.X:8027

backend itamhttps8383
    server itam X.X.X.X:8383

backend itamhttp8022
    server itam X.X.X.X:8022

backend itamhttps8020
    server itam X.X.X.X:8020

backend itamhttps8021
    server itam X.X.X.X:8021

backend itamhttps8443
    server itam X.X.X.X:8443

backend itamhttps8444
    server itam X.X.X.X:8444

backend itamhttps8031
    server itam X.X.X.X:8031

backend supportcenterhttps443
    server supportcenter X.X.X.X:443

backend supportcentertcp9000
    server supportcenter X.X.X.X:9000

backend assetshttp8085
    server assets X.X.X.X:8085

backend assetshttps9443
    server assets X.X.X.X:9443

Posts: 1

Participants: 1

Read full topic

@wontbeherelong wrote:

First, apologies if I’m being a fool but am new to HAproxy. I’m using it in PFsense as a reverse proxy and want an ACL that checks for the presence of a cookie, and only forwards to the backend if it’s present.

After searching, I created the ACL in the frontend like so: “req.cook(organizrLanguage) -m found”

I did try to add has_cookie but it threw an error when loading the config of "unknown fetch method ‘has_cookie’ in ACL expression. Is that neede? If I use this ACL I only get a 503 error. What am I doing wrong? Eventually I want to replace that cookie with the value of a token, but if I can get this working I’ll have taken the first step.

Posts: 1

Participants: 1

Read full topic

@kfoozminus wrote:

We are reloading HAProxy by the following command in our program (doing exec in Go):
haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -x /var/run/haproxy.sock -sf <pidlist>

So inside the container, we inspected the reload. It is showing that there are 2 haproxy process running - the old process takes some time to close. Although there aren’t supposed to be any active sessions that can hold it.

  726 root      0:00 haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -x /var/run/haproxy.sock -sf 723                                                                                                 
  750 root      0:00 haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -x /var/run/haproxy.sock -sf 745                                                                                                 

A crucial details here - this is ps aux output after 2 reload - one immediately after another (inside kubernetes cluster - scaling down/up). So 726 is original process, 745 is pid after first reload and 750 is pid after second reload. Second process isn’t showed here, because after second reload 745 closes almost immediately, but the original process 726 is still ongoing. (closes after about 20s).

Does it usually take so long (around 20 s) or are we using the parameters wrong?
Also, is it possible in any case that old haproxy process never closes using this command?

Posts: 1

Participants: 1

Read full topic

@SunnyLo wrote:

Here is my config file

listen minecraft
bind :25565
mode tcp
balance leastconn
option tcp-check
server minecraft1 example.com:25570 send-proxy

But it fails to start with this error

systemctl status haproxy.service

● haproxy.service - HAProxy Load Balancer

Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)

Active: failed (Result: exit-code) since Sat 2019-06-01 23:43:48 HKT; 5s ago

Docs: man:haproxy(1)

file:/usr/share/doc/haproxy/configuration.txt.gz

Process: 3190 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=1/FAILURE)

Process: 3183 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)

Main PID: 3190 (code=exited, status=1/FAILURE)

Jun 01 23:43:48 vps1 systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE

Jun 01 23:43:48 vps1 systemd[1]: haproxy.service: Failed with result ‘exit-code’.

Jun 01 23:43:48 vps1 systemd[1]: Failed to start HAProxy Load Balancer.

Jun 01 23:43:48 vps1 systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.

Jun 01 23:43:48 vps1 systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.

Jun 01 23:43:48 vps1 systemd[1]: Stopped HAProxy Load Balancer.

Jun 01 23:43:48 vps1 systemd[1]: haproxy.service: Start request repeated too quickly.

Jun 01 23:43:48 vps1 systemd[1]: haproxy.service: Failed with result ‘exit-code’.

Jun 01 23:43:48 vps1 systemd[1]: Failed to start HAProxy Load Balancer.

Posts: 1

Participants: 1

Read full topic

@praveenkumar.2608 wrote:

Hi,

I have a haproxy setup as follow:

Client --> Haproxy (LOCATION A)------> HAProxy(LOCATION B)----> Server.

I am uploading a file to the server, once the upload is completed, Server responds immediately with ACK which I can see it in pcap. But the ACK between Location B and LOCATION A is taking more than 10 secs which delays the response to a real client.

Is there any settings which need to be tweaked in HA Proxy or is there any kernal parameters need to be changed.

Posts: 1

Participants: 1

Read full topic

@bmf7777 wrote:

i have a working configuration (HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24) and i’ve been trying every conceivable technique to use the path after the domain to select a specific server e.g.
foobar-nd-ha.ddns.net/ha -> 192.168.1.123:19999
foobar-nd-ha.ddns.net/pihole -> 192.168.5.2:19999
foobar-nd-ha.ddns.net/unifi -> 192.168.1.16:19999
i need to remove the path as the server doesn’t recognise it using reqrep ^([^\ ]\ /)ha[/]?(.) \1\2 then using use-server to the select the correct server which fails with 503 Service Unavailable due to some lack of understand of the inner workings of haproxy… the backend that isn’t work is called backend “backend-nd”

below is my cfg and trace … any help is appreciated

haproxy

SCCS: @(#)haproxy.cfg 1.5 06/01/19

global
maxconn 100
daemon
tune.ssl.default-dh-param 2048
defaults
mode http
log global
# option tcplog
# option httplog
# option logasap
option http-keep-alive
timeout connect 5000
timeout client 50000
timeout server 50000
timeout tunnel 1h

listen stats
bind 192.168.1.235:9000
mode http
log global
maxconn 10
stats enable
stats hide-version
stats refresh 30s
stats show-node
# stats auth admin:password
stats uri /haproxy?stats

frontend https
bind *:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend openvpn-backend if { req.ssl_sni -i foobar.ddns.net }
default_backend https-back

frontend https-front
bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
mode http
use_backend home-assistant-backend if { ssl_fc_sni -i foobar-ha.ddns.net }
use_backend nextcloud-backend if { ssl_fc_sni -i foobar-nc.ddns.net }
use_backend genmon-backend if { ssl_fc_sni -i foobar-genmon.ddns.net }
use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }
use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }
use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }
use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }
use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }

# Netdata
use_backend backend-nd if { ssl_fc_sni -i foobar-nd-ha.ddns.net }

frontend http
bind *:80 
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend letsencrypt-backend if letsencrypt-acl

backend letsencrypt-backend
server letsencrypt 127.0.0.1:8888

backend https-back
mode tcp
server https-front unix@/var/run/haproxy.sock send-proxy-v2

# Openvpn
backend openvpn-backend
mode tcp
timeout server 2h
server openvpn 192.168.1.235:444

# Netdata backend
backend backend-nd
mode http
http-request set-var(txn.server) path
reqrep ^([^\ ]*\ /)ha[/]?(.*) \1\2
reqrep ^([^\ ]*\ /)pihole[/]?(.*) \1\2
reqrep ^([^\ ]*\ /)unifi[/]?(.*) \1\2

use-server ha if { path_beg -i var(txn.server) /ha }
use-server pihole if { path_beg -i var(txn.server) /pihole }
use-server unifi if { path_beg -i var(txn.server) /unifi }

server ha 192.168.1.123:19999 check weight 0
server pihole 192.168.5.2:19999 check weight 0
server unifi 192.168.1.16:19999 check weight 0

# Haproxy Stats
backend haproxy-backend
mode http
server haproxy 192.168.1.235:9000 no-ssl check
http-request redirect location /haproxy?stats if { path / } 
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Pi-hole DNS Ad-blocker
backend pihole-backend
mode http
server pi-hole 192.168.5.2:80 check no-ssl
rspadd X-Frame-Options:\ SAMEORIGIN
http-request redirect location /admin/ if { path / }
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Genmon
backend genmon-backend
mode http
server unifi 192.168.1.198:8000 no-ssl check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Unifi 
backend unifi-backend
mode http
server unifi 192.168.1.16:8443 ssl verify none check
http-request redirect location /manage/site/kab9w4dv/dashboard if { path / } 
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

# UNMS
backend unms-backend
mode http
server unms 192.168.1.207 ssl verify none
http-request redirect location /dashboard if { path / } 
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Home Assistant
backend home-assistant-backend
mode http
server home-assistant 192.168.1.123:8123 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Nextcloud
backend nextcloud-backend
mode http
server nextcloud 192.168.1.123:80 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

# Blue Iris Security Server
backend blueiris-backend
mode http
server blueiris 192.168.1.36:1050 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc } 

---------------- trace
Available filters :

[SPOE] spoe
[COMP] compression
[TRACE] trace
Using epoll() as the polling mechanism.
00000000:https.accept(0005)=000a from [192.168.1.1:59162] ALPN=
00000001:https.accept(0005)=000d from [192.168.1.1:59163] ALPN=
00000002:https-front.accept(0006)=000c from [192.168.1.1:59162] ALPN=
00000003:https-front.accept(0006)=000f from [192.168.1.1:59163] ALPN=
00000002:https-front.clireq[000c:ffffffff]: GET /ha HTTP/1.1
00000002:https-front.clihdr[000c:ffffffff]: Host: foobar-nd-ha.ddns.net
00000002:https-front.clihdr[000c:ffffffff]: Connection: keep-alive
00000002:https-front.clihdr[000c:ffffffff]: Upgrade-Insecure-Requests: 1
00000002:https-front.clihdr[000c:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
00000002:https-front.clihdr[000c:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3
00000002:https-front.clihdr[000c:ffffffff]: Purpose: prefetch
00000002:https-front.clihdr[000c:ffffffff]: Accept-Encoding: gzip, deflate, br
00000002:https-front.clihdr[000c:ffffffff]: Accept-Language: en-US,en;q=0.9
00000002:https-front.clihdr[000c:ffffffff]: Cookie: _ga=GA1.3.592449160.1559126922; _gid=GA1.3.690682874.1559491313
00000002:backend-nd.clicls[adfd:ffffffff]
00000002:backend-nd.closed[adfd:ffffffff]
00000000:https-back.srvcls[adfd:adfd]
00000000:https-back.clicls[adfd:adfd]
00000000:https-back.closed[adfd:adfd]
00000004:https.accept(0005)=000a from [192.168.1.1:59166] ALPN=
00000005:https-front.accept(0006)=000c from [192.168.1.1:59166] ALPN=
00000003:https-front.clireq[000f:ffffffff]: GET /favicon.ico HTTP/1.1
00000003:https-front.clihdr[000f:ffffffff]: Host: foobar-nd-ha.ddns.net
00000003:https-front.clihdr[000f:ffffffff]: Connection: keep-alive
00000003:https-front.clihdr[000f:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
00000003:https-front.clihdr[000f:ffffffff]: Accept: image/webp,image/apng,image/,/*;q=0.8
00000003:https-front.clihdr[000f:ffffffff]: Referer: https://foobar-nd-ha.ddns.net/ha
00000003:https-front.clihdr[000f:ffffffff]: Accept-Encoding: gzip, deflate, br
00000003:https-front.clihdr[000f:ffffffff]: Accept-Language: en-US,en;q=0.9
00000003:https-front.clihdr[000f:ffffffff]: Cookie: _ga=GA1.3.592449160.1559126922; _gid=GA1.3.690682874.1559491313
00000003:backend-nd.clicls[adfd:ffffffff]
00000003:backend-nd.closed[adfd:ffffffff]
00000001:https-back.srvcls[adfd:adfd]
00000001:https-back.clicls[adfd:adfd]
00000001:https-back.closed[adfd:adfd]

Posts: 1

Participants: 1

Read full topic

@arashad wrote:

Hello,

I currently use haproxy 1.5.18 that has a backend of two servers running Nginx listening on port 80 & 443 and i’m trying to drop haproxy but every time i try it i get “broken header while reading proxy protocol” and i think the issue might be with “send-proxy” option.
Any recommendations will be helpful.

Posts: 1

Participants: 1

Read full topic

@liuzhenasdfa wrote:

we use haproxy before redis,

listen 22001
bind :22001
balance roundrobin
maxconn 16384
server 1 10.18.8.14:1041 check

which enables check.

mostly the check works fine, but sometimes it burst to 1000ms (or a few ms plus);
to worsen it, clients through haproxy see the same 1000ms hang;

if the clients connect directly to redis, they see no hang at all.

we have looked up the haproxy manual, suspecting if there is a timeout default to 1s;
but no satisfactory answers.

Any idea why there is 1000 check duration?

Posts: 1

Participants: 1

Read full topic

@mysticalunicorn wrote:

Trying to use haproxy to balance requests to a few urls in aws cloud from inside our business network. I keep getting 404 not found for the host IP where haproxy is running if i remove the acl’s, if leave the acl’s i get 502 bad gateway

here is the config.

global
log 127.0.0.1 local2
maxconn 500
daemon
#ssl-server-verify none

defaults
log global
option dontlognull
option redispatch
timeout connect 30000
timeout client 60000
timeout server 60000
default-server init-addr none
retries 999

resolvers dnsserver
nameserver public-0 1.1.1.1:53
hold valid 100ms
resolve_retries 3

frontend https
bind *:443 npn spdy/2 alpn h2,http/1.1
option tcplog
mode tcp
acl oauth path_end -i /oauth
acl devices path_end -i /devices

use_backend back_oauth if oauth
use_backend back_devices if devices

backend back_oauth
mode tcp
#option ssl-hello-chk
server host1 https://test.io:443/oauth/token?grant_type=client_credentials resolvers dnsserver check ssl

backend back_devices
mode http
#option ssl-hello-chk
server host1 https://test.io:443/devices resolvers dnsserver check

listen stats
bind *:8080
mode http
stats enable

---

just to verify a few things
im using haproxy 1.7

DNS seems to be working fine.
I can use ACL’s with tcp mode right ?
does everything look ok above ?
Eventually I have to use a certificate but for now im just trying to hit with postman and ignore cert.

thanks for any help

Posts: 3

Participants: 2

Read full topic

@Cyberfusion wrote:

I have a few HAProxy installs and some scripts to automate stuff.

When I restart HAProxy manually, everything is ok:

root@hapxtest:~# systemctl restart haproxy
root@hapxtest:~# echo $?
0

However, when I execute the same command from either bash, I get return code 2:

haproxy -c -V -f $HAPROXYCONFIG

if [ $? -eq 0 ]; then
    echo Reloading HAProxy

    systemctl restart haproxy

# TODO: For some reason we always get rc 2
#        if [ $? -eq 0 ]; then
#            echo SOS: Something went wrong while reloading HAProxy
#            exit 2
#        fi

I really cannot figure out why. Any idea?

Posts: 1

Participants: 1

Read full topic