HTTP 503 after changing port number on backend

@ScottUFR wrote:

Hi,

I have inherited an existing reverse proxy configuration I’m trying to change that seems simple enough, but something isn’t working. The configuration that works uses port 9000 on the backend. I’m trying to change that to 9443, but when I do I am getting the following in the Chrome console:

"Failed to load the resource: the server responded with a status of 503 (Service Unavailable)"

I’ve used tcpdump -A -s 0 'tcp port 9443' to try to verify that the server is seeing the request, but none appears.

My servers are using HAProxy 1.5.18 on CentOS 7.

The proxy server’s firewall accepts HTTPS on port 443.

The server’s firewall accepts TCP connections from the proxy server on ports 443 and 9000 (or 9443 as necessary).

The app’s functionality works fine in this configuration.

I’m not sure what to try next and would appreciate any help.

Thanks,
Scott

Here’s my HAProxy configuration:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    #Set the protocol
    ssl-default-bind-options no-sslv3 force-tlsv12

    #set the acceptable ciphers
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    #debug
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy/haproxy
    pidfile     /var/run/haproxy.pidfile
    # max per-process number of connections
    maxconn     256

    # process's user and group
    user        haproxy
    group       haproxy
    # make the process fork into background
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    # the following enables logging of HTTP requests
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    # allow SSE and WebSocket connections to stay open for longer
    timeout tunnel 8h
    maxconn 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    bind *:80
    bind *:443 ssl crt /usr/local/glads/ssl/web.glads.stk.com.bundle.pem ca-file /usr/local/glads/ssl/ca-chain.cert.pem verify required crl-file /usr/local/glads/crl/combined.crl.pem
    # allow access to the keycloak admin console to a select few ips or subnets.
    acl network_allowed src 192.168.100.10/32
    acl restricted_page path_beg -m beg -i /auth/admin/master/console
    http-request deny if restricted_page !network_allowed
    http-request set-header X-SSL-Client-Cert %{+Q}[ssl_c_der,base64]
    http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]

    #for logging purposes STIG V-69385
    capture request header referer len 64
    capture request header user-agent len 64
    capture request header host len 100
    capture request header connect len 20

    #log-format %Tl\ %ci:%cp\ requestHeader=%hrl\ httpRequest=%redispatch
    # Force SSL only
    redirect scheme https if !{ ssl_fc }

    acl acl-glads-id            path_beg        /identity /auth/admin/master/console
    acl acl-glads-app           path_beg        /favicon.ico /glads-web
    acl acl-glads-app           path_beg        /glads
    acl acl-glads-app           path_beg        /help
    acl acl-glads-wx            path_beg        /geoserver /geowebcache
    acl acl-terrain             path_beg        /stk-terrain
    acl acl-chat                path_beg        /http-bind
    use_backend glads-id        if acl-glads-id
    use_backend glads-app       if acl-glads-app
    use_backend stk-terrain     if acl-terrain
    use_backend glads-wx        if acl-glads-wx
    use_backend chat-srv        if acl-chat

#---------------------------------------------------------------------
# glads-id backend for serving identity
#---------------------------------------------------------------------
backend glads-id
    server glads_id c0007150-00.stk.com:443 ssl ca-file /usr/local/glads/ssl/ca-chain.cert.pem

#---------------------------------------------------------------------
# glads-web backend for serving all things GLADS
#---------------------------------------------------------------------
backend glads-app
    server glads_app c0007151-00.stk.com:443 ssl ca-file /usr/local/glads/ssl/ca-chain.cert.pem

#---------------------------------------------------------------------
# backend for serving terrain
#---------------------------------------------------------------------
backend stk-terrain
    server glads_terrain assets.agi.com:443 ssl ca-file /usr/local/glads/ssl/ca-chain.cert.pem

#---------------------------------------------------------------------
# glads-wx backend for serving WMTS
#---------------------------------------------------------------------
backend glads-wx
    server glads_wx c0007151-00.stk.com:8443 ssl ca-file /usr/local/glads/ssl/ca-chain.cert.pem

#---------------------------------------------------------------------
# chat-srv backend for serving EjabberD
#---------------------------------------------------------------------
backend chat-srv
    server ejabberd c0007151-00.stk.com:9443 ssl ca-file /usr/local/glads/ssl/ca-chain.cert.pem
    timeout server 90s
