Text only | Text with Images

OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: browne on June 23, 2020, 01:13:41 PM

Title: HAProxy: 2nd server not accessible
Post by: browne on June 23, 2020, 01:13:41 PM
Hello,

I am currently setting up haproxy in my network.
I got the acme automation working and was also able to configure the first server.

I then cloned each setting of the first server (MEX1) and adapted them to match the 2nd server (SQLHOST - esweb).

Somehow I am unable to access the 2nd server via haproxy, it just gives me a 404 error. The first still works fine.
What makes me curious are the log entries, it seems that the config for my SQLHOST is pointing to the backend / frontend of my MEX1 server, which makes no sense at all.

Code Select
haproxy[3465]: 192.168.223.215:57161 [23/Jun/2020:13:41:54.003] MEX1_frontend~ MEX1_backend/MEX1 1/0/0/2/3 404 118 - - ---- 1/1/0/0/0 0/0 "GET /esweb/ HTTP/1.1"

If I disable the server entry of MEX1 I get a 503 error when trying to access it, which makes sense, but in the same time the 2nd server now also gives a 503 error.

Below is my haproxy config.

Code Select

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   1024
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: redirect_acme_challenge ()
frontend redirect_acme_challenge
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: MEX1_frontend (my.domain.net/owa)
frontend MEX1_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5edfa47f551f80.62983715.certlist
    mode http
    option http-keep-alive
    default_backend MEX1_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: MEX1_condition
    acl acl_5ede305aa428f7.91112437 path_beg -i /owa

    # ACTION: MEX1_rule
    use_backend MEX1_backend if acl_5ede305aa428f7.91112437

# Frontend: LetsEncrypt_Frontend ()
frontend LetsEncrypt_Frontend
    bind 192.168.223.181:80 name 192.168.223.181:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: Forward_80_to_443
    acl acl_5ede30aae5ac13.40527538 req.ssl_ver gt 0
    # ACL: no_acme_challenge
    acl acl_5ede30ead9bc68.54961199 path_beg -i /.well-known/acme-challenge/
    # ERROR: unsupported action type
    # ACTION INVALID:

    # ACTION: redirect_acme_challenges
    use_backend acme_challenge_backend if !acl_5ede30aae5ac13.40527538 !acl_5ede30ead9bc68.54961199

# Frontend: ESWEB_frontend (my.domain.net/esweb)
frontend ESWEB_frontend
    http-response set-header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    bind 0.0.0.0:80 name 0.0.0.0:80 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl no-sslv3 no-tlsv10 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 crt-list /tmp/haproxy/ssl/5ee21963e60ff8.23840091.certlist
    mode http
    option http-keep-alive
    default_backend ESWEB_backend
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    option httplog
    # ACL: ESWEB_condition
    acl acl_5ee219894dbd78.15910750 path_beg -i /esweb

    # ACTION: ESWEB_rule
    use_backend ESWEB_backend if acl_5ee219894dbd78.15910750

# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: MEX1_backend ()
backend MEX1_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server MEX1 192.168.200.12:443 ssl verify none

# Backend: ESWEB_backend ()
backend ESWEB_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server SQLHOST 192.168.200.21:443 ssl verify none


I hope you guys can help me out here.
browne
Title: Re: HAProxy: 2nd server not accessible
Post by: cmdr.adama on June 23, 2020, 05:43:12 PM
So... Two key things that I would do differently. 1. have a separate front end for HTTP and HTTPS. 2. Have both the HTTP and HTTPS frontends redirect to the relevant server as you have configured with the ACL's. That would be my way of solving your problem.

As you can see with the logs, it's hitting the first front end, failing the ACL check and using the default backend anyway.

With the above... You first hit the relevant front end for that port then you determine where you want traffic to head to after that point.
Title: Re: HAProxy: 2nd server not accessible
Post by: browne on June 29, 2020, 10:33:22 AM
That was the solution! thanks
Text only | Text with Images