Topic: HAproxy not starting after upgrading firmware (Read 1856 times)
hv-tech (Newbie, Posts: 29, Karma: 1)
HAproxy not starting after upgrading firmware « on: December 07, 2022, 10:41:43 pm »
Hi Forum,
If I were more technical I wouldn't post, but HAproxy stopped starting after upgrading from 22.7.7 to 22.7.8, and I've since upgraded to 22.7.9 without fixing the problem. Here is the output from when I manually try to start the service:
root@ctgwfw01:~ # service haproxy restart
haproxy not running? (check /var/run/haproxy.pid).
Starting haproxy.
[ALERT] (21092) : Starting frontend External-Pub: cannot bind socket (Can't assign requested address) [72.10.1.x:443]
[ALERT] (21092) : Starting frontend External-Pub: cannot bind socket (Can't assign requested address) [72.10.2.x:443]
[ALERT] (21092) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy
root@ctgwfw01:~ #
Note that I have a PPPoE IP from my ISP. So each time I reboot, it seems to be binding to the old IP that is no longer in use. I am not sure if there is a cache I need to wipe out?
Any help would be great
Thanks
hv-tech (Newbie, Posts: 29, Karma: 1)
Re: HAproxy not starting after upgrading firmware « Reply #1 on: December 13, 2022, 03:41:50 pm »
Does anyone have any advice as to what I can do to fix this?
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Re: HAproxy not starting after upgrading firmware « Reply #2 on: December 13, 2022, 04:09:18 pm »
How are you binding to the WAN IP? Normally you would bind to 0.0.0.0:port if you have dynamic public IPs. 127.0.0.1:port is also a possibility.
hv-tech (Newbie, Posts: 29, Karma: 1)
Re: HAproxy not starting after upgrading firmware « Reply #3 on: December 20, 2022, 04:38:58 pm »
So I am using DDNS/Cloudflare and am binding to those DNS entries, which point to my PPPoE address assigned by the ISP. This always worked flawlessly until the upgrade.
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Re: HAproxy not starting after upgrading firmware « Reply #4 on: December 20, 2022, 05:22:44 pm »
I mean how are you binding it in your haproxy configuration in OPN.
hv-tech (Newbie, Posts: 29, Karma: 1)
Re: HAproxy not starting after upgrading firmware « Reply #5 on: December 20, 2022, 05:46:21 pm »
Here is my config.
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
nbproc 1
nbthread 1
hard-stop-after 60s
no strict-limits
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log 172.16.10.6:514 local0 info
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Resolver: HV-DNS
resolvers 60d520816d7b32.78243365
nameserver 8.8.8.8:53 8.8.8.8:53
parse-resolv-conf
resolve_retries 3
timeout resolve 1s
timeout retry 1s
# Frontend: External-Pub ()
frontend External-Pub
bind ctlgmon01.hvnoclabs.com:443 name ctlgmon01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
bind ctauth02.hvnoclabs.com:443 name ctauth02.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
bind ctitools01.hvnoclabs.com:443 name ctitools01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
bind ctlgmon02.hvnoclabs.com:443 name ctlgmon02.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
bind ctcoms01.hvnoclabs.com:443 name ctcoms01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
mode http
option http-keep-alive
# tuning options
timeout client 30s
# stickiness
stick-table type ip size 50k expire 30m
tcp-request connection track-sc0 src
# logging options
option httplog
# ACL: Netbox
acl acl_60dea475186677.51330295 hdr(host) -i ctitools01.hvnoclabs.com
# ACL: Graylog
acl acl_61208941d9bf35.04710772 hdr(host) -i ctlgmon01.hvnoclabs.com
# ACL: Keycloak
acl acl_61209978a36e65.49477166 hdr(host) -i ctauth02.hvnoclabs.com
# ACL: Mattermost
acl acl_612d2c6c0e9208.90351294 hdr(host) -i ctcoms01.hvnoclabs.com
# ACTION: Netbox
use_backend External-Netbox if acl_60dea475186677.51330295
# ACTION: Graylog
use_backend External-Graylog if acl_61208941d9bf35.04710772
# ACTION: Keycloak
use_backend External-Keycloak if acl_61209978a36e65.49477166
# ACTION: Zabbix
# NOTE: actions with no ACLs/conditions will always match
use_backend External-Zabbix
# ACTION: Mattermost
use_backend External-Mattermost if acl_612d2c6c0e9208.90351294
# Backend: External-Netbox (Pool to Internet)
backend External-Netbox
option log-health-checks
# health check: Monitoring Profile
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.0
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server ctitools01 172.16.10.11:80 check inter 2s
# Backend: External-Graylog (Pool to Internet)
backend External-Graylog
option log-health-checks
# health check: Monitoring Profile
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.0
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server ctlgmon01 172.16.10.8:443 check inter 2s ssl verify none
# Backend: External-Keycloak (Pool to Internet)
backend External-Keycloak
option log-health-checks
# health check: Monitoring Profile
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.0
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server ctauth02 172.16.10.25:443 check inter 2s ssl alpn h2,http/1.1 verify none
# Backend: External-Zabbix (Pool to Internet)
backend External-Zabbix
option log-health-checks
# health check: Monitoring Profile
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.0
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server ctlgmon02 172.16.10.9:80 check inter 2s
# Backend: External-Mattermost (Pool to Internet)
backend External-Mattermost
option log-health-checks
# health check: Monitoring Profile
option httpchk
http-check send meth OPTIONS uri / ver HTTP/1.0
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server ctcoms01 172.16.10.24:80 check inter 2s
# Backend: External-ctcoms01 (Pool to Internet)
backend External-ctcoms01
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
# tuning options
timeout connect 30s
timeout server 30s
http-reuse safe
server ctcoms01 172.16.10.75:443
listen local_statistics
bind 127.0.0.1:8822
mode http
stats uri /haproxy?stats
stats realm HAProxy\ statistics
stats admin if TRUE
# remote statistics are DISABLED
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Re: HAproxy not starting after upgrading firmware « Reply #6 on: December 21, 2022, 11:57:19 pm »
I thought so. You are binding your frontend to a name, and that needs to be resolved; after a reboot the IP might have changed. So I think your suspicion is correct, it's in a loop: your public IP has changed, the public DNS record hasn't been updated, and haproxy queries the name and gets the old one back.
A long delay might be an unworkable workaround, but I can't explain why it was working before the upgrades. All versions of OPN wouldn't deal with this.
I would investigate the option needed to bind to your interface IP. As I said earlier, 0.0.0.0:port "should" work, but you'll need to test.
hv-tech (Newbie, Posts: 29, Karma: 1)
Re: HAproxy not starting after upgrading firmware « Reply #7 on: December 22, 2022, 05:45:30 pm »
You are 100% correct, I guess I didn't understand before. So removing all other entries and adding an external binding of 0.0.0.0/24 worked. Thanks so much for the help!
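The failure mode explained in Reply #6 (a frontend bound to a DNS name that resolves to a stale PPPoE address) and the fix in Reply #7 (a wildcard bind) can be checked for before restarting the service. The following is an added example, not code from the thread or from OPNsense: a small linter that walks the `bind` lines of an HAProxy config and flags every bind that can fail with "cannot bind socket" at start. The config excerpt, host names and local address set are constructed for the example.

```python
import ipaddress
import re

# Constructed excerpt in the style of the OPNsense-generated haproxy.conf
# posted above. Host names are placeholders, not real hosts.
SAMPLE_CFG = """\
frontend External-Pub
bind ctlgmon01.example.test:443 name ctlgmon01.example.test:443 ssl
bind 72.10.1.5:443 name old-wan ssl
mode http
frontend External-Pub-Fixed
bind 0.0.0.0:443 name wan-any ssl
listen local_statistics
bind 127.0.0.1:8822
"""

# Addresses currently assigned on the box (constructed; on FreeBSD this set
# would be built from `ifconfig` output). The stale PPPoE address is absent.
LOCAL_ADDRS = {"127.0.0.1", "172.16.10.1", "72.10.1.9"}

SECTION_RE = re.compile(r"^\s*(frontend|listen)\s+(\S+)")
BIND_RE = re.compile(r"^\s*bind\s+(\S+)")


def bind_host(addr_port):
    """Address part of a bind argument; handles host:port and [v6]:port."""
    host = addr_port.rsplit(":", 1)[0] if ":" in addr_port else addr_port
    return host.strip("[]")


def bind_kind(addr_port):
    """Classify a bind address as wildcard, literal IP or hostname."""
    host = bind_host(addr_port)
    if host in ("", "*", "0.0.0.0", "::"):
        return "wildcard"
    try:
        ipaddress.ip_address(host)
        return "literal"
    except ValueError:
        return "hostname"


def lint_binds(cfg, local_addrs):
    """Return (section, address, problem) per bind; problem is None when safe."""
    findings, section = [], "?"
    for line in cfg.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(2)
            continue
        if not (m := BIND_RE.match(line)):
            continue
        addr, kind = m.group(1), bind_kind(m.group(1))
        if kind == "hostname":
            problem = "resolved via DNS at start; a stale record gives an unassignable address"
        elif kind == "literal" and bind_host(addr) not in local_addrs:
            problem = "address is not assigned on this host"
        else:
            problem = None  # wildcard, or a literal address the host actually owns
        findings.append((section, addr, problem))
    return findings
```

Run it against the live config before `service haproxy restart`; any finding with a non-empty problem is a bind that depends on state outside HAProxy (DNS or a previous WAN lease) and is what the wildcard bind removes.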