HAProxy Virtual IP Bind Issue

Started by authelia, August 29, 2022, 10:12:41 AM

August 29, 2022, 10:12:41 AM Last Edit: August 30, 2022, 05:58:18 AM by authelia
Whenever I add a virtual ip and configure haproxy to listen to it on ports 80/443, I can't start:

1. haproxy (when webui is running) or
2. webui (when haproxy is running)

This issue seems very similar to the one reported for v22.1.

Patch 9a618ba6 doesn't seem to work on OPNsense 22.7.2-amd64.
Error message:

root@OPNsense:/var/log/system # opnsense-patch 9a618ba6
Found local copy of 9a618ba6, skipping fetch.
2 out of 6 hunks failed while patching etc/inc/interfaces.inc


Virtual ip is attached to lo0 with service binding disabled. I was trying to follow the haproxy tutorial.

I'm not aware of issues with 22.7. If you add a patch from 22.1 you will most likely remove the actual fix.

If you want to grab port 80 make sure to disable the web GUI redirect.


Cheers,
Franco

It's not the same issue reported in 22.1.
The issue in 22.1 has nothing related to webui.

If you find only one of them can survive in your setting, please make sure that only one of the statements below can be true (if both statements are true, your thing won't work):
1. In HAProxy, one of your frontends is binding to 0.0.0.0:80, or 0.0.0.0:443 or (WAN_IP):80 or (WAN_IP):443
2. In webui, you haven't changed the port and haven't disabled auto redirect, i.e. it's still using port 443 or 80

BTW, I'm afraid applying patches from totally different versions will break the code. (You might have strange issues even if you have your HAProxy and webui set up correctly.)

August 29, 2022, 10:35:00 PM #3 Last Edit: August 30, 2022, 06:25:09 AM by authelia
How can I reverse the wrong patch? Reapplying the same command doesn't seem to work.

Quote: Please make sure that only one of the statements below can be true (if both statements are true, your thing won't work):
1. In HAProxy, one of your frontends is binding to 0.0.0.0:80, or 0.0.0.0:443 or (WAN_IP):80 or (WAN_IP):443
2. In webui, you haven't changed the port and haven't disabled auto redirect, i.e. it's still using port 443 or 80

In my case, only (2) is true. I haven't changed the standard port and HTTP Redirect is unchecked.

Do I still need (1) if I have defined virtual ip?

Quote from: authelia on August 29, 2022, 10:35:00 PM
How can I reverse the wrong patch? Reapplying the same command doesn't seem to work.

Please make sure that only one of the statements below can be true (if both statements are true, your thing won't work):
1. In HAProxy, one of your frontends is binding to 0.0.0.0:80, or 0.0.0.0:443 or (WAN_IP):80 or (WAN_IP):443
2. In webui, you haven't changed the port and haven't disabled auto redirect, i.e. it's still using port 443 or 80


In my case, only (2) is true. I haven't changed the standard port and HTTP Redirect is unchecked.

Do I still need (1) if I have defined virtual ip?

It is advised to, as we don't know the config of your HAProxy, so we are unable to guess how it failed.
And it is better to ask in that tutorial thread.

Thanks Bunch and Franco for your assistance thus far.

Quote: It is advised to, as we don't know the config of your HAProxy, so we are unable to guess how it failed.

I have added the frontend listener for 0.0.0.0 as per the tutorial. However, as soon as I enable the frontend listener for the virtual ip, haproxy refuses to start.

What I am noticing is that as soon as the webgui starts up, lighttpd binds port 80 and 443 to the virtual ip (even though "Allow Services Binding" option is unchecked).

I even tried using a completely brand new subnet as the new virtual ip (unrelated to any of the interfaces). However, the same symptoms appear.

For example, changing the virtual ip to 192.168.10.65 (from 192.168.1.65 - LAN subnet is 192.168.1.0/24), I see the following as soon as the webgui is restarted.

Virtual IP in LAN Subnet

root@OPNsense:~ # sockstat -4 -l | grep lighttpd
root     lighttpd   28364 6  tcp4   192.168.1.65:443      *:*
root     lighttpd   28364 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   28364 10 tcp4   192.168.1.65:80       *:*
root     lighttpd   28364 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*

root@OPNsense:~ # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT]    (2036) : Starting frontend 1_HTTP_frontend: cannot bind socket (Can't assign requested address) [192.168.1.65:80]
[ALERT]    (2036) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Can't assign requested address) [192.168.1.65:443]
[ALERT]    (2036) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy


Virtual IP in Brand New Subnet

root@OPNsense:~ # /usr/local/etc/rc.restart_webgui
Starting web GUI...done.
Generating RRD graphs...done.

root@OPNsense:~ # sockstat -4 -l | grep lighttpd
root     lighttpd   64654 6  tcp4   192.168.10.65:443     *:*
root     lighttpd   64654 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   64654 10 tcp4   192.168.10.65:80      *:*
root     lighttpd   64654 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*

root@OPNsense:~ # /usr/local/etc/rc.d/haproxy start
Starting haproxy.
[ALERT]    (18033) : Starting frontend 1_HTTP_frontend: cannot bind socket (Address already in use) [192.168.10.65:80]
[ALERT]    (18033) : Starting frontend 1_HTTPS_frontend: cannot bind socket (Address already in use) [192.168.10.65:443]
[ALERT]    (18033) : [/usr/local/sbin/haproxy.main()] Some protocols failed to start their listeners! Exiting.
/usr/local/etc/rc.d/haproxy: WARNING: failed to start haproxy

As advised, I have also cross posted on the original support thread.

Your web UI is listening on that port already. I suggest you move it to something different like 4443. That's what we do.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
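
A pre-flight check for the two bind errors HAProxy printed in this thread ("Address already in use" and "Can't assign requested address"), added here as an example and not part of any post. The function and helper names are hypothetical, the address list is constructed, the listener table is copied from the sockstat output above, and only exact address:port holders are reported.

```shell
#!/bin/sh
# Added example, not from the thread: classify a planned HAProxy bind before
# starting the service.

# Constructed list of IPv4 addresses configured on the host. On a live system:
#   ifconfig | awk '$1 == "inet" { print $2 }'
sample_addrs() { printf '%s\n' 127.0.0.1 192.168.1.1 192.168.10.65; }

# Listener table copied from the `sockstat -4 -l` output posted in the thread.
sample_listeners() {
cat <<'EOF'
root     lighttpd   64654 6  tcp4   192.168.10.65:443     *:*
root     lighttpd   64654 8  tcp4   192.168.1.1:443       *:*
root     lighttpd   64654 10 tcp4   192.168.10.65:80      *:*
root     lighttpd   64654 12 tcp4   192.168.1.1:80        *:*
root     sshd       84263 5  tcp4   192.168.1.1:22        *:*
EOF
}

# check_bind ADDR:PORT ADDRS LISTENERS
# Prints one verdict:
#   in-use <command> <pid>  another process holds exactly this address:port
#   not-assigned            the address is not configured on any interface
#   no-conflict-found       neither of the above (exact matches only)
check_bind() {
    addr=${1%:*}
    port=${1##*:}
    want=$1
    # sockstat prints a wildcard listener as "*:port".
    if [ "$addr" = "0.0.0.0" ]; then want="*:$port"; fi
    holder=$(printf '%s\n' "$3" | awk -v t="$want" '$6 == t { print $2, $3; exit }')
    if [ -n "$holder" ]; then
        echo "in-use $holder"
    elif [ "$addr" != "0.0.0.0" ] && ! printf '%s\n' "$2" | grep -qxF "$addr"; then
        echo "not-assigned"
    else
        echo "no-conflict-found"
    fi
}

# Verdicts for the virtual IP binds from the thread plus one constructed address.
for b in 192.168.10.65:80 192.168.10.65:443 192.168.20.65:80; do
    echo "$b: $(check_bind "$b" "$(sample_addrs)" "$(sample_listeners)")"
done
```
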