Dear all,
I’m using HAProxy plugin for OPNSense and I followed few online tutorials and all of these ended up in the same way:
503 Service Unavailable
No server is available to handle this request.
I want to ue the reverse proxy for home hosted web apps on apache server listening on port 80/443
For the below setting I followed this tutorial using the LAN network rather the WAN
Below the actual setup:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
uid 80
gid 80
chroot /var/haproxy
daemon
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 4
hard-stop-after 60s
no strict-limits
maxconn 10000
tune.ssl.default-dh-param 4096
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
log /var/run/log local0 warning
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
option redispatch -1
maxconn 5000
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: 0_SNI_Frontend (listening on LAN address port 80/443)
frontend 0_SNI_Frontend
bind lan_ip:80 name lan_ip:80
bind lan_ip:443 name lan_ip:443
mode tcp
default_backend SSL_Backend
# logging options
# Frontend: 1_HTTP_frontend (Listening on lo_ip:80)
frontend 1_HTTP_frontend
bind lo_ip:80 name lo_ip:80 accept-proxy
mode http
option http-keep-alive
option forwardfor
# logging options
option dontlognull
option log-separate-errors
option httplog
# ACL: NoSSL_condition
acl acl_6462b25dd3fc08.98092716 ssl_fc
# ACTION: HTTP2HTTPS_r
http-request redirect scheme https code 301 if !acl_6462b25dd3fc08.98092716
# Frontend: 2_HTTPS_frontend (Listening on lo_ip:443)
frontend 2_HTTPS_frontend
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
bind lo_ip:443 name lo_ip:443 accept-proxy ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6463bbbf543239.59805119.certlist
mode http
option http-keep-alive
option forwardfor
timeout client 15m
# logging options
option dontlognull
option log-separate-errors
option httplog
# ACTION: PUBLIC_SUBDOMAINS_r
# NOTE: actions with no ACLs/conditions will always match
use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/645151c9cb3ae5.07476878.txt)]
# Backend: s1_backend (s1 server backend)
backend s1_backend
# health checking is DISABLED
mode http
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
server s1_server server_ip
# Backend: SSL_Backend (SNI backend)
backend SSL_Backend
# health checking is DISABLED
mode tcp
balance source
# stickiness
stick-table type ip size 50k expire 30m
stick on src
server SSL_Server lo_ip send-proxy-v2 check-send-proxy
# statistics are DISABLED
I’m new to reverse proxy and HAProxy which thoretically seams straight forward but the amount of options make it difficult but flexible.
I also tried a more simple setup:
LAN_User ->LAN FW IP (Frontend) → DMZ Server IP
ending agin to same lending error 503
Trying to reduce to the bare minimum setup I tried also to use the reverse proxy only on port 80 but same error.
Can someone pass some hint from where I can start to investigate?
Anybody with opnsense experience to help?
thanks
