Configuration ssl <NOSRV> -1/-1/-1/-1/0 503 212 - - SC--

Configuration Samples
1

Hi All,
We have HAproxy running perfectly until there is a need to add 2 services that use SSL, calling web1 and web2. We have installed a wild-child SSL certificate in te server.

This is an example of our configs:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
nbproc 12
cpu-map 1 1
cpu-map 2 2
cpu-map 3 3
cpu-map 4 4
cpu-map 5 5
cpu-map 6 6
cpu-map 7 7
cpu-map 8 8
cpu-map 9 9
cpu-map 10 10
cpu-map 11 11
cpu-map 12 12
stats bind-process 12

    maxconn 500
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
     ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM -HA384:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
     tune.ssl.default-dh-param 4096
     ssl-default-bind-options  no-sslv3 no-tlsv10 no-tlsv11

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend frontweb
maxconn 800
option http_proxy
bind *:443 ssl crt /etc/ssl/web.abc.com

acl web1 hdr(host) -i abc1.abc.com
use_backend web1b if web1

acl web2 hdr(host) -i abc2.abc.com
use_backend web2b if web2

      option          forwardfor
      default_backend   www

backend www
mode http
server ipx x.x.x.x:80 check maxconn 500

backend web1b
mode http
server ipx1 y.y.y.y.y:80 check maxconn 500
backend web2b
mode http
server ipx2 z.z.z.z:80 check maxconn 500

After making some tests we are in this situation :

  • abc2.abc.com is routed into the backend www
    -If we remove the default_bakcend the abc2.abc.com can not be served and we have this errors :
    -1/-1/-1/-1/0 503 212 - - SC–
    In all the tests above we confirmed that abc1.abc.com is served ok in both situations.

Can everyone help us please to dig more in order we can solve this situation?
Thanks in advance

2

Greetings!
HAProxy version 2.6.8-4 - Configuration Manual - Session state at disconnection:

     SC   The server or an equipment between it and HAProxy explicitly refused
          the TCP connection (the proxy received a TCP RST or an ICMP message
          in return). Under some circumstances, it can also be the network
          stack telling the proxy that the server is unreachable (e.g. no route,
          or no ARP response on local network). When this happens in HTTP mode,
          the status code is likely a 502 or 503 here.

It sounds like HAProxy cannot reach the backend servers. When you start the HAProxy service, the logs should show if the server is up or down, something like:

Feb  9 21:12:32 --hostname-- haproxy[--pid--]: [WARNING]  (--pid--) : Server web1b/ipx1 is DOWN, reason: Layer4 timeout, check duration: 2001ms. 2 active and 0 backup servers left. 1 sessions active, 0 requeued, 0 remaining in queue.
Feb  9 21:12:32 --hostname-- haproxy[--pid--]: Server web1b/ipx1 is DOWN, reason: Layer4 timeout, check duration: 2001ms. 2 active and 0 backup servers left. 1 sessions active, 0 requeued, 0 remaining in queue.

OR

Feb  9 21:12:34 --hostname-- haproxy[--pid--]: [WARNING]  (--pid--) : Server web1b/ipx1 is UP, reason: Layer7 check passed, code: 0, check duration: 0ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
Feb  9 21:12:34 --hostname-- haproxy[--pid--]: Server web1b/ipx1 is UP, reason: Layer7 check passed, code: 0, check duration: 0ms. 3 active and 0 backup servers online. 0 sessions requeued, 0 total in queue.
3

Hi Stormrover,
Many thanks for your post, was really helpful. You are right some backends are not started and we noticed some errors :
haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4040.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4041.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4042.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4043.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4044.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4045.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4046.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4047.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4048.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4049.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4050.
Feb 13 15:33:35 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: SIGTERM → 4051.
Feb 13 15:33:36 lh40675 haproxy-systemd-wrapper[4021]: haproxy-systemd-wrapper: exit, haproxy RC=0
and
haproxy-systemd-wrapper[10896]: [ALERT] 043/153336 (10898) : sendmsg logger #2 failed: Resource temporarily unavailable (errno=11).

We are running HA-Proxy version 1.7.5-2+deb9u1 2022/05/30

4

I would strongly recommend upgrading to a more recent version. 1.7.4 could have bugs that, though not critical, could still cause problems.

5

Hi Stormover,
Many thanks for your fast reply. In this installation, we have running some other running services so we will make some tests in some other test instance and will come back with feedback.
Best regards