Configure HA Proxy for domain name

Hi,
I have a scenario,
I have the domain myapp.com (Appointed to HA PROXY server) and two other domains (myapp1.com and myapp2.com running on other servers)

In my configuration I am trying to add them as:
frontend www_frontend
    bind *:80
    acl host_web1 hdr(host) -i myapp.com
    use_backend myapp if host_web1

frontend www_frontend_https
    bind *:443
    acl host_web1 hdr(host) -i myapp.com
    use_backend myapp if host_web1

backend myapp
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server node1 myapp1.com cookie A check
    server node2 myapp2.com cookie A check

But it gives me error that
server node1 has neither service port nor check port nor tcp_check rule ‘connect’ with port information. Check has been disabled.

myapp1.com and myapp2.com are only accessible through domain names, not by IP addresses.

Also, in my /etc/hosts I have the IP addresses and host names on all three servers.

All the servers are running nginx.

My HAPROXY domain myapp.com is also using nginx.

This is my first time working with HA Proxy and help will be much appreciated.

Thank you!

Now I added a port against check, as suggested by the error message

server node1 myapp1.com cookie A check port 443
server node2 myapp2.com cookie A check port 443

and tried to run haproxy in debug mode with command haproxy -db -f /path/to/haproxy.cfg
it gives me error
[ALERT] 099/191218 (28649) : Starting frontend www_frontend: cannot bind socket [0.0.0.0:80]
[ALERT] 099/191218 (28649) : Starting frontend www_frontend_https: cannot bind socket [0.0.0.0:443]

You can’t have another application running on port 80 and 443 if you want to bind haproxy to it, and you also need to start it as root for haproxy to be able to bind to privileged ports.

Regarding the configuration, there are multiple configurations that are incompatible with each other, and you need to provide some additional information and make some decisions first, before we go any further:

  • do your backend servers serve the same or a different application/service?
  • would you like to load-balance incoming request between the two?
  • do both your backends listen on port 80 for HTTP and port 443 for HTTPS? or …
  • would you like haproxy to terminate SSL on port 443 and forward it unencrypted to your backend servers?
  • you cannot do things like accessing Host headers or setting the X-Client-IP, unless you are in http mode and are terminating SSL at haproxy (putting the SSL certificate into the haproxy configuration).

Not sure what that means. Are you saying the Host header and SNI value in HTTPS needs to be filled? This needs to be configured separately.

Hi

Thank you for quick response

Regarding the ports, I understand that I can't have another application on the same port. But how can I appoint a domain name myapp.com to HA Proxy without using a web server?

  • do your backend servers serve the same or a different application/service?

I have multiple applications running on my backend servers. All of them are listening on port 80 using nginx, and internally are bound to local 127.0.0.1

  • would you like to load-balance incoming request between the two?

Yes, I just want to load balance between the two. My haproxy server does not have any applications running. It is just meant for balancing.

  • do both your backends listen on port 80 for HTTP and port 443 for HTTPS? or
    would you like haproxy to terminate SSL on port 443 and forward it unencrypted to your backend servers?

No, I do not want HAProxy to terminate SSL. Yes, both backends listen on 80 and 443. But how can I differentiate which application to open using HAProxy?


  • you cannot do things like accessing Host headers or setting the X-Client-IP, unless you are in http mode and are terminating SSL at haproxy (putting the SSL certificate into the haproxy configuration).

Yes I am in http mode.


Then your configuration is wrong. If you have nginx bound to 127.0.0.1:80 you cannot bind haproxy to the same port.

If nginx really only listens on 127.0.0.1, then at the very least you need to specify your real IP address when binding with haproxy, instead of everything.

Like for example:

frontend www_frontend
 bind 192.168.1.5:80

Why do you need to differentiate? Are you running different applications? You can just specify the backend with the default_backend directive.

Which is incompatible with what you are trying to do. You cannot use http mode, because port 443 is encrypted. If you just pass encrypted traffic to your backend 443 port then you cannot access plaintext traffic or insert HTTP client.

The entire point of Haproxy is that intermediates cannot access or modify the data without decryption, which is what you are trying to do.
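
The two problems raised in this thread (a `server ... check` line with no port, and HTTP-layer directives behind a port-443 bind that does not terminate TLS) can be caught before starting haproxy. The following Python check is an added example, not part of the thread and not an HAProxy tool; `lint`, `parse_sections` and the rule names are hypothetical, the sample is the configuration from the first post, and any server address containing ":" is assumed to carry a port.

```python
import re

# Constructed sample: the configuration from the first post, re-indented.
SAMPLE_CFG = """\
frontend www_frontend
    bind *:80
    acl host_web1 hdr(host) -i myapp.com
    use_backend myapp if host_web1
frontend www_frontend_https
    bind *:443
    acl host_web1 hdr(host) -i myapp.com
    use_backend myapp if host_web1
backend myapp
    balance leastconn
    http-request set-header X-Client-IP %[src]
    server node1 myapp1.com cookie A check
    server node2 myapp2.com cookie A check
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# HTTP_ONLY: directives from this thread that need decrypted HTTP.
# PASSTHROUGH: a bind on :443 with no "ssl" keyword (TLS not terminated here).
HTTP_ONLY = re.compile(r"\bhdr\(|^http-request\b|\bcookie\b")
PASSTHROUGH = re.compile(r"bind\s+\S*:443\b(?!.*\bssl\b)")

def parse_sections(text):
    """Map (kind, name) -> list of whitespace-normalised directive lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] in SECTIONS:
            current = sections.setdefault((words[0], " ".join(words[1:2])), [])
        elif words and current is not None:
            current.append(" ".join(words))
    return sections

def lint(text):
    """Return (rule, section, directive) findings for the two problems above."""
    sections, findings = parse_sections(text), []
    for (kind, name), lines in sections.items():
        for d in lines:
            w = d.split()
            # "check" needs a port: either host:port or an explicit "port N".
            if w[0] == "server" and "check" in w and len(w) > 2 and ":" not in w[2] and "port" not in w:
                findings.append(("no-check-port", name, d))
        if kind == "frontend" and any(PASSTHROUGH.match(d) for d in lines):
            routed = re.findall(r"^(?:use|default)_backend\s+(\S+)", "\n".join(lines), re.M)
            scope = lines + [b for r in routed for b in sections.get(("backend", r), [])]
            findings += [("http-on-passthrough", name, d) for d in scope if HTTP_ONLY.search(d)]
    return findings
```

Run over `SAMPLE_CFG`, `lint` reports both `server` lines for the missing port, and the `hdr(host)` ACL, the `http-request set-header` line and both `cookie` options as reachable only from the unterminated port-443 frontend.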