HAProxy community

Connection refused


#1

Good morning everyone.

I have a problem with a machine behind a proxy configured with haproxy. In the haproxy I configured that http://example.com make a redirect to https://example.com and that https://example.com go to 192.168.2.11 on port 80. In the 192.168.2.11 machine I only opened port 80. On my machine 192.168.2.11, when I run

wget https://example.com

it gives me a refused connection. When I run the wget from outside, the connection is successful.

To solve this I entered in /etc/hosts of 192.168.2.11

192.168.2.11 example.com

I enabled port 443, added the virtualhost in apache. Now the connection works but I do not like this solution, it does not seem to me the correct one.


#2

Please show that configuration. It is difficult and most likely inaccurate to guess what your configuration looks like, based solely on your high level description.


#3

Hi, this is my configuration:

global
    log /dev/log    local0
    log /dev/log    local1 debug
    daemon
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  http-server-close
    option  forwardfor
    timeout connect 5000
    timeout check 5000
    timeout client 30000
    timeout server 90000

frontend www-http
    bind *:80
    mode http
    # This is the virtual URL to access the stats page
    stats uri /haproxy_stats
    # Authentication realm. This can be set to anything. Escape space characters with a backslash.
    stats realm HAProxy\ Statistics
    # The user/pass you want to use. Change this password!
    stats auth admin:1qaz2wsx3edc
    # This allows you to take down and bring up back end servers.
    # This will produce an error on older versions of HAProxy.
    stats admin if TRUE

    option httpclose
    option http-server-close
    option forwardfor
    reqadd X-Forwarded-Proto:\ http

    ## REDIRECT RULES HTTP TO HTTPS
    redirect prefix https://example.com code 301 if { hdr(host) -i example.com }
    redirect prefix https://example.com code 301 if { hdr(host) -i www.example.com }
    redirect prefix https://example2.com code 301 if { hdr(host) -i example2.com }
    redirect prefix https://example3.com code 301 if { hdr(host) -i example3.com }
    ## END REDIRECT RULES HTTP TO HTTPS

    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    ## START-DEFINEHOST ##
    acl www_host_example_com hdr(host) -i www.example.com
    acl host_example_com hdr(host) -i example.it
    acl host_example2_com hdr(host) -i example2.com
    acl host_example3_com hdr(host) -i example3.com
    ## END-DEFINEHOST ##

    ## START-DEFINEBACKEND ##
    use_backend web11 if www_host_example_com
    use_backend web11 if host_example_com
    use_backend web11 if host_example2_com
    use_backend web12 if host_example3_com
    ## END-DEFINEBACKEND ##

    default_backend www-backend

frontend www-https
    bind *:443 ssl crt /etc/haproxy/ssl/www.example.com.pem crt /etc/haproxy/ssl/www.example2.com.pem crt /etc/haproxy/ssl/www.example3.com.pem
    reqadd X-Forwarded-Proto:\ https

    # ADDED 21-08-2018 FOR SSL RENEW - TO TEST<-->
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    ## START-DEFINEHOST ##
    acl www_host_example_com hdr(host) -i www.example.com
    acl host_example_com hdr(host) -i example.it
    acl host_example2_com hdr(host) -i example2.com
    acl host_example3_com hdr(host) -i example3.com
    ## END-DEFINEHOST ##

    ## START-DEFINEBACKEND ##
    use_backend web11 if www_host_example_com
    use_backend web11 if host_example_com
    use_backend web11 if host_example2_com
    use_backend web12 if host_example3_com
    ## END-DEFINEBACKEND ##

    default_backend www-backend

backend web11
    balance leastconn
    option httpclose
    option forwardfor
    server www-1 192.168.2.11:80 check

backend web12
    balance leastconn
    option httpclose
    option forwardfor
    server www-1 192.168.2.12:80 check

backend www-backend
    server apache1 www.mysite.it:80 check

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321

#4

I don’t think this has anything to do with haproxy. Where does example.com point to without the hosts entry? A public IP address? If that doesn’t work from the internal network, the likely reason is that your NAT gateway does not enable or support NAT loopback.

This has nothing to do with haproxy, but with the way NAT and DNS are handled in your network. And if you want to fix this problem, either use a NAT gateway with “NAT loopback” enabled or make your host (via hosts file or internal DNS resolution) point to the private IP address of haproxy (as opposed to the backend server, which bypasses haproxy).
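The three outcomes described in this reply (public address without NAT loopback, hosts entry pointing at the backend, hosts entry pointing at HAProxy) can be worked through offline. This is an added example, not part of the thread; it assumes HAProxy's LAN address is 192.168.2.10 and uses 203.0.113.10 as a stand-in for the public address, both constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Topology:
    """Constructed LAN from the thread: HAProxy terminates TLS on :443,
    the backends only listen on :80."""
    lan: ipaddress.IPv4Network
    haproxy_ip: ipaddress.IPv4Address
    backend_ips: frozenset
    nat_loopback: bool = False  # can the gateway hairpin LAN -> public-IP traffic?


def resolve_from_hosts(hosts_text: str, name: str):
    """Return the address /etc/hosts assigns to name, or None if it is absent."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) > 1 and name in fields[1:]:
            return fields[0]
    return None


def classify(hosts_text: str, dns_answer: str, name: str, topo: Topology) -> str:
    """Where does https://name/ land for a client inside topo.lan?
    /etc/hosts takes precedence over the DNS answer, as the system resolver does."""
    ip = ipaddress.ip_address(resolve_from_hosts(hosts_text, name) or dns_answer)
    if ip == topo.haproxy_ip:
        return "reaches-haproxy"      # TLS terminated by HAProxy, routed on Host header
    if ip in topo.backend_ips:
        return "bypasses-haproxy"     # nothing listens on backend:443 -> connection refused
    if ip not in topo.lan:
        return "hairpin-ok" if topo.nat_loopback else "no-nat-loopback"
    return "unexpected-lan-host"


# Constructed values: HAProxy's LAN address is assumed to be 192.168.2.10,
# 203.0.113.10 stands in for the public address that external DNS returns.
TOPO = Topology(
    lan=ipaddress.ip_network("192.168.2.0/24"),
    haproxy_ip=ipaddress.ip_address("192.168.2.10"),
    backend_ips=frozenset(map(ipaddress.ip_address, ["192.168.2.11", "192.168.2.12"])),
)
PUBLIC_DNS_ANSWER = "203.0.113.10"

if __name__ == "__main__":
    cases = {
        "original post (no hosts entry)": "",
        "poster's workaround": "192.168.2.11 example.com\n",
        "#4's fix": "192.168.2.10 example.com  # HAProxy, not the backend\n",
    }
    for label, hosts in cases.items():
        print(f"{label:32} -> {classify(hosts, PUBLIC_DNS_ANSWER, 'example.com', TOPO)}")
```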


#5

You are right. If I make the host point to the private IP address of haproxy, it works.
Thank you.