I am new to this so I apologize in advance if this is a silly question. All I am trying to do is allow a request to hit the IP address for server1 in a browser, and have it reach server2 instead. Assume my HAproxy server is 10.10.16.124, server1 is 10.10.18.12, and server2 is 10.10.16.74 (I made up the addresses for security, but they are all on the same network). I have a very simple config file (below). After saving the .cfg file, I run a validation check on it, and restart haproxy. Then on my computer, which has access to all networks, I type the IP address for server1 into the browser and I expect it to bring up the web interface for server2, but nothing happens. It’s like entering an address which does not exist. Here’s the very basic config:
```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend server1
    bind 10.10.18.12:80
    default_backend http_back

backend http_back
    balance roundrobin
    server server2 10.10.16.74:80 check
```
I feel like I must be missing something very basic, maybe something on the network. 10.10.12.18 does not exist anywhere. It is a new IP address, but it is valid and is in the same network.
In the logs I see this:
```
Jun 11 15:16:29 rshq-haproxy haproxy[812]: [NOTICE] (812) : haproxy version is 3.0.0-1ppa1~jammy
Jun 11 15:16:29 rshq-haproxy haproxy[812]: [NOTICE] (812) : path to executable is /usr/sbin/haproxy
Jun 11 15:16:29 rshq-haproxy haproxy[812]: [WARNING] (812) : Exiting Master process...
Jun 11 15:16:29 rshq-haproxy haproxy[812]: [ALERT] (812) : Current worker (865) exited with code 143 (Terminated)
Jun 11 15:16:29 rshq-haproxy haproxy[812]: [WARNING] (812) : All workers exited. Exiting... (0)
Jun 11 15:16:30 rshq-haproxy haproxy[22975]: [NOTICE] (22975) : New worker (22977) forked
Jun 11 15:16:30 rshq-haproxy haproxy[22975]: [NOTICE] (22975) : Loading success.
Jun 11 15:42:17 rshq-haproxy haproxy[22977]: 10.10.100.27:63871 [11/Jun/2024:15:42:17.242] http_front http_back/server1 0/0/0/54/54 302 334 - - ---- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
Jun 11 15:42:23 rshq-haproxy haproxy[22977]: 10.10.100.27:63871 [11/Jun/2024:15:42:23.558] http_front http_back/server1 0/0/1/56/57 302 491 - - ---- 2/2/0/0/0 0/0 "GET /login HTTP/1.1"
Jun 11 15:42:39 rshq-haproxy haproxy[22977]: 10.10.100.27:63871 [11/Jun/2024:15:42:39.085] http_front http_back/server1 0/0/0/53/53 302 334 - - ---- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
Jun 11 15:46:26 rshq-haproxy haproxy[22977]: 10.10.100.27:64026 [11/Jun/2024:15:46:26.322] http_front http_back/server1 0/0/0/52/52 302 334 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Jun 11 15:50:12 rshq-haproxy haproxy[22975]: [NOTICE] (22975) : haproxy version is 3.0.0-1ppa1~jammy
Jun 11 15:50:12 rshq-haproxy haproxy[22975]: [NOTICE] (22975) : path to executable is /usr/sbin/haproxy
Jun 11 15:50:12 rshq-haproxy haproxy[22975]: [WARNING] (22975) : Exiting Master process...
```
Just to note, 10.10.100.27 is my machine. I assume this reflects my attempt to go to 10.10.18.12 in the browser. I have access to all networks and can access other devices on the same network as those other IP’s.
Any idea what I am doing wrong? Is something left out of the .cfg file? I plan on doing more complex SSL termination and redirection (no load balancing) but I just want to know my haproxy machine is even working first. I will also note the haproxy machine has only one network interface.
That’s a networking question rather than a haproxy question.
If you want 10.10.18.12 on a haproxy server, you need to add it to the (network) configuration on the haproxy server, not necessarily the haproxy configuration.
Refer to your OS documentation for how that is best achieved. Look for keywords like “ip aliasing” or “secondary ip addresses”.
If iproute2 is available, you can probably test this with something like:
```
ip addr add dev eth0 10.10.18.12/24
```
However this will not survive a reboot.
According to your logs though the request arrives and there is a redirect. So perhaps you should check whether your browser URL points to somewhere else or, better yet, run `curl -vv url` against the destination.
For example, if server2 redirects from port 80 to port 443, but you did not configure port 443 forwarding on the haproxy server, the request will fail when it tries to access 443 on the haproxy box.
But this depends on what the redirect looks like.
OK thank you! I suspected there must be some kind of network config I might be missing, but all the guides I have seen focused on the haproxy.cfg file.
I mentioned that I am new to haproxy. I don’t have a ton of linux experience in general. In this case the haproxy machine is running on Ubuntu 22.04 (you can probably tell from my logs). I know how to set up a static IP address in the .yaml file in /etc/netplan. Is this where I would add additional IP addresses? I looked through the documentation and could not find what you appear to be referring to. Eventually, I hope to be adding multiple virtual IP addresses that redirect to backend servers. It doesn’t seem realistic to me for one network interface to have 20 IP addresses (for example). Can you direct me to more specific documentation locations? I will dig further when I have more time.
You mentioned port 443. I didn’t configure it yet because for now, I just want to get a single port 80 forward working, and then build on that. I do plan to use this for SSL termination eventually, once I get my head around how to set it up.
See here:
In fact, I don’t know why you would do such a thing. Perhaps you want to elaborate why you think you need so many frontend IPs?
Why do you think haproxy needs to use the ip address of a switched off server1 in this scenario for example? Why can’t you use its primary IP 10.10.16.124?
OK, good point. Let me elaborate. I have been tasked with using haproxy to replace our Kemp appliances, which did the following:
- http redirect plus https redirect using 7 VIP’s for 7 backends
- SSL termination for those 7 https backends
- some load balancing (not needed anymore)
So I will just need to set up the http and https VIP’s. But first, just to demonstrate to myself this will work, I simply wanted to set up a simple redirect from server1 to server2 using just http.
I was able to just add the secondary IP (address of server1) to the NIC (10.10.18.12) and I can now ping it. So thank you for that part.
Browsing to server2 directly, by just entering the IP address of server2, it goes to https://10.10.16.74/login (https is in strikethrough format) and the login screen for server2 appears. (It has no SSL cert.) If I enter the IP address of server1, I now get https://10.10.18.12/login and a “refused to connect” error. So it somehow knows to redirect to the /login page in the URL, and the browser tries to add the https, but I was hoping to just be able to see the same non-SSL page I got by going directly to the server2 10.10.16.74 address. I hope this makes sense.
So anyway, I was first just trying to get that one redirect working in order to prove the concept to myself, and ultimately I need to understand how to configure haproxy’s NIC to handle all those VIP’s, as well as learn what to do to apply SSL certs to traffic destined for servers that don’t have SSL.
You don’t need 7 VIPs for this, not on Kemp and not with haproxy. You can route the request based on the Host header to the correct backend server, and just use the single haproxy IP address instead of 1 + 7 IPs.
The starter guide will help you get going with haproxy:
http://docs.haproxy.org/2.8/intro.html
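
The Host-header routing suggested in the last reply, combined with the TLS termination and HTTP-to-HTTPS redirect asked about earlier in the thread, could look like the configuration below. This is an added example, not part of the original posts; the hostnames, the certificate directory and the second backend address are assumptions.

```haproxy
# Added example, not from the thread. 10.10.16.124 (haproxy) and 10.10.16.74
# (server2) are the addresses from the question; hostnames, certificate
# directory and the second backend are assumed placeholders.
global
    log /dev/log local0
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend fe_web
    bind 10.10.16.124:80
    # Assumed directory holding one combined PEM (certificate + key) per site
    bind 10.10.16.124:443 ssl crt /etc/haproxy/certs/

    # Match on the Host header with any ":port" suffix stripped
    acl host_app1 req.hdr(host),field(1,:) -i app1.example.internal
    acl host_app2 req.hdr(host),field(1,:) -i app2.example.internal

    # Refuse names that are not served here instead of guessing a backend
    http-request deny deny_status 404 unless host_app1 || host_app2

    # Plain-HTTP clients are sent to HTTPS on the same name
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Tell the backend the client side was HTTPS (the backend must honour it)
    http-request set-header X-Forwarded-Proto https

    use_backend be_app1 if host_app1
    use_backend be_app2 if host_app2

backend be_app1
    # TLS ends at haproxy; server2 is reached over plain HTTP
    server server2 10.10.16.74:80 check

backend be_app2
    # Placeholder address (TEST-NET-1); replace with the real backend
    server app2 192.0.2.20:80 check
```

Each hostname needs a DNS record pointing at 10.10.16.124, and the file can be checked with `haproxy -c -f <file>` before restarting.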