HTTP only backend https Frontend (503 error) on PFSense

Absolute newbie here to HAP.
Trying to set up a very simple HTTPS frontend, and access a simple webserver
that is http only on the backend.
But always get “503 service unavailable” error while trying.
Any basic guidelines for doing this or what is likely to cause the 503 error?

I’m stumbling through trying many things on my end.
Trying to just use the default public facing self-signed certificate.
I also tried a local PFSense CA and generating my own certificate.
But same problem.
This does not appear (to me) to be a certificate error causing the 503.

The backend is not https and appears to be working properly.
But I am unable to reach it from the front-end.
Get the 503 error.

Backend appears to be “up” with black checkmarks in status.

Testing with http frontend only works fine.
And reaches backend as expected.

Clicking on related logs for HAProxy only shows “Log file started.”
I’m not sure where to turn up logging or find related logging for the 503 issue.

Thanks if you have any pointers!

Hi,

This here is always a good point to start - and remember - go from easy to hard and split up your problem into multiple steps. This will help you identify wrong configuration in particular.

May the ACK be with you ^^

Thanks!!
Oddly I didn’t find that quickly on my own!
I will give that a good long read. (maybe it will explain what I don’t understand)
This is my first ever experience with HAProxy so I jumped in knowing absolutely nothing specific about it or how it works.

We did get it all sorted and working the way we wanted after about 3-4 hours of picking and poking.

And just for entertainment:
While trying to use the PFSense built-in self-signed WebConfigurator certificate:
I expected a certificate error in the client/browser but also would expect the backend should still be proxied and workable.
Not knowing how it actually works and why it behaves this way and how to work around it is our issue.
I ended up creating a self-signed certificate authority in PFSense, then creating a certificate that matched the hostname and signing it with the internal authority, and everything worked fine.
HAProxy is somehow looking at the hostname within the certificate and not passing anything through if the http request from the browser does not match the name on the certificate.
But this does not seem to be documented or explained clearly anywhere.

HAProxy is documented very well - it helped me out several times. Indeed the documentation is so extensive that a quick glance is not enough. You've got to read it carefully.

Here you can find a detailed explanation of how the linking between certificate and hosted domain/website is realized and which conditions should be met to get it working as desired.

:waving_hand:
marks