HAProxy community

L6rsp health-check error and 503 error from backend

Good day! I have some problems with backend and receive 503 response from web. We used http mode by default. All incoming requests checked and forwarded to 443 ssl. But one of them (backend) not worked on http mode. It requires only tcp mode for background. Can i use frontend http and forward it ti backend with tcp mode?

HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

 #log local2
 log /dev/log local0 info
 log /dev/log local0 notice
 chroot /var/lib/haproxy
 pidfile /var/run/haproxy.pid
 maxconn 4000
 user haproxy
 group haproxy
 stats socket /var/lib/haproxy/stats
 tune.ssl.default-dh-param 2048

 mode http
 log global
 log-format {“haproxy_clientIP”:"%ci",“haproxy_clientPort”:"%cp",“haproxy_dateTime”:"%t",“haproxy_frontendNameTransport”:"%ft",“haproxy_backend”:"%b",“haproxy_serverName”:"%s",“haproxy_Tw”:"%Tw",“haproxy_Tc”:"%Tc",“haproxy_Tt”:"%Tt",“haproxy_bytesRead”:"%B",“haproxy_terminationState”:"%ts",“haproxy_actconn”:%ac,“haproxy_FrontendCurrentConn”:%fc,“haproxy_backendCurrentConn”:%bc,“haproxy_serverConcurrentConn”:%sc,“haproxy_retries”:%rc,“haproxy_srvQueue”:%sq,“haproxy_backendQueue”:%bq,“haproxy_backendSourceIP”:"%bi",“haproxy_backendSourcePort”:"%bp",“haproxy_statusCode”:"%ST",“haproxy_serverIP”:"%si",“haproxy_serverPort”:"%sp",“haproxy_frontendIP”:"%fi",“haproxy_frontendPort”:"%fp",“haproxy_capturedRequestHeaders”:"%hr",“haproxy_httpRequest”:"%r"}
 option httplog
 option dontlognull
 option forwardfor except
 option redispatch
 retries 3
 timeout http-request 10s
 timeout queue 1m
 timeout connect 10s
 timeout client 1m
 timeout server 1m
 timeout http-keep-alive 10s
 timeout check 10s
 maxconn 3000

listen stats
 bind vip:8404
 mode http
 stats enable
 stats hide-version
 stats uri /stats
 option httpclose
 stats auth haproxy:Qazwsx!@

frontend https
 bind vip:80
 bind vip:443 ssl crt /etc/haproxy/ssl/cbar.cer ca-file /etc/haproxy/ssl/cbar-ca.cer crt /etc/haproxy/ssl/ecbar.cer ca-file /etc/haproxy/ssl/ecbar-ca.cer crt /etc/haproxy/ssl/bizimpullar.az.cer ca-file /etc/haproxy/ssl/bizimpullar.az-ca.cer
 http-request set-header X-SSL %[ssl_fc]
 http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
 http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
 http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
 http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
 http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
 http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
 http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
 http-request redirect scheme https code 301 if !{ ssl_fc }
 acl url_accr hdr_dom(host) -i accr.cbar.az
 acl url_accr hdr_dom(host) -i www.accr.cbar.az
 use_backend backend_accr if url_accr

backend backend_accr
 balance roundrobin
 mode http
 option tcp-check
 #redirect location [https://accr.cbar.az](https://accr.cbar.az/) ##!/login
 cookie SERVERID insert indirect nocache
 backend backend_accr
 balance roundrobin
 mode http
 option tcp-check
 cookie SERVERID insert indirect nocache
 server accr-act mybackip:443 check port 443 fall 3 rise 2 ssl ca-file /etc/haproxy/ssl/cbar-ca.cer

Maybe the backend server needs SNI?

Does it work without health checks?

no it doesnt

Either your backend requires SNI, uses a certificate that cannot be authenticated with the ca file /etc/haproxy/ssl/cbar-ca.cer or there is some other SSL related problem.

Try verify none on the server line. If that also doesn’t work, try capturing the SSL traffic between haproxy and the backend, also make a curl -vvl https://.. request against that backend server from the haproxy instance.