HAProxy community

Newbie setting up a not too easy proxy


#1

This is my config:
https://pastebin.com/PQ4w1DNc

And these are the errors I get…
https://pastebin.com/nA3ZKsg5

It is mostly the no such ACL errors that I don’t grasp.
There are subdomains set up for those, and the servers on the inside are up and running.

Still I have no idea. So please help.


#2

ACLs are usable only in the frontend / backend / listen section they were defined in.

Thus the error you receive is for the usage in the frontend https_homes section, because the ACL in question is_unifi is actually defined in frontend homes.

Thus, you’ll have to re-define the is_unifi ACL also in the second frontend.


That said, I would strongly suggest merging the two frontends into a single one, with the two bind statements. (To my knowledge, in HAProxy this is the recommended way, as opposed to Nginx/Apache.)

By quickly looking at your config, I think you can safely just merge the two sections without an issue.

Ciprian.
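
The scoping rule and the merge suggested in #2, as an added example that is not the original poster's config (the pastebin contents are not on this page). The frontend names, ACL name and certificate path are the ones quoted in the thread; the hostname, backend names, timeouts and server addresses are constructed for illustration.

```haproxy
defaults
    mode http                      # hdr(host) matching needs HTTP mode
    timeout connect 5s             # constructed values
    timeout client  30s
    timeout server  30s

# ---- Before: ACL defined in one frontend, used in another ----
# (alternative to the "After" block below; do not load both)
frontend homes
    bind *:80
    acl is_unifi hdr(host) -i unifi.example.net   # constructed hostname
    use_backend unifi_backend if is_unifi
    default_backend web_backend

frontend https_homes
    bind *:443 ssl crt /etc/haproxy/certs/domain.internet.pem
    # is_unifi is not defined in THIS section, so the config check
    # (haproxy -c -f <file>) stops here with a "no such ACL" error.
    use_backend unifi_backend if is_unifi
    default_backend web_backend

# ---- After: one frontend, two bind lines, ACL defined once ----
frontend homes
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/domain.internet.pem
    # Defined once, visible to every rule in this frontend, so HTTP and
    # HTTPS requests are routed by the same ACL and cannot drift apart.
    acl is_unifi hdr(host) -i unifi.example.net
    use_backend unifi_backend if is_unifi
    default_backend web_backend

# Backends are separate sections; frontends refer to them by name only.
backend unifi_backend
    server unifi1 192.0.2.10:8080 check           # constructed address

backend web_backend
    server web1 192.0.2.11:8080 check             # constructed address
```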


#3

Thank you!
I have done as you told me, but I still get errors… different this time though!
The thing is, it complains that it can’t find the .pem file,
defined like this:
bind *:443 ssl crt /etc/haproxy/certs/domain.internet.pem

That URI is exactly where that .pem file is located.
It has root permissions on it, but is that the problem?


#4

Because you are using chroot /var/lib/haproxy, any paths inside your config file must take into account that they are “under” the /var/lib/haproxy folder.

I.e. move that file under /var/lib/haproxy/domain.internet.pem and use it as crt /domain.internet.pem.

Also I think they should be owned at least by the group haproxy, and it should be readable at least by the group. Namely chown root:haproxy /var/lib/haproxy/domain.internet.pem and chmod 0640 /var/lib/haproxy/domain.internet.pem.

However if you don’t have a high-value / high-risk deployment I would just skip the chroot setting.


#5

I’ve made those changes. Now I need to figure out why only the https requests work and not the http ones… should be something simple.