Service Unavailable

Server unavailable
Hello,

I have a domain and subdomains.
My different servers have a private IP address and HAProxy has a public IP address.

At my registrar, I have set the public address for my subdomain.

I configured HAProxy for SSL with a wildcard certificate from Let’s Encrypt.
When I enter my subdomain in my web browser, I get a 503 Service Unavailable error.

I am a beginner in HAProxy, I am attaching my configuration.

global
        # Process-wide settings: connection limit, logging, privilege drop and TLS defaults.
        maxconn 2048
        #log /dev/log    local0
        #log /dev/log    local1 notice
        # Remote syslog target. NOTE(review): a bare address:port log target is presumably plain UDP syslog,
        # so request logs cross the network unencrypted; confirm that segment is trusted.
        log 172.28.26.15:514 local0 info
        chroot /var/lib/haproxy
        # Runtime API socket at admin level: any local account allowed by mode 660 (owner or group)
        # can change server state through it.
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        # Run as an unprivileged account.
        user haproxy
        group haproxy
        daemon
# Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default for every backend "server ... ssl" line: the backend certificate is not verified,
        # so traffic to backends is encrypted but the backend's identity is not authenticated.
        ssl-server-verify none
        tune.ssl.default-dh-param 2048

# intermediate configuration, tweak to your needs
# NOTE(review): only ssl-default-server-* (HAProxy-to-backend) settings appear below; no ssl-default-bind-*
# lines are visible in this excerpt, so these choices do not apply to the client-facing bind on :443.

        # NOTE(review): the list starts with "CDHE-" (probably "ECDHE-" with a lost first character) and ends
        # in "EC$", which looks like an editor truncation marker; the pasted value is not the full setting.
        ssl-default-server-ciphers CDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:EC$
        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets


# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl-dh-param-file /etc/haproxy/dhparam.pem
defaults
        # Settings inherited by the frontend/backend sections that follow.
        log     global
# We work on HTTP traffic
        mode    http
        option  httplog
        # Connections that send no data are not logged; this also hides bare port probes from the logs.
        option  dontlognull
# Close the connection after the response has been sent to the client
        option httpclose
# Client / server timeouts (no unit given, so the values are milliseconds)
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        # Custom error pages returned by HAProxy itself for these status codes.
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
frontend https-in
        # Client-facing listener: plain HTTP on :80 and TLS on :443, routed by the Host header.
        bind :80 v4v6
        bind :443 v4v6 ssl crt-list /etc/ssl/crt-list alpn h2,http/1.1
        # Host is client-controlled. hdr_dom() matches the name as a dot-delimited part of the header,
        # so a longer host name that merely contains it also matches; an exact hdr(host) comparison
        # is stricter for routing decisions.
        acl ACL_cas_univ-bfc_fr hdr_dom(Host) -i cas.univ-bfc.fr
        acl ACL_formation.univ_bfc.fr hdr_dom(host) -i formation.univ-bfc.fr
        # The value forwarded here is taken as-is from the client's request.
        http-request set-header X-Forwarded-Host %[req.hdr(Host)]
        # Both rules are unconditional and the second overwrites the first, so backends are told "https"
        # even for requests that arrived in clear on :80. Conditioning them on ssl_fc
        # (if !{ ssl_fc } / if { ssl_fc }) keeps the header truthful.
        http-request set-header X-Forwarded-Proto http
        http-request set-header X-Forwarded-Proto https
        # The redirect is commented out, so port 80 keeps serving plaintext instead of upgrading to HTTPS.
        #redirect scheme https code 301 if !{ ssl_fc }
        use_backend formation.univ_bfc.fr if ACL_formation.univ_bfc.fr
        # NOTE(review): backends cas.univ-bfc.fr and poubelle are referenced but not defined in this excerpt.
        use_backend cas.univ-bfc.fr if ACL_cas_univ-bfc_fr
        default_backend poubelle

frontend myapp_front
        # Second listener on port 80 (https-in also binds :80); everything received here goes to pool_load.
        bind *:80
        log 127.0.0.1 local0 info
        mode http
        default_backend pool_load
backend pool_load
        # Single server reached over plain HTTP (no "ssl", no "check") on port 8888.
        mode http
        server log 172.28.26.15:8888
backend formation.univ_bfc.fr
        # TLS to the backend with "verify none": the link is encrypted but the backend certificate is not
        # checked, so the proxy cannot tell the real server from an impostor on that network.
        # "verify required" with a ca-file would authenticate it.
        server formation.univ-bfc.fr 172.28.26.14:443 ssl verify none check

However the site is reachable directly with its IP address.
Can you help me?
Thanks
Sincerely

Hello,

Can you help me please ?

Thank

You have two frontends listening on port 80, that’s wrong and will certainly cause issues, you can only listen on a port once.

Please share:

  • the complete and actual configuration (the configuration above is missing at the very least the formation.univ_bfc.fr backend configuration)
  • which of the subdomain has the problem
  • post the haproxy log message of the request failing (refer to proper logging configuration if you don’t see anything)

Hello,

Thank you for your answer.

I attach the complete file of my HAProxy:


defaults
        # Settings inherited by the frontend/backend sections that follow.
        log     global
# We work on HTTP traffic
        mode    http
        option  httplog
        # Connections that send no data are not logged; this also hides bare port probes from the logs.
        option  dontlognull
# Close the connection after the response has been sent to the client
	option httpclose
# Client / server timeouts (no unit given, so the values are milliseconds)
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        # Custom error pages returned by HAProxy itself for these status codes.
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend https-in
	# Client-facing listener: plain HTTP on :80 and TLS on :443, routed by the Host header.
	bind :80 v4v6
	bind :443 v4v6 ssl crt-list /etc/ssl/crt-list alpn h2,http/1.1
	# The redirect is commented out, so port 80 keeps serving plaintext instead of upgrading to HTTPS.
	#http-request redirect scheme https unless { ssl_fc }

# Backend selection
        # Host is client-controlled. hdr_dom() matches the name as a dot-delimited part of the header,
        # so a longer host name that merely contains it also matches; an exact hdr(host) comparison
        # is stricter for routing decisions.
        acl ACL_cas_univ-bfc_fr hdr_dom(Host) -i cas.univ-bfc.fr
		acl ACL_formation.univ_bfc.fr hdr_dom(host) -i formation.univ-bfc.fr
        # The value forwarded here is taken as-is from the client's request.
        http-request set-header X-Forwarded-Host %[req.hdr(Host)]
        # Both rules are unconditional and the second overwrites the first, so backends are told "https"
        # even for requests that arrived in clear on :80. Conditioning them on ssl_fc keeps the header truthful.
        http-request set-header X-Forwarded-Proto http
        http-request set-header X-Forwarded-Proto https
        use_backend formation.univ_bfc.fr if ACL_formation.univ_bfc.fr
        use_backend cas.univ-bfc.fr if ACL_cas_univ-bfc_fr
        # Requests whose Host matches neither ACL go to the poubelle backend.
        default_backend poubelle

frontend myapp_front
        # Another listener on port 80 (https-in and the two per-site frontends bind it too);
        # everything received here goes to pool_load.
        bind *:80
	log 127.0.0.1 local0 info
        mode http
	default_backend pool_load

frontend formation.univ_bfc.fr
	# Binds the same ports as https-in and declares no use_backend or default_backend,
	# so this section names no destination for the requests it accepts.
	bind *:80
	bind :443 v4v6 ssl crt-list /etc/ssl/crt-list alpn h2,http/1.1
	mode http

frontend cas.univ_bfc.fr
	# Binds the same ports as https-in and declares no use_backend or default_backend,
	# so this section names no destination for the requests it accepts.
	bind *:80
	bind :443 v4v6 ssl crt-list /etc/ssl/crt-list alpn h2,http/1.1
	mode http

backend pool_load
	# Single server reached over plain HTTP (no "ssl", no "check") on port 8888.
	mode http
	server log 172.28.26.15:8888

backend cas.univ-bfc.fr
       # No port on the server address. "verify none": the TLS link to the backend is encrypted
       # but the backend certificate is not checked.
       server cas.univ-bfc.fr 172.28.26.15 ssl verify none check

backend formation.univ_bfc.fr	
	# TLS to the backend with "verify none": encrypted, but the backend certificate is not checked;
	# "verify required" with a ca-file would authenticate the server.
	server formation.univ-bfc.fr 172.28.26.14:443 ssl verify none check
	
backend poubelle
    # Catch-all ("poubelle" = trash): requests sent here are tarpitted rather than forwarded to a server.
    mode http
    http-request tarpit

listen stats # Define a listen section called "stats"
		bind :9000 # No address given: listens on every interface (not only localhost); no "ssl", so plain HTTP
        mode http
        #use_backend stats
        stats enable  # Enable stats page
        stats hide-version  # Hide HAProxy version
        stats realm Haproxy\ Statistics  # Title text for popup window
        stats uri /stats  # Stats URI
        stats auth xxx:xxx  # HTTP Basic credentials; with no TLS on the bind they cross the network in clear
        stats admin if TRUE  # Admin actions on the stats page are allowed unconditionally for any authenticated user

If I understood correctly each time I put a backend for example

backend formation.univ-bfc.fr
server formation.univ-bfc.fr 172.28.26.15 ssl verify none check

I have to put a frontend :

frontend formation.univ_bfc.fr
bind *:80
bind :443 v4v6 ssl crt-list /etc/ssl/crt-list alpn h2,http/1.1
http mode

I still get an error message below

cas_service_unavailable

and

formation_service_unavailable
All subdomains have a problem

Here is a command line

echo "show stat" | socat stdio unix-connect:/var/run/haproxy/admin.sock | cut -d ',' -f1,2,18
# pxname,svname,status
https-in,FRONTEND,OPEN
myapp_front,FRONTEND,OPEN
formation.univ_bfc.fr,FRONTEND,OPEN
cas.univ_bfc.fr,FRONTEND,OPEN
pool_load,log,no check
pool_load,BACKEND,UP
cas.univ-bfc.fr,cas.univ-bfc.fr,no check
cas.univ-bfc.fr,BACKEND,UP
formation.univ_bfc.fr,formation.univ-bfc.fr,UP
formation.univ_bfc.fr,BACKEND,UP
trash,BACKEND,UP
stats,FRONTEND,OPEN
stats,BACKEND,UP

Here is the HAProxy log file :

root@proxer:/etc/haproxy# tail -f /var/log/haproxy.log
Jul 15 14:32:30 proxer haproxy[30042]: [ALERT] 195/143230 (30042): parsing [/etc/haproxy/haproxy.cfg:90]: server cas.univ-bfc.fr has neither service port nor check port nor tcp_check rule 'connect' with port information. Check has been disabled.
Jul 15 14:32:30 localhost haproxy [30042]: Proxy myapp_front started.
Jul 15 14:32:59 localhost haproxy[30043]: 10.248.2.233:63555 [15/Jul/2021:14:32:56.929] myapp_front pool_load/log 0/0/-1/-1/3005 503 465 - - SC-- 2/1/0/0/3 0/0 "GET / HTTP/1.1"
Jul 15 14:38:56 proxer haproxy[30042]: [WARNING] 195/143230 (30042): Exiting Master process...
Jul 15 14:38:56 proxer haproxy[30042]: [ALERT] 195/143230 (30042): Current worker 30043 exited with code 143
Jul 15 14:38:56 proxer haproxy[30042]: [WARNING] 195/143230 (30042): All workers exited. Exiting... (143)
Jul 15 14:38:56 proxer haproxy[30051]: [ALERT] 195/143856 (30051): parsing [/etc/haproxy/haproxy.cfg:95]: server cas.univ-bfc.fr has neither service port nor check port nor tcp_check rule 'connect' with port information. Check has been disabled.
Jul 15 14:38:56 proxer haproxy [30052]: [ALERT] 195/143856 (30052): parsing [/etc/haproxy/haproxy.cfg:95]: server cas.univ-bfc.fr has neither service port nor check port nor tcp_check rule 'connect' with port information. Check has been disabled.
Jul 15 14:38:56 localhost haproxy [30052]: Proxy myapp_front started.
Jul 15 14:51:10 localhost haproxy[30053]: 10.248.2.233:61445 [15/Jul/2021:14:51:07.713] myapp_front pool_load/log 0/0/-1/-1/3004 503 465 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"

Do you have an idea how to solve the problem?
thank
Alain

server cas.univ-bfc.fr 172.28.26.15

is missing the port, please add :443.

You are healthchecking which doesn’t make sense in a single server setup, I suggest you remove the check keyword from all server lines, so that you don’t unnecessarily use health checks.

If I remove the check keyword, the server is down

root@proxer:/etc/haproxy# echo "show stat" | socat stdio unix-connect:/var/run/haproxy/admin.sock | cut -d ',' -f1,2,18
# pxname,svname,status
https-in,FRONTEND,OPEN
myapp_front,FRONTEND,OPEN
formation.univ_bfc.fr,FRONTEND,OPEN
cas.univ_bfc.fr,FRONTEND,OPEN
pool_load,log,no check
pool_load,BACKEND,UP
cas.univ-bfc.fr,cas.univ-bfc.fr,UP
cas.univ-bfc.fr,BACKEND,UP
formation.univ_bfc.fr,formation.univ-bfc.fr,DOWN
formation.univ_bfc.fr,BACKEND,DOWN
trash,BACKEND,UP
stats,FRONTEND,OPEN
stats,BACKEND,UP

For information, my Apereo CAS server listens on port 8443 and runs on Tomcat.
How should I do it?
Thank
Alain

Are you sure you don’t have any older haproxy instances running in the background in parallel, with an old configuration? Please check and kill older processes.

This is my first haproxy.
I checked that port 443 is open with the command :
netstat - | grep http
I can see the http and https.

For my CAS server I have an error too.
Error 400

frontend cas.univ_bfc.fr
bind *:80
bind :443 v4v6 ssl crt-list /etc/ssl/crt-list alpn h2,http/1.1
http mode

backend cas.univ-bfc.fr
       # "ssl" with no verify keyword: the global section posted earlier sets "ssl-server-verify none",
       # so presumably the backend certificate is still not checked here (confirm against the running config).
       server cas.univ-bfc.fr 172.28.26.15:443 ssl

Do you have an idea?

thank