Hi to the community. I want to ask for some help; we are faced with a simple problem, I hope.
HAProxy must implement SSL termination and turn HTTP into HTTPS, and it stands between Nginx and the world.
The problem:
HAProxy returns to the World:
503 Service Unavailable
No server is available to handle this request.
But the backend is working and returns all pages correctly.
My software: nginx 1.11.7, HA-Proxy 1.7.2
config:
global
    log /path/to/log local0 #(inside of chroot dir)
    log /path/to/log local1 debug #(inside of chroot dir)
    chroot /chroot/dir
    stats socket /path/to/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group www
    daemon
    ca-base /path/to/certs/dir
    crt-base /path/to/certs/dir
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3D
    ssl-default-bind-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 4096

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend www-https
    bind public_IP:80
    bind public_IP:443 ssl crt /usr/local/etc/nginx/ssl/shandycraft/haproxy.pem
    acl secure dst_port eq 443
    redirect scheme https if !{ ssl_fc }
    # rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    default_backend www-backend

backend www-backend
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server www-backend unix@/path/to/haproxy.sock maxconn 32 #(inside of chroot dir)
    # server www-backend backend_IP - the similar result
Nginx is listening on the haproxy.sock socket, and the socket has correct permissions, readable and writable for user and group.
And HAProxy listens on the corresponding ports:
…
haproxy haproxy 1997 5 tcp4 public_IP:80
haproxy haproxy 1997 6 tcp4 public_IP:443
…
The server's answer:
HTTP status 503 Service Unavailable
Answer time 143 ms
IP public_IP
Encoding UTF-8(unicode-1-1-utf-8, UTF8)
Page size 106 B
Cache-Control: no-cache
Connection: close
Content-Type: text/html
The log of this request:
Note: setting global.maxconn to 2000.
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use kqueue.
Available filters :
[SPOE] spoe
[TRACE] trace
[COMP] compression
Using kqueue() as the polling mechanism.
00000000:www-https.accept(0006)=0009 from [93.158.152.108:61226]
00000000:www-https.clireq[0009:ffffffff]: GET /robots.txt HTTP/1.1
00000000:www-https.clihdr[0009:ffffffff]: Host: mydomain.com
00000000:www-https.clihdr[0009:ffffffff]: Connection: Keep-Alive
00000000:www-https.clihdr[0009:ffffffff]: user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
00000000:www-https.clihdr[0009:ffffffff]: from: support@search.yandex.ru
00000000:www-https.clihdr[0009:ffffffff]: Accept-Encoding: gzip,deflate
00000000:www-https.clihdr[0009:ffffffff]: Accept-Language: ru, uk;q=0.8, be;q=0.8, en;q=0.7, *;q=0.01
00000000:www-https.clihdr[0009:ffffffff]: Accept: /
00000000:www-backend.clicls[0009:000a]
00000000:www-backend.closed[0009:000a]
00000001:www-https.accept(0006)=0009 from [141.8.184.104:52667]
00000002:www-https.accept(0006)=000a from [141.8.184.109:37854]
00000001:www-https.clireq[0009:ffffffff]: GET / HTTP/1.1
00000001:www-https.clihdr[0009:ffffffff]: Host: mydomain.com
00000001:www-https.clihdr[0009:ffffffff]: Connection: Keep-Alive
00000001:www-https.clihdr[0009:ffffffff]: user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
00000001:www-https.clihdr[0009:ffffffff]: from: support@search.yandex.ru
00000001:www-https.clihdr[0009:ffffffff]: Accept-Encoding: gzip,deflate
00000001:www-https.clihdr[0009:ffffffff]: Accept-Language: ru, uk;q=0.8, be;q=0.8, en;q=0.7, *;q=0.01
00000001:www-https.clihdr[0009:ffffffff]: Accept: /
00000001:www-backend.clicls[0009:000b]
00000001:www-backend.closed[0009:000b]
I'm just in a deadlock; my brain is not working at all today …
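The debug log in the post has a tell-tale shape: each session is accepted on www-https, the request and headers are read (clireq/clihdr), and then the www-backend side goes straight to clicls/closed with no srvrep line in between, which is the pattern behind HAProxy's generic "No server is available to handle this request" 503. The following script is an added example, not code from the post or from the HAProxy project; it parses lines in the format of HAProxy's `-d` debug output, groups them by session id, and flags every session that closed without any server reply. The sample log is constructed: session 00000000 mirrors the post, session 00000001 is a healthy exchange added for contrast, and its srvrep/srvhdr lines, plus the reading of an assigned server-side fd as "a connection was attempted", are my assumptions about the debug format rather than facts taken from the post.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of HAProxy's -d debug output shown in the post.
# Session 00000000 mirrors the post: the backend side closes without any srvrep.
# Session 00000001 is a healthy exchange added for contrast (assumed format).
SAMPLE_LOG = """\
Note: setting global.maxconn to 2000.
Using kqueue() as the polling mechanism.
00000000:www-https.accept(0006)=0009 from [192.0.2.10:61226]
00000000:www-https.clireq[0009:ffffffff]: GET /robots.txt HTTP/1.1
00000000:www-https.clihdr[0009:ffffffff]: Host: example.com
00000000:www-backend.clicls[0009:000a]
00000000:www-backend.closed[0009:000a]
00000001:www-https.accept(0006)=0009 from [192.0.2.11:52667]
00000001:www-https.clireq[0009:ffffffff]: GET / HTTP/1.1
00000001:www-https.clihdr[0009:ffffffff]: Host: example.com
00000001:www-backend.srvrep[0009:000b]: HTTP/1.1 200 OK
00000001:www-backend.srvhdr[0009:000b]: Content-Type: text/html
00000001:www-backend.clicls[0009:000b]
00000001:www-backend.srvcls[0009:000b]
00000001:www-backend.closed[0009:000b]
"""

# <session id>:<proxy name>.<event><rest>; banner lines do not match and are skipped.
LINE_RE = re.compile(r"^(?P<sid>[0-9a-f]{8}):(?P<proxy>[^.]+)\.(?P<event>[a-z]+)(?P<rest>.*)$")
# [<client fd>:<server fd>]; ffffffff on the server side means no server fd yet.
FDS_RE = re.compile(r"\[(?P<cfd>[0-9a-f]+):(?P<sfd>[0-9a-f]+)\]")
NO_FD = "ffffffff"


def parse_sessions(log_text):
    """Group debug lines by session id and record what each session saw."""
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, proxy, event, rest = m.group("sid", "proxy", "event", "rest")
        s = sessions.setdefault(sid, {
            "frontend": None, "backend": None, "client": None, "request": None,
            "server_fd": None, "server_replied": False, "closed": False,
        })
        if event == "accept":
            s["frontend"] = proxy
            cm = re.search(r"from \[(.+)\]$", rest)
            s["client"] = cm.group(1) if cm else None
            continue
        if s["frontend"] is not None and proxy != s["frontend"]:
            s["backend"] = proxy  # once routed, lines carry the backend's name
        if event == "clireq":
            s["request"] = rest.split(": ", 1)[1] if ": " in rest else rest
        elif event in ("srvrep", "srvhdr"):
            s["server_replied"] = True
        elif event == "closed":
            s["closed"] = True
        fds = FDS_RE.search(rest)
        if fds and fds.group("sfd") != NO_FD:
            s["server_fd"] = fds.group("sfd")
    return sessions


def failed_sessions(sessions):
    """Sessions that ended without any server response: the pattern behind a 503."""
    failures = []
    for sid, s in sessions.items():
        if not s["closed"] or s["server_replied"]:
            continue
        # Assumption: a server-side fd appears only once a connect was attempted.
        if s["server_fd"] is None:
            reason = "no server connection was opened (no usable server selected)"
        else:
            reason = "server connection opened (fd %s) but closed without a reply" % s["server_fd"]
        failures.append({"session": sid, "client": s["client"], "request": s["request"],
                         "backend": s["backend"], "reason": reason})
    return failures


if __name__ == "__main__":
    for f in failed_sessions(parse_sessions(SAMPLE_LOG)):
        print("%(session)s %(client)s %(request)r via %(backend)s: %(reason)s" % f)
```

Run against a real capture (`haproxy -d -f haproxy.cfg 2>&1 | tee debug.log`, then feed the file to `parse_sessions`), the report separates "HAProxy never picked a server" from "HAProxy connected but nothing came back", which is the first thing to establish before looking at the socket path relative to the chroot or at what Nginx is doing on its side of the socket.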