SSL termination, listening but not working


Hi to the community. I want to ask for some help; we are facing a simple problem, I hope.
HAProxy must implement SSL termination and turn HTTP into HTTPS, and stands between Nginx and the world.

The problem:
HAProxy returns to the World:

503 Service Unavailable
No server is available to handle this request.

But the backend is working and returns all pages correctly.

My software: nginx 1.11.7
HA-Proxy 1.7.2


global    # section keyword assumed: the directives below are global-only, but the paste omitted the header
    log /path/to/log local0          # (inside the chroot dir)
    log /path/to/log local1 debug    # (inside the chroot dir)
    chroot /chroot/dir
    stats socket /path/to/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group www

    ca-base /path/to/certs/dir
    crt-base /path/to/certs/dir

    # TLS hardening applied to every "bind ... ssl" line
    ssl-default-bind-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 4096

defaults  # section keyword assumed: "log global" and the mode/timeouts below belong here, but the paste omitted the header
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend www-https
    bind public_IP:80
    bind public_IP:443 ssl crt /usr/local/etc/nginx/ssl/shandycraft/haproxy.pem
    acl secure dst_port eq 443
    # plain HTTP is only ever answered with a redirect to HTTPS
    redirect scheme https if !{ ssl_fc }
    # rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    # mark cookies Secure on the TLS listener so browsers never send them over port 80
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    default_backend www-backend

backend www-backend
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server www-backend unix@/path/to/haproxy.sock maxconn 32   # (inside the chroot dir)
    # server www-backend backend_IP                            # gives the same result

NGINX is listening on the haproxy.sock socket, and the socket has correct permissions, readable and writable for user and group.

And haproxy listens on the corresponding ports:

haproxy haproxy 1997 5 tcp4 public_IP:80
haproxy haproxy 1997 6 tcp4 public_IP:443

The server's answer:

HTTP status 503 Service Unavailable
Answer time 143 ms
IP public_IP
Encoding UTF-8 (unicode-1-1-utf-8, UTF8)
Page size 106 B

Cache-Control: no-cache
Connection: close
Content-Type: text/html

The log for this request:

Note: setting global.maxconn to 2000.
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use kqueue.

Available filters :
[SPOE] spoe
[TRACE] trace
[COMP] compression
Using kqueue() as the polling mechanism.

00000000:www-https.accept(0006)=0009 from []
00000000:www-https.clireq[0009:ffffffff]: GET /robots.txt HTTP/1.1
00000000:www-https.clihdr[0009:ffffffff]: Host:
00000000:www-https.clihdr[0009:ffffffff]: Connection: Keep-Alive
00000000:www-https.clihdr[0009:ffffffff]: user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +
00000000:www-https.clihdr[0009:ffffffff]: from:
00000000:www-https.clihdr[0009:ffffffff]: Accept-Encoding: gzip,deflate
00000000:www-https.clihdr[0009:ffffffff]: Accept-Language: ru, uk;q=0.8, be;q=0.8, en;q=0.7, *;q=0.01
00000000:www-https.clihdr[0009:ffffffff]: Accept: /
00000001:www-https.accept(0006)=0009 from []
00000002:www-https.accept(0006)=000a from []
00000001:www-https.clireq[0009:ffffffff]: GET / HTTP/1.1
00000001:www-https.clihdr[0009:ffffffff]: Host:
00000001:www-https.clihdr[0009:ffffffff]: Connection: Keep-Alive
00000001:www-https.clihdr[0009:ffffffff]: user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +
00000001:www-https.clihdr[0009:ffffffff]: from:
00000001:www-https.clihdr[0009:ffffffff]: Accept-Encoding: gzip,deflate
00000001:www-https.clihdr[0009:ffffffff]: Accept-Language: ru, uk;q=0.8, be;q=0.8, en;q=0.7, *;q=0.01
00000001:www-https.clihdr[0009:ffffffff]: Accept: /

I'm just in a deadlock; my brain is not working at all today …


You should check your logs, but at first glance what is happening is that nobody is listening for incoming connections on your unix socket at /path/to/haproxy.sock. I suspect the logs will report “sC” flags confirming a failure to connect to the server.

I guess you expected your nginx to listen there, you should double-check that you’re using the correct path. And you can even check by hand using “ls -l” that this socket really exists.
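The two checks suggested in the reply (does the socket really exist at the path HAProxy will open, and what termination state does the log show) can be scripted. The following Python is an added example, not code from the original post or from the HAProxy project. It assumes that HAProxy resolves a `server ... unix@PATH` backend after chroot(), so PATH must exist under the chroot directory, and that the log line uses the standard `option httplog` layout, in which the 4-character termination state (e.g. `SC--`) follows the status code, byte count and two captured-cookie fields. The sample log line, the fake chroot directory and the socket names are constructed for the demonstration.

```python
"""Diagnose an HAProxy 503 against a "server ... unix@PATH" backend.

Added example; assumptions: PATH is resolved under the chroot directory,
and the termination state is the 10th space-separated field after the
"haproxy[pid]:" prefix of a standard httplog line.
"""
import os
import re
import socket
import stat
import tempfile

# Termination-state characters as documented in the HAProxy manual (section 8.5).
FIRST = {
    "C": "client aborted", "S": "server aborted or refused the connection",
    "P": "proxy aborted/blocked", "R": "resource exhausted on the proxy",
    "I": "internal proxy error", "D": "server was marked down",
    "U": "server came back up", "L": "handled locally",
    "s": "server-side timeout", "c": "client-side timeout", "-": "normal",
}
SECOND = {
    "R": "waiting for the request", "Q": "queued for a server slot",
    "C": "connecting to the server", "H": "waiting for response headers",
    "D": "transferring data", "L": "sending the last data",
    "T": "tarpitted", "-": "normal",
}


def decode_termination_state(flags):
    """Explain a termination state such as 'SC--' or 'sC--' in words."""
    return "%s while %s" % (FIRST.get(flags[0], "unknown"),
                            SECOND.get(flags[1], "unknown"))


_LOG_PREFIX = re.compile(r"haproxy\[\d+\]: (.*)$")


def parse_httplog(line):
    """Pull backend, connect timer, status and termination state from an httplog line."""
    m = _LOG_PREFIX.search(line)
    if not m:
        return None
    f = m.group(1).split()
    if len(f) < 10 or not re.fullmatch(r"[A-Za-z-]{4}", f[9]):
        return None
    tq, tw, tc, tr, tt = (int(x) for x in f[4].split("/"))  # Tq/Tw/Tc/Tr/Tt
    return {"backend": f[3], "status": int(f[5]), "connect_ms": tc,
            "total_ms": tt, "termination": f[9],
            "meaning": decode_termination_state(f[9])}


def check_backend_socket(server_path, chroot=None):
    """Mimic HAProxy's connect() to unix@server_path as seen from inside chroot.

    Run it as the user HAProxy drops to (here haproxy/www): connect() on a
    unix socket needs write permission on the socket file.
    """
    real = os.path.join(chroot, server_path.lstrip("/")) if chroot else server_path
    result = {"resolved_path": real, "exists": False, "is_socket": False,
              "mode": None, "connect": None}
    if not os.path.lexists(real):
        return result  # wrong path, or the socket lives outside the chroot
    st = os.lstat(real)
    result.update(exists=True, is_socket=stat.S_ISSOCK(st.st_mode),
                  mode=oct(stat.S_IMODE(st.st_mode)))
    if not result["is_socket"]:
        return result  # a plain file or directory sits at that path
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(2)
    try:
        sock.connect(real)
        result["connect"] = "ok"
    except ConnectionRefusedError:
        # Stale socket file: nothing has listen()ed on it, HAProxy would log "SC--"
        result["connect"] = "refused (nobody listening)"
    except PermissionError:
        result["connect"] = "permission denied"
    except OSError as exc:
        result["connect"] = "error: %s" % exc.strerror
    finally:
        sock.close()
    return result


def demo():
    """Reproduce both outcomes in a throw-away fake chroot directory."""
    chroot = tempfile.mkdtemp(prefix="hap-")
    os.makedirs(os.path.join(chroot, "run"))
    stale = os.path.join(chroot, "run", "stale.sock")
    live = os.path.join(chroot, "run", "live.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(stale)
    s.close()  # the file stays behind with no listener
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(live)
    srv.listen(1)
    try:
        return (check_backend_socket("/run/stale.sock", chroot),
                check_backend_socket("/run/live.sock", chroot))
    finally:
        srv.close()


# Constructed log line for this scenario (not taken from the original post).
SAMPLE_LINE = ('Jan 30 12:00:00 host haproxy[1997]: 203.0.113.10:51234 '
               '[30/Jan/2017:12:00:00.123] www-https~ www-backend/www-backend '
               '0/0/-1/-1/0 503 212 - - SC-- 1/1/0/0/3 0/0 "GET /robots.txt HTTP/1.1"')

if __name__ == "__main__":
    print(parse_httplog(SAMPLE_LINE))
    for r in demo():
        print(r)
```

A `connect_ms` of -1 together with a termination state beginning with `S` or `s` means HAProxy never got a connection to the server, which is exactly the 503 without any backend log entry that the question describes; a path that resolves to nothing under the chroot, or to a socket owned by a user/group that `haproxy:www` cannot write, produces the same symptom and shows up directly in the `check_backend_socket` result.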