Trying to use HAProxy and HTTP/1.1 403 Forbidden

Help!
1

I’m trying to configure and HAProxy to get HA to Kibana.
I’m using HAProxy 1.5.x although I tried as well with 1.6.3.

My config file is:
global
log 127.0.0.1 local2
maxconn 500 # Total Max Connections.
nbproc 2 # Number of processing cores.
defaults
timeout server 86400000
timeout connect 86400000
timeout client 86400000
timeout queue 1000s

listen http_web 0.0.0.0:80
mode http
balance leastconn
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server server1 xxx:5601 maxconn 512
server server2 xxx:5601 maxconn 512

If I just have one server, it works, but when I have two servers it doesn’t response and I get and 403 error. I can only see the header of the web.

Checking the logs I get:

0000000c:http_web.clihdr[0008:000d]: Referer: http://xxx/app/kibana
0000000c:http_web.clihdr[0008:000d]: Accept-Encoding: gzip, deflate
0000000c:http_web.clihdr[0008:000d]: Accept-Language: en-US,en;q=0.8,es;q=0.6
0000000c:http_web.srvrep[0008:000d]: HTTP/1.1 403 Forbidden
0000000c:http_web.srvhdr[0008:000d]: x-app-name: kibana
0000000c:http_web.srvhdr[0008:000d]: x-app-version: 4.3.0
0000000c:http_web.srvhdr[0008:000d]: content-type: application/json; charset=utf-8

I have checked the log in the explorer as well
Failed to load resource: the http://xxx/elasticsearch/.kibana/index-pattern/_search?fields= Failed to load resource: the server responded with a status of 403 (Forbidden)

2

Do you have any kind of source IP ACL in Kibana which may prevent you from accessing it throught a reverse-proxy?
Or maybe a simple question of virtual host configuration on your kibana server.

3

I changed the configuration to “balance first” and work. I guess that Kibana does different connections with javascript and redirect them to different servers.

It doesn’t make sense to me to get an 403 forbidden. I have tried with different algorithm to balance and say to HAProxy that all the communication goes through the same Kibana but it just worked “balance first”. Really, this algorithm doesn’t balance, it’s just HA to Kibana.