Unable to access my container services via haproxy

Hi, I am running Docker container services on my host ‘host-192-168-1-100.example.com’, which I can access like ‘host-192-168-1-100.example.com:port’.

global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend http_front
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

#frontend https_front
#    bind *:443 ssl crt /etc/ssl/private/haproxy.pem

    acl is_serviceone path_beg /node-1/serviceone
    acl is_servicetwo path_beg /node-1/servicetwo
    acl is_servicethree path_beg /node-1/servicethree

    use_backend serviceone if is_serviceone
    use_backend servicetwo if is_servicetwo
    use_backend servicethree if is_servicethree

backend serviceone
    server node-1 host-192-168-1-100:7443 check ssl verify none

backend servicetwo
    server node-1 host-192-168-1-100:443 check ssl verify none

backend servicethree
    server node-1 host-192-168-1-100:8443 check ssl verify none

All I see is this in my haproxy status:

[WARNING]  (25359) : Server servicetwo/node1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 2ms. 0 active and 0 backup>
 (25359) : haproxy version is 2.4.22-f8e3218
haproxy[25359]: [NOTICE]   (25359) : path to executable is /usr/sbin/haproxy
haproxy[25359]: [ALERT]    (25359) : backend 'servicetwo' has no server available!

This is how I am trying to do it, and so when I try to access it using the haproxy hostname, which is a separate VM, like host-192-168-1-102.example.com/node-1/serviceone (and similarly the other two services), I cannot access it. I am very new to this and this is my first setup; any help would be greatly appreciated.

Hello,

The log looks clear:

servicetwo/node1 is DOWN, reason: Layer6 invalid response, info: “SSL handshake failure”

The backend server is considered down as healthcheck is failing on SSL handshake.
On your backends, are you using the same config for all ports? With the same cert?

Check the SSL config on your backend. Maybe you need to adjust your haproxy config to match your backend SSL config.

Hi @rhada Thank you for your response.

But why am I not able to reach my other services?

In the browser, when I try to access a service other than the one which is down,

like host-192-168-1-102.example.com/node-1/serviceone

I get this: 404 page not found

I have generated a self-signed certificate for testing purposes and am using that, as can be seen above in haproxy.cfg. I am trying commenting out this service, but I am still not able to access the other services.

The 404 error is sent by the backend. Check your logs to see which backend takes the request and why it responds with a 404.

Looking at your config, you redirect http to https but the https frontend is commented out. Is this the config you are trying to get to run?

I don’t see any errors, and sorry about that, it just spilled over from my lab. I am uncommenting that.

Starting HAProxy Load Balancer...
haproxy[27439]: [WARNING]  (27439) : parsing [/etc/haproxy/haproxy.cfg:54] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.
haproxy[27439]: [WARNING]  (27439) : parsing [/etc/haproxy/haproxy.cfg:55] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.
haproxy[27439]: [WARNING]  (27439) : parsing [/etc/haproxy/haproxy.cfg:56] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.
haproxy[27439]: [NOTICE]   (27439) : New worker #1 (27441) forked
systemd[1]: Started HAProxy Load Balancer.

 Health check for server serviceone/node1 succeeded, reason: Layer7 check passed, code: 200, check duration: 5ms, status: 3/3 UP.
 haproxy[27523]: [WARNING]  (27523) : Health check for server servicetwo/node1 succeeded, reason: Layer7 check passed, code: 302, check duration: 12ms, status: 3/3 UP.
 haproxy[27523]: [WARNING]  (27523) : Health check for server servicethree/node1 succeeded, reason: Layer7 check passed, code: 302, check duration: 19ms, status: 3/3 UP.

I think you need to debug from the backend side. This does not look like a haproxy problem. Double check hostname, port, firewall.

As long as the backend is not staying UP from haproxy’s view, you can’t have any request served by this backend.

Maybe you can try to curl your backend and see the complete response.

Hi @rhada

I think the problem is with stripping the path.

I have added this, with which I can access service one as /node-1/

http-request set-path %[path,regsub(^/node-1/,/)]

and I am trying to do the same for the others, but I am not able to access them with these.

http-request set-path %[path,regsub(^/node-1/servicetwo,/)]
http-request set-path %[path,regsub(^/node-1/servicethree,/)]
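
One way to lay out the path rewrite discussed in this thread, as an added example that is not any poster's configuration. It assumes serviceone expects `/serviceone/...` while the other two expect to be served from `/`, and the `ca-file` path in the comment is a placeholder.

```haproxy
frontend http_front
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https_front
    bind *:443 ssl crt /etc/ssl/private/haproxy.pem

    # Route on the original path. No set-path in the frontend: as the startup
    # warnings in the thread say, http-request rules are processed before
    # use_backend regardless of their position in the file, so a rewrite here
    # would change the path these ACLs are matched against.
    acl is_serviceone   path_beg /node-1/serviceone
    acl is_servicetwo   path_beg /node-1/servicetwo
    acl is_servicethree path_beg /node-1/servicethree

    use_backend serviceone   if is_serviceone
    use_backend servicetwo   if is_servicetwo
    use_backend servicethree if is_servicethree

# Each backend strips only its own prefix, after routing has been decided.
backend serviceone
    # /node-1/serviceone/x -> /serviceone/x
    http-request set-path %[path,regsub(^/node-1/,/)]
    server node-1 host-192-168-1-100:7443 check ssl verify none

backend servicetwo
    # /node-1/servicetwo/x -> /x ; the optional "/?" avoids producing "//x"
    http-request set-path %[path,regsub(^/node-1/servicetwo/?,/)]
    server node-1 host-192-168-1-100:443 check ssl verify none

backend servicethree
    http-request set-path %[path,regsub(^/node-1/servicethree/?,/)]
    server node-1 host-192-168-1-100:8443 check ssl verify none

# "verify none" accepts any certificate the backend presents. To pin the
# self-signed test certificate instead, the server line can use, for example:
#   server node-1 host-192-168-1-100:443 check ssl verify required ca-file /path/to/backend-cert.pem
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file for syntax errors before a reload.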