Valid config invalid

Help!
1

I just installed HAProxy 2.5.1 on a new system planing to move it there, compilation was error-free on the first try, first time I get it right on the first time too. The system, runs Red Hat Enterprise Linux 8.5, same as the last one, the configuration file, certificates, errorpages all were rsynced from the other system in the same locations but when HAProxy attempts to start basically most keywords are unrecognized.

Terminal output 
[root@approuter ~]# hapchk ; hapstart ; hapinfo
Configuration file is valid
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.
â—Ź haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2022-01-21 15:58:18 MST; 23ms ago
  Process: 6979 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS (code=exited, status=1/FAILURE)

Jan 21 15:58:18 approuter.domain1.tld haproxy[6979]: [ALERT] 020/155818 (6979) : parsing [/etc/haproxy/haproxy.cfg:187] : 'frontend' cannot handle unexpected argument 'from'.
Jan 21 15:58:18 approuter.domain1.tld haproxy[6979]: [ALERT] 020/155818 (6979) : parsing [/etc/haproxy/haproxy.cfg:187] : please use the 'bind' keyword for listening addresses.
Jan 21 15:58:18 approuter.domain1.tld haproxy[6979]: [ALERT] 020/155818 (6979) : parsing [/etc/haproxy/haproxy.cfg:193] : 'frontend' cannot handle unexpected argument 'from'.
Jan 21 15:58:18 approuter.domain1.tld haproxy[6979]: [ALERT] 020/155818 (6979) : parsing [/etc/haproxy/haproxy.cfg:193] : please use the 'bind' keyword for listening addresses.
Jan 21 15:58:18 approuter.domain1.tld haproxy[6979]: [ALERT] 020/155818 (6979) : parsing [/etc/haproxy/haproxy.cfg:198] : unknown keyword 'errorfiles' in 'frontend' section
Jan 21 15:58:18 approuter.domain1.tld haproxy[6979]: [ALERT] 020/155818 (6979) : parsing [/etc/haproxy/haproxy.cfg:209]: 'http-request' expects 'allow', 'deny', 'auth', 'redirect', 'tarpit', 'add-header', 'set-header', 'replace-header', 'replace-value', 'set-nice', 'set-tos', 'set-mark', 'set-log-level', 'add-acl', 'del-acl', 'del-map', 'set-map', 'track-sc*', 'wait-for-handshake', 'capture', 'reject', 'set-method', 'set-path', 'set-query', 'set-uri', 'use-service', 'send-spoe-group', 'sc-inc-gpc0(*)', 'sc-set-gpt0(*)', 'silent-drop', 'set-src', 'set-src-port', 'set-dst', 'set-dst-port', 'cache-use', 'set-var(*)', 'unset-var(*)', but got 'disable-l7-retry'.
Jan 21 15:58:18 approuter.domain1.tld haproxy[6979]: [ALERT] 020/155818 (6979) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Jan 21 15:58:18 approuter.domain1.tld systemd[1]: haproxy.service: Control process exited, code=exited status=1
Jan 21 15:58:18 approuter.domain1.tld systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jan 21 15:58:18 approuter.domain1.tld systemd[1]: Failed to start HAProxy Load Balancer.

Despite an error- and warning-free validation of the file it won’t start. Could PCRE be generating this error?

Compared to the last server I there are two things I did differently; (1) I changed to the newer version 2.5.1 but only a point update from 2.5.0. Going from 2.4 to 2.5 didn’t break things so I doubt this is it. The second is that I compiled the server with PCRE2; the site says the last PCRE — 1 — is EOL, it made sense to go for the next number up. The release I got from the package manager is dated from 2018 so not bleeding edge either.

haproxy -vv 
HAProxy version 2.5.1-86b093a 2022/01/11 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2023.
Known bugs: http://www.haproxy.org/bugs/bugs-2.5.1.html
Running on: Linux 4.18.0-348.12.2.el8_5.x86_64 #1 SMP Mon Jan 17 07:06:06 EST 2022 x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_PCRE2=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1
  DEBUG   = 

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 -PCRE2_JIT +POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1k  FIPS 25 Mar 2021
Running on OpenSSL version : OpenSSL 1.1.1k  FIPS 25 Mar 2021
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.4
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Support for malloc_trim() is enabled.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.32 2018-09-10
PCRE2 library supports JIT : no (USE_PCRE2_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 8.5.0 20210514 (Red Hat 8.5.0-4)

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE|BE     mux=H2       flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
            fcgi : mode=HTTP       side=BE        mux=FCGI     flags=HTX|HOL_RISK|NO_UPG
       <default> : mode=HTTP       side=FE|BE     mux=H1       flags=HTX
              h1 : mode=HTTP       side=FE|BE     mux=H1       flags=HTX|NO_UPG
       <default> : mode=TCP        side=FE|BE     mux=PASS     flags=
            none : mode=TCP        side=FE|BE     mux=PASS     flags=NO_UPG

Available services : none

Available filters :
	[SPOE] spoe
	[CACHE] cache
	[FCGI] fcgi-app
	[COMP] compression
	[TRACE] trace

I also thought for a minute that the file’s encoding could the issue but both systems are configured nearly identical. I stay away from encoding, SSH configuration, locales, etc bc I use macOS and Windows to connect from and it gets messy fast first with line break errors. Neither cat or vim or the basic GNOME text editor show anything in the lines nor in the lines surrounding where the errors are supposed to be (…and the validation passes.)

Thanks in adv for your help.

2

Provide the output of:

which haproxy
ls -l `which haproxy`
ls -l /usr/sbin/haproxy
haproxy -f /etc/haproxy/haproxy.cfg -c
/usr/sbin/haproxy -vv
/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c
3

Woah! You’re a genius. There I was creating a script so the log file would file big chunky headers so they were easier to spot, I ran it to get an idea, then the `which haproxy` syntax caught my eye. I didn’t know is the same for $(blah…) I went back to my terminal and spotted this:

Screen Shot 2022-01-24 at 13.04.18
Screen Shot 2022-01-24 at 13.04.18961Ă—358 78.8 KB

They are mismatched! You caught it. I issued ln -sf /usr/local/sbin/haproxy /usr/sbin/haproxy it’s rudimentary, not the best fix I’m sure. But the service restarted successfully, loaded the correct config too and everything seems as before so far. I’ll have to keep an eye so it’s not broken by an update on dnf but that’s fine. :slight_smile:

Thank you!

1 Like
4

Yeah, you should uninstall haproxy in the package manager first, before installing haproxy from source, that way the package manager won’t be trying to update haproxy.