HAProxy delivers stats page instead of proxied server

crobitaille · March 4, 2023, 3:56pm

Hi,

I have this simple setup

Internet <-> pfsense + HAProxy <-> Docker Apache

All appears to be good, except that the clients receive the HAproxy stats page instead of the proxied pages.

The HAProxy frontend (thre is only 1 defined) is configured to support HTTPS on port 443. The certificate is from Lets’s encrypt and this works as it should. The frontend ACL is configured with 1 backend

There is only 1 backend with 1 server configured in HAProxy. There is no SSL here. And I am using port 83

The backend server is Up (as reported by the Health check and seen in the Stat page and by verifying with a packet capture). Access from the LAN to the Apache server also works as it should; I am seeing the whoami dummy load that I have at the moment.

The firewall is properly configured too. Using a client on the Internet, I see the correct Let’s Encrypt certificate so this confirms that 443 is open.

But, on the client, what I see is the HAProxy stat page.

What I tried:

1 - Try to configured HAProxy to use the local syslog (/var/run/log). But I only see the transactions without detail on where the data came from
2 - I toggled the Not check box in the ACL in the frontend. When I do this, I get HTTP Error code 503 Service Unavailable. I have no default backend defined. But if I set a default backend, then the client again sees the stat page.

Looking at the data on the stats page I see the frontend counters moving each time I refresh the client. I also see the total counters in the Backend section to move at the same time (and the values matches what I see in the Frontend section). But, the counters on the line corresponding the backend I defined stay at 0. All of this means:

that haproxy sees the traffic coming in the frontend
it delivers it to the overall backend logic
select the correct backend (as per the test 2 above, when the Not box is not checked, or with a default backend that selects the one and only backend defined).

But somehow, the specific backend does not deliver to the external backend server despite the Health check being positive.

At this stage, I am running out of option on how to diagnose this. Any suggestions?

xMAXIMUSx · March 4, 2023, 8:18pm

You’ll need to post your config here for anyone top help you.

Go to Services > HAProxy > Settings and scroll all the way to the bottom and click on the Show button next to “automatically generated configuration.”

LTS_Tom · March 4, 2023, 10:21pm

I have a few setup video on HAProxy and a troubleshooting one here:

crobitaille · March 4, 2023, 11:08pm

Here it is (and thanks for telling me where to get it!!)

global
maxconn 100
log /var/run/log local1 debug
stats socket /tmp/haproxy.socket level admin expose-fd listeners
uid 80
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats refresh 10
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend whoamiFrontEnd
bind x.x.x.x:443 name x.x.x.x:443 ssl crt-list /var/etc/haproxy/whoamiFrontEnd.crt_list
mode http
log global
option httplog
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl whoami var(txn.txnhost) -m str -i test.aaaa.com
acl aclcrt_whoamiFrontEnd var(txn.txnhost) -m reg -i ^test.aaaa.com(:([0-9]){1,5})?$
http-request set-var(txn.txnhost) hdr(host)
use_backend whoamiBackend_ipvANY if whoami aclcrt_whoamiFrontEnd

backend whoamiBackend_ipvANY
mode http
id 102
log global
stats enable
stats uri /
stats realm .
stats show-node NODE1
stats refresh 10
stats scope .
timeout connect 30000
timeout server 30000
retries 3
option httpchk OPTIONS /
server whoami 192.168.70.32:83 id 101 check inter 1000

xMAXIMUSx · March 5, 2023, 12:08am

That is a pretty interesting config file. Are you trying to expose a service running on 192.168.70.32:83?

If so here is what I would do

Backend

name = whoami
server list
- Mode = Active
- Name = whoami
- forwardto = Address+port
- port = 83
- leave the rest default

frontend

Access Control list
- name = whoami
- Expression = host match
- CS = no
- not = no
- value = test.aaaa.com
actions
- action = use backend
- condition acl names = whoami
- backend = whoami

I wouldn’t add anything else special to your config. Only what I posted above and leave everything else default. Here is a sample of my frontend and backend.

frontend frontend-80
	bind			xxx.xxx.xxx.xxx:80 name xxx.xxx.xxx.xxx:80   
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	http-request redirect scheme https code 301 if !{ ssl_fc } 

frontend web
	bind			xxx.xxx.xxx.xxx:443 name xxx.xxx.xxx.xxx:443   ssl crt-list /var/etc/haproxy/web.crt_list  
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	acl			server1	var(txn.txnhost) -m str -i server1.example.com
	acl			server2 var(txn.txnhost) -m str -i server2.example.com
	acl			server3	var(txn.txnhost) -m str -i server3.example.com
	acl			server4	var(txn.txnhost) -m beg -i server4.example.com
	acl			server5	var(txn.txnhost) -m str -i server5.example.com
	acl			aclcrt_web	var(txn.txnhost) -m reg -i ^([^\.]*)\.example\.com(:([0-9]){1,5})?$
	http-request set-var(txn.txnhost) hdr(host)
	use_backend server1_ipvANY  if  server1 aclcrt_web
	use_backend server2_ipvANY  if  server2 aclcrt_web
	use_backend server3_ipvANY  if  server3 aclcrt_web
	use_backend server4_ipvANY  if  server4 aclcrt_web
	use_backend server5_ipvANY  if  server5 aclcrt_web

Single backend config

backend server1_ipvANY
	mode			http
	id			110
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			server1 192.168.13.101:80 id 106 check inter 1000

crobitaille · March 5, 2023, 2:50pm

It is always easier when you can compare…

It is the stats section in the backend config. I did not understood that it was for serving a stats page in addition to the backend pages. In the context of pfsense I wrongly assumed that it related to some page in the pfsense’s GUI. When thinking about it with an haproxy only perspective then it makes sense.

So, by simply disabling or moving the stats to another URI (different than / that is!!) then all is good.

Thanks.