PfSense CE HA Proxy Half Working.

jayman · May 12, 2024, 10:30am

I’m using a pfsense CE latest version with DNS resolver and using multiple subdomains at *.ellisusa.net locally. I do own the domain name too for email. I used to serve plex, but decided to lock that in my network.

My pfsense box has a virtual ip 192.168.1.3 which my dns records all point to. I verified with pinging that they all point to the pfsense virtual ip. I have a shared frontend listening on 192.168.1.3:443. I am sharing this frontend among multiple configs. If host matches plex.ellisusa.net, ACL plex triggers to use the backend for plex. That works great. I have ai.ellisusa.net which points to my truenas scale backend 192.168.1.15:port1 in the backend. I have grafana.ellisusa.net which points to 192.168.1.15:port2. Those 2 aren’t working, and there are no logs from HA proxy I can see. I deleted the .log file in ssh because there were so many copies. So I likely messed that up. I keep getting a 503 server unavailable for these 2 sub domains. Does anybody have any ideas I can try? When the logs were working I wasn’t seeing any errors, but I probably need to fix the logs.

I did verify I have the correct ip and port combination on ha proxy. I can navigate to the address and it works.

tvcvt · May 12, 2024, 10:56am

Check the HAProxy stats page to see if the backends are shown as available. I’ve noticed that some web apps require turning off health checks in the HAProxy backend.

LTS_Tom · May 12, 2024, 11:05am

Yes, turn off health checks and if you still can not see the what is missing in the configuration you could delete the back and and set it up again. Also if you are following my guide, here is the latest version:

jayman · May 13, 2024, 12:06am

I never had http checks on. That seems to cause problems for some unknown reason. I uninstalled haproxy, installed haproxy-devel, the logs are now working. I verified I followed Tom’s procedure, and everything works, except the grafana.ellisusa.net still. Anything else you can think to try?

<131>1 2024-05-12T19:01:28.000000-05:00 pf.ellisusa.net haproxy 50769 - - 192.168.1.32:61644 [12/May/2024:19:01:25.294] EllisUSA~ grafana_ipvANY/grafana 0/0/-1/-1/3028 503 568 - - SC-- 2/2/0/0/3 0/0 "GET https://grafana.ellisusa.net/ HTTP/2.0" <131>1 2024-05-12T19:01:25.000000-05:00 pf.ellisusa.net haproxy 50769 - - 192.168.1.32:61644 [12/May/2024:19:01:22.282] EllisUSA~ grafana_ipvANY/grafana 0/0/-1/-1/2993 -1 0 - - CC-- 2/2/0/0/3 0/0 "GET https://grafana.ellisusa.net/ HTTP/2.0" <131>1 2024-05-12T19:01:22.000000-05:00 pf.ellisusa.net haproxy 50769 - - 192.168.1.32:61644 [12/May/2024:19:01:19.240] EllisUSA~ grafana_ipvANY/grafana 0/0/-1/-1/3012 -1 0 - - CC-- 2/2/0/0/3 0/0 "GET https://grafana.ellisusa.net/ HTTP/2.0" <131>1 2024-05-12T19:00:57.000000-05:00 pf.ellisusa.net haproxy 50769 - - 192.168.1.6:53086 [12/May/2024:19:00:57.440] EllisUSA~ EllisUSA/ -1/-1/-1/-1/0 503 217 - - SC-- 3/3/0/0/0 0/0 "GET / HTTP/1.1"

LTS_Tom · May 13, 2024, 10:12am

If the front end it matching, validate all the settings for the back end. Make sure the Encrypted SSL matches the server it’s attaching too (in my case no) and that SSL checks is off. Also when possible post text rather than screen shots as they are easier to parse.

My FreshRSS Back End

	Mode	Name	Forwardto	Address	Port	Encrypt(SSL)	SSL checks	Weight	Actions
	active	FreshRSS	Address+Port:	172.16.16.30	10010	no	no