pfSense HAProxy: 1 backend working, 1 is not

I am using a free ddns service and have a wildcard cert through Lets Encrypt.

I recently configured HAProxy with one frontend *.abc.org (obviously not my real domain) and two backends.

I can successfully reach my prtg backend from inside and outside of my network. However, when attempting to reach my cams backend I am unable to reach it from inside or outside: I get “This site cannot be reached” timeout errors from outside, and interestingly I get “ERR_HTTP2_SERVER_REFUSED_STREAM” when trying to reach it from inside. I can reach both from inside by using their IP addresses directly.

I have quadruple checked that the HAProxy configurations for both backends are set up the same, and that the cams backend points to the correct IP. I’ve also quadruple checked that the frontend is configured correctly, the certificate is correct, the rule for cams mirrors the rule for prtg and points to the correct backend, and that all spelling is correct. The certificate is a wildcard and both backends use the same domain, and the firewall rule is working because I can reach prtg.

If additional troubleshooting or logs would be helpful please let me know.

The issue has come up before with some services not working with HAProxy, but I don’t know the fix.

The only thing I could find all day on this ended up saying this is related to LibreSSL, and that when someone with this same issue changed to OpenSSL the issue cleared up. But, for the life of me I can’t find how to do that.

I am pretty sure pfSense already uses OpenSSL, but what I think is happening is that there is something the service is requesting that is not compatible with HAProxy using the standard config; perhaps the service uses more than just port 443.

It’s hard to tell if this is what you’re running into here, but I’ve noticed that many services don’t respond correctly to HAProxy health checks, which leads to HAProxy marking them as “down.”

You can check that status in the HAProxy stats page, but one of the first things I’ll try when I run into an error is to turn off health checks on that backend.
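The reply above suggests looking at the health-check state in the HAProxy stats page before disabling checks. As an added example (not from the original thread, and not pfSense's or HAProxy's own code), here is a small Python script that reads HAProxy's `show stat` CSV, skips the FRONTEND/BACKEND aggregate rows, and reports each server that is not UP together with the reason recorded in its last check. The sample input is constructed and keeps only a subset of the real columns; the parser looks columns up by name from the header line, so the same code works on full output from the stats socket.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the shape of HAProxy's "show stat" CSV (the first line,
# starting with "# ", is the header). Only a subset of the real columns is kept;
# the parser looks columns up by name, so it also accepts the full column set.
SAMPLE_STATS = """\
# pxname,svname,status,weight,chkfail,chkdown,downtime,check_status,check_code,check_duration,
https_frontend,FRONTEND,OPEN,,,,,,,,
prtg_backend,prtg,UP,1,0,0,0,L7OK,200,12,
prtg_backend,BACKEND,UP,1,,0,0,,,,
cams_backend,cams,DOWN,1,3,1,3500,L4TOUT,,2001,
cams_backend,BACKEND,DOWN,0,,1,3500,,,,
"""

# Meaning of the check_status codes HAProxy reports (per its management guide).
CHECK_STATUS_MEANING = {
    "L4OK": "TCP connect succeeded",
    "L4TOUT": "TCP connect timed out",
    "L4CON": "TCP connect refused or otherwise failed",
    "L6OK": "TLS handshake succeeded",
    "L6TOUT": "TLS handshake timed out",
    "L6RSP": "TLS handshake got an invalid response",
    "L7OK": "HTTP check passed",
    "L7OKC": "HTTP check conditionally passed (e.g. 404 with disable-on-404)",
    "L7TOUT": "HTTP check timed out",
    "L7RSP": "HTTP check got an invalid response",
    "L7STS": "HTTP check got an unexpected status code",
}


@dataclass
class ServerHealth:
    backend: str
    server: str
    status: str        # e.g. "UP", "UP 1/3", "DOWN", "MAINT", "no check"
    check_status: str  # one of the CHECK_STATUS_MEANING keys, or empty
    check_code: str    # HTTP status from an L7 check, if any
    chkfail: int       # consecutive failed checks
    downtime: int      # total seconds spent down


def parse_stats(text):
    """Parse HAProxy 'show stat' CSV into one ServerHealth per real server."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("# "):
        raise ValueError("expected HAProxy CSV header starting with '# '")
    lines[0] = lines[0][2:]  # strip the "# " so the header is plain field names
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    servers = []
    for row in reader:
        # FRONTEND/BACKEND rows are aggregates; the per-server row carries the check result.
        if row["svname"] in ("FRONTEND", "BACKEND"):
            continue
        servers.append(ServerHealth(
            backend=row["pxname"],
            server=row["svname"],
            status=row["status"],
            check_status=row.get("check_status") or "",
            check_code=row.get("check_code") or "",
            chkfail=int(row["chkfail"] or 0),
            downtime=int(row["downtime"] or 0),
        ))
    return servers


def unhealthy(servers):
    """Servers whose status is anything other than UP (covers 'UP 1/3' as healthy)."""
    return [s for s in servers if not s.status.startswith("UP")]


def explain(server):
    """One-line, human-readable reason for a server's current state."""
    meaning = CHECK_STATUS_MEANING.get(server.check_status, "unknown check result")
    code = f" (HTTP {server.check_code})" if server.check_code else ""
    return (f"{server.backend}/{server.server}: {server.status}; last check "
            f"{server.check_status or 'none'}{code}: {meaning}; "
            f"{server.chkfail} failed checks, {server.downtime}s downtime")


if __name__ == "__main__":
    for s in unhealthy(parse_stats(SAMPLE_STATS)):
        print(explain(s))
```

On a live box the same CSV comes from the stats socket, for example `echo "show stat" | socat stdio /PATH/TO/haproxy.sock` (socket path is a placeholder; pfSense sets its own). A server showing `L4TOUT` or `L4CON` failed before any HTTP exchange, which points at reachability or the check port rather than at TLS or the application, so it is worth confirming the check port and address before turning checks off.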