PHPFixing

Friday, September 2, 2022

[FIXED] how to prevent 502 status code as response by haproxy as load balancer

 September 02, 2022     bad-gateway, failover, haproxy, kestrel, nginx-reverse-proxy     No comments   

Issue

I have 3 servers:

server (A) = an nginx (port 80) as reverse proxy to Kestrel (port 5000)
server (B) = an nginx (port 80) as reverse proxy to Kestrel (port 5000)
server (C) = an HAProxy as load balancer for port 80 of servers (A) and (B)
and servers A & B are quite similar.

Everything works very well and HAProxy forwards requests to servers (A) & (B), but if Kestrel on one of the servers (e.g. A) is killed, nginx responds with a 502 Bad Gateway error and HAProxy does not detect this issue and still redirects requests to it, and this is a mistake! It must redirect requests to server (B) at this time.

global
    log 127.0.0.1 local2 info
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    retries 3
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    stats enable
    stats hide-version
    stats auth admin:admin
    stats refresh 10s
    stats uri /stat?stats

frontend http_front
    bind *:80
    mode http
    option httpclose
    option forwardfor
    reqadd X-Forwarded-Proto:\ http
    default_backend http_back

backend http_back
    balance roundrobin
    mode http
    cookie SERVERID insert indirect nocache
    server ServerA 192.168.1.2:80 check cookie ServerA
    server ServerB 192.168.1.3:80 check cookie ServerB

How can I resolve this issue? Thanks very much.


Solution

You are only checking whether nginx is running, not whether the application is healthy enough to use.

In the backend, add option httpchk.

option httpchk GET /some/path HTTP/1.1\r\nHost:\ example.com

Replace /some/path with a path that will prove whether the application is usable on that server if it returns 200 OK (or any 2xx or 3xx response), and replace example.com with the HTTP Host header the application expects.

option httpchk

By default, server health checks only consist in trying to establish a TCP connection. When option httpchk is specified, a complete HTTP request is sent once the TCP connection is established, and responses 2xx and 3xx are considered valid, while all other ones indicate a server failure, including the lack of any response.

This will mark the server as unhealthy if the app is not healthy, so HAProxy will stop sending traffic to it. You will want to configure a check interval for each server using the inter, downinter and fastinter options on each server entry to specify how often HAProxy should perform the check.



Answered By - Michael - sqlbot
Answer Checked By - Terry (PHPFixing Volunteer)

Saturday, June 25, 2022

[FIXED] How to proxy requests from client to another server

 June 25, 2022     haproxy, proxy, reverse-proxy     No comments   

Issue

I am working on a mobile app that will get some information from a 3rd party API. The API only accepts requests from certain IPs, that's why I am trying to build a proxy server that will work like below:

A -> Mobile Clients (IP: 1.1.1.1)
B -> Proxy Server (IP: 2.2.2.2)
C -> 3rd Party API (myapisite.com/*)

Basically, every request from A to C needs to go through B since C only accepts requests from B's IP. I've tried to build it via HAProxy but couldn't manage with domain names. I need a routing mechanism like below:

HTTP requests to 2.2.2.2/myapi should be forwarded to myapisite.com/api
HTTP requests to 2.2.2.2/myotherapi should be forwarded to myapisite.com/otherapi

What would be the simplest solution? Right now, I am thinking about using Ubuntu as a proxy server.


Solution

Minimal config

listen fe_http
  mode tcp
  timeout client  60s
  timeout connect 2s
  timeout server  5s
  bind :::80 v4v6
  server destservr myapisite.com:80 check


Answered By - Aleksandar
Answer Checked By - David Marino (PHPFixing Volunteer)

Friday, June 24, 2022

[FIXED] How to run jupyter notebook behind haproxy and make its content public?

 June 24, 2022     haproxy, jupyter-notebook, load-balancing, reverse-proxy     No comments   

Issue

How to run jupyter notebook behind haproxy? I tried to find an answer on the Internet but there are solutions only for Nginx and Apache and I think that using haproxy as a reverse proxy can be even a simple solution that does not involve creating special Virtual servers.


Solution

The following solution runs successfully and also does load balancing.

Assuming that you have a site jupyter.example.com the following code inserted in the /etc/haproxy/haproxy.cfg will solve your problem of making the jupyter notebook public:

backend jupyter
        option forwardfor
        http-request set-header X-Client-IP %[src]
        reqrep ^([^\ :]*)\ /mez/(.*) \1\ /\2
        reqadd X-Script-Name:\ /jupyter
        option http-server-close
        server Server12 10.0.0.12:8888 weight 40 check
        server Server14 10.0.0.14:8888 weight 20 check


Answered By - Bogdan
Answer Checked By - Clifford M. (PHPFixing Volunteer)

[FIXED] How does a double layer of reverse proxy pass through invalid SSL cert?

 June 24, 2022     haproxy, https, kong, reverse-proxy, ssl     No comments   

Issue

I have the following server setup:

                 +----------+        +-----------+
                 |          |        |           |
internet ----->  |   Kong   | -----> |  HAProxy  | -----> backend servers
                 |          |        |           |
                 +----------+        +-----------+
  • Kong is set port 443 binding with a valid SSL cert
  • HAProxy is set up with port 443 binding and a redirect from port 80 to 443

Now I just found that the SSL cert installed in the HAProxy expired. However, it's not visible through the internet because they access through Kong and Kong has a valid SSL cert. Accessing the HAProxy directly gives a SSL certificate problem: certificate has expired error. What is the explanation for this? How does the first layer of reverse proxy's SSL cert suppress the error on the second layer?


Solution

How does the first layer of reverse proxy's SSL cert suppress the error on the second layer?

The clients create a SSL connection to Kong and will only check the certificate from Kong. Kong creates an independent SSL connection to HAProxy and should check the certificate from HAProxy. Then only the application payload gets passed through between client and server via Kong and HAProxy, but not any SSL related information.

How does the first layer of reverse proxy's SSL cert suppress the error on the second layer?

It does not suppress anything. There is no mechanism to pass thru SSL errors at the application level. Proper validation of the certificate from HAProxy by Kong should lead to a connection close, i.e. not forwarding any of the application data between client and server. But if the certificate is not properly validated by Kong then certificate errors will not be noticed and the application data will be forwarded between client and server. The client will not notice anything since it sees only the certificate by Kong.



Answered By - Steffen Ullrich
Answer Checked By - Cary Denson (PHPFixing Admin)

Thursday, May 19, 2022

[FIXED] How to Configure Pfsense HAProxy HTTP HealthCheck Failover

 May 19, 2022     haproxy, pfsense, web-application-firewall, web-services     No comments   

Issue

I have two backend web servers, and I need to monitor them using httpcheck by checking the URL and looking for a string to be present in the response of the request. If the string is not available, switch the backend to another server.

Status:

  • Server1 - Active
  • Server2 - Backup

Configuration Details:

  • Health Check Method : HTTP
  • HTTP Check Method : GET
  • Url used by http check requests: /jsonp/FreeForm&maxrecords=10&format=XML&ff=223
  • Http check version : HTTP/1.0\r\nAccept:\ XS01

Result of the http Request is

{"d":{"__type":"Response","Version":"4.5.23.1160","ResultCode":"XS01","ErrorString":"","Results":[{"__type":"Result",

So, I am expecting the string ResultCode":"XS01" in the response from the server; if the string is found, Server1 is up, if not, bring Server2 in from the backup.

How can I achieve this in HAProxy Backend Health Check?


Solution

This can be done under Advanced Settings --> Backend Pass thru using the expect string:

http-check expect string XS01



Answered By - karhtik
Answer Checked By - Timothy Miller (PHPFixing Admin)
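
The three health-check rules discussed in the 502 answer (plain TCP check versus option httpchk) and in the answer above (http-check expect string), shown side by side as an added Python example that is not from either answer. The stub backends, the ER99 body and the function names are constructed; HAProxy itself is not involved, and with expect set the body match is modelled as deciding the result.

```python
import socket
import threading
from http.client import HTTPConnection, HTTPException
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubBackend(BaseHTTPRequestHandler):
    """Constructed stand-in for nginx on a backend server."""
    def do_GET(self):
        self.send_response(self.server.status)
        self.send_header("Content-Length", str(len(self.server.body)))
        self.end_headers()
        self.wfile.write(self.server.body)
    def log_message(self, *args):  # silence per-request logging
        pass

def start_backend(status, body=b""):
    srv = HTTPServer(("127.0.0.1", 0), StubBackend)  # port 0: any free port
    srv.status, srv.body = status, body
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port

def tcp_check(port):
    """Default 'check': healthy if a TCP connection can be established."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=2).close()
        return True
    except OSError:
        return False

def http_check(port, path="/", expect=None):
    """'option httpchk': 2xx/3xx is healthy; with expect, the body must contain it."""
    try:
        conn = HTTPConnection("127.0.0.1", port, timeout=2)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, HTTPException):
        return False  # no usable response is also a failure
    if expect is not None:
        return expect.encode() in body
    return 200 <= resp.status < 400

def run_checks():
    dead = start_backend(502)  # nginx answers, the app behind it is down
    good = start_backend(200, b'{"ResultCode":"XS01"}')   # constructed body
    wrong = start_backend(200, b'{"ResultCode":"ER99"}')  # constructed body
    return {"tcp_502": tcp_check(dead), "http_502": http_check(dead),
            "http_200": http_check(good), "expect_hit": http_check(good, expect="XS01"),
            "expect_miss": http_check(wrong, expect="XS01")}
```

The tcp_502 result is the failure mode from the 502 question: the TCP check passes because nginx is still listening, while the HTTP check on the same port fails.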
Copyright © PHPFixing