-1

I have a HAProxy setup where the backend server is running a web server on a non-standard port. The config is as follows:

global

    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    tune.ssl.default-dh-param 2048
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

    ssl-default-server-options no-sslv3
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

    tune.ssl.default-dh-param 2048

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    stats enable
    stats auth someuser:somepassword
    stats uri /hpstats
    option forwardfor       except 127.0.0.0/8
    option http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend  http-in
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/test.pem no-sslv3

    #define hosts
    acl host_demo       hdr(host)       -i testing.domain.com

    #usage rules
    use_backend demo    if      host_demo
    default_backend             demo

backend demo
    server      demo 192.168.XX.XX:4873 check verify none

With this setup HAProxy always complained with the following error.

Message from syslogd@localhost at Nov  2 12:31:58 ...
 haproxy[24266]: backend demo has no server available!

When I changed the backend server to port 80 from 4873, everything works fine:

backend demo
    server      demo 192.168.XX.XX:80 check verify none

I am running CentOS 7 on both machines. I have tried to enable the http_t_port using semanage on both machines, but that didn't have any effect. Only when I changed the port on the server from 4873 to 80 or 443 did the HAProxy load balancing work and stop complaining.

Can anyone point out why that is and how I should resolve it so that I can run HTTP on a non-standard port? I am pretty sure I am missing a setting somewhere, considering I am using SELinux.

andthereitgoes
  • This is because there is probably no service listening on port 4873. So the health check fails, and HAProxy considers the server as down. – Mo3m3n Nov 03 '17 at 13:12
  • There is a service listening. I can go to `192.168.XX.XX:4873` in the browser directly and it works, but `testing.domain.com` returns 503, which is of course because HAProxy thinks that the server is down. I even tried adding `tcp_check` to add a custom check for port `4873` in the `backend` configuration, but that didn't work either. – andthereitgoes Nov 03 '17 at 14:48
  • If you suspect SELinux, check the audit log and/or use semanage to switch haproxy_t to permissive. – fuero Nov 04 '17 at 17:50

1 Answer

0

@andthereitgoes

It seems that the service is not listening on port 4873, or it's being blocked by iptables at the source or destination.

navmarwaha
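The audit-log check suggested in the comment on the question can be scripted as shown here. This is an added example, not part of any post on this page: the audit records are constructed, and it assumes the failing health check is an SELinux denial on the HAProxy host, which the thread never confirms. The `semanage port` line it prints is one possible fix under that assumption.

```shell
#!/bin/sh
# Added example: list outbound connects that SELinux denied to the haproxy_t
# domain. Health checks originate on the HAProxy host, so that is the machine
# whose audit log matters here.

# Constructed audit records for illustration (not from the asker's machine).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1509625918.101:812): avc:  denied  { name_connect } for  pid=24266 comm="haproxy" dest=4873 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1509625920.104:813): avc:  denied  { name_connect } for  pid=24266 comm="haproxy" dest=4873 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1509625921.220:814): avc:  denied  { name_connect } for  pid=1310 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1509625922.007:815): avc:  denied  { read } for  pid=24266 comm="haproxy" name="test.pem" dev="dm-0" ino=7741 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1509625922.007:815): arch=c000003e syscall=2 success=no exit=-13 comm="haproxy"
EOF
}

# Print "port target_type count" for every denied name_connect from haproxy_t.
# Reads the files given as arguments, or stdin when none are given.
haproxy_denied_connects() {
    awk '
    /type=AVC/ && /denied/ && /name_connect/ && /scontext=[^ ]*:haproxy_t:/ {
        port = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/) port = substr($i, 6)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        if (port != "") seen[port " " ttype]++
    }
    END { for (k in seen) print k, seen[k] }
    ' "$@" | sort -n
}

# Turn each denied port into a labelling command for review (nothing is run).
# Assumption: the backend speaks HTTP, so http_port_t is the fitting label.
suggest_port_labels() {
    while read -r port ttype count; do
        echo "semanage port -a -t http_port_t -p tcp $port"
    done
}

# Demo on the constructed sample. On a live host, run as root:
#   haproxy_denied_connects /var/log/audit/audit.log
sample_audit_log | haproxy_denied_connects
sample_audit_log | haproxy_denied_connects | suggest_port_labels
```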