• 8

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191


File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

name Punditsdkoslkdosdkoskdo

Gitlab behind Haproxy(SSL)

we have a virtualized server (esxi) with the typical configuration:

[Client] https -> [pfsense -> haproxy] - http -> [vm]

And now I am trying to configure a new virtual server with gitlab, and I can not find the correct configuration, inside the private network gitlab works correctly, but when I try to access from outside haproxy responds with a 503 error. After reading and trying several Configurations I can not make it work, I am sure that it is nginx problem (or so I think), since if on the same server I install apache (just to test) that server works correctly from outside.

The target is something like this:

[Client] https -> [pfsense -> haproxy] - http -> [gitlab]

Pfsense has ipen ports 80 and 443(I'm not sure if we need to open another to ssh or unicorn)

Some configurations:

external_url 'https://mydomain.extension'

Haproxy(works fine to others vms)

maxconn         10000
stats socket /tmp/haproxy.socket level admin
uid         80
gid         80
nbproc          1
chroot          /tmp/haproxy_chroot
tune.ssl.default-dh-param   2048
server-state-file /tmp/haproxy_server_state

frontend http_redirectTo_https
    bind            publicIP:80 name publicIP:80   
    mode            http
    log         global
    option          httpclose
    option          forwardfor
    acl https ssl_fc
    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    timeout client      30000
    redirect scheme https code 301 if !{ ssl_fc }

frontend https_input
    bind            publicIP:443 name publicIP:443 ssl ssl  crt /certs/certific.pem no-sslv3 crt /var/etc/haproxy/https_frontend.pem  
    mode            http
    log         global
    option          http-keep-alive
    timeout client      30000
    acl         aclAdm  hdr(host) -i adm.domain.ext
    acl         aclOne  hdr(host) -i one.domain.ext
    acl         aclTwo  hdr(host) -i two.domain.ext
    acl         aclGit  hdr(host) -i git.domain.ext
    use_backend adm_backend_http_ipvANY  if  aclAdm 
    use_backend one_backend_http_ipvANY  if  aclOne 
    use_backend two_backend_http_ipvANY  if  aclTwo
    use_backend git_backend_http_ipvANY  if  aclGit

I remove the others backends

backend git_backend_http_ipvANY
    mode            http
    log         global
    balance         leastconn
    timeout connect     30000
    timeout server      30000
    retries         3
    option          httpchk OPTIONS / 
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server          gitServer private_ip:80 check inter 1000

I guess the problem is with nginx, thanks!

      • 2
    • Probably unrelated, but note this: check inter 100 ... that's configured to do a health check every 100 milliseconds... a bit aggressive. To troubleshoot HAProxy connections, reading the HAProxy log is the first thing you need to do.
    • Well, seeing the stats, haproxy shows the server like DOWN "Layer 7 wrong: Not found" but the server is running correctly, the logs doesn't show any error
      • 1
    • Well, it appears to be returning a 404, whether it's logging it or not. Why are you using the argument OPTIONS / for option httpchk? That seems unusual.
    • You are COMPLETELY right, I really don't know why, I'm using the pfsense frontend to write the configuration, I changed the httpchk to basic in haproxy and everything works, it's possible that when haproxy check the server if haproxy don't detect, simply close the door? for me doesn't make sense the error only for the check protocol... Thanks a lot!

The problem was, haproxy doesn't detect the server up so we suspect the health check configuration it's wrong:

option          httpchk OPTIONS / 

I just change it to basic check and haproxy detect correctly the server, and in fact, works fine.

  • 0
Reply Report

Trending Tags