Here is your answer:
Layer7 wrong status, code: 401, info: "Unauthorized"

Your health check is not providing the required credentials and failing.
You can either fix that, or as you only have one backend, you might want to
remove the check as it's not gaining you much with only one backend.

On Sat, Feb 19, 2022 at 11:47 AM Moutasem Al Khnaifes <
[email protected]> wrote:

> ### Detailed Description of the Problem
>
> I use HAProxy to get access to NextCloud and Plex from outside the
> network, but for some reason HAProxy thinks that Plex is down, and the
> status page is inaccessible.
>
>
> ### Expected Behavior
>
> Going to nextcloud.domain.com and plex.domain.com should redirect me to
> each service respectively. However, only NextCloud is accessible:
> ```
> Feb 19 16:18:21 localserver systemd[1]: Started HAProxy Load Balancer.
> Feb 19 16:18:21 localserver haproxy[30087]: Proxy show-403 started.
> Feb 19 16:18:21 localserver haproxy[30087]: Proxy letsencrypt started.
> Feb 19 16:18:21 localserver haproxy[30087]: Proxy letsencrypt started.
> Feb 19 16:18:21 localserver haproxy[30087]: Proxy nextcloud-http started.
> Feb 19 16:18:21 localserver haproxy[30087]: Proxy nextcloud-http started.
> Feb 19 16:18:21 localserver haproxy[30087]: Proxy plex-http started.
> Feb 19 16:18:21 localserver haproxy[30087]: Proxy plex-http started.
> Feb 19 16:18:22 localserver haproxy[30088]: [WARNING] 049/161822 (30088) :
> Server plex-http/plex is DOWN, reason: Layer7 wron>
> Feb 19 16:18:22 localserver haproxy[30088]: [ALERT] 049/161822 (30088) :
> backend 'plex-http' has no server available!
> ```
> Trying to access Plex and the Status Page will always be redirected to an
> error page:
> ```
> 503 Service Unavailable
> No server is available to handle this request.
> ```
>
>
> ### Steps to Reproduce the Behavior
>
> 1. Run NextCloud Snap on port 81
> 2. Run Plex on port 32400
> 3. Use Haproxy with SSL termination
>
>
> ### Do you have any idea what may have caused this?
>
> Plex is failing the Health Check performed by HAProxy even when it is
> running.
> I can not see why the Status Page is inaccessible.
>
> ### Do you have an idea how to solve the issue?
>
> 1. HAProxy always assumes the service is available
> 2. HAProxy performs a different Health Check on the Service
>
> ### What is your configuration?
>
> ```haproxy
> global
>         log /dev/log    local0
>         log /dev/log    local1 notice
>         chroot /var/lib/haproxy
>         stats socket /var/lib/haproxy/admin.sock mode 660 level admin expose-fd listeners
>         stats timeout 30s
>         user haproxy
>         group haproxy
>         daemon
>
>
>         # Default SSL material locations
>         ca-base /etc/ssl/certs
>         crt-base /etc/ssl/private
>
>         # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
>         ssl-default-bind-ciphers xxx>
>         ssl-default-bind-ciphersuites xxx
>         ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
>
> defaults
>         log     global
>         mode    http
>         option  httplog
>         option  dontlognull
>         timeout connect 5000
>         timeout client  500000
>         timeout server  500000
>         errorfile 400 /etc/haproxy/errors/400.http
>         errorfile 403 /etc/haproxy/errors/403.http
>         errorfile 408 /etc/haproxy/errors/408.http
>         errorfile 500 /etc/haproxy/errors/500.http
>         errorfile 502 /etc/haproxy/errors/502.http
>         errorfile 503 /etc/haproxy/errors/503.http
>         errorfile 504 /etc/haproxy/errors/504.http
>
> frontend http
>         bind :::443 ssl crt /etc/haproxy/ssl-certs/cert.pem
>         reqadd X-Forwarded-Proto:\ https
>
>         acl letsencrypt-req path_beg /.well-known/acme-challenge/
>         use_backend letsencrypt if letsencrypt-req
>
>         acl path_dav path_beg /.well-known/caldav || path_beg /.well-known/carddav
>         redirect location "https://nextcloud.domain.com/remote.php/dav"; if path_dav
>
>         acl host_nextcloud hdr(host) -i nextcloud.domain.com
>         use_backend nextcloud-http if host_nextcloud
>
>         acl host_plex hdr(host) -i plex.domain.com
>         use_backend plex-http if host_plex
>
>         default_backend show-403
>
> listen  stats
>         bind localhost:1936
>         mode            http
>         log             global
>
>         maxconn 10
>
>         clitimeout      100s
>         srvtimeout      100s
>         contimeout      100s
>         timeout queue   100s
>
>         stats enable
>         stats hide-version
>         stats refresh 30s
>         stats show-node
>         stats auth admin:password
>         stats uri  /haproxy?stats
>
> backend show-403
>         mode http
>         http-request deny deny_status 403
>
> backend letsencrypt
>         mode http
>         server letsencrypt localhost:10500
>
> backend nextcloud-http
>         mode http
>         balance roundrobin
>         option forwardfor
>         option httpchk HEAD / HTTP/1.1\r\nHost:localhost
>         server nextcloud localhost:81 check
>
> backend plex-http
>         mode http
>         balance roundrobin
>         option forwardfor
>         option httpchk HEAD / HTTP/1.1\r\nHost:localhost
>         server plex localhost:32400 check
> ```
>
>
> ### Output of `haproxy -vv`
>
> ```plain
> HA-Proxy version 2.0.13-2ubuntu0.3 2021/08/27 - https://haproxy.org/
> Build options :
>   TARGET  = linux-glibc
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -O2 -g -O2
> -fdebug-prefix-map=/build/haproxy-jeVpgs/haproxy-2.0.13=.
> -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
> -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement
> -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare
> -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers
> -Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough
> -Wno-stringop-overflow -Wno-cast-function-type -Wtype-limits
> -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond
> -Wnull-dereference
>   OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1
> USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1
>
> Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE
> -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED
> +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE
> +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4
> -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS
> -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS
>
> Default settings :
>   bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Built with multi-threading support (MAX_THREADS=64, default=24).
> Built with OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
> Running on OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
> Built with Lua version : Lua 5.3.3
> Built with network namespace support.
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
> Built with zlib version : 1.2.11
> Running on zlib version : 1.2.11
> Compression algorithms supported : identity("identity"),
> deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
> Built with PCRE2 version : 10.34 2019-11-21
> PCRE2 library supports JIT : yes
> Encrypted password support via crypt(3): yes
> Built with the Prometheus exporter as a service
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> Available multiplexer protocols :
> (protocols marked as <default> cannot be specified using 'proto' keyword)
>               h2 : mode=HTX        side=FE|BE     mux=H2
>               h2 : mode=HTTP       side=FE        mux=H2
>        <default> : mode=HTX        side=FE|BE     mux=H1
>        <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS
>
> Available services :
> prometheus-exporter
>
> Available filters :
> [SPOE] spoe
> [COMP] compression
> [CACHE] cache
> [TRACE] trace
> ```
>
>
> ### Last Outputs and Backtraces
>
> ```plain
> Feb 19 16:49:58 localserver systemd[1]: Starting HAProxy Load Balancer...
> Feb 19 16:49:58 localserver haproxy[33386]: [WARNING] 049/164958 (33386) :
> parsing [/etc/haproxy/haproxy.cfg:38] : 'bind :::443' :
> Feb 19 16:49:58 localserver haproxy[33386]:   unable to load default 1024
> bits DH parameter for certificate '/etc/haproxy/ssl-certs/cert.pem'.
> Feb 19 16:49:58 localserver haproxy[33386]:   , SSL library will use an
> automatically generated DH parameter.
> Feb 19 16:49:58 localserver haproxy[33386]: [WARNING] 049/164958 (33386) :
> parsing [/etc/haproxy/haproxy.cfg:39] : The 'reqadd' directive is
> deprecated in favor of 'http-request add-header' and will be removed in
> next version.
> Feb 19 16:49:58 localserver haproxy[33386]: [WARNING] 049/164958 (33386) :
> parsing [/etc/haproxy/haproxy.cfg:45] : a 'redirect' rule placed after a
> 'use_backend' rule will still be processed before.
> Feb 19 16:49:58 localserver haproxy[33386]: [WARNING] 049/164958 (33386) :
> parsing [/etc/haproxy/haproxy.cfg:62] : the 'clitimeout' directive is now
> deprecated in favor of 'timeout client', and will not be supported in
> future versions.
> Feb 19 16:49:58 localserver haproxy[33386]: [WARNING] 049/164958 (33386) :
> parsing [/etc/haproxy/haproxy.cfg:63] : the 'srvtimeout' directive is now
> deprecated in favor of 'timeout server', and will not be supported in
> future versions.
> Feb 19 16:49:58 localserver haproxy[33386]: [WARNING] 049/164958 (33386) :
> parsing [/etc/haproxy/haproxy.cfg:64] : the 'contimeout' directive is now
> deprecated in favor of 'timeout connect', and will not be supported in
> future versions.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy http started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy http started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy stats started.
> Feb 19 16:49:58 localserver haproxy[33386]: [NOTICE] 049/164958 (33386) :
> New worker #1 (33387) forked
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy stats started.
> Feb 19 16:49:58 localserver systemd[1]: Started HAProxy Load Balancer.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy show-403 started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy show-403 started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy letsencrypt started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy letsencrypt started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy nextcloud-http started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy nextcloud-http started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy plex-http started.
> Feb 19 16:49:58 localserver haproxy[33386]: Proxy plex-http started.
> Feb 19 16:49:59 localserver haproxy[33387]: [WARNING] 049/164959 (33387) :
> Server plex-http/plex is DOWN, reason: Layer7 wrong status, code: 401,
> info: "Unauthorized", check duration: 0ms. 0 active and 0 backup servers
> left. 0 sessions active, 0 requeued, 0 remaining in queue.
> Feb 19 16:49:59 localserver haproxy[33387]: [ALERT] 049/164959 (33387) :
> backend 'plex-http' has no server available!
> ```
>
>
> ### Additional Information
>
> _No response_
>
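
As an added example (not part of the original thread and not the poster's configuration): three ways to keep the 401 from marking the only Plex server DOWN, written in the HAProxy 2.0 syntax used in the quoted config. The suffixed backend names are hypothetical, and the `/identity` path is an assumption about an endpoint that answers without credentials.

```haproxy
# Added example, not from the original thread.
# Backend names with a suffix are hypothetical: pick ONE variant and
# name it plex-http so the frontend's use_backend rule still matches.

# Variant A: no health check (the reply's suggestion for a single server).
# Without "check" HAProxy always treats the server as UP; a real outage
# then shows up as a per-request error instead of a DOWN alert.
backend plex-http-nocheck
        mode http
        option forwardfor
        server plex localhost:32400

# Variant B: keep the check and accept 401 as proof of life.
# By default only 2xx/3xx pass; rstatus takes a regex, so 401 is added
# while 5xx and connection failures still mark the server DOWN.
backend plex-http-expect401
        mode http
        option forwardfor
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost
        http-check expect rstatus ^([23][0-9][0-9]|401)$
        server plex localhost:32400 check

# Variant C: probe a path that answers without credentials.
# ASSUMPTION: /identity returns 200 without a token on this server;
# confirm with a local request before relying on it.
backend plex-http-identity
        mode http
        option forwardfor
        option httpchk GET /identity HTTP/1.1\r\nHost:localhost
        server plex localhost:32400 check
```

Variants B and C keep the check working without storing any Plex credential in `haproxy.cfg`.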
