Hi,

It seems the error is related to acl and I don’t yet understand why.

I have done additional tests with configuration: 

———————————————————————————————————————

frontend https
  bind 0.0.0.0:443 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

  reqadd X-Forwarded-Proto:\ https

  option http-server-close
  option forwardfor

  acl host_piwigo.example.org hdr(host) -i piwigo.example.org
  use_backend piwigo.example.org if host_piwigo.example.org

  acl host_wordpress.example.com hdr(host) -i wordpress.example.com
  use_backend wordpress.example.com if host_wordpress.example.com

  # adding redirection on https tcp/443 frontend:
  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
  use_backend influxdb-drp.example.net if host_influxdb-drp.example.net


frontend https_influxdb
  bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
  mode http
  option dontlognull

  reqadd X-Forwarded-Proto:\ https

  option http-server-close
  option forwardfor

  #default_backend influxdb-drp.example.net # to test later with a default backend as acl seems not working

  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
  use_backend influxdb-drp.example.net if host_influxdb-drp.example.net

backend influxdb-drp.example.net
  mode http
  server https_8086 127.0.0.1:8086 check ssl verify none

———————————————————————————————————————

Backend is answering on https on tcp/8086. 

Testing against frontend https on tcp/443, it is working:

#curl -G https://influxdb-drp.example.net:443/query -u admin:'xxx' --data-urlencode "q=SHOW DATABASES"
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"]]}]}]}

Jul  9 15:46:32 kalinga haproxy[50375]: 192.168.246.17:59154 [09/Jul/2017:15:46:31.900] https~ influxdb-drp.example.net/https_8086 0/1/132 332 -- 5/5/0/0/0 0/0

The acl has matched to forward to the expected backend.

Testing against frontend https_influxdb on tcp/8086, it is failing:

#curl -G https://influxdb-drp.example.net:8086/query -u admin:'xxx' --data-urlencode "q=SHOW DATABASES"
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

Jul  9 15:46:16 kalinga haproxy[50375]: 192.168.246.17:57242 [09/Jul/2017:15:46:16.665] https_influxdb~ https_influxdb/<NOSRV> -1/-1/135 212 SC 4/0/0/0/0 0/0

The acl is not matching under this frontend :-(

When testing by uncommenting the following line:
  #default_backend influxdb-drp.example.net
in order to add a default backend, it is working:

#curl -G https://influxdb-drp.example.net:8086/query -u admin:'xxx' --data-urlencode "q=SHOW DATABASES"
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"]]}]}]}

Jul  9 15:46:32 kalinga haproxy[50375]: 192.168.246.17:59154 [09/Jul/2017:15:46:31.900] https~ influxdb-drp.example.net/https_8086 0/1/132 332 -- 5/5/0/0/0 0/0

Why is the acl matching only on frontend https and not on frontend https_influxdb?

Haproxy version is the latest stable 1.7.8.


Regards,
M.

> On 8 Jul 2017, at 22:19, M <m...@mannu.net> wrote:
> 
> Hi,
> 
> I don't understand why http mode is not able to provide a backend server whereas 
> at the same time tcp mode is able to do it. 
> 
> I am trying to setup Haproxy in front of an Influxdb database running on 
> HTTPS.
> 
> When the frontend is configured in http mode, requests are failing with NOSRV 
> error.
> When the frontend is configured in tcp mode, requests are working. 
> 
> Example below with http mode on tcp/8086 port and tcp mode on tcp/8087 with 
> same backend:
> 
> #curl -G https://influxdb-drp.example.net:8086/query -u admin:'xxxx' --data-urlencode "q=SHOW DATABASES"
> <html><body><h1>503 Service Unavailable</h1>
> No server is available to handle this request.
> </body></html>
> 
> Haproxy log showing NOSRV and SC:
> Jul  8 19:59:44 kalinga haproxy[26228]: 192.168.246.17:52946 [08/Jul/2017:19:59:44.661] https_influxdb~ https_influxdb/<NOSRV> -1/-1/136 212 SC 0/0/0/0/0 0/0
> 
> 
> #curl -G https://influxdb-drp.example.net:8087/query -u admin:'xxxx' --data-urlencode "q=SHOW DATABASES"
> {"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["_internal"]]}]}]}
> 
> Haproxy log:
> Jul  8 20:00:16 kalinga haproxy[26228]: 192.168.246.17:37142 [08/Jul/2017:20:00:16.672] https_influxdb_tcp~ influxdb-drp.example.net/https_8086 0/2/123 332 -- 1/1/0/0/0 0/0
> 
> Haproxy configuration file:
> 
> -------------------------------------------------------------------------------
> 
> global
>        log /dev/log local1 debug
>        maxconn 4096
>        debug
>        tune.ssl.default-dh-param 4096
> 
> defaults
>        log     global
>        mode            tcp
>        option  tcplog
>        retries 3
>        option redispatch
>        maxconn 4000
>        timeout connect 5000ms
>        timeout client 50000ms
>        timeout server 50000ms
> 
> frontend https_influxdb
>  bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
>  mode http
>  option dontlognull
> 
>  reqadd X-Forwarded-Proto:\ https
> 
>  option http-server-close
>  option forwardfor
> 
>  acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
>  use_backend influxdb-drp.example.net if host_influxdb-drp.example.net
> 
> frontend https_influxdb_tcp
>  bind 192.168.246.17:8087 ssl crt /data/ssl_certs no-sslv3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
>  mode tcp
>  option dontlognull
>  option http-server-close
>  option tcplog
> 
>  default_backend influxdb-drp.example.net
> 
> backend influxdb-drp.example.net
>  mode http
>  server https_8086 127.0.0.1:8086 check ssl verify none
> 
> -------------------------------------------------------------------------------
> 
> How can I configure Haproxy to work on http mode?
> 
> M.
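
A likely explanation for the difference between the two frontends, shown as an added example that is not part of the original messages: a client such as curl omits the port from the Host header only when it is the scheme's default, so the request to port 8086 carries `Host: influxdb-drp.example.net:8086`, which an exact `hdr(host)` pattern without the port does not equal. The function names are hypothetical and the matching is a simplified model of the acl, not HAProxy code.

```python
# Added illustration (not from the thread): how a client builds the Host header
# and how an exact, case-insensitive match such as `hdr(host) -i <name>` sees it.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
NOSRV = "<NOSRV>"  # what the log shows when no backend is selected


def host_header_for(url):
    """Host value a client like curl sends: the port is omitted only when it
    is the scheme's default (RFC 7230, section 5.4)."""
    parts = urlsplit(url)
    if parts.port is None or parts.port == DEFAULT_PORTS.get(parts.scheme):
        return parts.hostname
    return f"{parts.hostname}:{parts.port}"


def match_exact(host_header, name):
    """Whole-value comparison, ignoring case."""
    return host_header.lower() == name.lower()


def match_without_port(host_header, name):
    """Compare only the part before an optional ':port' suffix
    (hostnames only; bracketed IPv6 literals are out of scope here)."""
    return host_header.split(":", 1)[0].lower() == name.lower()


def route(url, name, matcher, default_backend=None):
    """Backend chosen by one acl/use_backend pair plus an optional default."""
    if matcher(host_header_for(url), name):
        return name
    return default_backend if default_backend else NOSRV


if __name__ == "__main__":
    name = "influxdb-drp.example.net"  # hostname taken from the thread
    for port in (443, 8086):
        url = f"https://{name}:{port}/query"
        print(port, repr(host_header_for(url)),
              route(url, name, match_exact),
              route(url, name, match_without_port))
```

In the configuration above, listing both forms as patterns (`hdr(host) -i influxdb-drp.example.net influxdb-drp.example.net:8086`) is one way to make the frontend on port 8086 match.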

