Can't change lighttpd's port for HaProxy reverse proxy

Yes, that would be possible: you can create a wildcard certificate using certbot. However, you need to be able to manage your DynDNS record and add a TXT record under the name _acme-challenge. There are a couple of guides on the web on how this can be achieved.

https://community.letsencrypt.org/t/wildcard-domain-step-by-step/58250/4

I guess renewing the certificate might be a challenge as well, as you would need to update the DynDNS record again.

It might be easier to have a look into the capabilities of lighttpd to act as a reverse proxy.

OK, so after learning a few things I realised that HaProxy isn’t launching because it doesn’t see the binary??

root@Ouroboros:~# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/etc/systemd/system/haproxy.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-06-09 09:07:28 BST; 15s ago
  Process: 1175 ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=203/EXEC)

Jun 09 09:07:27 Ouroboros systemd[1175]: haproxy.service: Failed at step EXEC spawning /usr/local/sbin/haproxy: No such file or directory
Jun 09 09:07:27 Ouroboros systemd[1]: haproxy.service: Control process exited, code=exited, status=203/EXEC
Jun 09 09:07:27 Ouroboros systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jun 09 09:07:27 Ouroboros systemd[1]: Failed to start HAProxy Load Balancer.
Jun 09 09:07:28 Ouroboros systemd[1]: haproxy.service: Service RestartSec=100ms expired, scheduling restart.
Jun 09 09:07:28 Ouroboros systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Jun 09 09:07:28 Ouroboros systemd[1]: Stopped HAProxy Load Balancer.
Jun 09 09:07:28 Ouroboros systemd[1]: haproxy.service: Start request repeated too quickly.
Jun 09 09:07:28 Ouroboros systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jun 09 09:07:28 Ouroboros systemd[1]: Failed to start HAProxy Load Balancer.

I’m sure this isn’t meant to happen, right?

did you reinstall HaProxy using dietpi-software after you deleted it?

Yeah, I did. Would the binary be in a different place, or?

can you run dietpi-software reinstall 98

Reinstalling it returns the same problem:

root@Ouroboros:~# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/etc/systemd/system/haproxy.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-06-09 12:39:07 BST; 3min 37s ago
  Process: 5039 ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=203/EXEC)

Jun 09 12:39:07 Ouroboros systemd[1]: haproxy.service: Service RestartSec=100ms expired, scheduling restart.
Jun 09 12:39:07 Ouroboros systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Jun 09 12:39:07 Ouroboros systemd[1]: Stopped HAProxy Load Balancer.
Jun 09 12:39:07 Ouroboros systemd[1]: haproxy.service: Start request repeated too quickly.
Jun 09 12:39:07 Ouroboros systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jun 09 12:39:07 Ouroboros systemd[1]: Failed to start HAProxy Load Balancer.

Well, the error message changed. You did not get the following anymore:

haproxy.service: Failed at step EXEC spawning /usr/local/sbin/haproxy: No such file or directory

Probably you have an incorrect or inconsistent config file that prevents HaProxy from starting.

Found this page to help validate haproxy.cfg: https://stackoverflow.com/questions/39609178/validate-haproxy-cfg

I followed the instructions but the commands couldn’t find the haproxy binary. I tried restarting the service again but it gave me the file not found error:

● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/etc/systemd/system/haproxy.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-06-09 12:58:26 BST; 5s ago
  Process: 1009 ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=203/EXEC)

Jun 09 12:58:25 Ouroboros systemd[1009]: haproxy.service: Failed at step EXEC spawning /usr/local/sbin/haproxy: No such file or directory
Jun 09 12:58:25 Ouroboros systemd[1]: haproxy.service: Control process exited, code=exited, status=203/EXEC
Jun 09 12:58:25 Ouroboros systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jun 09 12:58:25 Ouroboros systemd[1]: Failed to start HAProxy Load Balancer.
Jun 09 12:58:26 Ouroboros systemd[1]: haproxy.service: Service RestartSec=100ms expired, scheduling restart.
Jun 09 12:58:26 Ouroboros systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Jun 09 12:58:26 Ouroboros systemd[1]: Stopped HAProxy Load Balancer.
Jun 09 12:58:26 Ouroboros systemd[1]: haproxy.service: Start request repeated too quickly.
Jun 09 12:58:26 Ouroboros systemd[1]: haproxy.service: Failed with result 'exit-code'.
Jun 09 12:58:26 Ouroboros systemd[1]: Failed to start HAProxy Load Balancer.

Is something deleting it?

OK, I had a look at the installation process and it seems there are some issues with the current one. At least for me it's giving the following error:

make: *** [Makefile:857: haproxy] Error 1
strip: 'haproxy': No such file
Please run 'make' before 'make install'.
make: *** [Makefile:899: install-bin] Error 1

The software is compiled during installation and this did not finish. Therefore haproxy is not created and is missing. Anyway, I found that there is a newer version of haproxy available than the one installed by DietPi. To get this version you would need to update one of the DietPi scripts. As this is a huge script, I recommend using the search function inside the code.

nano /boot/dietpi/dietpi-software

Go to line 4276 and adjust version='2.1.7'. Once done, save the file and reinstall haproxy:

dietpi-software reinstall 98

On my system, installation finished without error now

It’s using the new file now:

[  OK  ] DietPi-Software | Checking URL: https://www.haproxy.org/download/2.1/src/haproxy-2.1.7.tar.gz

Upon installing, it seems like it removes a lot of files:

  CC      ebtree/ebmbtree.o
  CC      ebtree/ebsttree.o
  CC      ebtree/ebimtree.o
  CC      ebtree/ebistree.o
  LD      haproxy
removed '/usr/local/sbin/haproxy'
'haproxy' -> '/usr/local/sbin/haproxy'
removed '/usr/local/share/man/man1/haproxy.1'
'doc/haproxy.1' -> '/usr/local/share/man/man1/haproxy.1'
removed '/usr/local/doc/haproxy/configuration.txt'
'doc/configuration.txt' -> '/usr/local/doc/haproxy/configuration.txt'
removed '/usr/local/doc/haproxy/management.txt'
'doc/management.txt' -> '/usr/local/doc/haproxy/management.txt'
removed '/usr/local/doc/haproxy/proxy-protocol.txt'
'doc/proxy-protocol.txt' -> '/usr/local/doc/haproxy/proxy-protocol.txt'
removed '/usr/local/doc/haproxy/seamless_reload.txt'
'doc/seamless_reload.txt' -> '/usr/local/doc/haproxy/seamless_reload.txt'
removed '/usr/local/doc/haproxy/architecture.txt'
'doc/architecture.txt' -> '/usr/local/doc/haproxy/architecture.txt'
removed '/usr/local/doc/haproxy/peers-v2.0.txt'
'doc/peers-v2.0.txt' -> '/usr/local/doc/haproxy/peers-v2.0.txt'
removed '/usr/local/doc/haproxy/regression-testing.txt'
'doc/regression-testing.txt' -> '/usr/local/doc/haproxy/regression-testing.txt'
removed '/usr/local/doc/haproxy/cookie-options.txt'
'doc/cookie-options.txt' -> '/usr/local/doc/haproxy/cookie-options.txt'
removed '/usr/local/doc/haproxy/lua.txt'
'doc/lua.txt' -> '/usr/local/doc/haproxy/lua.txt'
removed '/usr/local/doc/haproxy/WURFL-device-detection.txt'
'doc/WURFL-device-detection.txt' -> '/usr/local/doc/haproxy/WURFL-device-detection.txt'
removed '/usr/local/doc/haproxy/linux-syn-cookies.txt'
'doc/linux-syn-cookies.txt' -> '/usr/local/doc/haproxy/linux-syn-cookies.txt'
removed '/usr/local/doc/haproxy/SOCKS4.protocol.txt'
'doc/SOCKS4.protocol.txt' -> '/usr/local/doc/haproxy/SOCKS4.protocol.txt'
removed '/usr/local/doc/haproxy/network-namespaces.txt'
'doc/network-namespaces.txt' -> '/usr/local/doc/haproxy/network-namespaces.txt'
removed '/usr/local/doc/haproxy/DeviceAtlas-device-detection.txt'
'doc/DeviceAtlas-device-detection.txt' -> '/usr/local/doc/haproxy/DeviceAtlas-device-detection.txt'
removed '/usr/local/doc/haproxy/51Degrees-device-detection.txt'
'doc/51Degrees-device-detection.txt' -> '/usr/local/doc/haproxy/51Degrees-device-detection.txt'
removed '/usr/local/doc/haproxy/netscaler-client-ip-insertion-protocol.txt'
'doc/netscaler-client-ip-insertion-protocol.txt' -> '/usr/local/doc/haproxy/netscaler-client-ip-insertion-protocol.txt'
removed '/usr/local/doc/haproxy/peers.txt'
'doc/peers.txt' -> '/usr/local/doc/haproxy/peers.txt'
removed '/usr/local/doc/haproxy/close-options.txt'
'doc/close-options.txt' -> '/usr/local/doc/haproxy/close-options.txt'
removed '/usr/local/doc/haproxy/SPOE.txt'
'doc/SPOE.txt' -> '/usr/local/doc/haproxy/SPOE.txt'
removed '/usr/local/doc/haproxy/intro.txt'
'doc/intro.txt' -> '/usr/local/doc/haproxy/intro.txt'
sed -e 's:@SBINDIR@:'/usr/local/sbin':' haproxy.service.in > haproxy.service

As you can see from the top-most lines, this includes the binary. Why is it being deleted, or is that the old one?

EDIT: It still isn’t working. I should have been clearer, sorry

Yes, it's going to recreate all the files. Is the service set to active now?

I can use the haproxy command! We’re getting somewhere. Now it’s just a config problem on my end, as per the validation command. Will let you know if I get it working!

Alright, so it looks like it’s working! HaProxy is passing example.com connections to port 8080, where lighttpd is.
I only have two problems now:

  • I might use SSL pass-through instead of SSL termination for my servers. This would mean I’d only need to run certbot once for each subdomain used and not have to manually renew it. However, it also means that I need to set up lighttpd to use SSL on port 8080, somehow.
  • I’m having a problem getting my gitea instance seen by haproxy. It’s set to pass through git.example.com connections to port 3000, but I don’t know if I’ve done it right as it’s just passing it through to lighttpd.

Any tips for any of this? I’d really appreciate it. Also, thanks a lot for sticking with me through all of this. I really hope this isn’t getting annoying!

Can you share your haproxy conf file?

global

	# rsyslog is required for logging
	#log /var/log    local0
	#log /var/log    local1 notice
	maxconn 64
	log 127.0.0.1 local0 notice
	# Jail directory
	chroot /var/lib/haproxy
	stats socket /run/haproxy.sock mode 660 level admin
	stats timeout 30s
	user root
	group root
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL).
	ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults

	log     global
	mode    http
	option  httplog
	option  dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
	bind *:80
	bind *:443
	acl sub1 hdr_sub(host) -i example.com
	acl sub2 hdr_sub(host) -i git.example.com
	
	use_backend lighttpd_backend if sub1
	use_backend gitea_backend if sub2

backend lighttpd_backend
	mode http
	option forwardfor
	server lighttpd_server 127.0.0.1:8080

backend gitea_backend
	mode http
	option forwardfor
	server gitea_server 127.0.0.1:3000

# Admin web page

	listen stats
	bind *:4264
	stats enable
	stats uri /
	stats hide-version
	stats auth admin:dietpi

OK, I adjusted the frontend section slightly. This will forward every request to lighttpd_backend except requests for git.example.com:

frontend http-in
        bind *:80
        bind *:443
#       acl sub1 hdr_sub(host) -i example.com
        default_backend lighttpd_backend
        acl sub2 hdr_sub(host) -i git.example.com

#       use_backend lighttpd_backend if sub1
        use_backend gitea_backend if sub2

But I need to say that I'm not an expert on HaProxy config files. There might be better ways :sunglasses:
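Why the first frontend sent git.example.com to lighttpd can be read off the ACLs themselves: hdr_sub(host) is a substring match, so the pattern example.com also matches git.example.com, and use_backend rules are evaluated top to bottom with the first match winning. The frontend below is an added example (not from the thread and not DietPi's shipped config) that does the same routing with exact Host matches; the backend names are the ones from the configs above, and www.example.com is an assumed extra name.

```haproxy
frontend http-in
    bind *:80
    # hdr_sub(host) is a substring match: "example.com" is contained in
    # "git.example.com", so with the original two rules the lighttpd rule
    # matched first and Gitea was never reached. hdr(host) compares the
    # whole header value; -i makes the comparison case-insensitive.
    acl host_git  hdr(host) -i git.example.com
    acl host_root hdr(host) -i example.com www.example.com

    # use_backend rules are tried in order and the first match wins, so the
    # most specific name goes first; default_backend is the catch-all for
    # requests whose Host header matches neither (e.g. by bare IP address).
    use_backend gitea_backend    if host_git
    use_backend lighttpd_backend if host_root
    default_backend lighttpd_backend

    # Optional hardening: refuse names this host does not serve instead of
    # letting them fall into the default backend. If enabled, the
    # default_backend above is only reached by requests without a Host header
    # that were not already denied, i.e. effectively never.
    # http-request deny unless host_git or host_root

backend lighttpd_backend
    mode http
    option forwardfor
    server lighttpd_server 127.0.0.1:8080

backend gitea_backend
    mode http
    option forwardfor
    server gitea_server 127.0.0.1:3000
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting the service, as in the validation link earlier in the thread. Note that an exact match does not cover a Host value carrying a non-default port (for example example.com:8080); browsers omit the port for 80 and 443, which is the case here.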

It’s still not routing git.example.com to 127.0.0.1:3000… It seems like it’s not reading the domain properly. Is there any help you can give there, or should I go to a different forum for specifically HaProxy stuff?

This is the config file I'm using, and I'm able to reach gitea:

global

        # rsyslog is required for logging
        #log /var/log    local0
        #log /var/log    local1 notice
        maxconn 64
        log 127.0.0.1 local0 notice
        # Jail directory
        chroot /var/lib/haproxy
        stats socket /run/haproxy.sock mode 660 level admin
        stats timeout 30s
        user root
        group root
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults

        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
        bind *:80
        bind *:443
#       acl sub1 hdr_sub(host) -i example.com
        default_backend lighttpd_backend
        acl sub2 hdr_sub(host) -i git.example.com

#       use_backend lighttpd_backend if sub1
        use_backend gitea_backend if sub2

backend lighttpd_backend
        mode http
        option forwardfor
        server lighttpd_server 127.0.0.1:8080

backend gitea_backend
        mode http
        option forwardfor
        server gitea_server 127.0.0.1:3000

# Admin web page

listen stats
        bind *:4264
        stats enable
        stats uri /
        stats hide-version
        stats auth admin:dietpi

Did you clear the cache in your browser as well? Did you restart the HaProxy service?

Yes indeed, consulting a board focused purely on HaProxy might be a good option. Those guys are most probably more knowledgeable than we are.

It has suddenly struck me that Gitea is still using the normal domain (example.com:3000), rather than its subdomain (git.example.com), as well as using HTTPS on port 3000. Might it be redirecting to the top domain, which then sends it to lighttpd through HaProxy?

There’s a change in the problem. It’s almost working, though!

It’s accepting a connection on git.example.com and forwarding it to port 3000!

I’m getting this error on firefox:
SSL_ERROR_RX_RECORD_TOO_LONG

This is happening on both lighttpd and Gitea.

I think it has something to do with HaProxy. Are you any help here, or?
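SSL_ERROR_RX_RECORD_TOO_LONG is what Firefox reports when it sends a TLS ClientHello and receives something that is not a TLS record. In the configs posted above, `bind *:443` carries no `ssl crt ...` argument, so HAProxy answers port 443 with plaintext HTTP, which produces exactly that error for every site behind it. The configuration below is an added example (not from the thread and not DietPi's shipped config) showing the two ways out that were raised earlier: terminate TLS in HAProxy, or pass the TLS stream through to the backends by SNI. Assumed, and not stated in the thread: a `haproxy` system user exists, a combined PEM at /etc/haproxy/certs/example.com.pem (certbot's fullchain.pem followed by privkey.pem, covering both example.com and git.example.com), and rsyslog listening on 127.0.0.1 as in the original global section.

```haproxy
global
    log 127.0.0.1 local0 notice
    chroot /var/lib/haproxy
    # Assumption: the haproxy system user exists. The posted config runs the
    # proxy as root, which defeats the point of the chroot.
    user haproxy
    group haproxy
    daemon
    stats socket /run/haproxy.sock mode 660 level admin
    # Replaces the posted cipher string, which still lists RC4-SHA and
    # static-RSA key exchange; ECDHE-only gives forward secrecy.
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Option 1: TLS termination in HAProxy. Only HAProxy needs the certificate,
# so a certbot renewal has to be deployed to one place; lighttpd and Gitea
# keep speaking plain HTTP on 127.0.0.1.
frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    http-request set-header X-Forwarded-Proto https
    acl host_git hdr(host) -i git.example.com
    use_backend gitea_backend if host_git
    default_backend lighttpd_backend

frontend http-in
    bind *:80
    # Plain HTTP only redirects to HTTPS.
    http-request redirect scheme https code 301

backend lighttpd_backend
    option forwardfor
    server lighttpd_server 127.0.0.1:8080

backend gitea_backend
    option forwardfor
    server gitea_server 127.0.0.1:3000

# Option 2: TLS passthrough, used INSTEAD of frontend https-in above.
# HAProxy never sees plaintext and routes on the SNI name in the ClientHello,
# so each backend must terminate TLS itself: lighttpd would have to serve
# HTTPS on 8080 and Gitea on 3000, each with its own certificate copy.
#frontend https-passthrough
#    mode tcp
#    bind *:443
#    tcp-request inspect-delay 5s
#    tcp-request content accept if { req.ssl_hello_type 1 }
#    use_backend gitea_tls if { req.ssl_sni -i git.example.com }
#    default_backend lighttpd_tls
#
#backend gitea_tls
#    mode tcp
#    server gitea_server 127.0.0.1:3000
#
#backend lighttpd_tls
#    mode tcp
#    server lighttpd_server 127.0.0.1:8080

# Admin page: the posted config binds it on every interface with the
# credentials admin:dietpi. Bind to loopback (reach it via an SSH tunnel)
# and replace the placeholder password.
listen stats
    bind 127.0.0.1:4264
    stats enable
    stats uri /
    stats hide-version
    stats auth admin:change-me
```

With option 1 the `bind *:443` line in the http-in frontend must go, otherwise port 443 would be bound twice. With option 2 HAProxy cannot add X-Forwarded-For or X-Forwarded-Proto headers, since it only forwards encrypted bytes, and every certificate renewal has to be installed into both lighttpd and Gitea. In both cases run `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting.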