Hi all,
I hope you can help me with an issue I am having with a haproxy implementation. Not sure if it is a haproxy issue or an OpenWRT issue/misconfig.
I have haproxy 2.0 running on an OpenWRT 19.07.6 router (192.168.1.1) with several dockerized servers being served by different domains via a dockerized NGINX available at 192.168.1.106:9443
The servers are available at:
cucumber.mydomain.com > 192.168.1.106:1001
carrot.mydomain.com > 192.168.1.106:1002
apple.mydomain.com > 192.168.1.106:1003
The NGINX instance is terminating the SSL, with the backend servers running in HTTP, and I would like to keep it like that, with haproxy used in passthrough mode for "split DNS" functionality.
I have port forwarding on OpenWRT external :443 to internal :9443 to the NGINX.
I can perfectly reach all my servers from outside and also from inside, but the moment I cut the internet, I cannot reach them anymore from inside (well, not from outside either). My goal is to be able to reach the servers by the domain, e.g. https://cucumber.mydomain.com, even when there is no internet, but I cannot make it work. I have enabled tcp mode for passthrough as per the below config, but no joy. Haproxy stats show no matches to the backend, just the front-end.
This is my haproxy config:
global
    log 192.168.1.106:514 daemon debug
    maxconn 5000
    ulimit-n 65535
    uid 0
    gid 0
    daemon
    nosplice
    debug

defaults
    timeout connect 5000ms
    mode tcp
    option tcplog
    log global
    timeout client 5000ms
    timeout server 5000ms

#stats webpage
listen stat_page
    bind *:8444 ssl crt /etc/ssl/private/haproxy/haproxy.pem
    mode http
    option tcplog
    stats enable
    stats uri /stats
    stats realm HA_Stats
    stats auth admin:admin

#proxy traffic listener
listen main_https_listen
    bind 192.168.1.1:443
    #Luci is running on 192.168.1.1:8443 so no overlap
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl cucumber req_ssl_sni -i cucumber.mydomain.com
    # closing brace of an inline ACL must be separated by a space
    use_backend bk_cucumber if { req_ssl_sni -i cucumber.mydomain.com }

backend bk_cucumber
    mode tcp
    timeout connect 50000ms
    timeout server 30000ms
    server nginx 192.168.1.106:9443 check

listen local_health_check
    bind :60000
    mode health
As per the logs, I see:
main_https_listen main_https_listen/ -1/-1/49 0 SC 2/1/0/0/0 0/0
which points to a disconnect between haproxy and nginx.
I have already asked for help in the haproxy forum, but since the config is correct and should work, because it is pretty standard, I suspect I might be missing something on the OpenWRT end.
Thank you
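Added example, not part of the original post: a small Python reconstruction of what `req_ssl_hello_type` and `req_ssl_sni` inspect in the first TLS record, and how the single `use_backend` rule in the config above turns that into a backend choice (or none, which is what the `main_https_listen/` log field with no server shows). The ClientHello bytes are constructed here, not a real capture; the backend map is taken from the posted config.

```python
import struct

# Only cucumber has a use_backend rule and there is no default_backend,
# so any other SNI (or no SNI at all) yields no server, as in the log line.
BACKENDS = {"cucumber.mydomain.com": "bk_cucumber"}

def build_client_hello(hostname):
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name     # name_type 0 = host_name
    sni_ext = (struct.pack(">HH", 0x0000, len(sni_entry) + 2)     # ext type 0 = server_name
               + struct.pack(">H", len(sni_entry)) + sni_entry)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
            + struct.pack(">H", 2) + b"\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                                         # null compression only
            + struct.pack(">H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # hello_type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_sni(data):
    """Return the SNI host name, or None if this is not a complete ClientHello
    or it carries no server_name extension (what req_ssl_sni evaluates)."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:       # not Handshake / not hello_type 1
        return None
    hs_len = int.from_bytes(data[6:9], "big")
    hello = data[9:9 + hs_len]
    if len(hello) < hs_len:                                       # truncated: haproxy would keep waiting
        return None
    pos = 2 + 32                                                  # skip client_version and random
    pos += 1 + hello[pos]                                         # session_id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]         # cipher_suites
    pos += 1 + hello[pos]                                         # compression_methods
    if pos + 2 > len(hello):                                      # no extensions block at all
        return None
    ext_end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:                                     # walk extension by extension
        ext_type, ext_len = struct.unpack(">HH", hello[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                                    # list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack(">H", hello[pos + 3:pos + 5])[0]
            return hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

def route(data):
    """Mimic: use_backend bk_cucumber if { req_ssl_sni -i cucumber.mydomain.com }"""
    sni = parse_sni(data)
    return BACKENDS.get(sni.lower()) if sni else None             # -i means case-insensitive
```

Feeding the hello for carrot.mydomain.com or apple.mydomain.com returns None, which matches the stats showing front-end hits with no backend matches; only the cucumber name selects bk_cucumber.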