How can I use HAproxy in Proxmox?

I installed HAproxy version 1.7.5 on the Proxmox server and forwarded the incoming domain names to the virtual machines located in Proxmox 5.0-30, but all connections are completed with 503.

I am sure the HAproxy configuration file is correct, but I still get 503 even at the address "haproxy?stats".

What could be the cause of this error?


(on Stackoverflow)

Thank you.
 
Did you install HAproxy on the hypervisor itself? I would not do that, just forward the incoming ports (mostly 80 and 443) to a VM.

Maybe you can describe your problem you want to solve with HAproxy.
 
Yes, I installed HAproxy on Proxmox. But HAproxy gets a 503 error. I am sure there is no error in the HAProxy config file. I think I need to make the necessary adjustments in Proxmox, but I don't know what to do.

131.png

Haproxy Config: https://0bin.net/paste/98srMODHYIpwHRpf#vRyf0Q86ypAJ1vs4xt7PJsJhcNLGWhEb2a3Y3TWo3ys
 
öhhh.... please run your answer through the translator again.

If you only have one PVE host, the easiest solution is to use HAproxy or traefik on a VM and just forward port 80 and 443 to that VM. With this, you have separation of concerns and don't mess with the PVE itself. It also becomes a HAproxy problem and not a PVE problem if it does not work.

Many people, including me, use such a setup (I use it with traefik) on their single PVE / single IP systems.
 
Unfortunately, I don't know how to open 80 or a different port directly to a VM from Proxmox settings. I have been trying with this for two days but I have not been successful.

With your suggestion, I will upload "Traefik" to a virtual machine. However, I do not know how to direct Proxmox to the virtual machine that will create port 80 directly.

When my server is at my own home, I use the modem's DMZ feature. I was fixing the problem when I typed the HAproxy IP address into the DMZ.

(I think he may have been subjected to automatic translation while trying to edit my text for the HAproxy link. Sorry :) )
 
That is another problem, but technically similar. Just add a port forward from incoming port 80 to <VM>:80 and 443 to <VM>:443. Setting that up is heavily dependent on your modem, so I really cannot tell.

You could also forward to your PVE and then forward again, but why overcomplicate things :-D
In PVE - as in every iptables-based firewall - you can just add rules for it:

Code:
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to <VMID>:80

Same goes for port 443.
 
`/etc/network/interfaces` on the proxmox server

Bash:
auto lo
iface lo inet loopback

iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 178.20.154.222
        netmask 255.255.255.0
        gateway 178.20.154.254
        bridge_ports enp3s0
        bridge_stp off
        bridge_fd 0

iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.128.177:80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.128.177:443

iface enp5s0 inet manual

192.168.128.177: HAproxy

Is it true this way?
 
You need a post-up before and indentation:

Code:
auto vmbr0
iface vmbr0 inet static
        address 178.20.154.222
        netmask 255.255.255.0
        gateway 178.20.154.254
        bridge_ports enp3s0
        bridge_stp off
        bridge_fd 0
        post-up iptables -t nat -A PREROUTING -i vmbr0 -d 178.20.154.222 -p tcp --dport 80 -j DNAT --to 192.168.128.177:80
        post-up iptables -t nat -A PREROUTING -i vmbr0 -d 178.20.154.222 -p tcp --dport 443 -j DNAT --to 192.168.128.177:443
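
The correction above, turned into a check (an added example, not code from the thread or from Proxmox): it lints an interfaces file for iptables lines that lack a hook keyword such as post-up, and for DNAT rules without the `-d` match that the corrected lines include. The post-down check is an extra that the thread does not raise; `lint_interfaces` and the sample text are constructed for illustration.

```python
import re

# Constructed sample, modelled on the stanza posted in the thread: one bare
# iptables line (the original mistake) and one post-up rule lacking -d.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
        address 178.20.154.222
        netmask 255.255.255.0
        bridge_ports enp3s0
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.128.177:443

iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.128.177:80
"""

HOOKS = {"pre-up", "up", "post-up", "down", "pre-down", "post-down"}
BARE = "bare iptables line is not run as a command; prefix it with post-up"
NO_DST = "DNAT rule has no -d, so it matches any destination address"
NO_DOWN = "no post-down -D twin, so each ifup appends a duplicate rule"

def lint_interfaces(text):
    """Return sorted (line_number, message) findings for iptables lines."""
    findings, added, deleted = [], {}, set()
    for no, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if "iptables" not in words[:2]:
            continue                      # not an iptables line (or a comment)
        if words[0] == "iptables":
            findings.append((no, BARE))
            continue
        if words[0] not in HOOKS:
            continue
        rule = " ".join(words[1:])
        if re.search(r"-j\s+DNAT\b", rule) and not re.search(
                r"\s(-d|--dst|--destination)\s", rule):
            findings.append((no, NO_DST))
        if " -A " in rule:
            added[rule.replace(" -A ", " -D ", 1)] = no
        elif " -D " in rule:
            deleted.add(rule)
    # An -A rule with no identical -D rule is never removed on ifdown.
    findings += [(no, NO_DOWN) for r, no in added.items() if r not in deleted]
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint_interfaces(SAMPLE):
        print(f"line {no}: {msg}")
```

Run against the corrected stanza above, only the post-down finding remains; adding a matching `post-down iptables -t nat -D ...` line for each rule clears it.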
 
Yesterday I returned to Proxmox 5.4 due to the Kernel 5.4 error in Proxmox 6.1.

Therefore, from this morning, I turned to HAproxy again.

Now the situation is this:
I wrote the codes you provided to Proxmox's interface file and rebooted the server,
however, I still cannot access the domain name.
I am getting error 522

The plan currently implemented is as in scheme 1.

W1.fw.png

Is Scheme 2 possible?
 
Sure, nearly everything is possible with Linux, but why should you? You should always follow the separation of concerns pattern, therefore go with S#1.

HAproxy      100   192.168.128.198
Web server   101   129.168.128.186
Mattermost   102   192.168.128.182

I try to reach server 101 with domain names, but I get error 521 (web server down).
I can't solve the reason for this.

Is there a mistake here?
qGm2sXi.png
 
Concerning the S#1 scenario:

For the incoming requests from the outside,

who is gonna intercept it first?

Is it Proxmox, or the VM in which HAproxy is installed?

I want to know if it is possible to make the VM in which HAproxy is installed intercept requests from outside instead of Proxmox?