How can I use HAproxy in Proxmox?

Editor

I installed HAproxy version 1.7.5 on the Proxmox server and forwarded the incoming domain names to the virtual machines located in Proxmox 5.0-30, but all connections are completed with 503.

I am sure the HAproxy configuration file is correct, but I still get 503 even at the address "haproxy?stats".

What could be the cause of this error?


(on Stackoverflow)

Thank you.
 
Did you install HAproxy on the hypervisor itself? I would not do that, just forward the incoming ports (mostly 80 and 443) to a VM.

Maybe you can describe the problem you want to solve with HAproxy.
 
Yes, I installed HAproxy on Proxmox. But HAproxy gets a 503 error. I am sure there is no error in the HAProxy config file. I think I need to make the necessary adjustments in Proxmox, but I don't know what to do.

Haproxy Config: https://0bin.net/paste/98srMODHYIpwHRpf#vRyf0Q86ypAJ1vs4xt7PJsJhcNLGWhEb2a3Y3TWo3ys
 
öhhh.... please run your answer through the translator again.

If you only have one PVE host, the easiest solution is to use HAproxy or traefik on a VM and just forward port 80 and 443 to that VM. With this, you have separation of concerns and don't mess with the PVE itself. It also becomes a HAproxy problem and not a PVE problem if it does not work.

Many people, including me, use such a setup (I use it with traefik) on their single PVE / single IP systems.
 
Unfortunately, I don't know how to open 80 or a different port directly to a VM from Proxmox settings. I have been trying with this for two days but I have not been successful.

With your suggestion, I will upload "Traefik" to a virtual machine. However, I do not know how to direct Proxmox to the virtual machine that will create port 80 directly.

When my server is at my own home, I use the modem's DMZ feature. I was fixing the problem when I typed the HAproxy IP address into the DMZ.

(I think he may have been subjected to automatic translation while trying to edit my text for the HAproxy link. Sorry :) )
 
That is another problem, but technically similar. Just add a port forward from incoming port 80 to <VM>:80 and 443 to <VM>:443. Setting that up is heavily dependent on your modem, so I really cannot tell.

You could also forward to your PVE and then forward again, but why overcomplicate things :-D
In PVE - as in every iptables-based firewall - you can just add rules for it:

Code:
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to <VM-IP>:80

same goes for Port 443.
 
`/etc/network/interfaces` on the proxmox server

Bash:
auto lo
iface lo inet loopback

iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 178.20.154.222
        netmask 255.255.255.0
        gateway 178.20.154.254
        bridge_ports enp3s0
        bridge_stp off
        bridge_fd 0

iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.128.177:80
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.128.177:443

iface enp5s0 inet manual

192.168.128.177: HAproxy

Is it true this way?
 
You need a post-up before and indentation:

Code:
auto vmbr0
iface vmbr0 inet static
        address 178.20.154.222
        netmask 255.255.255.0
        gateway 178.20.154.254
        bridge_ports enp3s0
        bridge_stp off
        bridge_fd 0
        post-up iptables -t nat -A PREROUTING -i vmbr0 -d 178.20.154.222 -p tcp --dport 80 -j DNAT --to 192.168.128.177:80
        post-up iptables -t nat -A PREROUTING -i vmbr0 -d 178.20.154.222 -p tcp --dport 443 -j DNAT --to 192.168.128.177:443
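
The corrected stanza above differs from the one in the question in two ways: the rules sit behind `post-up`, and they are limited with `-d` to the host's own address. A small linter for both points follows, as an added example that is not part of the thread; the function name `lint_interfaces` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# lint_interfaces FILE: print one finding per line, nothing if the file is clean.
lint_interfaces() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)             # strip leading indentation
        split(line, w, /[ \t]+/)             # w[1] is the option keyword
    }
    # ifupdown runs commands only when they follow a hook keyword.
    w[1] ~ /^ip6?tables$/ {
        printf "%d: bare %s line is not executed, prefix it with post-up\n", NR, w[1]
        next
    }
    # Without -d the rule matches that port for every destination address.
    w[1] ~ /^(pre-up|up|post-up)$/ && line ~ /-j[ \t]+DNAT/ &&
    line !~ /[ \t](-d|--destination)[ \t]/ {
        printf "%d: DNAT without -d is not limited to the host address\n", NR
    }
    ' "$1"
}

# Constructed samples, trimmed from the stanzas posted in the thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/before" <<'EOF'
auto vmbr0
iface vmbr0 inet static
        address 178.20.154.222
        bridge_ports enp3s0

iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.128.177:80
EOF
cat > "$SAMPLES/no_dest" <<'EOF'
iface vmbr0 inet static
        address 178.20.154.222
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.128.177:80
EOF
cat > "$SAMPLES/fixed" <<'EOF'
iface vmbr0 inet static
        address 178.20.154.222
        post-up iptables -t nat -A PREROUTING -i vmbr0 -d 178.20.154.222 -p tcp --dport 80 -j DNAT --to 192.168.128.177:80
EOF
for f in before no_dest fixed; do
    echo "== $f"; lint_interfaces "$SAMPLES/$f"
done
```

On a real host, point it at `/etc/network/interfaces` and compare the result with `iptables -t nat -S PREROUTING` to see which rules were actually loaded.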
 
Yesterday I returned to Proxmox 5.4 due to the Kernel 5.4 error in Proxmox 6.1.

Therefore, from this morning, I turned to HAproxy again.

Now the situation is this:
I wrote the codes you provided to Proxmox's interface file and rebooted the server,
however, I still cannot access the domain name.
I am getting error 522

The plan currently implemented is as in scheme 1.

Is Scheme 2 possible?
 
Sure, nearly everything is possible with Linux, but why should you? You should always follow the separation of concerns pattern, therefore go with S#1.

HAproxy       100    192.168.128.198
Web server    101    129.168.128.186
Mattermost    102    192.168.128.182

I try to reach server 101 with domain names, but I get error 521 (web server down).
I can't solve the reason for this.

Is there a mistake here?
 
Concerning the S#1 scenario:

For the incoming requests from the outside,

who is gonna intercept it first?

Is it Proxmox, or the VM in which HAproxy is installed?

I want to know if it is possible to make the VM in which HAproxy is installed intercept requests from outside instead of Proxmox?
 
