consul behind haproxy

[Big Bill]

Hi,

I wasn't not sure if I should ask here but becaase I'm getting error page from Consul and not from haproxy then I decided to ask here.

I'm trying to run Consule in roundrobin with haproxy but afetr executing http://consul-test.infra.itcm.oneadr.net I always  finish with the following error page. Direct connection to each of consul nodes works like expected, not an cat issue at all.

HTTP error code from Consul: 0 error

This is an error page for the Consul web UI. You may have visited a URL that is loading an unknown resource, so you can try going back to the root.

Otherwise, please report any unexpected issues on the GitHub page.

The configuration file for haproxy is pretty straightforward and looks like this:

global

  maxconn 4096

  daemon

  log 127.0.0.1 local2 info

defaults

  log     global

  option  dontlognull

  mode http

  timeout connect 25000ms 

  timeout client 60000ms 

  timeout server 60000ms

frontend http_in

  bind *:80

  acl is_consul_test hdr_beg(host) -i consul-test.infra.itcm.oneadr.net

  use_backend consul_test if is_consul_test

backend consul_test

  cookie SERVERUSED insert indirect nocache

  balance roundrobin

  server infra1p 10.152.84.121:8500

  server infra2p 10.152.84.122:8500

  server infra3p 10.152.84.123:8500

Perhaps any one hit the same issue?

Cheers,

BB

[François Prud'homme]

Hello,

Maybe hdr_beg have to be replaced with hdr_dom.
I have a similar setup, i will watch it tomorrow if it's don't work.

[Big Bill]

Hi François,

Would be great if can show me your configuration.

Cheers,

BB

[François Prud'homme]

My configuration is under 3 parts :

• under consul folder config, i register a check :
  

{

  "services": [

    {

      "name": "consulsvc",

      "id": "consulsvc0",

      "tags": [

        "api"

      ],

      "port": 8500,

      "checks": [

        {

          "http": "http://172.17.42.1:8500/v1/status/peers",

          "interval": "60s",

          "status": "passing",

          "notes": "HTTP consul service"

        }

      ]

    }

  ]

}

• on my enterprise dns, i have a redirect for alias "consulsvc.mydomain.com" to consulsvc.service.consul (there is a redirect for all consul dns subdomain).

• on haproxy, i'm using maps for http/https redirect like this one :
  

frontend https

  bind *:443 ssl crt xxxxxxxxxxx.pem

  reqadd X-Forwarded-Proto:\ https

  redirect scheme http if { hdr(host),lower,map_str(/etc/consul-template.d/http.map) -m found }

  rspadd  Strict-Transport-Security:\ max-age=15768000

  option forwardfor

  use_backend sslv3 if { ssl_fc_protocol SSLv3 }

  use_backend %[hdr(host),lower,map_str(/etc/consul-template.d/mixte.map)] if { hdr(host),lower,map_str(/etc/consul-template.d/mixte.map) -m found }

  use_backend %[hdr(host),lower,map_str(/etc/consul-template.d/https.map,notfound)] if TRUE

(...)

backend consulhttp

  server consulhttp 172.17.42.1:8500 check

On my haproxy map file i have :

grep consul /etc/consul-template.d/https.map

consulsvc.mydomain.com      consulhttp

And... it's work :)

[François Prud'homme]

I reply to myself a little update in progress : this configuration is with a bind on docker bridge... a unnecessary dependancy (read https://medium.com/zendesk-engineering/making-docker-and-consul-get-along-5fceda1d52b9)

As we have all the necessary to redirect container/client/etc on consul api via haproxy, we are now on loopback interface.

Your configuration is maybe false due to this point : don't do loadbalance on consul backend... or add a way to be stick on same server (your cookie may have a problem on your configuration).

[Big Bill]

Hi François,

Thanks for the tip, after cleaning cookies everything started working again.

Cheers,

BB