Hi,
I’ve a problem between my NC server and my HAProxy.
If I go through HAProxy, the logins fail with error
504 bad gateway
If I log in through the NC address, the login succeeds.
I think there is somewhere a configuration that blocks HAProxy, thinking it’s a DoS attack.
I’ve already tried to disable mod_evasive and to add the trusted proxy IP to the configuration, but no luck.
Where can I set PHP/Apache connection limits?
Thanks
Are you positive it’s not a misconfiguration? HAProxy handles connections to 6 copies of Nextcloud for me with no problem.
I’m not sure since I’m still in testing with the actual configuration, but I think that the problem was that I was missing the option to enable x-forward-for in the HAProxy configuration. My proxy is a pfSense module.
Somehow I think that the PHP/Apache processes were overloaded in terms of memory and/or connection tracking since all clients were tracked as the same IP (the HAProxy one).
Can you provide a sample of your frontend/backend options? I’m only using SSL offloading, the xforwardfor option and SSL connection tracking.
Thanks
Mine isn’t using SSL as it’s just a PoC, but hope this helps regardless. I can show an SSL config for another solution if you wish, also working fine.
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen nccluster
    bind 10.10.40.8:80
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    balance leastconn
    option httpclose
    option forwardfor
    server web1 10.11.12.13:80 check fall 1 rise 2
    server web2 10.11.12.14:80 check fall 1 rise 2
    server web3 10.11.12.15:80 check fall 1 rise 2
    server web4 10.11.12.16:80 check fall 1 rise 2
    server web5 10.11.12.17:80 check fall 1 rise 2
    server web6 10.11.12.18:80 check fall 1 rise 2
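
An added example, not part of any post in this thread: a small Python model of the effect discussed above, where a per-IP limiter behind the proxy sees every client as the HAProxy address unless the `X-Forwarded-For` header set by `option forwardfor` is honoured, and honoured only for a trusted proxy. The function names, the limit and the 192.0.2.x client addresses are assumptions made for illustration; 10.10.40.8 is the bind address from the config above, assumed to also be the address the backends see.

```python
import ipaddress
from collections import Counter

# Assumption: the backends see the HAProxy bind address as the TCP peer.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.40.8/32")]

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer, xff=None):
    """Return the address a per-IP limiter should key on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    The list is walked right to left (the proxy appends its entry last) and
    the first hop that is not a trusted proxy is taken as the client, so
    entries a client put in the header itself are never believed.
    """
    if not is_trusted(peer) or not xff:
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer  # malformed header: fall back to the peer address
    return peer

def blocked_clients(requests, limit):
    """Count requests per resolved address; return those over the limit."""
    hits = Counter(client_ip(peer, xff) for peer, xff in requests)
    return {ip for ip, n in hits.items() if n > limit}

# Constructed sample: three clients, two logins each, all via the proxy.
CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
WITHOUT_HEADER = [("10.10.40.8", None) for c in CLIENTS for _ in range(2)]
WITH_HEADER = [("10.10.40.8", c) for c in CLIENTS for _ in range(2)]

if __name__ == "__main__":
    print(blocked_clients(WITHOUT_HEADER, limit=3))  # the proxy address is blocked
    print(blocked_clients(WITH_HEADER, limit=3))     # nobody is blocked
```
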