Hi,
Le 09/07/2017 à 17:58, M a écrit :
Hi,
It seems the error is related to acl and I don’t yet understand why > [...]
frontend https_influxdb
bind 192.168.246.17:8086 ssl crt /data/ssl_certs no-sslv3 ciphers
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES
mode http
[...]
acl host_influxdb-drp.example.net hdr(host) -i influxdb-drp.example.net
use_backend influxdb-drp.example.net if host_influxdb-drp.example.net
[...]
#curl -G https://influxdb-drp.example.net:8086/query -u admin:'xxx' --data-urlencode
"q=SHOW DATABASES"
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
Jul 9 15:46:16 kalinga haproxy[50375]: 192.168.246.17:57242
[09/Jul/2017:15:46:16.665] https_influxdb~ https_influxdb/<NOSRV> -1/-1/135 212
SC 4/0/0/0/0 0/0
The acl is not matching under this frontend :-(
[...]
Why acl is matching only on frontend https and not on frontend https_influxdb?
Because your Host header is certainly "influxdb-drp.example.net:8086",
not "influxdb-drp.example.net". You can verify this with this acl instead :
acl host_influxdb-drp.example.net hdr(host) -i
influxdb-drp.example.net:8086
Or you can even capture the header in your logs, it's quite useful to
debug acls ;-)
--
Cyril Bonté
