Hello everyone,
Has anyone configured penpot with HAproxy?
In my setup, penpot uses docker. The HAproxy configuration is as follows:
# Process-wide settings: logging target, chroot, runtime socket, privileges and TLS defaults.
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
# Runtime API socket at admin level: anyone who can write to it can change server state.
# Mode 660 limits access to the socket's owner and group; keep that group small.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
maxconn 20000
user haproxy
group haproxy
daemon
# NOTE(review): this list still admits static-RSA key exchange (RSA+AESGCM, RSA+AES),
# which has no forward secrecy, and non-AEAD AES suites (ECDH+AES256, ECDH+AES128, DH+AES).
# An ECDHE/DHE + AEAD-only list is the tighter choice. This directive covers TLS <= 1.2;
# TLS 1.3 suites are configured separately (ssl-default-bind-ciphersuites).
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# NOTE(review): only SSLv3 is disabled here. Whether TLS 1.0/1.1 are still offered depends
# on the HAProxy/OpenSSL build defaults; confirm, and consider "ssl-min-ver TLSv1.2".
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
tune.ssl.cachesize 10000
# Defaults inherited by the listen/frontend/backend sections below unless they override them.
defaults
balance roundrobin
log global
mode http
option httplog
option dontlognull
option clitcpka
option http-server-close
# Adds an X-Forwarded-For header carrying the client address, except for loopback clients.
# The header is appended; a client-supplied X-Forwarded-For is not removed, so the
# application should trust only the last value (or strip the inbound header first).
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
# Timeouts without a unit are in milliseconds (5 s connect, 50 s client/server).
timeout connect 5000
timeout client 50000
timeout server 50000
# Custom error pages are commented out, so HAProxy's built-in error responses are served.
# errorfile 400 /etc/haproxy/errors/400.http
# errorfile 403 /etc/haproxy/errors/403.http
# errorfile 408 /etc/haproxy/errors/408.http
# errorfile 500 /etc/haproxy/errors/500.http
# errorfile 502 /etc/haproxy/errors/502.http
# errorfile 503 /etc/haproxy/errors/503.http
# errorfile 504 /etc/haproxy/errors/504.http
# Built-in statistics/admin page, served at "/" on port 8080 of interface ens18.
listen stats
# NOTE(review): this bind has no "ssl", so the page and its Basic-auth credentials travel
# in cleartext. Prefer a TLS bind or a loopback/management-only address, and restrict
# access by source address.
bind :8080 interface ens18
mode http
option httplog
option dontlognull
# NOTE(review): no "capture" lines are declared in this section, so the capture.* fields
# below presumably log empty values; confirm. The JSON is hand-built from client-controlled
# values (%r, captured headers); verify how your HAProxy version encodes '"' and '\' in
# them before a downstream parser trusts the output.
log-format {"type":"haproxy","time_local":"%trg","http_status":"%ST","http_request":"%r","remote_addr":"%ci","frontend_ip":"%fi","bytes_read":%B,"upstream_addr":"%si","backend_name":"%b","retries":%rc,"bytes_uploaded":%U,"upstream_response_time":%Tr,"upstream_connect_time":%Tc,"session_duration":"%Tt","termination_state":"%ts","queue_time":%Tw,"header_read_time":%TR,"client_response_time":%Ta,"x_forwarded_for":"%[capture.req.hdr(0)]","x_forwarded_proto":"%[capture.req.hdr(1)]","http_host":"%[capture.req.hdr(2)]","http_location":"%[capture.res.hdr(0)]"}
stats enable
stats refresh 30s
stats uri /
stats realm Haproxy\ Statistics
# The password is stored in cleartext in the config file (the value shown looks like a
# placeholder). Keep the file readable only by root/haproxy and use a strong, unique secret.
stats auth haproxy:jakies_haslo
# NOTE(review): "if TRUE" grants admin actions (e.g. enabling/disabling servers) to every
# authenticated user of this page. Combined with the cleartext bind above, a sniffed
# credential is enough to take backends out of rotation; consider a narrower condition.
stats admin if TRUE
# Plain-HTTP frontend on port 80. No backend is selected here; requests are redirected to HTTPS.
frontend http-in-local
bind :80 interface ens18
mode http
maxconn 20000
option forwardfor except 127.0.0.1
option httplog
option dontlognull
option http-keep-alive
# NOTE(review): idle keep-alive connections are held for 930 s (15.5 min). With maxconn
# 20000, slow or idle clients can pin many connection slots; confirm this value is intended.
timeout http-keep-alive 930s
# The capture.req.hdr(N)/capture.res.hdr(N) indices refer to the "capture" lines below,
# in declaration order. Client-controlled values are embedded in hand-built JSON; verify
# how your HAProxy version encodes '"' and '\' before a downstream parser trusts the output.
log-format {"type":"haproxy","time_local":"%trg","http_status":"%ST","http_request":"%r","remote_addr":"%ci","frontend_ip":"%fi","bytes_read":%B,"upstream_addr":"%si","backend_name":"%b","retries":%rc,"bytes_uploaded":%U,"upstream_response_time":%Tr,"upstream_connect_time":%Tc,"session_duration":"%Tt","termination_state":"%ts","queue_time":%Tw,"header_read_time":%TR,"client_response_time":%Ta,"x_forwarded_for":"%[capture.req.hdr(0)]","x_forwarded_proto":"%[capture.req.hdr(1)]","http_host":"%[capture.req.hdr(2)]","http_location":"%[capture.res.hdr(0)]"}
# add-header appends and does not remove a client-supplied X-Forwarded-Proto
# ("set-header" would replace it). It has little effect here, since requests are redirected.
http-request add-header X-Forwarded-Proto http
# This bind has no "ssl", so !{ ssl_fc } holds for every request and all are redirected (301).
redirect scheme https code 301 if !{ ssl_fc }
# Captures are truncated to 64 bytes. The X-Forwarded-* values logged are presumably the
# ones the client sent; treat them as untrusted in log analysis (confirm).
capture request header X-Forwarded-For len 64
capture request header X-Forwarded-Proto len 64
capture request header Host len 64
capture response header Location len 64
# TLS-terminating frontend on port 443; routes to a backend by Host header.
frontend https-in-local
mode http
# Three certificates are loaded and "alpn http/1.1" advertises HTTP/1.1 only.
# NOTE(review): "no-sslv3" disables only SSLv3; confirm that TLS 1.0/1.1 are also disabled
# (e.g. "ssl-min-ver TLSv1.2"). The .pem files presumably contain private keys; restrict
# their file permissions accordingly.
bind :443 interface ens18 ssl crt /certs/docker.pem crt /certs/penpot.pem crt /certs/dokuwiki.pem no-sslv3 alpn http/1.1
maxconn 20000
option forwardfor except 127.0.0.1
option httplog
option dontlognull
option http-keep-alive
# NOTE(review): idle keep-alive connections are held for 930 s; confirm this is intended.
timeout http-keep-alive 930s
# The capture.* indices refer to the "capture" lines below, in declaration order.
# Client-controlled values are embedded in hand-built JSON; verify how your HAProxy
# version encodes '"' and '\' before a downstream parser trusts the output.
log-format {"type":"haproxy","time_local":"%trg","http_status":"%ST","http_request":"%r","remote_addr":"%ci","frontend_ip":"%fi","bytes_read":%B,"upstream_addr":"%si","backend_name":"%b","retries":%rc,"bytes_uploaded":%U,"upstream_response_time":%Tr,"upstream_connect_time":%Tc,"session_duration":"%Tt","termination_state":"%ts","queue_time":%Tw,"header_read_time":%TR,"client_response_time":%Ta,"x_forwarded_for":"%[capture.req.hdr(0)]","x_forwarded_proto":"%[capture.req.hdr(1)]","http_host":"%[capture.req.hdr(2)]","http_location":"%[capture.res.hdr(0)]"}
# NOTE(review): add-header appends, so a client-supplied X-Forwarded-Proto reaches the
# backend alongside this one. An application that reads the first value can be misled
# about the scheme; "http-request set-header X-Forwarded-Proto https" replaces it instead.
http-request add-header X-Forwarded-Proto https
capture request header X-Forwarded-For len 64
capture request header X-Forwarded-Proto len 64
capture request header Host len 64
capture response header Location len 64
# Case-insensitive match of the Host header against the four listed names.
# NOTE(review): a Host value carrying a port (e.g. "name:443") presumably does not match.
# No default_backend is shown in this section, so a request matching no ACL gets
# HAProxy's own 503; confirm against the host name actually used.
acl host_penpot.prame.dom hdr(host) -i penpot.prame.dom www.penpot.prame.dom penpot.dom www.penpot.dom
use_backend penpot.prame.dom if host_penpot.prame.dom
# Backend for penpot: one server, an HTTP health check, and security response headers.
backend penpot.prame.dom
mode http
http-reuse always
timeout http-keep-alive 10s
# These headers are set on responses passing through this backend.
# NOTE(review): error pages generated by HAProxy itself presumably do not carry them; confirm.
http-response set-header X-Frame-Options "SAMEORIGIN"
# X-Xss-Protection is ignored by current browsers; a Content-Security-Policy is the
# modern control for this class of issue.
http-response set-header X-Xss-Protection "1; mode=block"
http-response set-header X-Content-Type-Options "nosniff"
# Two-year HSTS with includeSubdomains and preload: every subdomain of the served host
# must be reachable over HTTPS, and preload-list inclusion is slow to undo.
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# no-referrer-when-downgrade still sends the full URL to other HTTPS origins;
# "strict-origin-when-cross-origin" exposes less.
http-response set-header Referrer-Policy "no-referrer-when-downgrade"
balance roundrobin
# Health check: sends "OPTIONS /" as HTTP/1.0 (no Host header); only 2xx/3xx counts as up.
# NOTE(review): if the service answers OPTIONS / with a 4xx/5xx, the only server is marked
# DOWN and HAProxy returns 503 for every request. Check the server's check status on the
# stats page or in the logs and, if needed, probe a method/path the service answers with 2xx/3xx.
option httpchk OPTIONS / HTTP/1.0
# No "ssl" keyword on the server line: traffic from HAProxy to 192.168.0.80:9001 is plain HTTP.
# Acceptable only if that network segment is trusted.
server prod-penpot.prame.dom 192.168.0.80:9001 check inter 5s downinter 5s slowstart 10s rise 2 fall 3 weight 100 minconn 0 maxconn 100 maxqueue 0
The response I receive is “503 Service Unavailable No server is available to handle this request”.
Strangely, other services work properly (dokuwiki, mantibt, portainer, etc.). Does running penpot behind HAproxy require any special penpot configuration?