Penpot reliability. HA proxy

Dominik · December 21, 2023, 10:17am

Hello everyone,
Has anyone configured penpot with HAproxy?
In my setup, penpot uses docker. The HAproxy configuration is as follows:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn     20000
    user        haproxy
    group       haproxy
    daemon

    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048
    tune.ssl.cachesize 10000

defaults
    balance roundrobin
    log global
    mode http
    option httplog
    option dontlognull
    option clitcpka
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout connect 5000
    timeout client 50000
    timeout server 50000
#    errorfile 400 /etc/haproxy/errors/400.http
#    errorfile 403 /etc/haproxy/errors/403.http
#    errorfile 408 /etc/haproxy/errors/408.http
#    errorfile 500 /etc/haproxy/errors/500.http
#    errorfile 502 /etc/haproxy/errors/502.http
#    errorfile 503 /etc/haproxy/errors/503.http
#    errorfile 504 /etc/haproxy/errors/504.http

listen stats
    bind :8080 interface ens18
        mode http
        option httplog
        option dontlognull
        log-format {"type":"haproxy","time_local":"%trg","http_status":"%ST","http_request":"%r","remote_addr":"%ci","frontend_ip":"%fi","bytes_read":%B,"upstream_addr":"%si","backend_name":"%b","retries":%rc,"bytes_uploaded":%U,"upstream_response_time":%Tr,"upstream_connect_time":%Tc,"session_duration":"%Tt","termination_state":"%ts","queue_time":%Tw,"header_read_time":%TR,"client_response_time":%Ta,"x_forwarded_for":"%[capture.req.hdr(0)]","x_forwarded_proto":"%[capture.req.hdr(1)]","http_host":"%[capture.req.hdr(2)]","http_location":"%[capture.res.hdr(0)]"}
        stats enable
        stats refresh 30s
        stats uri /
        stats realm Haproxy\ Statistics
        stats auth haproxy:jakies_haslo
        stats admin if TRUE

frontend http-in-local
    bind :80 interface ens18
    mode http
    maxconn 20000
    option forwardfor except 127.0.0.1
    option httplog
    option dontlognull
    option http-keep-alive
    timeout http-keep-alive 930s
    log-format {"type":"haproxy","time_local":"%trg","http_status":"%ST","http_request":"%r","remote_addr":"%ci","frontend_ip":"%fi","bytes_read":%B,"upstream_addr":"%si","backend_name":"%b","retries":%rc,"bytes_uploaded":%U,"upstream_response_time":%Tr,"upstream_connect_time":%Tc,"session_duration":"%Tt","termination_state":"%ts","queue_time":%Tw,"header_read_time":%TR,"client_response_time":%Ta,"x_forwarded_for":"%[capture.req.hdr(0)]","x_forwarded_proto":"%[capture.req.hdr(1)]","http_host":"%[capture.req.hdr(2)]","http_location":"%[capture.res.hdr(0)]"}

    http-request add-header X-Forwarded-Proto http
    redirect scheme https code 301 if !{ ssl_fc }
    capture request header X-Forwarded-For len 64
    capture request header X-Forwarded-Proto len 64
    capture request header Host len 64
    capture response header Location len 64

frontend https-in-local
    mode http
    bind :443 interface ens18 ssl crt /certs/docker.pem crt /certs/penpot.pem crt /certs/dokuwiki.pem no-sslv3 alpn http/1.1
    maxconn 20000
    option forwardfor except 127.0.0.1
    option httplog
    option dontlognull
    option http-keep-alive
    timeout http-keep-alive 930s
    log-format {"type":"haproxy","time_local":"%trg","http_status":"%ST","http_request":"%r","remote_addr":"%ci","frontend_ip":"%fi","bytes_read":%B,"upstream_addr":"%si","backend_name":"%b","retries":%rc,"bytes_uploaded":%U,"upstream_response_time":%Tr,"upstream_connect_time":%Tc,"session_duration":"%Tt","termination_state":"%ts","queue_time":%Tw,"header_read_time":%TR,"client_response_time":%Ta,"x_forwarded_for":"%[capture.req.hdr(0)]","x_forwarded_proto":"%[capture.req.hdr(1)]","http_host":"%[capture.req.hdr(2)]","http_location":"%[capture.res.hdr(0)]"}

    http-request add-header X-Forwarded-Proto https
    capture request header X-Forwarded-For len 64
    capture request header X-Forwarded-Proto len 64
    capture request header Host len 64
    capture response header Location len 64

acl host_penpot.prame.dom hdr(host) -i penpot.prame.dom www.penpot.prame.dom penpot.dom www.penpot.dom
use_backend penpot.prame.dom if host_penpot.prame.dom

backend penpot.prame.dom 
mode http
http-reuse always
timeout http-keep-alive 10s
http-response set-header X-Frame-Options "SAMEORIGIN"
http-response set-header X-Xss-Protection "1; mode=block"
http-response set-header X-Content-Type-Options "nosniff"
http-response set-header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
http-response set-header Referrer-Policy "no-referrer-when-downgrade"
balance roundrobin
option httpchk OPTIONS / HTTP/1.0
server prod-penpot.prame.dom 192.168.0.80:9001 check inter 5s downinter 5s slowstart 10s rise 2 fall 3 weight 100 minconn 0 maxconn 100 maxqueue 0

The response I receive is “503 Service Unavailable No server is available to handle this request”.
Strange thing. Other services work properly (dokuwiki, mantibt, portainer, etc.). Does cooperation with HAproxy require any special penpot configuration?

Topic		Replies	Views
Unable to login to account due to Cookie "auth-token" has been rejected Self hosted Penpot	1	1210	April 25, 2023
Trouble self hosting Penpot Self hosted Penpot	1	368	December 6, 2023
Frontend is unreachable while self hosting Self hosted Penpot	0	608	August 9, 2023
Unable to initialize backend, frontend and exporter containers (docker) Troubleshooting	4	1766	November 11, 2022
Penpot runs fine but tries to reach "redis.x.y" every 10 seconds Troubleshooting	0	106	January 31, 2024

Penpot reliability. HA proxy

Related Topics

Design Freedom for Teams