Re: 403 forbidden errors.

From: Willy Tarreau
Date: Sat, 19 Mar 2011 07:44:20 +0100

Hello Don,

On Fri, Mar 18, 2011 at 06:54:09PM -0600, Don MacArthur wrote:
> When I address the browser URL directly to the web server address all works
> well. When I direct it through the proxy, on two sites I receive a message
> that it can't connect, and on the third I get the prompt for the invalid
> cert (correct, I'm accessing via the IP address) and then a 403 forbidden
> message. The proxy server can ping the web server and the web server can
> ping the proxy server. I experienced none of this in my test environment
> and am wondering if I broke the config somehow, though I can find no
> differences other than the addresses.

I see several things that are wrong in your config, some of which could explain your issues:

> listen port_443a
> mode http

Here I find it very strange that your port 443 is http. In my opinion you'd want to have "mode tcp" here because I suspect that you're running SSL on this port.

> balance roundrobin
> option httpchk HTTP/1.1

This is not the proper syntax for option httpchk. This will result in sending invalid HTTP requests ("OPTIONS HTTP/1.1 HTTP/1.1"). If you use only one parameter, it must be a URI (eg: /). Please take a look at the doc for the various possibilities.

Also, having httpchk on an SSL service will probably not work, unless your server is able to talk HTTP on this port too. Otherwise, please use "option ssl-hello-chk" which will test for SSL.

> bind
> stats uri /haproxy-stats

"stats uri" can only be used in HTTP instances, because on SSL, the request is ciphered in the stream and haproxy will not be able to do anything with it.

> server web1

Right now, this server has no checks as it misses the "check" parameter. This is why it used to work, otherwise you would have noticed on the stats page that the server would have been down.

Same comments for the second instance below.

> listen port_443b
> mode tcp
> balance leastconn
> option httpchk HTTP/1.1
> bind
> stats uri /haproxy-stats
> server web2
> listen port_808
> mode tcp

Here I suspect that you wanted HTTP on this port, but I may be wrong. If this is HTTP that you need, then I suggest that you also add "option http-server-close" too, otherwise haproxy will only check the first request of every connection, and your stats will not always be accessible.

> balance leastconn
> option httpchk HTTP/1.1
> bind
> stats uri /haproxy-stats
> server web3

Willy

Received on 2011/03/19 07:44
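
The changes suggested in the reply above, collected into one configuration as an added example that is not part of the original message or the poster's real config. The addresses are placeholders from the 192.0.2.0/24 documentation range, port 808 is taken from the section name, and the second instance assumes that port carries clear-text HTTP, which the reply only suspects.

```haproxy
# Added example. All addresses and ports below are placeholders/assumptions;
# section and server names follow the quoted configuration.

# SSL passthrough: the request is encrypted inside the stream, so haproxy
# cannot parse it. The instance runs in TCP mode, carries no "stats uri",
# and is health-checked with an SSL hello instead of an HTTP request.
listen port_443a
    bind 192.0.2.10:443                 # placeholder address
    mode tcp
    balance roundrobin
    option ssl-hello-chk                # replaces "option httpchk HTTP/1.1"
    server web1 192.0.2.21:443 check    # "check" is what enables the health check

# Clear-text HTTP instance (assumption): HTTP checks and the stats page
# are only meaningful here, where haproxy can read the requests.
listen port_808
    bind 192.0.2.10:808                 # placeholder address
    mode http
    balance leastconn
    option http-server-close            # process every request of a connection
    option httpchk /                    # a single argument must be a URI
    stats uri /haproxy-stats
    server web3 192.0.2.23:808 check
```

With "check" present, a server that fails its health check is marked down on the stats page instead of silently receiving traffic.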