Lawrence Systems here, and we're going to be talking about HAProxy troubleshooting. This is a frequent problem people run into: they followed my videos (I have two of them, covering a couple of different aspects of HAProxy with Let's Encrypt, setting it all up and configuring it), and because the videos are a little bit longer, I think some people skip a few steps and then come over and start asking questions in the forums or elsewhere. So I wanted to make a quick troubleshooting guide, because it's only a few different things that I frequently see people missing. This is my response for when people say, "Hey, it's not working, but I followed your video." There's always something you missed. It is a complex topic, so I wanted to show the most common things people miss in HAProxy.

Before we dive into this video, if you'd like to learn more about me and my company, head over to LawrenceSystems.com. If you'd like to hire us for a project, which includes things like setting up HAProxy, there's a Hire Us button right at the top. If you'd like to support this channel in other ways, there are affiliate links down below. And of course there are the forums, where you can connect with us and ask your questions about HAProxy and get this video as a reply.

All right, let's dive into this topic. We're going to set up two different sites. They're both internal; one has an SSL cert of its own and the other one does not, so that I cover both common configurations. HAProxy is an extensive tool and can do many more advanced things, but I at least want to drill down on the most common things I see people missing.

The first one is the pfSense web GUI TCP port. By default, when you set up pfSense, it's port 443, and if you have your system responding on port 443 for both HAProxy and the pfSense web GUI, you end up with a problem.
I recommend using something other than 443 for the web GUI unless you're going to put HAProxy on something other than 443; you can't have two things bound to the same address and port, or you run into some of these problems. The second one down is the other little checkbox, "Disable webConfigurator redirect rule." This is a port 80 redirect to the web GUI. If you've moved the GUI to, for example, 10443 as in this demo, but left the redirect on, pfSense is still listening on port 80. If you've also decided that HAProxy should listen on 80 and 443, the redirect grabs that traffic instead of HAProxy and you end up at the wrong port. So, just a couple of little checkboxes: pick a different port, and remember what port you picked. Someone actually messaged me because they forgot after they did it and didn't realize what port they had tied to their pfSense web UI. And then the other one: just turn off the web redirect.

The next really common one is in the HAProxy back end. This is my Xen Orchestra lab, so the name we put here is XenOrchestraLab. Then there's the address and port. The address is the IP where Xen Orchestra runs, and the port is what it's listening on. It does have its own certificate, so if we were to go to port 443 of 192.168.3.28, it would respond with a self-signed certificate, because that's what I have set up on there. That means we do check the Encrypt (SSL) box, because the communications to it are encrypted. It also means, since it's self-signed at 192.168.3.28, that we do not check the SSL checks box. If HAProxy checks the validity of that certificate, it will find that it's self-signed and fail. We already know it's self-signed, so we don't need the error associated with it; we leave that box unchecked unless you want it to validate that certificate. Generally speaking, this is usually why you install HAProxy: you have some internal web servers and you want them to respond with a valid certificate.
So you're usually not going to have that box checked. Now, this is the second server I set up, and this is the back end for it. It's at 192.168.3.144 on port 80. This is not encrypted; it's standard port 80, so it responds, and there's no certificate and no certificate error. I don't actually have port 443 or any SSL set up on this particular demo, so this server is port 80, and of note, we are not checking Encrypt (SSL), and of course we're not checking SSL checks, because there's no certificate there. But one thing I want to remind people of when you're doing this internally: the connection from pfSense comes from 192.168.3.1. So when we go to 192.168.3.144, that creates a connection from pfSense to this server, and it's all in plain text. Some people think that checking the Encrypt box will encrypt it, but it will not, because port 80 is HTTP on this server and the server isn't doing any encryption. If you are exposing HAProxy somewhere else, or outside the network via the WAN, those client connections are encrypted, and I'll show you how that works on the front end, but on the back end, the traffic between HAProxy and the server, if someone were on the wire, so to speak, would be passing in clear text on that network. So keep that in mind. That's another common thing people miss: they check Encrypt because they think, "Hey, I want it to be encrypted when people talk to it," but it's not encrypted on the inside. When HAProxy inside pfSense talks to that server, you leave that unchecked, because the server isn't encrypted.

The next common things are in the front end. This is the LTS lab front end, and where do you want to bind it? This is the important part: the listen address.
You can choose LAN, WAN, or anything else you have, including different IP addresses if you have a WAN with multiple IPs, but it is very important to understand where you want that bound. I bring it up because sometimes people think you need to port forward, and you do not. The associated rule for this, if it's bound on WAN, is simply a firewall rule allowing traffic to the WAN IP address you selected; if you only have one WAN IP, you'd just select that. So if I were to bind to the WAN address, or one of these other addresses I have blurred out here, I would also have to create an accompanying firewall rule. You do not need port forwarding when you're using HAProxy. This is one of those things we've seen a lot of people do: assuming you need to forward to the server behind it, but you don't. HAProxy is making the connection behind, so to speak, from the LAN to the server, and you tie the front end to either the WAN or the LAN. Now, if you bind it to an internal LAN address, like I do here, you don't need to create any rules, because by default you can talk to the LAN side of pfSense; if you couldn't, you wouldn't be able to get to pfSense at all. But if you're doing it on the WAN side, you will have to create an associated rule for that.

The next one down, which I've covered in those HAProxy videos, of course, is not having the access control lists set up properly. We have two ACLs set up: XenOrchestraLab, with the value xolab.lawrencesystems.com, and SpeedTest, with a host match on speedtest.lawrencesystems.com. Getting these access control lists set up properly and listening properly is an important aspect. Both of these sites respond on port 443, so HAProxy is listening on 443 and answering based on which server name it gets.
The server name the browser sends, based on the DNS name it looked up, will be either speedtest or xolab, and by that HAProxy chooses the proper back end. If we edit one of these rules, you can see the SpeedTest host matches speedtest.lawrencesystems.com. When the host name matches, it responds with the back end set in the action: we say "Use Backend" SpeedTest. The quickest way to create these, as I showed in the other video, is to edit the back end. There's no pull-down here; it's a free-form field, but it has to match the back-end name. If I were to put in something else, or misspell SpeedTest, it won't work. You want it exact: the same case, the same everything, to make sure there are no issues. That's another spot where people miss. So this one matches XenOrchestraLab and this one matches XenOrchestraLab, and with both of them matching, it provides the proper back end.

Now on to DNS. I'm doing this in Linux, but if you're using Windows Subsystem for Linux it should work as well. Make sure you have dig installed; it's just my preferred tool for this, but however you want to do your DNS lookups: dig speedtest.lawrencesystems.com. These are my internal servers; if you try to resolve these, you'll find they don't resolve externally. I've set them up for this demo, and you'll see they respond with the right address. The right address is not the server. The server is 192.168.3.144; the responding address is 192.168.3.1, because that's where HAProxy lives. This is another thing people mix up: they leave the DNS entry pointing at their internal server, or wherever the server may live, and it has to resolve to where HAProxy is. The same thing for the xolab one: it resolves to the same address.
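To make the back-end, front-end and ACL settings above concrete, here is a hand-written haproxy.cfg that expresses the same setup in plain HAProxy syntax. This is an added example, not the configuration the pfSense HAProxy package generates and not something from the video; the front-end and back-end names, the addresses and the ports are the ones shown in the video, while the certificate path, the log and timeout settings are assumptions. Note that the config does nothing about DNS: both names still have to resolve to the bind address, 192.168.3.1, for any of this to be reached.

```haproxy
# Added example: plain-HAProxy equivalent of the pfSense setup in the video.
# Not pfSense's generated config. Certificate path, log and timeouts are assumed.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Front end bound to the LAN address of pfSense, the address the names must
# resolve to. Binding HAProxy here (not a port forward) is what lets it
# terminate TLS with the Let's Encrypt wildcard certificate. Nothing else,
# such as the pfSense web GUI, may be listening on 192.168.3.1:443.
frontend LTS_lab
    bind 192.168.3.1:443 ssl crt /var/etc/haproxy/wildcard.lawrencesystems.com.pem
    # Host header must match exactly (-i makes it case-insensitive), and the
    # name after use_backend must match the backend section name exactly.
    acl host_xolab     hdr(host) -i xolab.lawrencesystems.com
    acl host_speedtest hdr(host) -i speedtest.lawrencesystems.com
    use_backend XenOrchestraLab if host_xolab
    use_backend SpeedTest       if host_speedtest
    # No default_backend on purpose: an unmatched name gets a 503 rather than
    # silently landing on the wrong site.

# Xen Orchestra serves its own self-signed certificate on 443, so HAProxy
# talks TLS to it ("ssl", the Encrypt box) but must not validate the chain
# ("verify none", SSL checks left unchecked); with verification on, the
# health check fails and the backend is marked down.
backend XenOrchestraLab
    server xo 192.168.3.28:443 ssl verify none check

# SpeedTest is plain HTTP on port 80: no "ssl" keyword and no SSL checks.
# Traffic from pfSense (192.168.3.1) to this server crosses the LAN in clear text
# even though clients talking to HAProxy are encrypted.
backend SpeedTest
    server speedtest 192.168.3.144:80 check
```

If the web GUI still owns port 443, `bind 192.168.3.1:443` fails at startup with an "address already in use" error and HAProxy does not come up at all, which is the symptom behind the first checkbox in the video. When the front end is bound to a WAN address instead, the same config needs the accompanying pfSense firewall rule permitting TCP/443 to that address; no NAT port forward is involved.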
It's very important that these work properly; this is part of the core function you want working in HAProxy. As the browser sends xolab or speedtest.lawrencesystems.com, you want to make sure it's resolving to the right address, because with both names pointing to the same address, which server you get on the back end, or which certificate is served up, depends completely on that name matching, and that's where your browser has to do it.

Now, the final thing I want to show you is how you do the browser test from the command line so you can see the output. We're going to start with this command: openssl s_client, with -servername for the server name and -connect for the host. Let's break this down. The server name is what your browser would send, so we specify that, and then we have to explicitly give the IP address of the host we want to send it to. This is the way OpenSSL can connect and send that information, and we get a response back and read it. Of course, you could do this in a browser, but it can be a little trickier; I like doing it from the command line because then we can just start grepping things and figuring it out. So we run this and it gives me the right response, because that's the address for my website. Let's actually get the subject: we grep for "subject," and let's see what it says. Cool: a Let's Encrypt cert for lawrencesystems.com. So we say the server name is lawrencesystems.com and the host is the public IP address of lawrencesystems.com, and we filter for the subject. What if we sent something else as a server name, like xx.lawrencesystems.com, to this host? This is how shared hosting often works: you can have more than one domain on there. What will it respond with? We actually get an OpenLiteSpeed certificate that I left in there when I set up my website. LiteSpeed is the web server engine on there, and it basically said: you know what,
I don't have anything that matches this, so I'm going to give a default answer of a generic certificate and not serve up the website. This is one of the problems you run into: you realize it's not responding properly, and it's easy to see when we look at the subject, because I didn't get the expected Let's Encrypt lawrencesystems.com certificate.

Now let's switch to a different IP address, the HAProxy one. We'll do speedtest.lawrencesystems.com with the host being the IP address of our HAProxy; this is all internal, on the LAN side. And here we go: it's responding with a wildcard Let's Encrypt cert. Awesome, that's what we wanted. And the same thing: we can test it with xolab and see it responds properly. And finally, of course, we can go to speedtest.lawrencesystems.com and see the speed test. Of note, going to 192.168.3.144 directly brings it up as "Not secure," but here through HAProxy we have "Secure," the certificate is valid, and it's forwarding to the same server; it still responds on 192.168.3.144. And this one here, Xen Orchestra, is working: we have a signed certificate. But if I go to its HTTPS address directly, and I think this one's at 192.168.3.28, we end up with a certificate error: the browser says it's not private. That one does require the SSL checks box to be left unchecked, as I showed, because it has a self-signed cert; we don't want HAProxy to validate a cert we know won't validate, and through HAProxy it shows up as valid. And then the other one, of course, is valid too: it's port 80, there's no certificate on the server, but it is encrypted when we view it through HAProxy.

These are the same things I ask everyone when they're going through this. A lot of people ask this question, and I covered all of this in much more depth in my video on how to set these up, which walks you through step by step, but these are the same troubleshooting steps I go through each time someone brings me their problem.
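The DNS lookup and the openssl s_client test above are the two checks that catch most of these problems, and they are easy to script so that every published name is checked the same way every time. The following Python script is an added example, not code from the video or from the pfSense package: for each name it checks that DNS returns the HAProxy bind address rather than the back-end server, and that a TLS handshake to HAProxy with that server name returns the expected certificate, using the same openssl pipeline shown in the video. The hostnames and addresses are the ones from the video; the expected certificate subjects are assumptions, and the resolver and certificate fetch are injectable so the decision logic can be exercised offline with canned answers.

```python
"""Added troubleshooting helper; not from the video or the pfSense package.

For each published name it checks the two things the video checks by hand:
  1. DNS must return the HAProxy bind address, not the back-end server.
  2. A TLS handshake to HAProxy with that server name (SNI) must return the
     expected certificate, the equivalent of:
       openssl s_client -servername NAME -connect IP:443 </dev/null \
         | openssl x509 -noout -subject
The resolver and the certificate fetch are injectable so the decision logic
can run offline with canned answers.
"""
import socket
import subprocess
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class SiteCheck:
    hostname: str      # name the browser sends (SNI and Host header)
    haproxy_ip: str    # address the HAProxy front end is bound to
    backend_ip: str    # where the real server lives; DNS must NOT return this
    expected_cn: str   # text expected in the served certificate subject


def openssl_subject(servername: str, ip: str, port: int = 443) -> str:
    """Run the openssl pipeline from the video and return the subject line
    ('' if no certificate came back, e.g. nothing is listening there)."""
    client = subprocess.run(
        ["openssl", "s_client", "-servername", servername, "-connect", f"{ip}:{port}"],
        input=b"", capture_output=True, timeout=10, check=False)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-subject"],
                          input=client.stdout, capture_output=True, timeout=10, check=False)
    return x509.stdout.decode(errors="replace").strip()


def run_check(site: SiteCheck,
              resolve: Callable[[str], str] = socket.gethostbyname,
              subject_for: Callable[[str, str], str] = openssl_subject) -> List[str]:
    """Return findings for one site; an empty list means it checks out."""
    findings: List[str] = []

    # 1. DNS: the name must land on HAProxy, not on the server behind it.
    try:
        answer = resolve(site.hostname)
    except OSError as exc:  # socket.gaierror is an OSError
        findings.append(f"{site.hostname}: does not resolve ({exc}); fix DNS first")
    else:
        if answer == site.backend_ip:
            findings.append(f"{site.hostname}: DNS returns the backend {answer}, not HAProxy at "
                            f"{site.haproxy_ip}; browsers go straight to the server and bypass HAProxy")
        elif answer != site.haproxy_ip:
            findings.append(f"{site.hostname}: DNS returns {answer}, expected HAProxy at {site.haproxy_ip}")

    # 2. TLS with SNI, straight at the HAProxy address, independent of DNS.
    subject = subject_for(site.hostname, site.haproxy_ip)
    if not subject:
        findings.append(f"{site.hostname}: no certificate from {site.haproxy_ip}:443; check the front "
                        "end bind address, the web GUI port conflict, and the WAN firewall rule")
    elif site.expected_cn not in subject:
        findings.append(f"{site.hostname}: served '{subject}', expected '{site.expected_cn}'; "
                        "nothing on that listener matches this server name, so a default certificate was served")
    return findings


# Sites and addresses as shown in the video; the expected subjects are assumptions.
SITES = [
    SiteCheck("speedtest.lawrencesystems.com", "192.168.3.1", "192.168.3.144", "lawrencesystems.com"),
    SiteCheck("xolab.lawrencesystems.com", "192.168.3.1", "192.168.3.28", "lawrencesystems.com"),
]

if __name__ == "__main__":
    for site in SITES:
        for line in run_check(site) or [f"{site.hostname}: OK"]:
            print(line)
```

Run it from a machine on the LAN side that uses the same DNS resolver your browsers use; a name that resolves correctly from pfSense but not from the client still fails in the browser, and this script reports the lookup from where it runs. A "no certificate" finding with a WAN-bound front end usually means the firewall rule is missing, not that the bind is wrong.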
So hopefully these help you, and hopefully it's just one of those few little things: either DNS (and it's almost always DNS; DNS is a really popular problem), or those other little back end and ACL settings, and the fact that you don't need to port forward, which is really important. Make sure you have the right boxes checked, and if not, rewatch my two videos on it, which I'll link below. All right, thanks.

And thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to LawrenceSystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, are where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.