Multi server: TLS handshake error

The haproxy check isn’t passing so it’s not bothering to forward the request. What happens if you take check off?

backend crowdsec
  server crowdsec my.domain.com:9091 ssl verify none

Restart haproxy without the crowdsec.lua hack:

May 24 23:10:20 ip-10-0-0-182 haproxy[2316]: -:- [24/May/2023:23:10:20.330] <HTTPCLIENT> <HTTPCLIENT>/<HTTPCLIENT> 2/0/3/-1/3 502 209 - - SH-- 0/0/0/0/3 0/0 {} "GET http://10.0.0.245:9091/v1/decisions/stream?startup=true HTTP/1.1"
May 24 23:10:20 ip-10-0-0-182 haproxy[2316]: Got error fetching decisions from Crowdsec: 502 (<html><body><h1>502 Bad Gateway</h1>.The server returned an invalid or incomplete response..</body></html>.)
May 24 23:10:20 ip-10-0-0-182 haproxy[2316]: [alert] 143/231020 (2316) : Got error fetching decisions from Crowdsec: 502 (<html><body><h1>502 Bad Gateway</h1>.The server returned an invalid or incomplete response..</body></html>.)
May 24 23:10:20 ip-10-0-0-182 haproxy[2316]: Got error fetching decisions from Crowdsec: 502 (<html><body><h1>502 Bad Gateway</h1>.The server returned an invalid or incomplete response..</body></html>.)

With the crowdsec.lua hack:

May 24 23:14:34 ip-10-0-0-182 haproxy[2942]: -:- [24/May/2023:23:14:34.663] <HTTPCLIENT> <HTTPCLIENT>/<HTTPSCLIENT> 2/0/-1/-1/6 503 217 - - SC-- 0/0/0/0/3 0/0 {} "GET https://10.0.0.245:9091/v1/decisions/stream?startup=true HTTP/1.1"
May 24 23:14:34 ip-10-0-0-182 haproxy[2942]: Got error fetching decisions from Crowdsec: 503 (<html><body><h1>503 Service Unavailable</h1>.No server is available to handle this request..</body></html>.)
May 24 23:14:34 ip-10-0-0-182 haproxy[2942]: [alert] 143/231434 (2942) : Got error fetching decisions from Crowdsec: 503 (<html><body><h1>503 Service Unavailable</h1>.No server is available to handle this request..</body></html>.)
May 24 23:14:34 ip-10-0-0-182 haproxy[2942]: Got error fetching decisions from Crowdsec: 503 (<html><body><h1>503 Service Unavailable</h1>.No server is available to handle this request..</body></html>.)

I’ve also tried with the IP 10.0.0.245 in place of my.domain.com. Same result.

Seems to me a lot like haproxy bouncer doesn’t work with multi server crowdsec. I really should not have to hack a file that can change with updates, even if it does work, which it seems it doesn’t. Should I be writing a bug report?

With check back in place I see this on the haproxy stats page

It works with multi server, just TLS cannot be configured on CrowdSec itself; it has to be listening for http.

Those errors are haproxy refusing to proxy because it thinks the backend is down.

I can see from the config you have the ssl flag on the backend; that will cause issues if you have configured crowdsec for http.

Changed to

backend crowdsec
   server crowdsec 10.0.0.245:9091

haproxy.log

May 25 11:26:57 ip-10-0-0-182 haproxy[49080]: -:- [25/May/2023:11:26:57.706] <HTTPCLIENT> <HTTPCLIENT>/<HTTPCLIENT> 3/0/2/-1/3 502 209 - - SH-- 0/0/0/0/3 0/0 {} "GET http://10.0.0.245:9091/v1/decisions/stream?startup=true HTTP/1.1"
May 25 11:26:57 ip-10-0-0-182 haproxy[49080]: Got error fetching decisions from Crowdsec: 502 (<html><body><h1>502 Bad Gateway</h1>.The server returned an invalid or incomplete response..</body></html>.)
May 25 11:26:57 ip-10-0-0-182 haproxy[49080]: [alert] 144/112657 (49080) : Got error fetching decisions from Crowdsec: 502 (<html><body><h1>502 Bad Gateway</h1>.The server returned an invalid or incomplete response..</body></html>.)
May 25 11:26:57 ip-10-0-0-182 haproxy[49080]: Got error fetching decisions from Crowdsec: 502 (<html><body><h1>502 Bad Gateway</h1>.The server returned an invalid or incomplete response..</body></html>.)

Something seems broken here. This is only a problem with haproxy-bouncer, iptables-bouncer can connect to the LAPI host without a problem.

I’ve just set up stunnel to forward the port and it works straight away. I’d prefer to not install extra software, but it seems like the sane option in this case.
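To make the diagnosis in the replies above checkable from the log lines themselves, here is an added Python triage helper. It is not code from this thread, from CrowdSec or from the haproxy bouncer. It decodes the HAProxy httplog termination state ("SH--", "SC--") and timer fields (Tq/Tw/Tc/Tr/Tt) of the 502 and 503 lines posted above, and compares a backend `server` line against whether the LAPI is actually serving TLS. The `TERM_WHO`/`TERM_WHEN` tables are abbreviated from the HAProxy documentation's "session state at disconnection" section; the function names and the `lapi_serves_tls` flag are assumptions made here, and you must supply that flag from your own CrowdSec `config.yaml`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two log lines from the posts above (syslog prefix included).
LINE_502 = ('May 24 23:10:20 ip-10-0-0-182 haproxy[2316]: -:- [24/May/2023:23:10:20.330] '
            '<HTTPCLIENT> <HTTPCLIENT>/<HTTPCLIENT> 2/0/3/-1/3 502 209 - - SH-- 0/0/0/0/3 0/0 {} '
            '"GET http://10.0.0.245:9091/v1/decisions/stream?startup=true HTTP/1.1"')
LINE_503 = ('May 24 23:14:34 ip-10-0-0-182 haproxy[2942]: -:- [24/May/2023:23:14:34.663] '
            '<HTTPCLIENT> <HTTPCLIENT>/<HTTPSCLIENT> 2/0/-1/-1/6 503 217 - - SC-- 0/0/0/0/3 0/0 {} '
            '"GET https://10.0.0.245:9091/v1/decisions/stream?startup=true HTTP/1.1"')

# HAProxy httplog fields, searched from the client address onward so the
# syslog prefix is ignored. Timers are Tq/Tw/Tc/Tr/Tt; -1 means "never happened".
LOG_RE = re.compile(
    r'(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) (?P<be>\S+)/(?P<srv>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'\S+ \S+ (?:\{[^}]*\} )?"(?P<req>[^"]*)"'
)

# Abbreviated from the HAProxy docs: who ended the session, and at which phase.
TERM_WHO = {
    "C": "client aborted", "S": "server aborted or refused",
    "P": "proxy aborted (error or policy)", "L": "handled locally by haproxy",
    "c": "client-side timeout", "s": "server-side timeout",
    "D": "server was marked down", "I": "internal error", "-": "normal",
}
TERM_WHEN = {
    "R": "waiting for the client REQUEST", "Q": "waiting in QUEUE for a server slot",
    "C": "waiting for the CONNECTION to the server",
    "H": "waiting for valid response HEADERS from the server",
    "D": "transferring DATA", "L": "sending LAST data to the client",
    "T": "tarpit", "-": "normal",
}


@dataclass
class Hit:
    status: int
    term: str
    tc: int
    tr: int
    scheme: str   # what the Lua httpclient was asked to speak: http or https
    who: str
    when: str
    verdict: str


def triage_httplog(line: str) -> Optional[Hit]:
    """Decode one HAProxy httplog line and say what the termination state implies."""
    m = LOG_RE.search(line)
    if not m:
        return None
    status, term = int(m["status"]), m["term"]
    tc, tr = int(m["tc"]), int(m["tr"])
    url = m["req"].split()[1] if len(m["req"].split()) > 1 else ""
    scheme = url.split("://", 1)[0] if "://" in url else "?"
    who = TERM_WHO.get(term[0], "unknown")
    when = TERM_WHEN.get(term[1], "unknown")
    if term[:2] == "SC" and tc < 0:
        verdict = ("no connection to any server (Tc=-1): with 'check' on the server line "
                   "a failing health check marks the LAPI down and haproxy answers 503")
    elif term[:2] == "SH" and tc >= 0 and tr < 0:
        verdict = ("TCP connect succeeded but no valid HTTP response came back (Tr=-1): "
                   f"haproxy spoke {scheme} to the LAPI; a TLS/plaintext mismatch between the "
                   "'ssl' server flag and what the LAPI listens for produces exactly this 502")
    else:
        verdict = f"{who} while {when}"
    return Hit(status, term, tc, tr, scheme, who, when, verdict)


def check_server_line(server_line: str, lapi_serves_tls: bool) -> List[str]:
    """Compare a backend 'server' line with how the LAPI is actually listening."""
    toks = server_line.split()
    if len(toks) < 3 or toks[0] != "server":
        return ["not a server line"]
    opts = toks[3:]
    speaks_tls = "ssl" in opts
    findings: List[str] = []
    if speaks_tls and not lapi_serves_tls:
        findings.append("mismatch: 'ssl' set but the LAPI is plain HTTP; drop 'ssl'")
    if not speaks_tls and lapi_serves_tls:
        findings.append("mismatch: LAPI expects TLS but the server line has no 'ssl'; add 'ssl' and pin the CA")
    if speaks_tls and "verify" in opts:
        i = opts.index("verify")
        if i + 1 < len(opts) and opts[i + 1] == "none":
            findings.append("weak: 'verify none' disables certificate checking; "
                            "use 'verify required ca-file <ca.pem>' instead")
    if "check" not in opts:
        findings.append("note: no 'check', so haproxy forwards regardless of LAPI health "
                        "(errors surface as 502 instead of 503)")
    return findings


if __name__ == "__main__":
    for line in (LINE_502, LINE_503):
        hit = triage_httplog(line)
        print(hit.status, hit.term, "->", hit.verdict)
    for f in check_server_line("server crowdsec my.domain.com:9091 ssl verify none", lapi_serves_tls=False):
        print("-", f)
```

The two log lines classify differently: the 502 has Tc=3 and Tr=-1 (connected, then nothing parseable came back), the 503 has Tc=-1 (no server to connect to). The `verify none` finding is the part to act on even once the TLS/plaintext question is settled: a bouncer that skips certificate verification will happily fetch decisions from whoever answers on that port.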