    SOLVED: Server Unavailable on haproxy

    sEVacitU
    #1
    2024-03-02, 04:18 PM (This post was last modified: 2024-03-03, 03:55 AM by sEVacitU. Edited 5 times in total.)
    Setup: 
    - Public IP: [Removed public IP - TheDreadPirate]
    - Jellyfin Server: Windows PC 192.168.1.12:8096 no https, no docker
    - haproxy Server: Rocky 9 10.0.0.12
    - DNS: a record points "jellyfin.mydomain.com" to [Removed public IP - TheDreadPirate]

    Notes:
    - When doing a port scan port 443 is open at my public ip
    - When monitoring my firewall rules, traffic is successfully being passed to my Rocky server
    - I cannot ping my jellyfin server from my Rocky server, but if I log into the GUI and navigate to 192.168.1.12:8096 I can access my jellyfin library.


    When attempting to navigate to jellyfin.mydomain.com I get a 503 Server Unavailable error. 


    Code:
    [root@localhost user]# systemctl status haproxy
    ● haproxy.service - HAProxy Load Balancer
         Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset: disabled)
         Active: active (running) since Sat 2024-03-02 02:08:08 CST; 7h ago
        Process: 2164 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS (code=exited, status=0/SUCCESS)
       Main PID: 2166 (haproxy)
          Tasks: 5 (limit: 22944)
         Memory: 10.3M
            CPU: 3.263s
         CGroup: /system.slice/haproxy.service
                 ├─2166 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/conf.d -p /run/haproxy.pid
                 └─2168 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/conf.d -p /run/haproxy.pid

    Mar 02 02:08:08 localhost.localdomain systemd[1]: Starting HAProxy Load Balancer...
    Mar 02 02:08:08 localhost.localdomain haproxy[2166]: [NOTICE]   (2166) : New worker #1 (2168) forked
    Mar 02 02:08:08 localhost.localdomain systemd[1]: Started HAProxy Load Balancer.
    Mar 02 02:08:08 localhost.localdomain haproxy[2168]: [WARNING]  (2168) : Server jellyfin_backend/jellyfin is DOWN, reason: Layer4 connection problem, info: "General socket error (Permission denied)", check duratio>
    Mar 02 02:08:08 localhost.localdomain haproxy[2168]: [NOTICE]   (2168) : haproxy version is 2.4.22-f8e3218
    Mar 02 02:08:08 localhost.localdomain haproxy[2168]: [NOTICE]   (2168) : path to executable is /usr/sbin/haproxy
    Mar 02 02:08:08 localhost.localdomain haproxy[2168]: [ALERT]    (2168) : sendmsg()/writev() failed in logger #2: No such file or directory (errno=2)
    Mar 02 02:08:08 localhost.localdomain haproxy[2168]: [ALERT]    (2168) : backend 'jellyfin_backend' has no server available!


    Code:
    #---------------------------------------------------------------------
    # common defaults that all the 'listen' and 'backend' sections will
    # use if not designated in their block
    #---------------------------------------------------------------------
    defaults
        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        option http-server-close
        option forwardfor       except 127.0.0.0/8
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 3000

    #---------------------------------------------------------------------
    # main frontend which proxys to the backends
    #---------------------------------------------------------------------
    frontend jellyfin_proxy
        bind *:443 ssl crt /etc/letsencrypt/live/jellyfin.mydomain.com/fullchain.pem alpn h2,http/1.1
        redirect scheme https if !{ ssl_fc }
        
        option forwardfor
      
        acl letsencrypt_auth path_beg /.well-known/acme-challenge/

        acl is_jellyfin hdr(host) -i jellyfin.henrilogon.com

        use_backend jellyfin_backend if is_jellyfin

    #---------------------------------------------------------------------
    # static backend for serving up images, stylesheets and such
    #---------------------------------------------------------------------
    backend jellyfin_backend
        option httpchk
        option forwardfor
        http-check send meth GET uri /health
        http-check expect string Healthy
        server jellyfin 192.168.1.12:8096 check

    backend letsencrypt
        server letsencrypt 127.0.0.1:8888

    #---------------------------------------------------------------------


    listen stats
    bind *:9000
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if TRUE

    Code:
    [root@localhost tim]# curl -v 192.168.1.12:8096
    *   Trying 192.168.1.12:8096...
    * Connected to 192.168.1.12 (192.168.1.12) port 8096 (#0)
    > GET / HTTP/1.1
    > Host: 192.168.1.12:8096
    > User-Agent: curl/7.76.1
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 302 Found
    < Content-Length: 0
    < Date: Sat, 02 Mar 2024 16:26:27 GMT
    < Server: Kestrel
    < Location: /web/index.html
    < 
    * Connection #0 to host 192.168.1.12 left intact


    Jellyfin Networking Settings:
    Server Address Settings
        Local HTTP port number: 8096
        Enable HTTPS: Not Selected
        Local HTTPS port number: 8920
        Base URL: empty
        Bind to local network address: 192.168.1.12
        LAN networks: 192.168.1.0/24, 192.168.2.0/24
        Known proxies: 10.0.0.12
    HTTPS Settings:
        *Disabled*
    Remote Access Settings
        Allow remote connections to this server: checked
        Remote IP address filter: empty
        Remote IP address filter mode: Whitelist
        Enable automatic port mapping: unchecked
        Public HTTP port number: 8096
        Public HTTPS port number: 8920
    IP Protocols
        *IPv4 Only*
    Firewall and Proxy Settings
        jellyfin.mydomain.com


    ---- Edit ----
    I did finally find the following log
    Code:
    Mar  2 10:51:50 localhost setroubleshoot[2096]: SELinux is preventing /usr/sbin/haproxy from name_connect 
    access on the tcp_socket port 8096.#012#012*****  Plugin connect_ports (85.9 confidence) suggests   
    *********************#012#012If you want to allow /usr/sbin/haproxy to connect to network port 8096#012
    Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 8096#012 
    where PORT_TYPE is one of the following: commplex_link_port_t, commplex_main_port_t, dns_port_t, 
    dnssec_port_t, fmpro_internal_port_t, http_cache_port_t, http_port_t, kerberos_port_t, ocsp_port_t, 
    rtp_media_port_t.#012#012*****  Plugin catchall_boolean (7.33 confidence) suggests   ******************#012#012
    If you want to allow nis to enabled#012Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
    #012#012Do#012setsebool -P nis_enabled 1#012#012*****  Plugin catchall_boolean (7.33 confidence) suggests   
    ******************#012#012If you want to allow haproxy to connect any#012Then you must tell SELinux about this by 
    enabling the 'haproxy_connect_any' boolean.#012#012Do#012setsebool -P haproxy_connect_any 1#012#012*****  
    Plugin catchall (1.35 confidence) suggests   **************************#012#012If you believe that haproxy should be 
    allowed name_connect access on the port 8096 tcp_socket by default.#012Then you should report this as a bug.#012
    You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012#
    ausearch -c 'haproxy' --raw | audit2allow -M my-haproxy#012# semodule -X 300 -i my-haproxy.pp#012
    TheDreadPirate
    #2
    2024-03-02, 06:23 PM
    Is the address 10.12 or 1.12? Your curl command is using 10.12 but all your configs are 1.12.
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    sEVacitU
    #3
    2024-03-03, 02:16 AM
    (2024-03-02, 06:23 PM)TheDreadPirate Wrote: Is the address 10.12 or 1.12?  Your curl command is using 10.12 but all your configs are 1.12.

    It's 10.21. I just get into the habit of changing all IPs even though those privates legit don't really matter. I will edit the curl to match the rest.
    TheDreadPirate
    #4
    2024-03-03, 02:32 AM
    Do you have a firewall rule on your Jellyfin host that only allows connections to port 8096 from the 192.168.1.0/24 subnet?
    sEVacitU
    #5
    2024-03-03, 03:47 AM
    (2024-03-03, 02:32 AM)TheDreadPirate Wrote: Do you have a firewall rule on your Jellyfin host that only allows connections to port 8096 from the 192.168.1.0/24 subnet?

    Nope. The firewall rules I have set up on the host allow local networks set to 192.168.1.0/24, 192.168.2.0/24, 10.0.0.0/24 and any remote network. (I know this isn't a great idea; currently I am just port forwarding from my public IP to my jellyfin server with no proxy. I will change that firewall rule once I get my proxy working.)

    When using a browser on 10.0.0.1 I can get to my jellyfin server without issue, but I get a layer 4 rejection message when attempting to use the proxy. I didn't know if for some reason my proxy was trying to use HTTPS on the backend instead of HTTP, otherwise I'm pretty lost about why it doesn't work.
    sEVacitU
    #6
    2024-03-03, 04:37 AM (This post was last modified: 2024-03-03, 04:42 AM by sEVacitU. Edited 1 time in total.)
    After parsing out the log message I received I added the following command and it resolved the issue for me.

    Code:
    sudo semanage port -a -t http_port_t -p tcp 8096
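
Added example (not part of the original posts): a small parser for the kind of setroubleshoot syslog line posted above, which undoes the `#012` newline escape and lists each plugin's suggestion with its confidence and command. The sample line is constructed and shortened from the one in the thread, and the function name `parse_setroubleshoot` is hypothetical.

```python
import re

# Constructed sample: a shortened setroubleshoot line in the shape of the one
# posted in the thread. Syslog has escaped the embedded newlines as "#012".
SAMPLE = (
    "Mar  2 10:51:50 localhost setroubleshoot[2096]: SELinux is preventing "
    "/usr/sbin/haproxy from name_connect access on the tcp_socket port 8096."
    "#012#012*****  Plugin connect_ports (85.9 confidence) suggests   *****"
    "#012#012If you want to allow /usr/sbin/haproxy to connect to network port 8096"
    "#012Then you need to modify the port type.#012Do"
    "#012# semanage port -a -t PORT_TYPE -p tcp 8096"
    "#012#012*****  Plugin catchall_boolean (7.33 confidence) suggests   *****"
    "#012#012If you want to allow haproxy to connect any"
    "#012Then you must tell SELinux about this by enabling the "
    "'haproxy_connect_any' boolean.#012#012Do"
    "#012setsebool -P haproxy_connect_any 1#012"
)

PLUGIN_RE = re.compile(r"\*+\s+Plugin (\S+) \(([\d.]+) confidence\) suggests\s+\*+")

def parse_setroubleshoot(line):
    """Return (summary, suggestions) parsed from one setroubleshoot syslog line."""
    text = line.replace("#012", "\n")   # undo the syslog newline escape
    # Two capture groups, so split() yields [head, name, conf, body, name, conf, body, ...]
    parts = PLUGIN_RE.split(text)
    summary = parts[0].split("setroubleshoot", 1)[-1].split(": ", 1)[-1].strip()
    suggestions = []
    for name, conf, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        cmds = []
        if "Do" in lines:
            # Everything after the bare "Do" line; drop a leading "# " root prompt.
            cmds = [l.lstrip("# ").strip() for l in lines[lines.index("Do") + 1:]]
        suggestions.append({"plugin": name, "confidence": float(conf),
                            "goal": lines[0] if lines else "", "commands": cmds})
    # Highest-confidence plugin first, as setroubleshoot itself orders them.
    suggestions.sort(key=lambda s: s["confidence"], reverse=True)
    return summary, suggestions

if __name__ == "__main__":
    summary, suggestions = parse_setroubleshoot(SAMPLE)
    print(summary)
    for s in suggestions:
        print(f'{s["confidence"]:6.2f}  {s["plugin"]:18} {"; ".join(s["commands"])}')
```

The `connect_ports` suggestion relabels a single port, which is the fix used in this thread with `http_port_t`; the `haproxy_connect_any` boolean instead lets haproxy connect to any port, so it is the broader of the two changes.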