
I have two backends that are the same server running two of the same Docker image, but each with a different port. That is, on the backend server, the only difference between the two is the port mapping. My load balancer (HAProxy) is a separate physical machine at 10.0.0.2.

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/ssl/mydomain.com/both.pem
    http-request redirect scheme https unless { ssl_fc }

    acl eighty_http        hdr(host)     -m beg -i eighty.
    acl eightyhundred_http        hdr(host)     -m beg -i eightyhundred.

    use_backend eighty if eighty_http
    use_backend eightyhundred if eightyhundred_http

backend eighty
    server      twenty 10.0.0.20:80 check maxconn 300

backend eightyhundred
    server      twenty 10.0.0.20:8000 check maxconn 300

When I run sudo systemctl restart haproxy, it tells me "backend eightyhundred has no server available!" However, I can curl both ports successfully from the load balancer.

I put the following in iptables:

sudo iptables -A OUTPUT -p tcp -d 10.0.0.0/16 --sport 8000 -j ACCEPT

...and for selinux:

sudo semanage port --add --type http_port_t --proto tcp 8000

neither made a difference.

What am I missing here?

Adam Winter

1 Answer

In a nutshell, the issue is that you cannot just randomly pick a port to use for your backend. Here, 8000 is already assigned to soundd_port_t, which is a group that haproxy isn't in. So "sudo semanage port --add --type http_port_t --proto tcp 8000" does not accomplish what was intended here. It actually fails to do what you might think it did: it reports that this port is already added (it's already added to something else). The simple solution is to select ports that HAProxy has access to. This guy explains it all best:

https://unix.stackexchange.com/questions/363878/which-selinux-policies-apply-to-haproxy

Adam Winter

Comment by Gerald Schneider (Feb 09 '22 at 07:24): Ironically, this answer references back to this SF answer (https://serverfault.com/questions/654599/weird-interaction-with-systemctl-with-haproxy-on-centos-7/654684#654684), so we can most probably close this question as a duplicate of it.
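The answer's point is that "semanage port -a" fails because port 8000 already carries a different SELinux type (soundd_port_t), so the check a practitioner wants before picking a backend port is "which type labels this port right now?". The following shell snippet is an added example, not code from the question or answer: it reads the output of semanage port -l (a constructed, abridged sample is embedded so it runs offline), reports the type that labels a given port, and, when the port is not of the wanted type, prints the semanage port -m command that relabels it (-m modifies an existing assignment, which is the variant the asker needed instead of -a). The function names and the sample listing are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post). Look up the SELinux port type
# of a TCP port from `semanage port -l` output. Real usage:
#     semanage port -l | selinux_port_type 8000
#     semanage port -l | require_port_type 8000 http_port_t

# Constructed, abridged sample of `semanage port -l` output (assumption:
# modelled on a stock CentOS 7 targeted policy; real listings are much longer).
SAMPLE_SEMANAGE='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
soundd_port_t                  tcp      8000, 9433, 16001
unreserved_port_t              tcp      61001-65535'

# selinux_port_type PORT [PROTO]
# Reads a semanage listing on stdin and prints the type that labels PORT for
# PROTO (default tcp). Handles both comma lists ("80, 81, 443") and ranges
# ("61001-65535"). Prints "unlabeled" if no line in the listing covers PORT.
selinux_port_type() {
    awk -v port="$1" -v proto="${2:-tcp}" '
        $2 == proto {
            # Fields 3..NF are the port tokens; strip the trailing comma.
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
                        print $1; found = 1; exit
                    }
                } else if (p + 0 == port + 0) {
                    print $1; found = 1; exit
                }
            }
        }
        END { if (!found) print "unlabeled" }'
}

# require_port_type PORT TYPE
# Succeeds silently if PORT (tcp) already carries TYPE. Otherwise prints the
# relabel command and returns 1. Note the -m: `semanage port -a` fails when the
# port is already assigned to another type, which is exactly the trap in the
# question; -m changes the existing assignment instead.
require_port_type() {
    cur=$(selinux_port_type "$1")
    [ "$cur" = "$2" ] && return 0
    echo "semanage port -m -t $2 -p tcp $1   # currently $cur"
    return 1
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_SEMANAGE" | selinux_port_type 8000
printf '%s\n' "$SAMPLE_SEMANAGE" | require_port_type 8000 http_port_t
```

Pick backend ports that already resolve to http_port_t (80, 8008, 8443, 9000 on a stock policy), or relabel the one you want with the printed -m command; after relabelling, restart haproxy and the "no server available" message for that backend goes away because the health check can now connect.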