Haproxy on a memberserver

Installed and works as expected, with one exception:
I found no solution to start the URL "https://ucs-xxx.my.domain.com/univention/management" on this memberserver for updates etc.
I always receive an empty screen or “400 Bad request”.
Log “/var/log/haproxy.log” doesn't help either:

Feb 10 17:31:25 ucs-xxxx haproxy[28465]: 192.168.a.bbb:62630 [10/Feb/2020:17:31:25.180] https-in~ haproxy_servers/haproxy 0/0/10/25/35 400 169 - - SD-- 0/0/0/0/0 0/0 “GET /univention/portal/ HTTP/1.1”

The crux is that haproxy and Apache2 listen on the same port.
Would the only solution be to change port 443 in Apache2 config?
If so, how then permanently?
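The fields of the HAProxy log line quoted in the post above, decoded field by field. This is an added example, not part of the original thread; it assumes the line follows HAProxy's default HTTP log format (`option httplog`), and the names `decode`, `CAUSE` and `STATE` are made up for this illustration.

```python
import re

# Sample line copied from the post above (address masked by the poster).
SAMPLE = ('Feb 10 17:31:25 ucs-xxxx haproxy[28465]: 192.168.a.bbb:62630 '
          '[10/Feb/2020:17:31:25.180] https-in~ haproxy_servers/haproxy '
          '0/0/10/25/35 400 169 - - SD-- 0/0/0/0/0 0/0 '
          '“GET /univention/portal/ HTTP/1.1”')

# Assumed layout: default HTTP log format without captured headers.
LINE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<accepted>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>-?\d+(?:/-?\d+){4}) (?P<status>\d{3}|-1) (?P<bytes>\+?\d+) '
    r'\S+ \S+ (?P<term>[\w-]{4}) \S+ \S+ ["“](?P<request>[^"”]*)["”]')

# First flag: what ended the session. Second flag: the state it was in.
CAUSE = {'-': 'normal completion', 'C': 'aborted by the client',
         'S': 'aborted or refused by the server', 'P': 'aborted by the proxy',
         'c': 'client-side timeout', 's': 'server-side timeout',
         'I': 'internal proxy error', 'R': 'proxy resource exhausted'}
STATE = {'-': 'normal completion', 'R': 'waiting for the client request',
         'Q': 'queued for a server slot', 'C': 'connecting to the server',
         'H': 'waiting for server response headers', 'D': 'data phase',
         'L': 'sending last data to the client', 'T': 'tarpitted'}


def decode(line):
    """Return the fields of one HAProxy HTTP-format log line, or None."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # A trailing "~" on the frontend name marks a TLS connection to HAProxy.
    rec['tls'] = rec['frontend'].endswith('~')
    rec['frontend'] = rec['frontend'].rstrip('~')
    rec['status'] = int(rec['status'])
    rec['bytes'] = int(rec['bytes'])
    # Five timers in milliseconds; -1 means the phase was never reached.
    rec['timers'] = [int(t) for t in rec['timers'].split('/')]
    rec['cause'] = CAUSE.get(rec['term'][0], 'unknown')
    rec['state'] = STATE.get(rec['term'][1], 'unknown')
    # Connect and response timers >= 0 mean a server accepted and answered.
    rec['server_answered'] = rec['timers'][2] >= 0 and rec['timers'][3] >= 0
    return rec


if __name__ == '__main__':
    for key, value in decode(SAMPLE).items():
        print(f'{key:16} {value}')
```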


I’d say that this is hard to achieve. Port 443 is hardcoded into some Apache config files, which would have to be changed manually, resulting in lots of hassle after upgrades.
We have a Cool Solution - Reverse Proxy for UCS Portal and Services which also describes that Apache has to be disabled.

I see 2 possible solutions:

  • Do the upgrades (and other tasks) by using the command line interface

  • Disable HAProxy / enable Apache if needed


I think I found an easy solution on the HAProxy server:

  1. /etc/apache2/sites-enabled/default-ssl.conf
    VirtualHost *:443 *:444
  2. Change template for the “default…:” --> /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start to:
    VirtualHost *:443 *:444

Don't know if necessary:
Create 2 items in Univention Configuration Registry

  1. security/packetfilter/package/univention-apache/tcp/444/all
    and set to “ACCEPT”
  2. security/packetfilter/package/univention-apache/tcp/444/all/en
    and set to “HTTPS”

Hope the updates will survive 🙂