--- tags: - upnote-import --- # Home-Assistent über HAProxy ## FAQs ### Seite zeigt Fehler Invalid method encountered ``` haproxy Invalid method encountered: b'' ^ ``` Grund war, dass die bind-option „accept-proxy“ und ein Proxy-Protocol zugewiesen waren. Der HA ist aber dafür gemacht, hinter einem Proxy zu lafen. In dem Fall muss beides entfernt werden. ### Google AI Analyse The error "Received something which does not look like a PROXY protocol header" in [OPNsense](https://www.google.com/search?q=OPNsense&newwindow=1&sca_esv=69afb27cda6b1637&sxsrf=AE3TifNGCTUN_X9hUalFtKqVKJ9xTQtN-A%3A1760112723749&ei=UzDpaKqwLciE9u8PyY3QkQw&ved=2ahUKEwit9YfiiJqQAxVIh_0HHSUIPdwQgK4QegQIARAB&uact=5&oq=opnsense+Received+something+which+does+not+look+like+a+PROXY+protocol+header&gs_lp=Egxnd3Mtd2l6LXNlcnAiTG9wbnNlbnNlIFJlY2VpdmVkIHNvbWV0aGluZyB3aGljaCBkb2VzIG5vdCBsb29rIGxpa2UgYSBQUk9YWSBwcm90b2NvbCBoZWFkZXJIjhhQAFibF3AAeAGQAQCYAaMBoAHuCKoBAzEuOLgBA8gBAPgBAZgCAaACfMICBhAAGAcYHpgDAJIHAzAuMaAHuRCyBwMwLjG4B3zCBwMwLjHIBwE&sclient=gws-wiz-serp&mstk=AUtExfAj2bFRYreBlPXhaXdkbD_Z26rDtwz-nmb-hYGj9CEoaSACui3YP6f78Egef9J1ucLy4x6mmPTa9XrDpoWrbG_x4QMgYSScPEz9sacNQ2cpPBrwu8bFdNeXaCPPcLPescVBkp0wuzOtU-YbupXon2r51dCLNa10FiWSss8dcFjvxOU&csui=3), likely when using HAProxy, means that a client connected to the proxy but sent data that doesn't conform to the PROXY protocol format. To fix this, you should check your HAProxy configuration to ensure the `accept-proxy` argument is present on the `bind` line of your frontend, or if you are sending the header, verify that the backend is configured correctly to receive it.  **Understanding the Error** - **What is PROXY Protocol?** It's a standard text-based or binary-based protocol that proxies use to pass connection information (like the client's IP address) to the next proxy or the backend server. - **What it Means:** The error indicates that OPNsense's HAProxy expected to see a PROXY protocol header from the client, but the client sent something else (likely just regular HTTP or another protocol) instead.  **How to Fix It** 1. **Check Your HAProxy Frontend Configuration:** - Navigate to `Services` > `HAProxy` > `Settings`. - Edit the frontend section that is receiving the connection. - Ensure that the `accept-proxy` argument is added to the `bind` line for that frontend. This allows HAProxy to recognize both version 1 (text) and version 2 (binary) PROXY protocol headers. 2. **Verify Backend Configuration:** - If your setup involves multiple HAProxy instances or a different type of backend server, check the configuration on that backend as well. - If the backend is not expecting the PROXY protocol, it might not understand the data it's receiving, leading to errors. 3. **Consider the Client's Request:** - Is the client _supposed_ to be sending a PROXY protocol header? If the client is just a regular HTTP client, it won't send this header, and the `accept-proxy` directive is what's needed on the HAProxy frontend to _receive_ it. - If your client application _is_ designed to send the PROXY protocol, then the error means its implementation is sending the header in an unexpected format.  **Example HAProxy Configuration Snippet (for reference):** ``` frontend my_frontend bind *:80 accept-proxy # This is the key line # Other frontend settings ``` - `bind *:80` : This tells HAProxy to listen on port 80. - `accept-proxy`: This tells HAProxy to accept and process the PROXY protocol from the client.  #### Lösung:  attribut „accept-proxy“ wieder entfernt und Proxy Protocol auf „none“ geändert. Im Frontend: ![](..\..\files\91ded0d3-2662-4758-944d-6aafc9c9ab3a.png)
Im Backend: ![](..\..\files\b2f34d78-d178-48c5-80d6-7a3e2ea3b89b.png)
##
## weitere Einstellungen: ### DNS-Override ![](..\..\files\e595984e-53d9-4b9e-9be2-8ba4cde1cf34.png)
##
### FW-Regel ![](..\..\files\4134c53e-af3e-4bd0-a251-ec507f0aee2f.png)
## Files running config file: ``` # # Automatically generated configuration. # Do not edit this file manually. # global uid 80 gid 80 chroot /var/haproxy daemon stats socket /var/run/haproxy.socket group proxy mode 775 level admin nbthread 1 hard-stop-after 60s no strict-limits httpclient.resolvers.prefer ipv4 tune.ssl.default-dh-param 4096 spread-checks 2 tune.bufsize 16384 tune.lua.maxmem 0 log /var/run/log local0 info lua-prepend-path /tmp/haproxy/lua/?.lua defaults log global option redispatch -1 maxconn 100 timeout client 30s timeout connect 30s timeout server 30s retries 3 default-server init-addr last,libc default-server maxconn 100 # autogenerated entries for ACLs # autogenerated entries for config in backends/frontends # autogenerated entries for stats # Frontend (DISABLED): 0_SNI_frontend (Listening on 0.0.0.0:80, 0.0.0.0:443) # Frontend (DISABLED): 1_HTTP_frontend (Listening on 127.4.4.3:80) # Frontend (DISABLED): 1_HTTPS_frontend (Listening on 127.4.4.3:443) # Frontend: kbha_frontend () frontend kbha_frontend http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" bind 0.0.0.0:443 name 0.0.0.0:443 ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/68e90ee37e8f60.01330497.certlist bind 0.0.0.0:80 name 0.0.0.0:80 ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/68e90ee37e8f60.01330497.certlist bind 192.168.178.106:443 name 192.168.178.106:443 ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/68e90ee37e8f60.01330497.certlist bind 192.168.178.106:80 name 192.168.178.106:80 ssl curves secp384r1 no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/68e90ee37e8f60.01330497.certlist mode http option http-keep-alive default_backend kbha_backend option forwardfor # logging options # ACL: kbha acl acl_68e90f4b9c2340.62230672 hdr(host) -i kbha.straso.com # ACTION: kbha use_backend kbha_backend if acl_68e90f4b9c2340.62230672 # Backend (DISABLED): portainer_backend () # Backend: kbha_backend (Backend for HomeAssistant) backend kbha_backend # health checking is DISABLED mode http balance source # stickiness stick-table type ip size 50k expire 30m stick on src http-reuse safe server kbha_server 192.168.178.4:8123 # statistics are DISABLED ``` ##
##
##
## Links ### gutes Tutorial: [Setup OPNsense with HAProxy and Let's Encrypt | Marcus Holtz](https://blog.holtzweb.com/posts/opnsense-with-haproxy-and-lets-encrypt/) passend zum Thread im Forum [Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating](https://forum.opnsense.org/index.php?topic=23339.0) ### noch ein Tutorial, DE mit Zusatztipps [HAProxy auf OPNsense - Schritt für Schritt - blog.admin-intelligence.de](https://blog.admin-intelligence.de/haproxy-auf-opnsense-schritt-fuer-schritt/)