Hi,

I proxy everything with haproxy.
Mikrotik admin web console too.

I got error gateway timeout without any reason, click on any page after few moment (random) I'm logout with error message:

ERROR: Gateway Timeout

haproxy backend side:

backend mkt
server mkt 192.168.3.1:8081 check port 8081

In browser web developer, nothing special too.
If you have any idea or already proxied the web console, feedback is appreciated.
Thanks!

I'd disable check in haproxy config. ROS webfig service is not exactly a standard full featured web server and might get upset because of haproxy's L4 checks (i.e. only TCP connect without requesting any contents). And in this case L4 check is useless, it's only necessary in case where there are multiple backend servers and haproxy uses live ones in load-sharing manner. Or if you use haproxy's stats to actually supervise backends' health.

Hi,

I've switched from L7 to L4 (as you see on backend config). Without any changes, now as you suggest without any check.
Same result :-/
HAProxy is a simple TCP proxy :-/
As you said: "it's not a real webserver" I dig into timeout on haproxy to increase that and see what happen.

About check interest with only one backend is interesting to know the global status of your backend from haproxy point of view.

I do hope you are not opening the web config to the outside world using haproxy.
Best solution to access MT Routers are using a secure VPN tunnel.

If VPN are not an option, do this:
1. Use another port than default.
2. Use port knocking. This prevents someone from seeing open ports.
3. Use a long and good password.
4. Use access list to prevent any random internet from accessing your router.
5. Log everything. (See my signature for example.)
6. Upgrade firmware to latest stable release
7. ++++

Hi,

Good advice (except if you had mikrotik bug like me, stuck in 7.1rc4 :-/).
Haproxy is my https entrypoint for all my stuff, this is why I would like to include mikrotik web console.
I do all appropriate restriction and good known TLS ciphers setup, http auth basic if I'm not in whitlisted IPs etc etc ...

So, I think I know what I do about security concern.
I reach mikrotik with SSH but sometime webui is more easy to see things this is why I would to proxify.

Any haproxy advice about my problem ?

Regards,