[Loadbalancer] 503 Service Unavailable

Hello,

I’m currently using rancher with my own owncloud service. I’m trying to access it through the rancher loadbalancer with an HTTPS connection but when I try to reach the URL owncloud.mydomain.fr I have the following error: 503 Service Unavailable No server is available to handle this request.

Ping server: OK
Ping URL: OK
URL https://ipOfNode1:44365 : OK

I have a self-signed certificate inside the owncloud container and I’m using a self-signed certificate in my rancher loadbalancer.

Loadbalancer config:

I don’t get why it’s not working, any idea?

Thank you
A++

The SSL box means the balancer does SSL termination, so the request to the target is plaintext (but over an encrypted IPSec tunnel for managed network). So you are sending an HTTP request to an HTTPS listening port. The target doesn’t respond, and the balancer replies 503.

The same is true about the default target for listener port 443, it should probably be 80, though nothing is apparently using the default target anyway.

If the application supports it, change the target port to the plain HTTP one. If you need SSL to the backend then you currently need to do a TCP listener and not check the SSL box. This means you can’t do hostname routing rules though because the encrypted connection goes all the way to the target and the balancer doesn’t see the host header.

The redis rule also does nothing because there is no listener for 6379, and its protocol is not HTTP-based, and it has no equivalent of a Host header to match… But this is just as well because exposing Redis to the Internet is an explicitly bad idea.
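A check for the mismatch described in the answer above, as an added example that is not part of the original posts: it attempts a TLS handshake against the target port and compares the result with what the balancer will send, depending on whether the SSL box is checked. The function names and the `ssl`/`tcp` mode argument are assumptions of this example.

```python
import socket
import ssl
import sys


def backend_protocol(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TLS handshake against a target port and report what answered."""
    ctx = ssl.create_default_context()  # certificate verification stays enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLCertVerificationError:
        # The handshake reached the certificate step, so the port speaks TLS.
        # A self-signed certificate like the one in the thread lands here.
        return "tls"
    except ssl.SSLError:
        # The reply did not parse as a TLS handshake this client accepts;
        # treated as a plaintext port.
        return "plaintext"
    except OSError:
        # Refused, reset, or timed out before a protocol could be identified.
        return "unreachable"


def check_target(ssl_box_checked: bool, host: str, port: int) -> str:
    """Compare what the balancer sends to the target with what the target speaks."""
    speaks = backend_protocol(host, port)
    if speaks == "unreachable":
        return "unreachable"
    # SSL box checked: the balancer terminates TLS and forwards plaintext HTTP.
    # SSL box unchecked (TCP listener): the client's TLS stream is passed through.
    sends = "plaintext" if ssl_box_checked else "tls"
    if sends == speaks:
        return "ok"
    return f"mismatch: balancer sends {sends}, target speaks {speaks}"


if __name__ == "__main__":
    # Usage: python check_target.py <host> <port> <ssl|tcp>
    host, port, mode = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(check_target(mode == "ssl", host, port))
```

A `mismatch` result with the SSL box checked corresponds to the 503 in this thread: the balancer forwards plaintext to a port that expects TLS.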

Hello Vincent,

Thanks a lot for your explanations.
Is it possible to route owc.domain.fr to the container over SSL with a certificate in rancher and the loadbalancer feature? My goal will be to reach https://owc.domain.fr and forward all the traffic to the container.

Thank you.

You cannot currently do hostname-based routing and TLS/SSL connections all the way to the container. To figure out the hostname the balancer needs to terminate the TLS connection. Even without TLS, the communication between the balancer and the target service is over an AES-encrypted IPSec tunnel.

If you want TLS all the way to the container then you just want TCP load balancing, but you will lose the ability to direct requests based on hostname:

OK, thanks a lot for the explanation, now it’s clear.

A++