Hello,
I have a haproxy configuration with 2 frontends (http and https) pointing to two different backends (http and https), but having exactly the same nodes.
As it seems I can’t configure a health check on https, I’d like to consider down even on https the node that fails the check on http.
Is it possible to do it in some way?
Thanks!
Why don’t you use the same backend for both frontends?
Health check should work just fine, why don’t you share your configuration?
I could… how?
I solved the problem: with yum on CentOS, haproxy didn’t have openssl support. I compiled it with openssl support and my checks are now working. Anyway, this is my configuration; if it’s possible to make it simpler by having just one backend, that would be better!

    global
        daemon
        log 127.0.0.1 local2

    listen stats
        bind *:1988
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy\ Statics
        stats uri /haproxy
        stats auth username:password
        timeout connect 4000
        timeout client 42000
        timeout server 43000

    frontend ft_http
        bind :80
        mode http
        default_backend bk_http

    frontend ft_https
        bind :443
        mode tcp
        default_backend bk_https

    backend bk_http
        mode http
        cookie SERVERID insert nocache indirect
        option tcp-check
        tcp-check send GET\ /myhttpcheck\ HTTP/1.1\r\n
        tcp-check send Host:\ node1\r\n
        tcp-check send Connection:\ close\r\n
        tcp-check send \r\n
        tcp-check expect string php_mysql_up
        server main1 node1:80 weight 1 cookie main1 check
        server main2 node2:80 weight 1 cookie main2 check
        server backup node3:80 backup check
        balance roundrobin
        option redispatch
        option forwardfor
        timeout connect 4000
        timeout client 42000
        timeout server 43000

    backend bk_https
        mode tcp
        stick-table type ip size 1m expire 1h
        stick on src
        option tcp-check
        tcp-check send GET\ /myhttpscheck\ HTTP/1.1\r\n
        tcp-check send Host:\ node1\r\n
        tcp-check send Connection:\ close\r\n
        tcp-check send \r\n
        tcp-check expect string php_mysql_up
        server main1 node1:443 weight 1 cookie main1 check check-ssl verify none
        server main2 node2:443 weight 1 cookie main2 check check-ssl verify none
        server backup node3:443 backup check check-ssl verify none
        balance roundrobin
        timeout connect 4000
        timeout client 42000
        timeout server 43000

You install the SSL certificate on haproxy and terminate SSL there (instead of terminating it on Apache and forwarding port 443 TCP traffic).
like:

    frontend ft_https
        bind :443 ssl crt /path/to/certificate
        mode tcp
        default_backend bk_http

That’s an option, but how does it help with the problem I have?
What is the problem you are having?
I was under the assumption that you fixed the ssl health check by having compiled haproxy with openssl.
Yes, sorry… I solved it, but I wanted to understand anyway if it was possible to have just one check on the nodes, and consider that node down for every backend if it’s down on the main one.
But I just saw the “track” command could be what I was looking for:
Track
This option enables ability to set the current state of the server by
tracking another one. Only a server with checks enabled can be tracked
so it is not possible for example to track a server that tracks another
one. If is omitted the current one is used. If disable-on-404 is
used, it has to be enabled on both proxies.
If you have just one backend, that solves this exact problem, doesn’t it?
If you have to use multiple backends for other reasons, then you can use the track option, that’s correct.
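
The two-backend setup from this thread rewritten around "track", as an added example that is not part of the original posts: bk_http keeps the only active health check and each bk_https server follows the state of its bk_http counterpart. Backend, server and check names are taken from the configuration posted above; the global, stats and frontend sections are assumed unchanged.

```haproxy
# Added example, not from the thread: one health check, shared by both backends.

backend bk_http
    mode http
    balance roundrobin
    cookie SERVERID insert nocache indirect
    option redispatch
    option forwardfor
    timeout connect 4000
    timeout client 42000
    timeout server 43000
    # The only active check: plain-HTTP request whose response must
    # contain the marker string.
    option tcp-check
    tcp-check send GET\ /myhttpcheck\ HTTP/1.1\r\n
    tcp-check send Host:\ node1\r\n
    tcp-check send Connection:\ close\r\n
    tcp-check send \r\n
    tcp-check expect string php_mysql_up
    server main1  node1:80 weight 1 cookie main1 check
    server main2  node2:80 weight 1 cookie main2 check
    server backup node3:80 backup check

backend bk_https
    mode tcp
    balance roundrobin
    stick-table type ip size 1m expire 1h
    stick on src
    timeout connect 4000
    timeout client 42000
    timeout server 43000
    # No "check" keyword here: a tracking server runs no check of its own,
    # so "check-ssl verify none" (a TLS check that does not validate the
    # node's certificate) is no longer needed.
    # The tracked servers must have "check" enabled, which they do above.
    server main1  node1:443 weight 1 track bk_http/main1
    server main2  node2:443 weight 1 track bk_http/main2
    server backup node3:443 backup track bk_http/backup

# Caveat: bk_https now only knows what the port-80 check knows. A node whose
# TLS listener on 443 is down while port 80 still answers stays in rotation
# for bk_https.
```

The per-server "cookie" values are left out of bk_https because cookie persistence only applies in HTTP mode; stickiness there comes from the stick-table on the source address.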