Healthcheck on HTTP port with redirection to HTTPS

Hi everyone,

My haproxy is performing a basic LB active/passive to 2 apache servers. The HTTPS part is working as expected. However, I have trouble performing the appropriate healthcheck on the backend HTTP part.
The backend (apache) is redirecting port 8080 (http) to 8443 (https). So when the healthcheck is using HTTP (port 8080) I’m getting a 302 instead of the 200 (which seems normal).
I tried to perform the healthcheck on the HTTPS port (8443) instead, but I’m getting an error 400.
Moreover, checking the HTTPS port doesn’t mean the HTTP port (8080) is working.

Any other (better) idea/advice on implementing this healthcheck?

#-----------------------------------                                              
# frontend in TCP
#-----------------------------------
frontend frontend-http
    bind 192.168.0.86:8080
    mode tcp
    option tcplog
    default_backend backend-http
 
frontend frontend-https
    bind 192.168.0.86:8443
    mode tcp
    option tcplog
    default_backend backend-https
 
#-----------------------------------
# backend in TCP
#-----------------------------------
backend backend-http
    balance roundrobin
    mode tcp
    server backend-http-1 192.168.0.82:8080 check port 8443 ssl verify none
    server backend-http-2 192.168.0.82:8080 check port 8443 ssl verify none backup
    option httpchk GET /status/
    http-check expect status 200
 
backend backend-https
    balance roundrobin
    mode tcp
    server backend-https-1 192.168.0.82:8443 check ssl verify none
    server backend-https-2 192.168.0.85:8443 check ssl verify none backup
    option httpchk GET /status/
    http-check expect status 200

Thanks,

I’m replying to myself. I guess I mixed up check ssl with check-ssl. Here is the corrected configuration. This seems to be working; however, I’m still not checking the 8080 port, so there may be a better way to do it?

#-----------------------------------                                              
# frontend in TCP
#-----------------------------------
frontend frontend-http
    bind 192.168.0.86:8080
    mode tcp
    option tcplog
    default_backend backend-http
 
frontend frontend-https
    bind 192.168.0.86:8443
    mode tcp
    option tcplog
    default_backend backend-https
 
#-----------------------------------
# backend in TCP
#-----------------------------------
backend backend-http
    balance roundrobin
    mode tcp
    server backend-http-1 192.168.0.82:8080 check port 8443 check-ssl verify none
    server backend-http-2 192.168.0.82:8080 check port 8443 check-ssl verify none backup
    option httpchk GET /status/
    http-check expect status 200
 
backend backend-https
    balance roundrobin
    mode tcp
    server backend-https-1 192.168.0.82:8443 check check-ssl verify none
    server backend-https-2 192.168.0.85:8443 check check-ssl verify none backup
    option httpchk GET /status/
    http-check expect status 200

Hello,

For me, to avoid getting mad following the redirects between the proxy and the backends, you should set the redirect on the proxy itself. Then, you can set up the backend as http or https if needed and check it on the right port.

If you have to leave the redirect on the backend, you can try to set up http-check expect status with the 302 you get when the server is running.
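
The check suggested in the reply above, written out as an added example that is not part of the original thread: the HTTP backend is probed on its own port 8080 in clear text and treats the redirect as the healthy answer. Addresses and the /status/ path come from the posted configuration; the second server address and the optional Location header rule are assumptions.

```haproxy
# Added example, not from the thread.
# Assumption: the second server is 192.168.0.85, as in backend-https.
backend backend-http
    mode tcp
    balance roundrobin
    # Layer-7 check over plain HTTP, sent to the server's own port (8080):
    # no "port 8443" override and no "check-ssl" on the server lines.
    option httpchk GET /status/
    # Apache answers port 8080 with a redirect, so 302 is the healthy response.
    http-check expect status 302
    # HAProxy 2.2 or later only: also require that the redirect points at HTTPS,
    # so an unrelated 302 does not count as healthy.
    http-check expect hdr name "location" value -m beg "https://"
    server backend-http-1 192.168.0.82:8080 check
    server backend-http-2 192.168.0.85:8080 check backup
```

With this, backend-http is marked down when port 8080 itself stops answering, which a check sent to 8443 cannot detect.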