Help with tcp-request connection reject

I’m trying to tie Polaris GSLB into haproxy to geo-balance some TCP connections (OpenVPN). The problem I’m running into is that the frontend IP that I’m binding to still responds to the TCP connection request, even when all of the backend servers are down. I tried searching for a solution, but haven’t had much luck. From what I can tell, Polaris has the ability to send a string as part of the payload in the connection check, but I haven’t seen any way to respond to that payload based on the status of the backend. The best I’ve got so far is “tcp-request connection reject if { nbsrv(vpn) lt 1 }”, but as far as Polaris is concerned, the VIP is still up.

tcp-request rules will make it so that a connection cannot be established with the backend, or more specifically that the connection is immediately closed after the 3-way TCP handshake, but that’s the point: after, because the kernel will complete the handshake, not haproxy.

So if Polaris just checks whether someone on the other side is responding to a SYN or completing a 3-way handshake, then Polaris will always see it up.

Haproxy cannot currently close the bind socket based on this.

Note that OpenVPN mainly uses UDP mode, and a VPN over TCP is generally bound to perform really badly due to multiple layers of congestion control stacked on top of each other.
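The difference the reply describes, as an added example that is not from this thread, haproxy or Polaris: a loopback listener that accepts and immediately closes (what a client sees when haproxy applies tcp-request connection reject, since the kernel has already completed the handshake) looks identical to a healthy service to a handshake-only check, while a check that sends a probe payload and requires a reply tells them apart. The probe payload `PING\n` and the echo behaviour are assumptions standing in for a real service.

```python
import socket
import threading

# Constructed stand-ins for the two cases in the reply (no haproxy involved).
# "reject": accept the connection and close it at once, like haproxy after
#           tcp-request connection reject (handshake already done by kernel).
# "echo":   answer the probe payload, standing in for a healthy service.
def _serve(listener, behaviour):
    conn, _ = listener.accept()
    with conn:
        if behaviour == "echo":
            conn.sendall(conn.recv(64))
    listener.close()

def start_listener(behaviour):
    """Bind a loopback listener on an ephemeral port and return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve, args=(listener, behaviour), daemon=True).start()
    return listener.getsockname()[1]

def closed_port():
    """Return a loopback port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def handshake_only_check(host, port, timeout=1.0):
    """What a SYN/handshake-level check sees: True as soon as connect() works."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

def payload_check(host, port, payload=b"PING\n", timeout=1.0):
    """Send a probe payload and require a reply: 'up', 'rejected' or 'down'."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"                # SYN unanswered or refused: no listener
    with conn:
        conn.settimeout(timeout)
        try:
            conn.sendall(payload)
            data = conn.recv(64)
        except OSError:              # reset, or no reply within the timeout
            return "rejected"
        return "up" if data else "rejected"   # b"" is an orderly close (FIN)
```

Against the rejecting listener `handshake_only_check` still returns True, which is exactly why a GSLB health check that stops at the handshake keeps the VIP up.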