HAProxy community

How to healthcheck redis behind stunnel?

Hi,

I am new to haproxy and wanted to give it a try on centos 7.6.
I want to use haproxy to do the failover of a redis instance, which is located behind stunnel to enable tls on redis. On producer side I am using fielebeat and metricbeat which sends data tls encrypted to redis.
Stunnel and redis are located on the same box.

So my chain looks like this:
producer -> (TLS) -> haproxy (TLS passthrough) -> (TLS) -> stunnel -> redis.

Without encryption it healthcheck and connection via redis-cli from external to redis via haproxy is working fine.

That is the config for that:
defaults REDIS
    mode tcp
    timeout connect 3s
    timeout server 6s
    timeout client 6s

frontend ft_redis
    bind 0.0.0.0:16380 name redis
    default_backend bk_redis

backend bk_redis
    option tcp-check
    tcp-check connect
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send info\ replication\r\n
    tcp-check expect string role:master
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server server1 localhost:7000 check inter 1s 
    server server2 localhost:7001 check inter 1s 

Now I want to do the same, but via accessing the stunnel ports (where I need to connect via TLS).
I changed the two server lines to:

server server1 localhost:7100 check-ssl inter 1s ssl verify none
server server2 localhost:7101 check-ssl inter 1s ssl verify none

But looks like something is wrong. The healthcheck does not come back. The backend lines in stats are gray without any status.

Do you have any ideas how to solve the issue?

Thanks a lot, Andreas

You cannot do it. What you are doing without TLS is you are checking which redis backends is in the master role and then only route traffic there. To do this, you are implementing some basic redis dialog with a custom TCP health check.

However, custom TCP health checks don’t support TLS, so this cannot be done.

Do you need to route traffic only to the master instance? In that case, at least for health checks, you need to use a separate non-TLS port for haproxy health checks (of the same redis service).

Or use external health checking.

However this deployment doesn’t make a lot of sense. You can drop stunnel completely and use haproxy instead to warp everything in TLS. Then you won’t have to deal with TLS on the haproxy backend side and can continue to use health check to only route traffic to the master role redis instance.

Thanks a lot for your reply.

I managed to get it working with external check, calling a bash file. But I can’t manage it to do with chroot together.
I opened another thread for this: External-check with chroot not working

Thanks, Andreas