Hello!
Is it possible or not? I’m looking for a solution when incoming traffic isn’t allowed to get in backend side during HAPROXY is in INIT state.
Allow to forward traffic only if health-check returns OK!
yes, this is possible. Just set up the right health check and ensure the app answers positively once it knows itself it is fully ready.
Thanks for reply. Could I ask you what you mean “right health check”?
For example, I have such configure of my farm
listen FARM_1:5400
description FARM_1
bind ip-address:5400
mode tcp
timeout connect 5s
timeout client 60s
timeout server 60s
option tcp-check
rate-limit sessions 30
tcp-check send-binary <some-special-bin-string>
tcp-check expect binary <<some-special-bin-string>
balance leastconn
default-server check resolve-opts allow-dup-ip inter 30s fall 1 rise 1 maxconn 1000
server SRV1 SRV1:11900 maxconn 1000 weight 100 send-proxy
server SRV2 SRV2:11900 maxconn 1000 weight 100 send-proxy
server SRV3 SRV3:11900 maxconn 1000 weight 100 send-proxy
This example includes “tcp health check”. But issue is that haproxy manages to forward connects to backend side be into INIT status. That happens at start-up moment when health check is calculate real status of servers. In my config the tcp-ports on servers’ side are open (L4) and the service which is listen to it administratively restricts connects. HAPROXY sends health check (L7) and receives answer (L7). If the answer - true, the server is ready to serve clients, else - not. In my case server configured to send negative health check to HAPROXY that means the servers do not have to have clients.
You might want to take a look here
http://cbonte.github.io/haproxy-dconv/2.5/configuration.html#tcp-check%20connect
It’s the help for the statement
tcp-check connect
Also check the statements around it, like tcp-check expect etc
Hope it helps