The documentation suggests that I can setup a HTTP check for a TCP backend.
The liveness of my backend is determined by a 405 Method Not allowed response when hitting a-app.com/ap_service
My config looks like this:
frontend app-api
bind *:443
mode tcp
option tcplog
default_backend app-api_backend
backend app-api_backend
mode tcp
option httpchk GET /app_service HTTP/1.1
http-check expect status 405
server a a-app.com:443 resolvers dns verify none inter 1000 check
server b b-app.com:443 resolvers dns verify none inter 1000 check
However, in the logs I get:
Server app-api_backend/a is DOWN, reason: Layer7 invalid response, check duration: 1ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Server app-api_backend/b is DOWN, reason: Layer7 invalid response, check duration: 1ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
SOLVED:
@lukastribus pointed me in the right direction. Working config looks like the following:
backend app-api_backend
mode tcp
option httpchk OPTIONS /app_service HTTP/1.1
server a a-app.com:443 resolvers dns verify none inter 1000 check check-ssl
server b b-app.com:443 resolvers dns verify none inter 1000 check check-ssl
check-ssl was the missing piece. I also discovered the API endpoint supports the OPTIONS method which returns a 200 OK. so substituted that instead.