How to set up HTTP check for TCP backend in HAProxy?


#1

The documentation suggests that I can set up an HTTP check for a TCP backend.

The liveness of my backend is determined by a 405 Method Not Allowed response when hitting a-app.com/ap_service.

My config looks like this:

    frontend app-api
        bind *:443
        mode tcp
    
        option tcplog
        default_backend app-api_backend
    
    
    backend app-api_backend
        mode tcp
        option httpchk GET /app_service HTTP/1.1
        http-check expect status 405
        server a a-app.com:443  resolvers dns verify none inter 1000  check
        server b b-app.com:443  resolvers dns verify none inter 1000  check

However, in the logs I get:

    Server app-api_backend/a is DOWN, reason: Layer7 invalid response, check duration: 1ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
    Server app-api_backend/b is DOWN, reason: Layer7 invalid response, check duration: 1ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.

SOLVED:

@lukastribus pointed me in the right direction. Working config looks like the following:

    backend app-api_backend
        mode tcp
        option httpchk OPTIONS /app_service HTTP/1.1
        server a a-app.com:443  resolvers dns verify none inter 1000  check check-ssl
        server b b-app.com:443  resolvers dns verify none inter 1000  check check-ssl

check-ssl was the missing piece. I also discovered the API endpoint supports the OPTIONS method, which returns a 200 OK, so I substituted that instead.


#2

It doesn’t fail because TCP mode doesn’t support this; it fails because you did not tell haproxy that the health check has to be encrypted. It sends plaintext HTTP to your port 443 as a health check.

Specify the check-ssl directive on each server to make haproxy use an SSL layer, therefore making an HTTPS request for the health check.
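
A variant of the working backend from post #1, as an added example that is not from either poster: it keeps the original 405 expectation and has the encrypted check validate the server certificate instead of using `verify none`. The CA bundle path is an assumption (adjust it to your system); the `check-sni` and `verifyhost` values reuse the hostnames from the thread.

```haproxy
backend app-api_backend
    mode tcp

    # Health check request, as in the original question.
    option httpchk GET /app_service HTTP/1.1
    # Treat the 405 that the application returns for GET as "alive".
    http-check expect status 405

    # Per-server check settings:
    #   check-ssl        wrap the health check in TLS (the fix from this thread)
    #   check-sni        SNI sent in the health check's TLS handshake
    #   verify required  validate the certificate the server presents to the check
    #   verifyhost       name that certificate must match
    #   ca-file          trust store used for validation (path is an assumption)
    #
    # The "dns" resolvers section is assumed to be defined elsewhere, as in the thread.
    # There is no "ssl" keyword on the server lines, so proxied client traffic
    # stays TCP passthrough; these TLS settings are used by the health check only.
    server a a-app.com:443 resolvers dns inter 1000 check check-ssl check-sni a-app.com verify required verifyhost a-app.com ca-file /etc/ssl/certs/ca-certificates.crt
    server b b-app.com:443 resolvers dns inter 1000 check check-ssl check-sni b-app.com verify required verifyhost b-app.com ca-file /etc/ssl/certs/ca-certificates.crt
```

With `verify required`, a server whose certificate is expired, untrusted or issued for a different name is marked DOWN by the check rather than silently kept in rotation.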