Hi HAProxy Experts!
We are using HAProxy in our microservices environment running on Kubernetes. Some of the generated HAProxy config files have multiple backends, each of them with hundreds of backend servers.
Communication between our services is encrypted using TLS and we use HAProxy for SSL termination.
A server definition in the generated HAProxy config files looks something like this:
server service_a:443 <ip-address>:443 id 1 check inter 30s rise 3 fall 2 ssl crt <crt-file> ca-file <ca-file> verify required verifyhost <service-fqdn>
With this setting, HAProxy does a complete SSL handshake to every server immediately after each restart or reload. This puts a huge CPU load on the sidecar container running HAProxy during the initial check (config property
I believe the fact that it is establishing a TLS connection for the check can be seen on the status page of HAProxy in the column LastChk with something like L6OK in 9ms, while for non-TLS connections doing a pure TCP check it shows L4OK in 2ms.
We want to disable checks over SSL in our environment now and use pure TCP (layer 4) checks also for HTTPS backend servers. We tried doing this by adding the option no-check-ssl to each server line, like the following from the above example:
server service_a:443 <ip-address>:443 id 1 check inter 30s rise 3 fall 2 ssl no-check-ssl crt <crt-file> ca-file <ca-file> verify required verifyhost <service-fqdn>.
However, adding this option does not seem to stop using SSL for checks, since we still see L6OK on the stats page and not
So, how can we disable the use of SSL for checks against backends using HTTPS?
Or did the option actually disable it but the display on the stats page is simply misleading?
Thank you in advance for looking into this question.
P.S. We are using HAProxy 1.8.17 and are in the process of rolling out 1.9.10. We have only tested this with 1.8.17 so far.
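One way to settle the question raised above, whether the stats page is merely misleading, is to read the check status from HAProxy's machine-readable `show stat` output rather than the HTML page. The script below is an added example (not part of the original post and not HAProxy's own code): it parses `show stat` CSV, maps each server's `check_status` to the layer the check reached (L4* statuses end at the TCP connect, L6* statuses include the TLS handshake, L7* statuses go up to the application protocol) and lists the servers that are still being checked through TLS, plus the slowest checks. The sample CSV is constructed with invented backend and server names and only the columns the script needs; the stats socket path in the usage comment is an assumption.

```python
"""Report which HAProxy backend servers are health-checked through a TLS
handshake (L6* statuses) versus a plain TCP connect (L4* statuses), from
the CSV that `show stat` returns on the stats socket.

Added example, not part of the original forum post. SAMPLE_SHOW_STAT is
constructed data; the socket path in the usage comment is an assumption.
"""
import csv
import io
import sys
from collections import Counter, defaultdict

# Constructed sample of `show stat` output. The real output has many more
# columns; only the ones this script needs are reproduced, with the same
# header format (leading "# ", trailing comma on every line).
SAMPLE_SHOW_STAT = """\
# pxname,svname,status,check_status,check_duration,
be_service_a,BACKEND,UP,,,
be_service_a,service_a:443,UP,L6OK,9,
be_service_a,service_a-2:443,UP,L6OK,11,
be_service_b,BACKEND,UP,,,
be_service_b,service_b:8080,UP,L4OK,2,
be_service_b,service_b-2:8080,DOWN,L4TOUT,2001,
"""


def parse_show_stat(text):
    """Parse `show stat` CSV into one dict per server row, keyed by the column
    names in the header; FRONTEND/BACKEND aggregate rows are dropped."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("# "):
        raise ValueError("not 'show stat' output: header line must start with '# '")
    header = lines[0][2:]  # strip the leading "# " so DictReader sees bare names
    reader = csv.DictReader(io.StringIO("\n".join([header, *lines[1:]])))
    return [row for row in reader if row["svname"] not in ("FRONTEND", "BACKEND")]


def check_layer(check_status):
    """Return the layer a health check reached, taken from the L4/L6/L7 prefix
    of its status (L6OK = TLS handshake completed, L4OK = TCP connect only).
    Statuses without such a prefix (UNK, INI, SOCKERR, ...) give None."""
    if len(check_status) >= 2 and check_status[0] == "L" and check_status[1] in "467":
        return int(check_status[1])
    return None


def layers_by_backend(rows):
    """Count the servers of each backend by the layer their last check reached."""
    summary = defaultdict(Counter)
    for row in rows:
        summary[row["pxname"]][check_layer(row["check_status"])] += 1
    return {backend: dict(counts) for backend, counts in summary.items()}


def tls_checked_servers(rows):
    """Sorted 'backend/server' names whose checks include a TLS handshake."""
    return sorted(f"{r['pxname']}/{r['svname']}" for r in rows
                  if check_layer(r["check_status"]) == 6)


def slowest_checks(rows, n=3):
    """The n servers with the longest last check as (name, ms) pairs;
    check_duration is in milliseconds and is empty for unchecked servers."""
    timed = [(f"{r['pxname']}/{r['svname']}", int(r["check_duration"]))
             for r in rows if r["check_duration"]]
    return sorted(timed, key=lambda t: t[1], reverse=True)[:n]


if __name__ == "__main__":
    # Usage (socket path is an assumption):
    #   echo "show stat" | socat stdio /var/run/haproxy.sock | python3 check_layers.py
    # Without piped input the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOW_STAT
    rows = parse_show_stat(text)
    for backend, counts in sorted(layers_by_backend(rows).items()):
        print(backend, {f"L{k}" if k else "other": v for k, v in counts.items()})
    print("TLS-checked servers:", tls_checked_servers(rows))
    print("slowest checks (ms):", slowest_checks(rows))
```

Run it against the live `show stat` output before and after a config change: if a server's `check_status` still starts with L6 after the change, the check really did perform a TLS handshake, so the stats page is not misleading in that case. The `check_duration` column gives the per-server cost of that handshake in milliseconds, which makes the CPU impact on reload visible per backend.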