SSL hanshake failure when using httpchk

I’m facing an issue related to setting up a health check in HAProxy when pointing to Supabase Cloud.
Do you have any suggestions or recommendations for handling this?
I’ve included the HAProxy config below for reference:

global
    log /dev/log local0
    maxconn 4096
    stats socket /var/run/haproxy/admin.sock mode 600 level admin
    ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-server-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11

# Redirect all HTTP to HTTPS
frontend http_in
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

# HTTPS frontend
frontend https_in
    bind *:443 ssl crt /etc/ssl/aatuckercarlsonnetwork.com.pem
    mode http
    default_backend supabase_backends

# ---------------------------
# Backend with health checks
backend supabase_backends
    mode http
    option httpchk GET /auth/v1/health?apikey=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im92Y2VtcmxqcGN3d3JmeW9xaGtlIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NTEyNTQxMTUsImV4cCI6MjA2NjgzMDExNX0.7gQYn4AB_SB1dvVMJoGM4GTcrJXVsS2LedSkl3XesKw
    http-check expect status 200
    default-server inter 3s fall 3 rise 5
    server primary ovcemrljpcwwrfyoqhke.supabase.co:443 ssl verify none check
    server secondary 23.230.68.222:8000 check backup

And this is the error that I meet (Primary server down)

root@HAProxy:~# echo "show stat" | socat stdio /var/run/haproxy/admin.sock | grep supabase_backends
supabase_backends,primary,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,1,1,7,7,,1,4,1,,0,,2,0,,0,L6RSP,,7,0,0,0,0,0,0,,,,0,0,0,,,,,-1,SSL handshake failure,,0,0,0,0,,,,Layer6 invalid response,,5,3,0,,,,172.64.149.246:443,,http,,,,,,,,0,0,0,,,0,,0,0,0,0,0,0,0,0,1,1,,,,0,,,,,,,,,,-,0,0,3,0,0,,,,,,,,,,,,,,,,,,,,,,
supabase_backends,secondary,0,0,0,0,,0,0,0,,0,,0,0,0,0,UP,1,0,1,0,0,7,0,,1,4,2,,0,,2,0,,0,L7OK,200,6,0,0,0,0,0,0,,,,0,0,0,,,,,-1,,,0,0,0,0,,,,Layer7 check passed,,5,3,7,,,,23.230.68.222:8000,,http,,,,,,,,0,0,0,,,0,,0,0,0,0,0,0,0,0,1,1,,,,0,,,,,,,,,,-,0,0,0,0,0,,,,,,,,,,,,,,,,,,,,,,
supabase_backends,BACKEND,0,0,0,0,410,0,0,0,0,0,,0,0,0,0,UP,1,0,1,,0,7,0,,1,4,0,,0,,1,0,,0,,,,0,0,0,0,0,0,,,,0,0,0,0,0,0,0,-1,,,0,0,0,0,,,,,,,,,,,,,,http,roundrobin,,,,,,,0,0,0,0,0,,,0,0,0,0,0,,,,,1,0,0,0,,,,,,,,,,,-,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,5,702,496,0,0,
root@HAProxy:~# 
root@HAProxy:~# journalctl -u haproxy -f
Jul 11 07:23:04 HAProxy haproxy[599806]:    | timeouts are set to a non-zero value: 'client', 'connect', 'server'.
Jul 11 07:23:04 HAProxy haproxy[591881]: [NOTICE]   (591881) : Loading success.
Jul 11 07:23:04 HAProxy haproxy[598697]: [WARNING]  (598697) : Proxy local_http stopped (cumulated conns: FE: 0, BE: 0).
Jul 11 07:23:04 HAProxy haproxy[598697]: Proxy local_http stopped (cumulated conns: FE: 0, BE: 0).
Jul 11 07:23:04 HAProxy haproxy[598697]: [WARNING]  (598697) : Proxy supabase_backends stopped (cumulated conns: FE: 0, BE: 0).
Jul 11 07:23:04 HAProxy haproxy[598697]: Proxy supabase_backends stopped (cumulated conns: FE: 0, BE: 0).
Jul 11 07:23:04 HAProxy haproxy[599806]: [WARNING]  (599806) : Server supabase_backends/primary is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 7ms. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 0 requeued, 0 remaining in queue.
Jul 11 07:23:04 HAProxy haproxy[591881]: [NOTICE]   (591881) : haproxy version is 3.2.3-1844da7
Jul 11 07:23:04 HAProxy haproxy[591881]: [NOTICE]   (591881) : path to executable is /usr/local/sbin/haproxy
Jul 11 07:23:04 HAProxy haproxy[591881]: [WARNING]  (591881) : Former worker (598697) exited with code 0 (Exit)

Just give more context info
HAProxy Version: HAProxy version 3.2.3-1844da7

API health check working fine when call from postman

curl --location 'https://ovcemrljpcwwrfyoqhke.supabase.co/auth/v1/health?apikey=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im92Y2VtcmxqcGN3d3JmeW9xaGtlIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NTEyNTQxMTUsImV4cCI6MjA2NjgzMDExNX0.7gQYn4AB_SB1dvVMJoGM4GTcrJXVsS2LedSkl3XesKw'


You probably need to add Host headers and SNI values (for both health checks and production traffic).

Add this to your backend to send the correct host header:

http-check send hdr Host ovcemrljpcwwrfyoqhke.supabase.co

Add this to your server config line, to send the proper SNI value. This is likely the reason the health check aborts with a SSL handshake issue:

sni str(ovcemrljpcwwrfyoqhke.supabase.co) check-sni ovcemrljpcwwrfyoqhke.supabase.co