HAProxy community

SSL requests pass through although check is off


I have following configuration which works good for http connections but have some issues for https.
If client establishes keep-alive connection and I disable httpchk endpoint, https requests are still coming to node (other endpoint) until I kill whole api. There is mode tcp for https. Https checks are on http port because client certificate is required (I don’t want this on haproxy). If there is a new or recreated connection check works fine for https and no tasks are assigned to that server.
Can one advise on this? Is this problem/feature of tcp mode?

retries 5
option redispatch
balance leastconn
option httpchk GET /api/status
http-check expect status 200

listen http
mode http
option http-server-close
option httplog
option forwardfor
server srv1 srv1:8888 check
server srv2 srv2:8888 check

listen https
mode tcp
option tcplog
option http-server-close
server srv1 srv1:9999 check port 8888
server srv2 srv2:9999 check port 8888

if you want to kill existing sessions when the health check fails, you have to use on-marked-down on your server line.

default-server check port 8888 on-marked-down shutdown-sessions
server srv1 srv1:9999 
server srv2 srv2:9999

Hey Jerome,
thanks for your advice.

It’s not exactly what I need as shutdown-session kills all in-flight requests and I would like them to be softly redirected to other node-servers. Actually I can do the same by disabling all server endpoints. The main goal is - it should be transparent for client like in http balancing.


You can’t send a redirect if you don’t terminate ssl with haproxy. When you use mode tcp the connection must be closed if you want to use a different server.

Looks like tcp mode works as you said. I understand it’s hard to implement on transport layer.
Thanks Jerome.