On 23 July 2012 03:59, Alex Soto <[email protected]> wrote:
> Hi,
>
> I've got a proxy connecting to two 'servers' that are connecting from the
> HAProxy to the remote servers via an ssh tunnel.
>
> Here's an example:
>
> listen portal 127.0.0.1:8085
>     mode tcp
>     balance source
>     timeout check 3000
>     server i-e4014f9c localhost:58919 check
>     server i-76a4ea0f localhost:38559 check
>
> localhost:58919 and localhost:38559 are forwarded to separate remote servers
> via an SSH tunnel.
>
> What I'm seeing is that I can take down the remote service and HAProxy
> doesn't detect it, but if I take down the ssh tunnel it detects it. I'm
> wondering if there is some configuration that I can do to have HAProxy detect
> when the remote server's service goes down?

This is because you're only asking HAProxy to check SSH, i.e.
localhost:58919/38559. It doesn't know anything about the remote service.

If the remote service is HTTP, you could add a "httpchk" line that will
determine if layer7 is working. If not, there are some other protocols for
which layer7 checks have been implemented (mysql; pgsql(?); smtp) but, if
you're not using them, I'm not sure what to suggest.

As an aside, I can't imagine performance over SSH tunnels is brilliant. Have
you considered more transparent yet still secure options, such as IPsec or
(for ease of setup) OpenVPN? With those, you'd have the advantage of being
able to do TCP checks of the remote port instead of a localhost one, without
having to care about the layer7 checks. Which isn't a /good/ thing - layer7
checks are the way forward! But it helps if you're not talking a layer7
protocol that HAProxy knows about.

HTH,
Jonathan
--
Jonathan Matthews
Oxford, London, UK
http://www.jpluscplusm.com/contact.html
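
The behaviour discussed in this thread, reproduced on localhost as an added example (not code from either poster or from HAProxy). A plain TCP forwarder stands in for the ssh tunnel listener and a constructed HTTP responder for the remote service; the names listen, http_service, tunnel_to, check and compare are hypothetical.

```python
import socket, threading

def listen(handler):  # serve each connection on an ephemeral localhost port
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def http_service(conn):  # constructed remote service: 200 to any request
    with conn:
        if conn.recv(1024):
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")

def tunnel_to(remote_port):
    """Stand-in for an ssh -L forward: accept locally first, dial the remote after."""
    def handler(conn):
        with conn:
            try:
                with socket.create_connection(("127.0.0.1", remote_port), timeout=2) as up:
                    if request := conn.recv(1024):
                        up.sendall(request)
                        conn.sendall(up.recv(1024))
            except OSError:
                pass  # remote refused, but the client's TCP connect already succeeded
    return handler

def check(port, layer7=False):
    """Bare 'check' (TCP connect only) or, with layer7, an httpchk-style probe."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
            if not layer7:
                return True
            s.sendall(b"OPTIONS / HTTP/1.0\r\n\r\n")  # HAProxy's default httpchk request
            reply = s.recv(1024).split()
            return len(reply) > 1 and reply[1][:1] in (b"2", b"3")
    except OSError:
        return False

def compare():
    with socket.socket() as spare:  # bound but never listening: connects are refused
        spare.bind(("127.0.0.1", 0))
        down_port = spare.getsockname()[1]
        remotes = {"service_up": listen(http_service), "service_down": down_port}
        tunnels = {name: listen(tunnel_to(port)) for name, port in remotes.items()}
        return {name: (check(p), check(p, layer7=True)) for name, p in tunnels.items()}
```

compare() returns a (TCP check, layer-7 check) pair per tunnel; the tunnel whose remote service is down still passes the TCP check and only the layer-7 probe marks it failed.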

