Hi Tom,
Try this: check-ssl (http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#check-ssl)
It will cause healthchecks to use ssl.
You will likely also add either a ca-cert or verify none.
Regards,
PiBa-NL
On 25-11-2015 at 11:34, Tom Duckering wrote:
Hi,
We’re in a situation where we’d like to use HAProxy to sit in front of a couple
of 3rd party HTTP(S) proxies to ensure that we’re resilient in the case that
one of them fails.
So far we have managed to configure something basic, but we’re a little
unsatisfied with using just a tcp-check since we’ve seen cases where HTTP
devices will accept TCP connections but are not actually functioning. Ideally
we’d like our checks to traverse the proxy and hit one of our services on the
other side.
We tried to configure an httpchk but it’s not working because the endpoint we’d
like to call through the proxy to is using SSL/TLS. It’s seemingly not possible
since in this case we need to first ask the proxy to open a connection (i.e.
CONNECT) to the HTTPS endpoint and then start sending requests using SSL. This
is where we’re stuck.
Does anyone have any suggestions on how we might get this working? We’ve searched
for “proxy” and “SSL” in the HAProxy docs but as you’d expect we get a lot of
good but irrelevant information.
We’re running version 1.5.14.
Thanks,
Tom & Will
                    ┌──────────┐        ┌──────────┐
                    │          │        │          │
                    │          │        │3rd party │
                    │          │        │ Explicit │
               ┌───▶│ HAProxy  │───┬───▶│ HTTP(S)  │────┐
               │    │          │   │    │  Proxy   │    │
┌──────────┐   │    │          │   │    │          │    │    ┌──────────┐
│          │   │    │          │   │    │          │    │    │          │
│          │   │    └──────────┘   │    └──────────┘    │    │          │
│   HTTP   │   │         ▲         │                    │    │  HTTPS   │
│Client(s) │───┤         │VRRP     │                    ├───▶│ Endpoint │
│          │   │         ▼         │                    │    │          │
│          │   │    ┌──────────┐   │    ┌──────────┐    │    │          │
│          │   │    │          │   │    │          │    │    │          │
└──────────┘   │    │          │   │    │3rd party │    │    └──────────┘
               │    │          │   │    │ Explicit │    │
               └───▶│ HAProxy  │───┴───▶│ HTTP(S)  │────┘
                    │          │        │  Proxy   │
                    │          │        │          │
                    │          │        │          │
                    └──────────┘        └──────────┘
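
The check-ssl suggestion from the reply at the top of this thread, written out as a backend fragment. This is an added example, not configuration posted by either participant. The backend name, server names, addresses, port, check URI and CA bundle path are assumptions. With check-ssl the health check's TLS handshake is made with the address on the server line, and the verify setting decides whether that peer's certificate is validated.

```haproxy
# Added illustration: every name, address and path here is a placeholder.
backend upstream_proxies
    # HTTP-level health check instead of a bare TCP connect (URI is assumed).
    option httpchk GET /health HTTP/1.0

    # Weak form: the check is encrypted, but any certificate is accepted,
    # so an impostor answering on this address would still pass the check.
    # server proxy1 192.0.2.10:8443 check check-ssl verify none

    # Stronger form: the check only passes if the certificate chains to the
    # CA bundle given in ca-file.
    server proxy1 192.0.2.10:8443 check check-ssl verify required ca-file /etc/haproxy/upstream-ca.pem
    server proxy2 192.0.2.11:8443 check check-ssl verify required ca-file /etc/haproxy/upstream-ca.pem
```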