> Hi,
>
> On Fri, Feb 03, Antonio Trujillo Carmona wrote:
>> All this works fine, but balancer A doesn't know the state of the virtual
>> machine, only the state of haproxy on the server. Because of this, if we
>> stop VM1 and look at the state in balancer A, we see the VM is OK; that is
>> because balancer A sees the state of haproxy on server 1, not the VM1 status.
>>
>> So my question:
>> In this scenario:
>> |S1 [VM 1]|
>> |Hap------ |
>> |[balA (haproxy)]| | [VM 3]|
>> | keepalived |-----
>> |[balB (haproxy)]| |S2 2 [VM 2]|
>> |Hap------
>> | [VM 4]|
>> How can I pass the state of the VM to haproxy in balancer A and B?
>
>
> If I understand your question correctly, you can use monitor-uri and
> monitor-fail on S1/S2 haproxy, and healthcheck the monitor-uri from
> balA/balB.
> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-monitor-uri
> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#nbsrv)
>
> So in S1/S2 haproxy:
>     monitor-uri /healthcheck
>     monitor fail if { nbsrv(your_backend_name) lt 1 }
>
> And in balA/balB:
>     option httpchk GET /healthcheck ...
>     http-check expect status 200
>
> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20httpchk)
>
> -Jarno

OK, I can understand the first part for S1/S2, but not the part for
balA/balB.
    option httpchk GET /healthcheck http-check expect status 200
Is it possible to make an http-check within a TCP connection?
We tried (prior to asking) with
    option httpchk GET /testwebwls/check
(we made a process which returns OK and works fine in the non-SSL
structure), but it doesn't work. I guess it is due to a certificate issue:
the certificate name is "aplicaciones", aplicaciones is pointed by DNS to
S1/S2 haproxy, S1/S2 try to connect to "10.105.x.x:1443" and the certificate
is not valid for a server named "10.105.x.x", only for a server named
"aplicaciones".
With your proposal, in the statistics page we see all servers down with "LT7RSP".
My configuration files are:

In BalA/BalB:

# haproxy -v
HA-Proxy version 1.5.18 2016/05/10
# cat /etc/haproxy/haproxy
#########################################################
# HAProxy configuration file
#########################################################
global
    log 127.0.0.1 local0 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    node BALANCEADOR-PRINCIPAL

defaults
    log global
    mode http
    option dontlognull
    option httpchk
    retries 3
    option redispatch
    maxconn 5000
    timeout connect 5s
    timeout client 15min
    timeout server 15s
    stats show-node
    stats enable

frontend Jornasist
    bind 10.107.20.9:80
    option httplog
    mode http
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
## I leave this part in order to have stats

#### FRONTEND FOR SSL ##########
frontend Aplicaciones
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial1.gra.sas.junta-andalucia.es
    use_backend CitrixSF-SSL if citrixsf
    use_backend SevidoresWeblogic-12c-Balanceador-SSL
    default_backend SevidoresWeblogic-12c-Balanceador-SSL

#### BACKEND FOR THE WEBLOGIC PRE-PRODUCTION SERVERS #####
### this part works fine without SSL
#backend SevidoresWeblogic-12c-Balanceador
#    mode http
#    option httplog
#    stats enable
##    option forwardfor
##    cookie JSESSIONID prefix
#    cookie ServerID insert nocache indirect
#    option httpchk GET /testwebwls/check
#    balance roundrobin
#    server ServerManager1-nodo1 10.105.15.112:8001 check inter 3000 cookie ServerManager1-nodo1
#    server ServerManager2-nodo2 10.105.15.113:8002 check inter 3000 cookie ServerManager2-nodo2
#    server ServerManager3-nodo1 10.105.15.112:8003 check inter 3000 cookie ServerManager3-nodo1
#    server ServerManager4-nodo2 10.105.15.113:8004 check inter 3000 cookie ServerManager4-nodo2

#### BACKEND FOR THE WEBLOGIC PRE-PRODUCTION SERVERS, SSL #####
backend SevidoresWeblogic-12c-Balanceador-SSL
    mode tcp
    balance roundrobin
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    # tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    # stick store-response payload_lv(43,1) if serverhello
    # different tries that did not work
    # option ssl-hello-chk
    # option httpchk GET HTTP/1.0\r\nHost:\ /testwebwls/check
    # option tcp-check
    ######## your proposal
    option httpchk GET /healthcheck http-check expect status 200
    ########
    server SSL-ServerManager1-nodo1 10.105.15.112:1443 check
    server SSL-ServerManager2-nodo2 10.105.15.113:2443 check
    server SSL-ServerManager3-nodo1 10.105.15.112:3443 check
    server SSL-ServerManager4-nodo2 10.105.15.113:4443 check
...

In S1/S2:

# haproxy -v
HA-Proxy version 1.5.4 2014/09/02
# cat /etc/haproxy/haproxy
global
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/privado
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL

defaults
    mode http
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend fsm1
    bind *:1443 ssl crt aplicaciones.pem
    reqadd X-Forwarded-Proto:\ https
    ######## your proposal
    monitor-uri /healthcheck
    monitor fail if { nbsrv(bsm1) lt 1 }
    default_backend bsm1

frontend fsm3
    bind *:3443 ssl crt aplicaciones.pem
    reqadd X-Forwarded-Proto:\ https
    #### different tries that don't work
    # acl site_dead nbsrv(bsm3) eq 0
    # tcp-request connection reject if site_dead
    ## acl site_dead nbsrv(bsm3) lt 1
    ### this monitor uri has proven to work fine
    # monitor-uri /testwebwls/check
    ###
    # monitor fail if site_dead
    ######## your proposal
    monitor-uri /healthcheck
    monitor fail if { nbsrv(bsm3) lt 1 }
    default_backend bsm3

backend bsm1
    stats enable
    stats hide-version
    server sm1 127.0.0.1:8001 check

backend bsm3
    stats enable
    stats hide-version
    server sm3 127.0.0.1:8003 check
---
*Antonio Trujillo Carmona*
*Network and Systems Technician.*
*Subdirectorate of Information and Communication Technologies*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
[email protected]_
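
Added example, not part of the original message and not the poster's or Jarno's configuration: the balA/balB SSL backend from the message with the health check written as two directives and sent over TLS, shown beside the lines as posted. It assumes balA/balB run HAProxy 1.5.x built with OpenSSL support; the ca-file path is a hypothetical placeholder, and the name "aplicaciones" is the certificate name given in the message.

```haproxy
# Added example for balA/balB (HAProxy 1.5.x with OpenSSL); not the poster's config.
backend SevidoresWeblogic-12c-Balanceador-SSL
    mode tcp
    balance roundrobin
    # ... stick-table / tcp-request / stick lines from the posted backend go here unchanged ...

    # Before (as it appears in the message): both directives on one line and a
    # plain "check", so a clear-text HTTP probe is sent to ports that S1/S2
    # bind with "ssl" and no valid HTTP response comes back.
    #   option httpchk GET /healthcheck http-check expect status 200
    #   server SSL-ServerManager1-nodo1 10.105.15.112:1443 check

    # After: two separate directives. Health checks are configured
    # independently of "mode tcp", so an HTTP check is allowed in this backend.
    option httpchk GET /healthcheck
    http-check expect status 200

    # check-ssl encrypts only the health check; client TLS is still passed
    # through untouched. "verify required" validates the certificate against
    # ca-file, and verifyhost matches it against the name "aplicaciones"
    # instead of the 10.105.x.x address used to connect.
    # ASSUMPTION: /etc/haproxy/checks-ca.pem is a hypothetical path to the CA
    # certificate that issued aplicaciones.pem.
    server SSL-ServerManager1-nodo1 10.105.15.112:1443 check check-ssl verify required ca-file /etc/haproxy/checks-ca.pem verifyhost aplicaciones
    server SSL-ServerManager2-nodo2 10.105.15.113:2443 check check-ssl verify required ca-file /etc/haproxy/checks-ca.pem verifyhost aplicaciones
    server SSL-ServerManager3-nodo1 10.105.15.112:3443 check check-ssl verify required ca-file /etc/haproxy/checks-ca.pem verifyhost aplicaciones
    server SSL-ServerManager4-nodo2 10.105.15.113:4443 check check-ssl verify required ca-file /etc/haproxy/checks-ca.pem verifyhost aplicaciones

    # Weaker alternative: the check is encrypted but any certificate is
    # accepted, so the probe trusts whatever answers on that address.
    #   server SSL-ServerManager1-nodo1 10.105.15.112:1443 check check-ssl verify none
```

With the S1/S2 frontends as posted, /healthcheck answers 200 while nbsrv() for the local backend is at least 1 and 503 once "monitor fail" matches, so "http-check expect status 200" takes the server out of rotation on balA/balB when the VM behind that frontend is down.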