OK, I misunderstood you: option httpchk GET /healthcheck and http-check expect status 200 go on different rows, but it doesn't work either.

>> Hi,
>>
>> On Fri, Feb 03, Antonio Trujillo Carmona wrote:
>>> All this goes fine, but balancer A doesn't know the state of the
>>> virtual machine, only the state of haproxy in the server; due to this,
>>> if we stop VM1 and look at the state in balancer A we see the VM is OK,
>>> that is because balancer A sees the state of haproxy in server 1, not
>>> the VM1 status.
>>>
>>> So my question:
>>> In this scenario:
>>> |S1 [VM 1]|
>>> |Hap------ |
>>> |[balA (haproxy)]| | [VM 3]|
>>> | keepalived |-----
>>> |[balB (haproxy)]| |S2 2 [VM 2]|
>>> |Hap------
>>> | [VM 4]|
>>> How can I pass the state of the VM to haproxy in balancer A and B?
>>
>>
>> If I understand your question correctly you can use monitor-uri and
>> monitor-fail on S1/S2 haproxy. And healthcheck the monitor-uri from
>> balA/balB.
>> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-monitor-uri
>> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#nbsrv)
>>
>> So in S1/S2 haproxy:
>> monitor-uri /healthcheck
>> monitor-fail if { nbsrv(your_backend_name) lt 1 }
>>
>> And in balA/balB:
>> option httpchk GET /healthcheck ...
>> http-check expect status 200
>>
>> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20httpchk)
>>
>> -Jarno
> OK, I can understand the first part for S1/S2, but not the part for
> balA/balB.
> option httpchk GET /healthcheck http-check expect status 200
> Is it possible to make an http-check within a tcp connection?
> We tried (prior to asking) with
> option httpchk GET /testwebwls/check
> (we made a process that returns ok and works fine in the no-SSL
> structure), but it doesn't work. I guess it is due to a certificate
> issue: the certificate name is "aplicaciones", aplicaciones is pointed
> by DNS to S1/S2 haproxy, S1/S2 try to connect to "10.105.x.x:1443" and
> the certificate is not valid for a server named "10.105.x.x", only for
> a server named "aplicaciones".
> With your proposal, in the statistics page we see all servers down
> with "LT7RSP"
>
> My configuration files are:
>
> In BalA/BalB
> # haproxy -v
> HA-Proxy version 1.5.18 2016/05/10
> # cat /etc/haproxy/haproxy
>
> #########################################################
> # HAProxy configuration file
> #########################################################
> global
>     log 127.0.0.1 local0 debug
>     chroot /var/lib/haproxy
>     user haproxy
>     group haproxy
>     daemon
>     node BALANCEADOR-PRINCIPAL
> defaults
>     log global
>     mode http
>     option dontlognull
>     option httpchk
>     retries 3
>     option redispatch
>     maxconn 5000
>     timeout connect 5s
>     timeout client 15min
>     timeout server 15s
>     stats show-node
>     stats enable
>
> frontend Jornasist
>     bind 10.107.20.9:80
>     option httplog
>     mode http
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
> ## I leave this part in order to have stats
>
> #### FRONTEND FOR SSL ##########
>
> frontend Aplicaciones
>     bind *:443
>     mode tcp
>
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>
>     acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>     acl citrixsf req_ssl_sni -i ssiiprovincial1.gra.sas.junta-andalucia.es
>     use_backend CitrixSF-SSL if citrixsf
>     use_backend SevidoresWeblogic-12c-Balanceador-SSL
>     default_backend SevidoresWeblogic-12c-Balanceador-SSL
>
>
> #### BACKEND FOR THE WEBLOGIC PRE-PRODUCTION SERVERS #####
> ### this part works fine without SSL
> #backend SevidoresWeblogic-12c-Balanceador
> #    mode http
> #    option httplog
> #    stats enable
> ##   option forwardfor
> ##   cookie JSESSIONID prefix
> #    cookie ServerID insert nocache indirect
> #    option httpchk GET /testwebwls/check
> #    balance roundrobin
>
> #    server ServerManager1-nodo1 10.105.15.112:8001 check inter 3000 cookie ServerManager1-nodo1
> #    server ServerManager2-nodo2 10.105.15.113:8002 check inter 3000 cookie ServerManager2-nodo2
> #    server ServerManager3-nodo1 10.105.15.112:8003 check inter 3000 cookie ServerManager3-nodo1
> #    server ServerManager4-nodo2 10.105.15.113:8004 check inter 3000 cookie ServerManager4-nodo2
>
>
> #### BACKEND FOR THE WEBLOGIC PRE-PRODUCTION SERVERS, SSL #####
> backend SevidoresWeblogic-12c-Balanceador-SSL
>     mode tcp
>     balance roundrobin
>
>     # maximum SSL session ID length is 32 bytes.
>     stick-table type binary len 32 size 30k expire 30m
>
>     acl clienthello req_ssl_hello_type 1
>     acl serverhello rep_ssl_hello_type 2
>
>     # use tcp content accepts to detect ssl client and server hello.
>     tcp-request inspect-delay 5s
>     tcp-request content accept if clienthello
>
>     # no timeout on response inspect delay by default.
>     # tcp-response content accept if serverhello
>
>     stick on payload_lv(43,1) if clienthello
>
>     # Learn on response if server hello.
>     # stick store-response payload_lv(43,1) if serverhello
>
>     # different tries that do not work
>     # option ssl-hello-chk
>     # option httpchk GET HTTP/1.0\r\nHost:\ /testwebwls/check
>     # option tcp-check
>
>     ######## your proposal
>     option httpchk GET /healthcheck http-check expect status 200
>     ########
>     server SSL-ServerManager1-nodo1 10.105.15.112:1443 check
>     server SSL-ServerManager2-nodo2 10.105.15.113:2443 check
>     server SSL-ServerManager3-nodo1 10.105.15.112:3443 check
>     server SSL-ServerManager4-nodo2 10.105.15.113:4443 check
>
> ...
>
>
> In S1/S2
> # haproxy -v
> HA-Proxy version 1.5.4 2014/09/02
> # cat /etc/haproxy/haproxy
>
> global
>     chroot /var/lib/haproxy
>     stats timeout 30s
>     user haproxy
>     group haproxy
>     daemon
>
>     # Default SSL material locations
>     ca-base /etc/ssl/certs
>     crt-base /etc/ssl/privado
>
>     # Default ciphers to use on SSL-enabled listening sockets.
>     # For more information, see ciphers(1SSL).
>     ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
>
> defaults
>     mode http
>     timeout connect 5000
>     timeout client 50000
>     timeout server 50000
>
> frontend fsm1
>     bind *:1443 ssl crt aplicaciones.pem
>     reqadd X-Forwarded-Proto:\ https
>
>     ######## your proposal
>     monitor-uri /healthcheck
>     monitor fail if { nbsrv(bsm1) lt 1 }
>
>     default_backend bsm1
>
> frontend fsm3
>     bind *:3443 ssl crt aplicaciones.pem
>     reqadd X-Forwarded-Proto:\ https
>     #### different tries that don't work
>     # acl site_dead nbsrv(bsm3) eq 0
>     # tcp-request connection reject if site_dead
>     ## acl site_dead nbsrv(bsm3) lt 1
>
>     ### this monitor uri has been proven to work fine
>     # monitor-uri /testwebwls/check
>     ###
>
>     # monitor fail if site_dead
>
>     ######## your proposal
>     monitor-uri /healthcheck
>     monitor fail if { nbsrv(bsm3) lt 1 }
>
>     default_backend bsm3
>
>
> backend bsm1
>     stats enable
>     stats hide-version
>     server sm1 127.0.0.1:8001 check
>
> backend bsm3
>     stats enable
>     stats hide-version
>     server sm3 127.0.0.1:8003 check

---
*Antonio Trujillo Carmona*
*Network and systems technician.*
*Subdirección de Tecnologías de la Información y Comunicaciones*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
[email protected]
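
The two-tier health check discussed in this thread, written out as an added example (not part of the original messages and not a configuration posted by either participant). It assumes the backend and server names from the thread, a hypothetical CA bundle at /etc/haproxy/ca.pem, and that the certificate name is "aplicaciones" as stated above; global and defaults sections are omitted.

```haproxy
# --- S1/S2 (constructed fragment, names taken from the thread) ---
frontend fsm1
    mode http
    bind *:1443 ssl crt aplicaciones.pem
    # Answer /healthcheck locally. While bsm1 has at least one usable
    # server the reply is 200; "monitor fail" turns it into a 503 as soon
    # as the local VM's server is marked down.
    monitor-uri /healthcheck
    monitor fail if { nbsrv(bsm1) lt 1 }
    default_backend bsm1

backend bsm1
    mode http
    server sm1 127.0.0.1:8001 check

# --- balA/balB (constructed fragment, names taken from the thread) ---
backend SevidoresWeblogic-12c-Balanceador-SSL
    mode tcp
    balance roundrobin
    # Two separate directives, one per line. An HTTP check is allowed in
    # a "mode tcp" backend: only the check speaks HTTP, client traffic is
    # still passed through as raw TCP.
    option httpchk GET /healthcheck
    http-check expect status 200
    # The S1/S2 frontends bind with "ssl", so the check must do its own
    # TLS handshake: check-ssl enables TLS for the health check only.
    # verify required + ca-file + verifyhost validate the certificate
    # against its name instead of the 10.105.x.x address. "verify none"
    # would also let the check connect, but it accepts any certificate.
    # ca-file path is an assumption; verifyhost value is the certificate
    # name given in the thread.
    server SSL-ServerManager1-nodo1 10.105.15.112:1443 check check-ssl verify required ca-file /etc/haproxy/ca.pem verifyhost aplicaciones
```

Each configuration can be syntax-checked with haproxy -c -f <file> before reloading.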

