>>> Hi,
>>>
>>> On Fri, Feb 03, Antonio Trujillo Carmona wrote:
>>>> All this goes fine, but balancer A doesn't know the state of the virtual machine but
>>>> the state of haproxy in the server; because of this, if we stop VM1 and look at the state in
>>>> balancer A we see the VM is OK, that is because balancer A sees the state of
>>>> haproxy in server 1, not the VM1 status.
>>>>
>>>> So my question:
>>>> In this scenario:
>>>> |S1 [VM 1]|
>>>> |Hap------ |
>>>> |[balA (haproxy)]| | [VM 3]|
>>>> | keepalived |-----
>>>> |[balB (haproxy)]| |S2 2 [VM 2]|
>>>> |Hap------
>>>> | [VM 4]|
>>>> How can I pass the state of the VM to haproxy in balancer A and B?
>>>
>>>
>>> If I understand your question correctly you can use monitor-uri and
>>> monitor-fail on S1/S2 haproxy. And healthcheck the monitor-uri from
>>> balA/balB.
>>> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-monitor-uri
>>> http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#nbsrv)
>>>
>>> So in S1/S2 haproxy:
>>> monitor-uri /healthcheck
>>> monitor fail if { nbsrv(your_backend_name) lt 1 }
>>>
>>> And in balA/balB:
>>> option httpchk GET /healthcheck ...
>>> http-check expect status 200
>>>
>>> (http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20httpchk)
>>>
>>> -Jarno
>> OK, I can understand the first part for S1/S2, but not the part for
>> balA/balB.
>> option httpchk GET /healthcheck
>> http-check expect status 200
>> Is it possible to make an http-check within a tcp connection?
>> We tried (prior to asking) with
>> option httpchk GET /testwebwls/check
>> (we made a process which returns ok and works fine in the no-SSL
>> structure), but it doesn't work; I guess it is due to a certificate issue:
>> the certificate name is "aplicaciones", aplicaciones is pointed by DNS to
>> S1/S2 haproxy, S1/S2 try to connect to "10.105.x.x:1443" and the certificate
>> is not valid for a server named "10.105.x.x", only for a server named
>> "aplicaciones".
>> With your proposal, in the statistics page we see all servers down with "L7RSP".
>>
>> My configuration files are:
>>
>> In BalA/BalB
>> # haproxy -v
>> HA-Proxy version 1.5.18 2016/05/10
>> # cat /etc/haproxy/haproxy
>>
>> #########################################################
>> # HAPROXY configuration file
>> #########################################################
>> global
>>     log 127.0.0.1 local0 debug
>>     chroot /var/lib/haproxy
>>     user haproxy
>>     group haproxy
>>     daemon
>>     node BALANCEADOR-PRINCIPAL
>> defaults
>>     log global
>>     mode http
>>     option dontlognull
>>     option httpchk
>>     retries 3
>>     option redispatch
>>     maxconn 5000
>>     timeout connect 5s
>>     timeout client 15min
>>     timeout server 15s
>>     stats show-node
>>     stats enable
>>
>> frontend Jornasist
>>     bind 10.107.20.9:80
>>     option httplog
>>     mode http
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if { req_ssl_hello_type 1 }
>>     ## I leave this part in order to have stats
>>
>> #### FRONTEND FOR SSL ##########
>>
>> frontend Aplicaciones
>>     bind *:443
>>     mode tcp
>>
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if { req_ssl_hello_type 1 }
>>
>>     acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial1.gra.sas.junta-andalucia.es
>>     use_backend CitrixSF-SSL if citrixsf
>>     use_backend SevidoresWeblogic-12c-Balanceador-SSL
>>     default_backend SevidoresWeblogic-12c-Balanceador-SSL
>>
>>
>> #### BACKEND FOR THE PRE-PRODUCTION WEBLOGIC SERVERS #####
>> ### this part
>> works fine without SSL
>> #backend SevidoresWeblogic-12c-Balanceador
>> #    mode http
>> #    option httplog
>> #    stats enable
>> ##   option forwardfor
>> ##   cookie JSESSIONID prefix
>> #    cookie ServerID insert nocache indirect
>> #    option httpchk GET /testwebwls/check
>> #    balance roundrobin
>>
>> #    server ServerManager1-nodo1 10.105.15.112:8001 check inter 3000 cookie ServerManager1-nodo1
>> #    server ServerManager2-nodo2 10.105.15.113:8002 check inter 3000 cookie ServerManager2-nodo2
>> #    server ServerManager3-nodo1 10.105.15.112:8003 check inter 3000 cookie ServerManager3-nodo1
>> #    server ServerManager4-nodo2 10.105.15.113:8004 check inter 3000 cookie ServerManager4-nodo2
>>
>>
>> #### BACKEND FOR THE PRE-PRODUCTION WEBLOGIC SERVERS, SSL #####
>> backend SevidoresWeblogic-12c-Balanceador-SSL
>>     mode tcp
>>     balance roundrobin
>>
>>     # maximum SSL session ID length is 32 bytes.
>>     stick-table type binary len 32 size 30k expire 30m
>>
>>     acl clienthello req_ssl_hello_type 1
>>     acl serverhello rep_ssl_hello_type 2
>>
>>     # use tcp content accepts to detect ssl client and server hello.
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if clienthello
>>
>>     # no timeout on response inspect delay by default.
>>     # tcp-response content accept if serverhello
>>
>>     stick on payload_lv(43,1) if clienthello
>>
>>     # Learn on response if server hello.
>>     # stick store-response payload_lv(43,1) if serverhello
>>
>>     # different tries that did not work
>>     # option ssl-hello-chk
>>     # option httpchk GET HTTP/1.0\r\nHost:\ /testwebwls/check
>>     # option tcp-check
>>
>>     ######## your proposal
>>     option httpchk GET /healthcheck
>>     http-check expect status 200
>>     ########
>>     server SSL-ServerManager1-nodo1 10.105.15.112:1443 check
>>     server SSL-ServerManager2-nodo2 10.105.15.113:2443 check
>>     server SSL-ServerManager3-nodo1 10.105.15.112:3443 check
>>     server SSL-ServerManager4-nodo2 10.105.15.113:4443 check
>>
>> ...
>>
>>
>> In S1/S2
>> # haproxy -v
>> HA-Proxy version 1.5.4 2014/09/02
>> # cat /etc/haproxy/haproxy
>>
>> global
>>     chroot /var/lib/haproxy
>>     stats timeout 30s
>>     user haproxy
>>     group haproxy
>>     daemon
>>
>>     # Default SSL material locations
>>     ca-base /etc/ssl/certs
>>     crt-base /etc/ssl/privado
>>
>>     # Default ciphers to use on SSL-enabled listening sockets.
>>     # For more information, see ciphers(1SSL).
>>     ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
>>
>> defaults
>>     mode http
>>     timeout connect 5000
>>     timeout client 50000
>>     timeout server 50000
>>
>> frontend fsm1
>>     bind *:1443 ssl crt aplicaciones.pem
>>     reqadd X-Forwarded-Proto:\ https
>>
>>     ######## your proposal
>>     monitor-uri /healthcheck
>>     monitor fail if { nbsrv(bsm1) lt 1 }
>>
>>     default_backend bsm1
>>
>> frontend fsm3
>>     bind *:3443 ssl crt aplicaciones.pem
>>     reqadd X-Forwarded-Proto:\ https
>>     #### different tries that did not work
>>     # acl site_dead nbsrv(bsm3) eq 0
>>     # tcp-request connection reject if site_dead
>>     ## acl site_dead nbsrv(bsm3) lt 1
>>
>>     ### this monitor-uri has been proven to work fine
>>     # monitor-uri /testwebwls/check
>>     ###
>>
>>     # monitor fail if site_dead
>>
>>     ######## your proposal
>>     monitor-uri /healthcheck
>>     monitor fail if { nbsrv(bsm3) lt 1 }
>>
>>     default_backend bsm3
>>
>>
>> backend bsm1
>>     stats enable
>>     stats hide-version
>>     server sm1 127.0.0.1:8001 check
>>
>> backend bsm3
>>     stats enable
>>     stats hide-version
>>     server sm3 127.0.0.1:8003 check
OK, I found a solution: bypass haproxy in the server:

    server SSL-ServerManager1-nodo1 10.105.15.112:1443 check port 8001
    server SSL-ServerManager2-nodo2 10.105.15.113:2443 check port 8002
    server SSL-ServerManager3-nodo1 10.105.15.112:3443 check port 8003
    server SSL-ServerManager4-nodo2 10.105.15.113:4443 check port 8004

but I needed to add

    option httpchk GET /healthcheck
    http-check expect status 404

What is the meaning of the status returned in http-check?
Without SSL you can see in the statistics whether a server is down, up, going down or starting; right now I guess that is not going to work, only up or down.

Thanks for your help, I am going home till Monday, have a good weekend.

---
Antonio Trujillo Carmona
Network and systems technician.
Subdirección de Tecnologías de la Información y Comunicaciones
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
[email protected]
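The following is an added example, not part of the thread and not either poster's configuration, showing the two-tier check the thread is after on HAProxy 1.5: S1/S2 answer the monitor-uri from their TLS frontend only while at least one WebLogic managed server passes a layer-7 check, and balA/balB query that URI over TLS from the mode tcp backend, so the state of the application (not just of the haproxy process on S1/S2) propagates to the balancers. It assumes an internal CA file at /etc/ssl/certs/ca-interna.pem (hypothetical path) that signed aplicaciones.pem, and that the certificate's subject or SAN is aplicaciones.gra.sas.junta-andalucia.es (the SNI name the balA/balB frontend already routes on); only fsm1/bsm1 and one server line per side are shown, the other ports follow the same pattern.

```haproxy
# ---------- S1 / S2 (HAProxy 1.5.x, terminates TLS in front of WebLogic) ----------
# monitor-uri is answered by the frontend itself, before any backend is chosen,
# so a check from balA/balB has to reach this TLS listener, not WebLogic directly.
frontend fsm1
    bind *:1443 ssl crt aplicaciones.pem
    reqadd X-Forwarded-Proto:\ https
    # 200 while at least one server in bsm1 is UP, 503 once none is
    monitor-uri /healthcheck
    monitor fail if { nbsrv(bsm1) lt 1 }
    default_backend bsm1

backend bsm1
    # nbsrv() only reflects the application if the server is checked at layer 7;
    # a bare "check" is a TCP connect and stays UP as long as port 8001 listens.
    # /testwebwls/check is the page the thread already uses for this purpose.
    option httpchk GET /testwebwls/check
    http-check expect status 200
    server sm1 127.0.0.1:8001 check inter 3000 rise 2 fall 3

# ---------- balA / balB (HAProxy 1.5.18, SNI passthrough, mode tcp) ----------
backend SevidoresWeblogic-12c-Balanceador-SSL
    mode tcp
    balance roundrobin
    # Health checks do not depend on the proxy mode: this backend forwards raw
    # TLS but still sends an HTTP request for the check. Extra headers are
    # appended through the "version" field of option httpchk.
    option httpchk GET /healthcheck HTTP/1.0\r\nHost:\ aplicaciones.gra.sas.junta-andalucia.es
    http-check expect status 200
    # check-ssl wraps only the health check in TLS; without it the plaintext
    # request hits a TLS listener and no parseable HTTP reply comes back.
    # "verify required" + ca-file pin the issuer, "verifyhost" pins the
    # certificate name (the server line connects to an IP, so no name would be
    # checked otherwise). ca-interna.pem is an assumed path for the CA that
    # signed aplicaciones.pem.
    server SSL-ServerManager1-nodo1 10.105.15.112:1443 check inter 3000 rise 2 fall 3 check-ssl verify required ca-file /etc/ssl/certs/ca-interna.pem verifyhost aplicaciones.gra.sas.junta-andalucia.es

    # Alternative that bypasses the S1/S2 haproxy and checks WebLogic on its
    # plain HTTP port. If this route is kept, check the page that returns 200
    # rather than accepting a 404 for an unknown URI, so UP still means the
    # application answers:
    # option httpchk GET /testwebwls/check
    # http-check expect status 200
    # server SSL-ServerManager1-nodo1 10.105.15.112:1443 check port 8001 inter 3000 rise 2 fall 3
```

`http-check expect status <code>` makes a check pass only when the response status is exactly that code, so `expect status 404` together with `check port 8001` marks a managed server UP whenever WebLogic answers 404 for /healthcheck: that proves the HTTP listener is alive, not that the deployed application works, and it keeps reporting UP for a server whose application has been undeployed. The `rise`/`fall` counters are what drive the intermediate "going down" and "going up" states shown in the statistics page; they behave the same whether the check is plain HTTP, wrapped with `check-ssl`, or redirected with `check port`.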

