On 2017-12-29 at 15:14, Lukas Tribus wrote:
> Hello,
>
>
>
> On Fri, Dec 29, 2017 at 3:06 PM, Mariusz Kalota <[email protected]> wrote:
>> I have two servers. Servers need client certificate to give answer. My
>> configuration is like this:
>>
>> listen https-test-51111
>> bind *:51111
>> mode tcp
>> balance roundrobin
>> option httpchk GET /somefile.asmx
>> server server1 192.168.0.1:51111 check check-ssl verify none crt
>> /etc/haproxy/cert.pem ssl sni str(test1.site.local) check-sni
>> test1.site.local
>> server server2 192.168.0.2:51111 check check-ssl verify none crt
>> /etc/haproxy/cert.pem ssl sni str(test2.site.local) check-sni
>> test2.site.local
>>
>>
>> If you write in web browser https://test.site.local:51111 you go to
>> haproxy which goes to one of the two servers. Certificate on that servers
>> are *.site.local.
>>
>> In stats of haproxy I get:
>> lastChk
>> L7STS/400 in 3ms
>> L7STS/400 in 4ms
>>
>> What I do wrong?
> Please clarify what you would like to do. Do you want to forward the
> encrypted HTTPS transparently to the backend, but use SSL for health
> checks?
> In that case you need to remove the ssl option from the command line.
>
> L7STS means that the server returned a HTTP5xx error. Perhaps you need
> some specific Host header for the server to return your checks?
>
>
> Like:
> option httpchk GET /somefile.asmx HTTP/1.1\r\nHost:\ test1.site.local
>
>
>
> Regards,
> Lukas

Hello,
thanks for reply.
I would like to forward the encrypted HTTPS transparently to the backend.
I would like to check the health of my backend servers, but not only on layer 4, but on layer 7. So I have to get /somefile.asmx, and I have to give client certificate, and I have to check the backend server not using IP, but using hostname.

The two backend servers are IIS servers, which have bindings:

server1:
test.site.local:51111
test1.site.local:51111

server2:
test.site.local:51111
test2.site.local:51111

If I use test.site.local in the web browser I go to haproxy. If I use test1.site.local or test2.site.local I go to one of the backend servers directly.

So currently my main issue is to check health of backend servers on layer 7 (http 200 response).

Regards,
Mariusz
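
The setup discussed in this thread, written out as an added example (not part of the thread and not either poster's own configuration): client TLS is relayed untouched in TCP mode, and only the health check opens its own TLS session with the client certificate. It assumes HAProxy 1.8 or later (for `check-sni`) and that the `test.site.local` binding both IIS servers share answers `/somefile.asmx` with 200; whether that clears the 400 on these servers is not confirmed by the thread.

```haproxy
listen https-test-51111
    bind *:51111
    mode tcp
    balance roundrobin

    # Layer 7 check with an explicit Host header, as suggested in the reply.
    # Assumption: test.site.local is used because both servers list that binding.
    option httpchk GET /somefile.asmx HTTP/1.1\r\nHost:\ test.site.local
    # Mark the server up only on an HTTP 200 response.
    http-check expect status 200

    # No "ssl" and no "sni" on the server lines: those would make HAProxy
    # open its own TLS session for client traffic instead of passing the
    # client's encrypted stream through.
    #
    # check-ssl : the health check alone is sent over TLS
    # check-sni : SNI presented by the health check (matches the Host header)
    # crt       : client certificate presented to IIS during the check
    # verify none is kept from the thread; with it the check does not
    # validate the backend certificate. "verify required ca-file <CA_FILE>"
    # (<CA_FILE> is a placeholder) would authenticate the backend instead.
    server server1 192.168.0.1:51111 check check-ssl check-sni test.site.local crt /etc/haproxy/cert.pem verify none
    server server2 192.168.0.2:51111 check check-ssl check-sni test.site.local crt /etc/haproxy/cert.pem verify none
```

`/etc/haproxy/cert.pem` has to contain both the client certificate and its private key, and the file should be readable only by the HAProxy user since it holds key material.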

