Hello Rainer,
On Tue, 25 Jun 2019 at 16:18, <[email protected]> wrote:
> The requests from the healthchecks *do* arrive at the right vhosts on
> the backend, there's a code 200 in the logs.
> So, I wonder what exactly is timing out for haproxy.
> The server on the other end does not accept non-SNI connections, there's
> an SSL handshake error if you don't do SNI.
>
>
> At this point, I feel pretty dumb.

Health checks are fine. Actual requests with your production traffic are not.

check-sni specifies the SNI value to use for health-checks ONLY.
sni specifies the SNI value for actual traffic ONLY.

You need both though.

So your servers look like this for example, notice that both check-sni and sni are configured:

server server1 10.10.10.11:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s1 check-sni host3.intern sni str(host3.intern)
server server2 10.10.10.12:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s2 check-sni host3.intern sni str(host3.intern)

If you only configure check-sni, only health checks work, production traffic will not.

regards,
lukas
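
Added example, not part of the original message and not HAProxy project code: a small lint that flags TLS server lines where only one of check-sni / sni is set, the mismatch described above. The backend name, server3 and the TAKES_ARG keyword subset are assumptions made for the example; default-server inheritance is not handled.

```python
# Server keywords that consume the following token (subset, extend as needed).
TAKES_ARG = {"check-sni", "sni", "cookie", "maxconn", "verify", "weight",
             "inter", "rise", "fall", "ca-file", "crt", "port", "addr"}

def parse_server(line):
    """Return (name, {keyword: value or True}) for a 'server' line, else None."""
    tokens = line.split("#", 1)[0].split()   # drop trailing comment
    if len(tokens) < 3 or tokens[0] != "server":
        return None
    opts, i = {}, 3                          # tokens[1]=name, tokens[2]=address
    while i < len(tokens):
        kw = tokens[i]
        if kw in TAKES_ARG and i + 1 < len(tokens):
            opts[kw] = tokens[i + 1]         # keyword with a value
            i += 2
        else:
            opts[kw] = True                  # bare flag such as ssl or check
            i += 1
    return tokens[1], opts

def lint_sni(config_text):
    """Flag ssl servers where health checks and traffic disagree on SNI."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parsed = parse_server(line)
        if parsed is None or "ssl" not in parsed[1]:
            continue
        name, opts = parsed
        if "check-sni" in opts and "sni" not in opts:
            findings.append((lineno, name,
                             "check-sni only: production traffic sends no SNI"))
        if "sni" in opts and "check" in opts and "check-sni" not in opts:
            findings.append((lineno, name,
                             "sni only: health checks send no SNI"))
    return findings

# Constructed sample: server1 is the broken case from the thread,
# server2 follows the corrected form, server3 is the reverse mistake.
SAMPLE = """\
backend be_intern
    server server1 10.10.10.11:443 check check-ssl ssl verify none check-sni host3.intern
    server server2 10.10.10.12:443 check check-ssl ssl verify none check-sni host3.intern sni str(host3.intern)
    server server3 10.10.10.13:443 check check-ssl ssl verify none sni str(host3.intern)
"""

if __name__ == "__main__":
    for lineno, name, msg in lint_sni(SAMPLE):
        print(f"line {lineno}: {name}: {msg}")
```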

