
I have an HAProxy configuration that works perfectly for Vault servers in the backend with an HTTP configuration, and it load balances based on the unsealed and active Vault server using the 200 OK code. This works for HTTP. But we made everything HTTPS (TLS), so the health check is not working anymore and HAProxy directs us to a sealed Vault server. How do I modify the configuration below to support health checks for an HTTPS Vault server backend? My current config for HTTP is as follows:

listen vault
  bind 0.0.0.0:443
  mode tcp
  balance roundrobin
  # Layer-7 check: Vault answers 200 on /v1/sys/health only when it is
  # initialized, unsealed and the active node (standby = 429, sealed = 503)
  option httpchk HEAD /v1/sys/health
  http-check expect status 200
  option tcplog
  # "option ssl-hello-chk" and "option httpchk" are competing check types;
  # HAProxy applies whichever appears last in the section, so the SSLv3 hello
  # check would replace the HTTP status check. Commented out for that reason.
  # option ssl-hello-chk
  server web1 <vault 1 IP>:8200 check
  server web2 <vault 2 IP>:8200 check

3 Answers


Finally, I made it work by adding check-ssl verify none; more info here in the docs: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#check-ssl

listen vault
  bind 0.0.0.0:443
  mode tcp
  balance roundrobin
  option httpchk HEAD /v1/sys/health
  http-check expect status 200
  option tcplog
  # "option ssl-hello-chk" would override "option httpchk" (only the last check
  # type listed takes effect) and is pointless once the check itself runs inside
  # a real TLS handshake via check-ssl, so it is commented out here.
  # option ssl-hello-chk
  # check-ssl: wrap only the health check in TLS (client traffic is still passed
  # through untouched in tcp mode). verify none: accept any server certificate,
  # i.e. the check does not authenticate which host it is talking to.
  server web1 <vault 1 IP>:8200 check check-ssl verify none
  server web2 <vault 2 IP>:8200 check check-ssl verify none

Something along these lines? (Works for self-signed certs)

...
# "ssl" (unlike "check-ssl") tells HAProxy to speak TLS to the backend for the
# forwarded traffic as well, and implies check-ssl for the health checks. With
# a plain tcp-mode bind that passes the client's TLS session through, this
# would wrap TLS inside TLS, so use check-ssl when only the checks need TLS.
# "verify none" skips certificate verification entirely.
server web1 <vault 1 IP>:8200 check ssl verify none
server web2 <vault 2 IP>:8200 check ssl verify none
...

Reference: the ssl server option in the HAProxy documentation

NublaII

The proper way should be to enable SSL/TLS verification, and not skip it with ssl verify none.

You should load a valid CA (your company's, or the one you created/used to sign the certificates exposed by your backends) with ca-file <file> and then verify the certs at the server level with ssl verify required. If your backends expose a publicly signed valid certificate you can skip the ca-file configuration, since HAProxy's internal trust store would already contain the CA needed to trust the certificate.

...
defaults
    ...
    # "http-check connect" / "http-check send" require HAProxy 2.2 or newer.
    option httpchk
    http-check connect ssl alpn h2
    # For Vault the health URI is /v1/sys/health; /health and the Host value
    # below are placeholders from a generic setup.
    http-check send meth GET uri /health ver HTTP/2 hdr Host haproxy.local
    http-check expect status 200
    # ca-file + verify required: the backend certificate chain must validate
    # against CA.pem. Note that "ssl" also re-encrypts forwarded traffic; if the
    # frontend passes client TLS through in tcp mode, use check-ssl instead.
    default-server ca-file /certs/CA.pem check ssl verify required
...
Naramsim
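The following is an added example, not configuration from the question or any of the answers above. It applies the "verify the backend certificate" approach to the Vault setup in the question: TLS passthrough in tcp mode (HAProxy does not terminate the client's TLS), so the health check alone is wrapped in TLS with check-ssl rather than ssl, and the check validates the Vault listener certificate against a CA bundle and pins the expected hostname. The IP addresses, hostnames and the CA path /etc/haproxy/vault-ca.pem are assumptions; it assumes HAProxy 2.2 or newer.

```haproxy
# Added example: Vault behind HAProxy in TLS passthrough mode with an
# authenticated health check. Addresses, hostnames and paths are placeholders.

global
    log stdout format raw local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

listen vault
    bind 0.0.0.0:443
    balance roundrobin

    # Layer-7 check. Vault's /v1/sys/health returns 200 only for the active,
    # unsealed node. Standby (429), sealed (503) and uninitialized (501) nodes
    # fail the check and receive no traffic.
    option httpchk HEAD /v1/sys/health
    http-check expect status 200

    # WEAK (the first answer's approach): the check is wrapped in TLS but the
    # server certificate is never validated, so anything that speaks TLS on
    # port 8200 and returns 200 can steer traffic to itself.
    # server web1 10.0.0.11:8200 check check-ssl verify none
    # server web2 10.0.0.12:8200 check check-ssl verify none

    # HARDENED: check-ssl (not ssl) because client TLS is passed through
    # untouched; the certificate chain must validate against the Vault CA
    # (assumed path), and the SNI sent in the check plus the verified hostname
    # are pinned per node so a valid cert for a different host is rejected.
    default-server check check-ssl ca-file /etc/haproxy/vault-ca.pem verify required
    server web1 10.0.0.11:8200 check-sni vault-1.example.internal verifyhost vault-1.example.internal
    server web2 10.0.0.12:8200 check-sni vault-2.example.internal verifyhost vault-2.example.internal
```

If the Vault listeners use a self-signed certificate rather than one issued by an internal CA, point ca-file at that certificate itself. Validate with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading, then confirm in the stats output or logs that exactly one node (the active one) is UP; after sealing a node, its check should flip to DOWN with an L7 status of 503.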