11

I have an HAProxy configuration that works perfectly for Vault servers in the backend with an HTTP configuration, and it load balances based on the unsealed and active Vault server using the 200 OK code. This works for HTTP. But we made everything HTTPS (TLS), so the health check is not working anymore and HAProxy directs us to a sealed Vault server. How do I modify the configuration below to support health checks for an HTTPS Vault server backend? My current config for HTTP is as follows:

listen vault
  bind 0.0.0.0:443
  mode tcp
  balance roundrobin
  option httpchk HEAD /v1/sys/health
  http-check expect status 200
  option tcplog
  option ssl-hello-chk
  server web1 <vault 1 IP>:8200 check
  server web2 <vault 2 IP>:8200 check
Jayabalan Bala

2 Answers

7

Finally, I made it work by adding `check-ssl verify none`. More info here in the docs: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#check-ssl

listen vault
  bind 0.0.0.0:443
  mode tcp
  balance roundrobin
  option httpchk HEAD /v1/sys/health
  http-check expect status 200
  option tcplog
  option ssl-hello-chk
  server web1 <vault 1 IP>:8200 check check-ssl verify none
  server web2 <vault 2 IP>:8200 check check-ssl verify none
Jayabalan Bala
5

Something along these lines? (Works for self-signed certs)

...
server web1 <vault 1 IP>:8200 check ssl verify none
server web2 <vault 2 IP>:8200 check ssl verify none
...

Reference: ssl reference on haproxy documentation

NublaII
  • I am still monitoring it to see if it works. Also, I need to redirect HTTP to HTTPS. I saw examples with frontend and backend sections but am not sure how to do it with a listen section – Jayabalan Bala Aug 01 '18 at 20:06
  • @JayabalanBala Quick search turned this up: https://stackoverflow.com/questions/35399514/force-haproxy-to-https – NublaII Aug 02 '18 at 07:47
  • 1
    @NublaII It didn't help. The correct way of doing it is `server web1 :8200 check check-ssl verify none` – Jayabalan Bala Aug 03 '18 at 03:15
  • @JayabalanBala Thanks, that was it, you need both: `check check-ssl`. This error had me looking for a while on this one--even looked up this Q&A twice before I saw your comment. Thanks again!! – fourpastmidnight Apr 19 '21 at 02:11
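Pulling both answers and the comment thread together, here is an added example (not the poster's or either answerer's config) of the TLS passthrough listener with the health check done over TLS, showing the `verify none` setting from the accepted answer next to a variant that verifies the Vault certificate; the CA file path, the `vault1.example.internal` hostnames and the port-80 redirect frontend are assumptions for illustration:

```haproxy
# Optional: send plain HTTP clients to HTTPS (asked in the comments).
# This must be a separate mode-http frontend, because the Vault listener
# below is TLS passthrough in tcp mode and never sees HTTP requests.
frontend http_redirect
  bind 0.0.0.0:80
  mode http
  http-request redirect scheme https code 301

listen vault
  bind 0.0.0.0:443
  mode tcp                         # passthrough: Vault terminates TLS itself
  balance roundrobin
  option tcplog
  # Vault's /v1/sys/health answers 200 only for an initialized, unsealed,
  # active node (429 standby, 503 sealed, 501 uninitialized), so
  # "expect status 200" is what keeps traffic off sealed servers.
  option httpchk HEAD /v1/sys/health
  http-check expect status 200
  # "check-ssl" wraps only the health check in TLS. Do not use plain "ssl"
  # here: in tcp mode that would re-encrypt the client's already-encrypted
  # bytes (the comment thread hit exactly this). "option ssl-hello-chk" is
  # dropped because the HTTP check over TLS replaces it.
  #
  # As in the accepted answer (works with self-signed certs, but the check
  # trusts any certificate, so anything answering 200 on :8200 passes):
  # server web1 <vault 1 IP>:8200 check check-ssl verify none
  #
  # Verified variant: pin the cluster CA (assumed path) and check the
  # certificate name; check-sni needs HAProxy 1.8 or newer.
  server web1 <vault 1 IP>:8200 check check-ssl verify required ca-file /etc/haproxy/vault-ca.pem check-sni vault1.example.internal verifyhost vault1.example.internal
  server web2 <vault 2 IP>:8200 check check-ssl verify required ca-file /etc/haproxy/vault-ca.pem check-sni vault2.example.internal verifyhost vault2.example.internal
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and confirm the routing by sealing one node and watching it leave the pool in the stats page.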