On 2017-12-29 at 16:10, Mariusz Kalota wrote:
> On 2017-12-29 at 15:53, Mariusz Kalota wrote:
>> On 2017-12-29 at 15:28, Lukas Tribus wrote:
>>> Hello,
>>>
>>>
>>> On Fri, Dec 29, 2017 at 3:24 PM, Mariusz Kalota <[email protected]> wrote:
>>>> Hello, thanks for the reply.
>>>>
>>>> I would like to forward the encrypted HTTPS transparently to the
>>>> backend. I would like to check the health of my backend servers, not only
>>>> on layer 4, but on layer 7. So I have to get /somefile.asmx, and I have
>>>> to give a client certificate, and I have to check the backend server not
>>>> using the IP, but using the hostname.
>>>>
>>>> The two backend servers are IIS servers, which have these bindings:
>>>>
>>>> server1:
>>>> test.site.local:51111
>>>> test1.site.local:51111
>>>>
>>>> server2:
>>>> test.site.local:51111
>>>> test2.site.local:51111
>>>>
>>>> If I use test.site.local in a web browser, I go to haproxy. If I use
>>>> test1.site.local or test2.site.local, I go to one of the backend servers
>>>> directly.
>>>>
>>>> So currently my main issue is to check the health of the backend servers on
>>>> layer 7 (HTTP 200 response).
>>> Understood, please follow the suggestions from the previous mail. Also
>>> make sure sni and host header are set to the same string.
>>>
>>>
>>> Lukas
>> Hello,
>> there is some progress. My current config:
>>
>> listen https-test-51111
>>     bind *:51111
>>     mode tcp
>>     balance roundrobin
>>     option httpchk GET /somefile.asmx test2.site.local:51111
>>     server server1 192.168.0.1:51111 check check-ssl verify none crt /etc/haproxy/cert.pem ssl sni str(test1.site.local) check-sni test1.site.local
>>     server server2 192.168.0.2:51111 check check-ssl verify none crt /etc/haproxy/cert.pem ssl sni str(test2.site.local) check-sni test2.site.local
>>
>>
>> haproxy stats:
>> server1 L7STS/400 in 3ms
>> server2 L7OK/200 in 26ms
>>
>> The second server is ok, because there is
>>
>> option httpchk GET /somefile.asmx test2.site.local:51111
>>
>> but the first is not.
>>
>> How can I fix this?
>>
>> Regards,
>> Mariusz
> Sorry, there is a mistake.
> My current config in the option line is:
>
> option httpchk GET /somefile.asmx HTTP/1.1\r\nHost:\ test2.site.local:51111
>

Ok. I fixed it. My currently working config:

listen https-test-51111
    bind *:51111
    mode tcp
    balance roundrobin
    option httpchk GET /somefile.asmx HTTP/1.1\r\nHost:\ test.site.local:51111
    server server1 192.168.0.1:51111 check check-ssl verify none crt /etc/haproxy/cert.pem ssl sni str(test.site.local) check-sni test.site.local
    server server2 192.168.0.2:51111 check check-ssl verify none crt /etc/haproxy/cert.pem ssl sni str(test.site.local) check-sni test.site.local

Thanks for help!
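Added example, not part of the thread: a small Python check for the condition Lukas's advice targets, reporting every server whose check-sni differs from the Host header sent by option httpchk. The function names are hypothetical, the two configs are assembled from the messages above, and the argument parsing is a simplified model of HAProxy's, covering only the escapes used here.

```python
import re

def split_args(line):
    # Split on unescaped whitespace, then expand the escapes used in this thread.
    parts = re.split(r"(?<!\\)\s+", line.strip())
    return [p.replace("\\ ", " ").replace("\\r", "\r").replace("\\n", "\n")
            for p in parts]

def check_host(config):
    """Host header (port stripped) carried by 'option httpchk', or None."""
    for line in config.splitlines():
        args = split_args(line)
        if args[:2] == ["option", "httpchk"] and len(args) >= 5:
            # Assumption: headers ride along in the version argument, as above.
            m = re.search(r"\r\nHost:\s*([^\r\n:]+)", args[4], re.I)
            return m.group(1) if m else None
    return None

def sni_mismatches(config):
    """Map server name -> check-sni for servers whose check-sni != Host."""
    host = check_host(config)
    bad = {}
    for line in config.splitlines():
        args = split_args(line)
        if args[0] == "server" and "check-sni" in args[:-1]:
            sni = args[args.index("check-sni") + 1]
            if sni != host:
                bad[args[1]] = sni
    return bad

# Constructed from the thread: corrected option line plus the 15:53 server lines.
BEFORE = r"""
listen https-test-51111
    option httpchk GET /somefile.asmx HTTP/1.1\r\nHost:\ test2.site.local:51111
    server server1 192.168.0.1:51111 check check-ssl verify none crt /etc/haproxy/cert.pem ssl sni str(test1.site.local) check-sni test1.site.local
    server server2 192.168.0.2:51111 check check-ssl verify none crt /etc/haproxy/cert.pem ssl sni str(test2.site.local) check-sni test2.site.local
"""
# Constructed from the thread: the final working configuration.
AFTER = r"""
listen https-test-51111
    option httpchk GET /somefile.asmx HTTP/1.1\r\nHost:\ test.site.local:51111
    server server1 192.168.0.1:51111 check check-ssl verify none crt /etc/haproxy/cert.pem ssl sni str(test.site.local) check-sni test.site.local
    server server2 192.168.0.2:51111 check check-ssl verify none crt /etc/haproxy/cert.pem ssl sni str(test.site.local) check-sni test.site.local
"""

if __name__ == "__main__":
    print("before:", sni_mismatches(BEFORE))
    print("after: ", sni_mismatches(AFTER))
```

On the earlier config it reports only server1, the server that showed L7STS/400 in the stats; on the final config it reports nothing.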

