On 10/4/23 09:18, William Lallemand wrote:
Nothing in haproxy initiates a service reload, are you sure you don't have an
external process which is doing it? The systemd support within HAProxy
is only meant to provide a status to systemd, it does not send it
actions.

I found the issue. I am not surprised to learn that it was a PEBCAK problem. :)

I have a certs webapp I wrote in PHP for Let's Encrypt certificate generation and management. One of the things it does is update a whitelist and reload haproxy, and it has an hourly cronjob to make sure that the whitelist is always current.

I have updated the code for this so that it actually checks to see whether the whitelist has changed, and only issues a reload when there is a change. This will eliminate the hourly reloads.

I actually developed this webapp for $DAYJOB and deployed it on my own server as well. A cow-orker noticed frequent alerts from zabbix about haproxy restarting on that system and asked me about it. I have never employed my OCSP updating script on that system ... the only thing the two systems have in common is my certs webapp. I had forgotten about the hourly cronjob.

I actually don't need the cronjob on my own server. My personal haproxy doesn't use that whitelist. It's in place for $DAYJOB so that only certain public IP addresses can reach my webapp.

Thank you for helping me work out that it was not haproxy's OCSP update that caused the anomaly; that just happened to be occurring at the same time.

Shawn
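
The change-detection fix described in the message above, sketched as an added shell example; it is not code from the post or from the PHP webapp it mentions. The function name `sync_whitelist`, the `RELOAD_CMD` variable, the file paths and the one-address-per-line whitelist format are assumptions.

```shell
#!/bin/sh
# Added example: install a generated whitelist and reload haproxy only on change.
# sync_whitelist, RELOAD_CMD and all paths are hypothetical names for illustration.
# Assumes the whitelist is a plain file with one address or CIDR per line.

RELOAD_CMD=${RELOAD_CMD:-"systemctl reload haproxy"}

# sync_whitelist CANDIDATE TARGET
# Prints unchanged | reloaded | refused-empty | reload-failed.
sync_whitelist() {
    candidate=$1
    target=$2
    tmp=$(mktemp "${target}.XXXXXX") || return 1

    # Canonical form: no blank lines, sorted, de-duplicated, so a reordered
    # but equivalent list does not count as a change.
    sed '/^[[:space:]]*$/d' "$candidate" | sort -u > "$tmp"

    # A generator failure must not replace a working list with an empty one.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"; echo refused-empty; return 2
    fi

    # Nothing changed: leave the file and the running service alone.
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"; echo unchanged; return 0
    fi

    # Keep the old list so a failed reload is retried on the next run.
    if [ -f "$target" ]; then cp -p "$target" "$target.prev"; fi
    chmod 644 "$tmp"            # mktemp creates the file with mode 0600
    mv -f "$tmp" "$target"      # rename within one directory is atomic

    if ! $RELOAD_CMD >/dev/null 2>&1; then
        if [ -f "$target.prev" ]; then
            mv -f "$target.prev" "$target"
        else
            rm -f "$target"
        fi
        echo reload-failed; return 1
    fi
    rm -f "$target.prev"
    echo reloaded
}
```

Run from the hourly cronjob, this leaves the service untouched on every run where the generated list matches the installed one, so monitoring only sees a reload when the allowed addresses actually change.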

