Preserve backend server status when reloading haproxy

haproxy

Because I have a large pool of https certificates that changes from day to day (massive multitenant application with many domains), I have a script that may reload haproxy at nearly random times. This works fine.

I also set backend servers to MAINT when I am deploying new versions of applications to them. This also works fine.

The trouble is that if the reload happens, any servers that I had set to MAINT status are instead reloaded as READY. This lets customers see waits or even error messages.

Is there a way to preserve the current status of backend servers when reloading haproxy?

Best Answer

Not sure which version you're using, the following needs HAProxy >= 1.6~:

You might want to have a look at the load-server-state-from-file directive, which allows

seamless reloads of HAProxy.

This directive points HAProxy to a file where server state from previous running process has been saved. That way, when starting up, before handling traffic, the new process can apply old states to servers exactly has if no reload occured. [...]

(That's just an excerpt, for more details follow the link.)

Using this, your config could look like (only relevant parts shown):

global
  server-state-file /var/lib/haproxy/server-state
  stats socket /var/lib/haproxy/stats

defaults
  load-server-state-from-file global

Your reload command could then look like the following:

socat /var/lib/haproxy/stats - <<< \"show servers state\" > /var/lib/haproxy/server-state && systemctl reload-or-restart haproxy

That is:

Connect to the stats socket via socat, get the states of the servers and / or backends and write to the state file.
After this, if all went well, reload or restart HAProxy.

Related Solutions

Ssl – How to horizontally scale SSL termination behind HAProxy load balancing

Firstly this adds unneccesary complexity to your webservers.

Secondly terminating the SSL connection at the LB means you can use keepalive on the client side for the connection reducing the complex part of establishing the connection. Also the most efficient use of resources is to group like workloads. Many people seperate static and dynamic content, SSL at the LB means that both can come from different servers through the same connection.

Thirdly SSL generally scales at a different rate than required by your web app. I think the lack of examples is due to the fact that a single LB pair or Round robin dns is enough for most people. It seems to me that you may be overestimating the SSL workload.

Also I am not sure about your reasoning regarding security. In addition to the fact that the webserver is already running far more services with possible exploits, if there are any vulnerabilities in the LB then you have just introduced them onto your webservers too!

Serve 404 from HAProxy when no acls match

If you would be okay with any of the following response codes: 200, 400, 403, 405, 408, 429, 500, 502, 503, or 504.

Then you could do something like this:

frontend www
  ...
  default_backend no-match

backend no-match
  mode http
  http-request deny deny_status 400

http-request: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4-http-request
Accepted response codes described in errorfile: http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#errorfile

Best Answer

Related Solutions

Ssl – How to horizontally scale SSL termination behind HAProxy load balancing

Serve 404 from HAProxy when no acls match

Related Topic