T6246: adds haproxy http-check configuration documentation #1388

Merged
merged 2 commits into from
Apr 19, 2024
75 changes: 68 additions & 7 deletions docs/configuration/loadbalancing/reverse-proxy.rst
Expand Up @@ -144,7 +144,8 @@ Backend

Send a Proxy Protocol version 2 header (binary format)

.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl ca-certificate <ca-certificate>
.. cfgcmd:: set load-balancing reverse-proxy backend <name> ssl
ca-certificate <ca-certificate>

Configure requests to the backend server to use SSL encryption and
authenticate backend against <ca-certificate>
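Review bot: The wrapped `cfgcmd` argument, `set load-balancing reverse-proxy backend <name> ssl` continued by `ca-certificate <ca-certificate>` on the next line, needs a check in a rendered build. The continuation line has to stay indented as part of the directive argument; if it is not, reStructuredText reads it as body text and the command is shown and indexed without its `ca-certificate` part. The same applies to the other wrapped `cfgcmd` lines added in this file.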
Expand All @@ -154,6 +155,37 @@ Backend
Configure requests to the backend server to use SSL encryption without
validating server certificate


HTTP health check
^^^^^^^^^^^^^^^^^
For web application providing information about their state HTTP health
checks can be used to determine their availability.

.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check

Enables HTTP health checks using OPTION HTTP requests against '/' and
expecting a successful response code in the 200-399 range.

.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check
method <method>

Sets the HTTP method to be used, can be either: option, get, post, put

.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check
uri <path>

Sets the endpoint to be used for health checks

.. cfgcmd:: set load-balancing reverse-proxy backend <name> http-check
expect <condition>

Sets the expected result condition for considering a server healthy.
Some possible examples are:
* ``status 200`` Expecting a 200 response code
* ``status 200-399`` Expecting a non-failure response code
* ``string success`` Expecting the string `success` in the response body


Global
-------

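Review bot: In the `http-check expect` description the bullet list starts on the line directly after "Some possible examples are:" with no blank line between them, so reStructuredText folds the three `*` items into the paragraph instead of rendering a list; add a blank line before the first bullet. In the same hunk, "OPTION HTTP requests" should read OPTIONS, which is the HTTP method name, and the method list would be clearer if it said how the `option` keyword maps to it. `success` is in single backticks while the other literals use double backticks.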
Expand Down Expand Up @@ -215,6 +247,7 @@ servers (srv01 and srv02) using the round-robin load-balancing algorithm.
set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12'
set load-balancing reverse-proxy backend bk-01 server srv02 port '8882'


Balancing based on domain name
------------------------------
The following configuration demonstrates how to use VyOS
Expand Down Expand Up @@ -295,20 +328,22 @@ connection limit of 4000 and a minimum TLS version of 1.3.
set load-balancing reverse-proxy global-parameters max-connections '4000'
set load-balancing reverse-proxy global-parameters tls-version-min '1.3'


SSL Bridging
-------------
The following configuration terminates incoming HTTPS traffic on the router, then re-encrypts the traffic and sends
to the backend server via HTTPS. This is useful if encryption is required for both legs, but you do not want to
The following configuration terminates incoming HTTPS traffic on the router,
then re-encrypts the traffic and sends to the backend server via HTTPS.
This is useful if encryption is required for both legs, but you do not want to
install publicly trusted certificates on each backend server.

Backend service certificates are checked against the certificate authority specified in the configuration, which
could be an internal CA.
Backend service certificates are checked against the certificate authority
specified in the configuration, which could be an internal CA.

The ``https`` service listens on port 443 with backend ``bk-bridge-ssl`` to
handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination.

The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HTTPS and checks backend
server has a valid certificate trusted by CA ``cacert``
The ``bk-bridge-ssl`` backend connects to sr01 server on port 443 via HTTPS
and checks backend server has a valid certificate trusted by CA ``cacert``


.. code-block:: none
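Review bot: Since the SSL Bridging paragraphs are being rewrapped anyway, the wording can be fixed in the same pass: "then re-encrypts the traffic and sends to the backend server" is missing its object ("sends it"), and the last sentence, "and checks backend server has a valid certificate trusted by CA ``cacert``", has no closing period and reads better as "checks that the backend server has". Neither changes the meaning of the section.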
Expand All @@ -325,3 +360,29 @@ server has a valid certificate trusted by CA ``cacert``
set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 address '192.0.2.23'
set load-balancing reverse-proxy backend bk-bridge-ssl server sr01 port '443'


Balancing with HTTP health checks
---------------------------------

This configuration enables HTTP health checks on backend servers.

.. code-block:: none

set load-balancing reverse-proxy service my-tcp-api backend 'bk-01'
set load-balancing reverse-proxy service my-tcp-api mode 'tcp'
set load-balancing reverse-proxy service my-tcp-api port '8888'

set load-balancing reverse-proxy backend bk-01 balance 'round-robin'
set load-balancing reverse-proxy backend bk-01 mode 'tcp'

set load-balancing reverse-proxy backend bk-01 http-check method 'get'
set load-balancing reverse-proxy backend bk-01 http-check uri '/health'
set load-balancing reverse-proxy backend bk-01 http-check expect 'status 200'

set load-balancing reverse-proxy backend bk-01 server srv01 address '192.0.2.11'
set load-balancing reverse-proxy backend bk-01 server srv01 port '8881'
set load-balancing reverse-proxy backend bk-01 server srv01 check
set load-balancing reverse-proxy backend bk-01 server srv02 address '192.0.2.12'
set load-balancing reverse-proxy backend bk-01 server srv02 port '8882'
set load-balancing reverse-proxy backend bk-01 server srv02 check

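Review bot: The intro line "This configuration enables HTTP health checks on backend servers." does not explain the two things a reader is most likely to trip over in this example: the service and backend are both set to `mode 'tcp'` while the check is HTTP, and each server carries its own `check` line (`server srv01 check`, `server srv02 check`). Add a sentence saying whether the per-server `check` is required for the `http-check` settings to take effect and why a TCP-mode backend is used here. The `http-check` reference entries added earlier in this patch do not mention `server <name> check` either.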