haproxy package: how to reject tcp connections if backend is down?
I'm using the HaProxy package in pfsense and would like to configure a frontend to reject tcp connections if the respective backend has no servers up. What is a good way to achieve this?
Apparently, the config directives would be something like:
acl site_dead nbsrv(my_backend) lt 1 tcp-request reject if site_dead
It's not obvious to me how I can implement something equivalent in the UI for the haproxy package.
On a related note, on the frontend edit page, I've been playing around with ACLs as I suspect this is where I can accomplish my objective. I see the
Custom acl:option. If I select this option, would I then add the acl line in the above snippet, sans the
acl site_deadportion? e.g. add:
nbsrv(my_backend) lt 1
to the 'value' field? Else I don't see how to make use of the
If no one has specific experience with setting up ACLs to reject connections in the UI, can anyone provide guidance on how to properly use the
Custom acl:option in the UI?
I've tried several different approaches: including putting certain portions of what I would put into a config file, into the 'value' field, but it always fails to parse when I attempt to apply. Is there something I'm missing?
If it fails to parse, what did you put exactly and what does it say.?
produces this for me (p.s. note the backend name in my case is vhost3 but the config has some additional suffix your backend name might also have a additional _http_ in between.. check the config file for the exact name if needed.. but gui should do it automatically ) :
acl myBackAlive nbsrv(vhost3_ipvANY) ge 1 tcp-request connection reject if !myBackAlive
Custom acl could also be used.. but still make sure to use the backendname exactly as it gets written to the haproxy.conf file..
Thanks for your response PiBa.
I've made some good progress on this and think I have a working solution. I've found a working ACL combination:
That is, when all backends are down, I get a match on the kdemo_dead ACL that says "!minCountUsableServers ge 1" and haproxy uses the tpc-request connection reject as desired.
Interestingly, at first when I initially had SSL offload enabled for the frontend, I had a lot of errors when the package attempted to create the haproxy.cfg, and when I finally got past that I no longer got the desired behavior: despite the ACLs, haproxy still initiated a TCP connection and returned a 503. I really don't know what's changed,: perhaps it was because I had some of the boxes checked that created additional ACLs?
It seems the haproxy package is dynamically generating a haproxy.cfg when I apply UI changes and sometimes the content and sequence of entries causes unintended consequences.
At any rate, seems to be working now, so I'm happy:)