haproxy package: how to reject tcp connections if backend is down?
-
Greetings!
I'm using the HaProxy package in pfsense and would like to configure a frontend to reject tcp connections if the respective backend has no servers up. What is a good way to achieve this?
Apparently, the config directives would be something like:
acl site_dead nbsrv(my_backend) lt 1
tcp-request connection reject if site_dead
It's not obvious to me how I can implement something equivalent in the UI for the haproxy package.
On a related note, on the frontend edit page, I've been playing around with ACLs as I suspect this is where I can accomplish my objective. I see the 'Custom acl:' option. If I select this option, would I then add the acl line in the above snippet, sans the "acl site_dead" portion? e.g. add "nbsrv(my_backend) lt 1" to the 'value' field? Else I don't see how to make use of the 'Custom acl:' selection.
-
If no one has specific experience with setting up ACLs to reject connections in the UI, can anyone provide guidance on how to properly use the 'Custom acl:' option in the UI? I've tried several different approaches, including putting certain portions of what I would put into a config file into the 'value' field, but it always fails to parse when I attempt to apply. Is there something I'm missing?
-
If it fails to parse, what did you put exactly and what does it say?
produces this for me (p.s. note the backend name in my case is vhost3 but the config has some additional suffix; your backend name might also have an additional _http_ in between.. check the config file for the exact name if needed.. but the GUI should do it automatically):
acl myBackAlive nbsrv(vhost3_ipvANY) ge 1
tcp-request connection reject if !myBackAlive
Custom acl could also be used.. but still make sure to use the backend name exactly as it gets written to the haproxy.conf file..
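As an added illustration (not a config from this thread or from the pfSense package), here is a hand-written haproxy.cfg fragment that puts the ACL and reject rule from the reply above into a complete frontend/backend pair. The backend name vhost3_ipvANY is the one quoted in the reply; the frontend name, server addresses (RFC 5737 documentation range) and timeouts are placeholders chosen for the example.

```haproxy
# Added example, not from the thread or the pfSense package.
# Backend name copied from the reply above; on pfSense always take the
# name from the generated haproxy.cfg, since the package appends a
# suffix (here _ipvANY) to the name entered in the UI.

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

backend vhost3_ipvANY
    # "check" matters: nbsrv() counts only servers that health checks
    # report as UP. Without health checks every server is assumed up
    # and the ACL below would never match.
    server web1 192.0.2.10:80 check    # placeholder address
    server web2 192.0.2.11:80 check    # placeholder address

frontend vhost3_front                  # placeholder frontend name
    bind *:80
    # True while at least one server in the backend is UP.
    acl myBackAlive nbsrv(vhost3_ipvANY) ge 1
    # Evaluated when the TCP connection is accepted, before any TLS
    # handshake or HTTP parsing, so with no server up the connection
    # is dropped instead of HAProxy answering with its own 503 page.
    tcp-request connection reject if !myBackAlive
    default_backend vhost3_ipvANY
```

The difference between this and the default behaviour is where the failure shows up: with only `default_backend` and all servers down, HAProxy accepts the connection and replies 503; with the connection-level reject the client never gets a TCP session at all, which is what a TCP-level health check in front of HAProxy (or a browser) will notice.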
-
Thanks for your response PiBa.
I've made some good progress on this and think I have a working solution. I've found a working ACL combination:
That is, when all backends are down, I get a match on the kdemo_dead ACL that says "!minCountUsableServers ge 1" and haproxy uses the tcp-request connection reject as desired. Interestingly, at first when I initially had SSL offload enabled for the frontend, I had a lot of errors when the package attempted to create the haproxy.cfg, and when I finally got past that I no longer got the desired behavior: despite the ACLs, haproxy still initiated a TCP connection and returned a 503. I really don't know what's changed: perhaps it was because I had some of the boxes checked that created additional ACLs?
It seems the haproxy package is dynamically generating a haproxy.cfg when I apply UI changes and sometimes the content and sequence of entries causes unintended consequences.
At any rate, it seems to be working now, so I'm happy :)