Will this HAProxy "restart script" work as gracefully as I think it will?

I put this script together from various places. What I am hoping is that it will do the following once run:

  1. Pause all "NEW" HTTP traffic for ports 80 and 443 - just "pause" them, don't give any error
  2. gracefully restart haproxy when all "in process" requests are completed
  3. Unpause the HTTP traffic and continue business as usual.

Is this how it will run? Have I missed anything? We have thousands of ACL rules based on IP, stored in a file that haproxy references, and we need to reload it several times a minute.

#!/bin/sh

# validate the new configuration first, so a broken config never
# leaves new connections paused (a failed reload keeps the old process)
/usr/sbin/haproxy -c -q -f /etc/haproxy/haproxy.cfg || exit 1

# hold/pause new requests: dropping only the SYN (--syn) makes clients
# retransmit it after about a second (the TCP retransmit timeout)
# instead of seeing an error, while established connections are untouched
iptables -I INPUT -p tcp --dport 80 --syn -j DROP
iptables -I INPUT -p tcp --dport 443 --syn -j DROP
sleep 1

# gracefully reload haproxy: the new process binds the ports, then -sf
# tells the old one (pid read from the pid file before it is overwritten)
# to finish its in-flight requests and exit
/usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)

# allow new requests to come in again (this runs even if the reload
# failed, since nothing above aborts the script at that point)
iptables -D INPUT -p tcp --dport 80 --syn -j DROP
iptables -D INPUT -p tcp --dport 443 --syn -j DROP

Edit: I'd love to somehow test it, but we don't have any traffic as of yet (with the exception of me testing).

Sources:

http://www.forouzani.com/reload-haproxy-cfg-without-restarting.html

https://github.com/Mirantis/openstack-lbaas/issues/3

HAProxy graceful reload with zero packet loss


Solution 1:

Based on those articles it should work fine.

Just remember that if you do not have the traffic, you can always emulate it.

Use the Apache benchmark tool to generate some fake traffic.

Just make sure that the page you are loading takes a few seconds to load, to test the worst-case scenario.

I created a cookbook for you that proves that the configuration you provided works correctly.
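The test the answer describes, as an added example that is not part of the question or the answer: run ab against a slow page, fire the reload script while requests are in flight, then read ab's own summary to confirm that nothing failed. It assumes ab is installed, that the reload script from the question is saved at a path you pass in (the default `/usr/local/sbin/haproxy-reload.sh` is a placeholder), and that `AB_URL` points at a page behind haproxy that takes a few seconds to answer. The ab summary embedded below is a constructed sample, used only to exercise the parsing when no URL is given.

```shell
#!/bin/sh
# Added test harness for the SYN-drop + "haproxy -sf" reload above.
# Parse helpers read ab's summary; the driver runs ab and the reload together.

# Constructed sample of an ab summary (not real output from any run).
SAMPLE_AB_OUTPUT='Concurrency Level:      20
Time taken for tests:   41.2 seconds
Complete requests:      200
Failed requests:        0
Total transferred:      123400 bytes'

# Print the "Failed requests:" count from ab output on stdin (-1 if absent,
# which means ab never reached its summary, i.e. it aborted).
ab_failed_requests() {
    awk '/^Failed requests:/ { print $3; found = 1 }
         END { if (!found) print -1 }'
}

# Print the "Non-2xx responses:" count; ab prints that line only when
# some responses were not 2xx, so a missing line means 0.
ab_non2xx_responses() {
    awk '/^Non-2xx responses:/ { print $3; found = 1 }
         END { if (!found) print 0 }'
}

# Load the proxy with concurrent requests, run the reload in the middle,
# and succeed only if ab saw zero failed and zero non-2xx responses.
# $1 = URL of a slow page behind haproxy, $2 = path to the reload script.
run_reload_test() {
    url=$1
    reload_script=${2:-/usr/local/sbin/haproxy-reload.sh}   # placeholder path
    out=$(mktemp) || return 1
    # 200 requests, 20 at a time: with a multi-second page this keeps
    # requests in flight across the whole reload window
    ab -n 200 -c 20 "$url" > "$out" 2>&1 &
    ab_pid=$!
    sleep 2                      # let the first batch get in flight
    sh "$reload_script"          # the reload under test (needs root for iptables)
    wait "$ab_pid"
    failed=$(ab_failed_requests < "$out")
    non2xx=$(ab_non2xx_responses < "$out")
    rm -f "$out"
    echo "failed=$failed non2xx=$non2xx"
    [ "$failed" -eq 0 ] && [ "$non2xx" -eq 0 ]
}

# With AB_URL set, run the real test; otherwise just show the parsing
# on the constructed sample.
if [ -n "${AB_URL:-}" ]; then
    run_reload_test "$AB_URL" "${RELOAD_SCRIPT:-}"
else
    printf '%s\n' "$SAMPLE_AB_OUTPUT" | ab_failed_requests
fi
```

Run it as `AB_URL=http://proxy.example/slow RELOAD_SCRIPT=/path/to/reload.sh sh test-reload.sh` on the proxy host. A SYN that is dropped during the pause shows up in ab only as added latency, so a clean run reports `failed=0 non2xx=0`; a failed count greater than zero (or `-1`, meaning ab aborted before printing its summary) means a connection was refused or reset somewhere in the reload window.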