HAproxy health check for https backend
I have an haproxy configuration that works perfectly for Vault servers in the backend with an http configuration, and it load balances based on the unsealed and active vault server using the 200 OK code. This works for http. But we made everything https (tls), so the health check is not working anymore and haproxy directs us to a sealed vault server. How do I modify the below configuration to support a health check for an https vault server backend? My current config for http is as follows:
    listen vault
        bind 0.0.0.0:443
        mode tcp
        balance roundrobin
        option httpchk HEAD /v1/sys/health
        http-check expect status 200
        option tcplog
        option ssl-hello-chk
        server web1 <vault 1 IP>:8200 check
        server web2 <vault 2 IP>:8200 check
Finally, I made it work by adding `check-ssl verify none`; more info here in the docs: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#check-ssl

    listen vault
        bind 0.0.0.0:443
        mode tcp
        balance roundrobin
        option httpchk HEAD /v1/sys/health
        http-check expect status 200
        option tcplog
        option ssl-hello-chk
        # check-ssl: send the health check over TLS; verify none: do not check the backend certificate
        server web1 <vault 1 IP>:8200 check check-ssl verify none
        server web2 <vault 2 IP>:8200 check check-ssl verify none
Something along these lines? (Works for self-signed certs)
...
    server web1 <vault 1 IP>:8200 check ssl verify none
    server web2 <vault 2 IP>:8200 check ssl verify none
...
Reference: ssl reference on haproxy documentation
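Both answers above turn certificate verification off for the health check. As an added example (not from the question or either answer), here is the accepted configuration with the check still sent over TLS but with the backend certificate verified against a CA bundle; the path `/etc/haproxy/vault-ca.pem` is an assumed location for the CA that issued the Vault listeners' certificates.

```haproxy
# Added example: health check over TLS with the backend certificate verified.
# Assumption: /etc/haproxy/vault-ca.pem contains the CA that signed the Vault
# listener certificates (self-signed listener certs can be placed there directly).
listen vault
    bind 0.0.0.0:443
    # Client TLS is passed through unchanged to Vault (no "ssl" on the server lines);
    # only the health check itself is wrapped in TLS via check-ssl.
    mode tcp
    balance roundrobin
    option tcplog
    # Vault's /v1/sys/health answers 200 only on the active, unsealed node;
    # a standby answers 429 and a sealed node 503, so only the active node
    # is marked UP and receives traffic.
    option httpchk HEAD /v1/sys/health
    http-check expect status 200
    # "option ssl-hello-chk" is omitted: only one check method applies per proxy,
    # and the HTTP check over check-ssl already exercises the TLS listener.
    # verify required + ca-file: a backend presenting a certificate not issued
    # by our CA is marked DOWN instead of being trusted blindly (verify none).
    server web1 <vault 1 IP>:8200 check check-ssl verify required ca-file /etc/haproxy/vault-ca.pem
    server web2 <vault 2 IP>:8200 check check-ssl verify required ca-file /etc/haproxy/vault-ca.pem
```

If the listener certificates carry a DNS name rather than the IP, `verifyhost <name>` on the server line additionally pins the health check to that name; run `haproxy -c -f <config>` after editing to validate the syntax before reloading.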