@uliromahn wrote:
Hi HAProxy Experts!
Some Background:
we are using HAProxy in our Microservices environment running on Kubernetes. Some of the generated HAProxy config files have multiple backends, each of them with hundreds of backend servers.
Communication between our services is encrypted using TLS and we use HAProxy for SSL termination. A server definition in the generated HAProxy config files looks something like this:
server service_a:443 <ip-address>:443 id 1 check inter 30s rise 3 fall 2 ssl crt <crt-file> ca-file <ca-file> verify required verifyhost <service-fqdn>
With this setting, HAProxy does a complete SSL handshake to every server immediately after each restart or reload. This puts a huge CPU load on the sidecar container running HAProxy during the initial check (config property check).
I believe the fact that it is establishing a TLS connection for the check can be seen on the status page of HAProxy in the column LastChk with something like L6OK in 9ms, while for non-TLS connections doing a pure TCP check, it shows L4OK in 2ms.
Question:
We want to disable checks over SSL in our environment now and use pure TCP (layer 4) checks also for HTTPS backend servers. We tried doing this by adding the option no-check-ssl to each server line, like the following from the above example:
server service_a:443 <ip-address>:443 id 1 check inter 30s rise 3 fall 2 ssl no-check-ssl crt <crt-file> ca-file <ca-file> verify required verifyhost <service-fqdn>
However, adding this option does not seem to stop using SSL for checks since we still see L6OK in the stats page and not L4OK.
So, how can we disable using SSL for checks against backends using HTTPS? Or did the option actually disable it but the display on the stats page is simply misleading?
Thank you in advance for looking into this question.
P.S. we are using HAProxy 1.8.17 and are in the process of rolling out 1.9.10. We have only tested this with 1.8.17 so far.
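With hundreds of server lines, reading the LastChk column by eye does not scale. The following script is an added example, not part of the post above, that parses HAProxy's stats CSV output (the same data the stats page shows; the check_status column holds L4OK, L6OK and so on) and lists the servers whose last check still ran at layer 6, i.e. still did a TLS handshake. The sample CSV is constructed and trimmed to the columns used; the backend and server names in it are made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of HAProxy's stats CSV ("show stat" on the stats socket, or the
# stats page with ";csv"), trimmed to the columns this script uses. Real output has
# many more columns; parsing by header name keeps the script independent of their
# positions. Backend and server names are made up for the example.
SAMPLE_STATS_CSV = """# pxname,svname,status,check_status,check_duration,
be_service_a,FRONTEND,OPEN,,,
be_service_a,service_a:443,UP,L6OK,9,
be_service_a,service_b:443,UP,L6OK,11,
be_service_a,BACKEND,UP,,,
be_service_c,service_c:8080,UP,L4OK,2,
be_service_c,service_c_2:8080,DOWN,L4CON,0,
be_service_c,BACKEND,UP,,,
"""

# The first two characters of check_status give the layer the check reached.
LAYER_NAMES = {"L4": "tcp", "L6": "ssl", "L7": "http"}


def check_layers(stats_csv: str):
    """Return {backend: {server: layer}} for every real server row, where layer is
    'tcp', 'ssl', 'http' or 'unknown'. FRONTEND/BACKEND aggregate rows are skipped."""
    text = stats_csv.lstrip("# ")  # HAProxy prefixes the header line with "# "
    result = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        if row["svname"] in ("FRONTEND", "BACKEND"):
            continue
        status = row.get("check_status") or ""
        result[row["pxname"]][row["svname"]] = LAYER_NAMES.get(status[:2], "unknown")
    return dict(result)


def servers_still_checked_over_ssl(stats_csv: str):
    """List (backend, server) pairs whose last check ran at layer 6, i.e. servers
    whose health check still performed a TLS handshake."""
    return sorted(
        (backend, server)
        for backend, servers in check_layers(stats_csv).items()
        for server, layer in servers.items()
        if layer == "ssl"
    )


if __name__ == "__main__":
    for backend, server in servers_still_checked_over_ssl(SAMPLE_STATS_CSV):
        print(f"{backend}/{server}: last check was over SSL (L6)")
```

Feed it the real CSV (for example the output of `echo "show stat" | socat stdio /var/run/haproxy.sock`, assuming the stats socket is enabled) to verify after a reload whether no-check-ssl actually took effect on every server.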