haproxy ACLs configuration
I am trying to setup haproxy as a load balancer for Hashicorp Vault using ACLs. Basically, what I am trying to do is satisfy
the following conditions. First, go to the server that is initialized, unsealed, and active (status code 200). If that server
does not exist, go to unsealed and standby server (status code 429). Lastly, check if servers are sealed.
I currently have the following configuration. Any advice would be greatly appreciated.
```
#---------------------------------------------------------------------
# Hashicorp Vault Frontend
#---------------------------------------------------------------------
frontend vault_frontend
    bind xxx.xxx.xxx.xxx:443
    mode tcp
    # ACLs
    acl active_node_absent nbsrv(vault_active_node) lt 1
    use_backend vault_standby_node if active_node_absent
    # Options
    option tcplog
    default_backend vault_active_node

#---------------------------------------------------------------------
# Hashicorp Vault Backend
#---------------------------------------------------------------------
backend vault_active_node
    mode tcp
    balance roundrobin
    # Options
    option httpchk HEAD /v1/sys/health
    http-check expect status 200
    # Servers
    server vault01.xxx.xxx.xxx vault01.xxx.xxx.xxx:8200 check check-ssl verify none
    server vault02.xxx.xxx.xxx vault02.xxx.xxx.xxx:8200 check check-ssl verify none

backend vault_standby_node
    mode tcp
    balance roundrobin
    # Options
    option httpchk HEAD /v1/sys/health
    http-check expect status 429
    # Servers
    server vault01.xxx.xxx.xxx vault01.xxx.xxx.xxx:8200 check check-ssl verify none
    server vault02.xxx.xxx.xxx vault02.xxx.xxx.xxx:8200 check check-ssl verify none

backend vault_sealed_nodes
    mode tcp
    # Options
    option httpchk HEAD /v1/sys/health
    http-check expect status 503
    # Servers
    server vault01.xxx.xxx.xxx vault01.xxx.xxx.xxx:8200 check check-ssl verify none
    server vault02.xxx.xxx.xxx vault02.xxx.xxx.xxx:8200 check check-ssl verify none
```
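The three-step cascade the question describes (active first, standby only when no active node passes its check, sealed pool as the last resort) can be expressed with one `nbsrv()` ACL per backend and ordered `use_backend` rules, since haproxy evaluates them top to bottom and the first match wins. The configuration below is an added example written for this page, not the asker's configuration or anything from the Vault or haproxy projects; the bind address, hostnames and the CA file path are placeholders. The expected status codes come from Vault's `/v1/sys/health` endpoint, which returns 200 for an initialized, unsealed, active node, 429 for an unsealed standby and 503 for a sealed node. The health checks verify the Vault TLS certificate against a CA file instead of `verify none`, so a check cannot be satisfied by an arbitrary host answering on port 8200.

```haproxy
#---------------------------------------------------------------------
# Added example: active -> standby -> sealed cascade for Vault.
# 192.0.2.10, vault01/vault02.example.internal and the ca-file path
# are placeholders.
#---------------------------------------------------------------------
frontend vault_frontend
    bind 192.0.2.10:443
    mode tcp
    option tcplog

    # nbsrv() counts the servers whose health check currently passes.
    acl has_active  nbsrv(vault_active_node)  ge 1
    acl has_standby nbsrv(vault_standby_node) ge 1

    # First matching rule wins: prefer the active node, then a standby.
    use_backend vault_active_node  if has_active
    use_backend vault_standby_node if has_standby
    # Nothing is unsealed: hand the client Vault's own 503 from the sealed
    # pool rather than a refused connection, and page an operator to unseal.
    default_backend vault_sealed_nodes

# Same two servers in every backend; only the expected health-check status
# differs, so each backend's nbsrv() reflects one Vault state.
# Certificate verification is enabled for the checks (no "verify none").
backend vault_active_node
    mode tcp
    balance roundrobin
    option httpchk HEAD /v1/sys/health
    http-check expect status 200
    option log-health-checks
    default-server check check-ssl verify required ca-file /etc/haproxy/vault-ca.pem inter 2s fall 2 rise 2
    server vault01 vault01.example.internal:8200 verifyhost vault01.example.internal
    server vault02 vault02.example.internal:8200 verifyhost vault02.example.internal

backend vault_standby_node
    mode tcp
    balance roundrobin
    option httpchk HEAD /v1/sys/health
    http-check expect status 429
    option log-health-checks
    default-server check check-ssl verify required ca-file /etc/haproxy/vault-ca.pem inter 2s fall 2 rise 2
    server vault01 vault01.example.internal:8200 verifyhost vault01.example.internal
    server vault02 vault02.example.internal:8200 verifyhost vault02.example.internal

backend vault_sealed_nodes
    mode tcp
    balance roundrobin
    option httpchk HEAD /v1/sys/health
    http-check expect status 503
    option log-health-checks
    default-server check check-ssl verify required ca-file /etc/haproxy/vault-ca.pem inter 2s fall 2 rise 2
    server vault01 vault01.example.internal:8200 verifyhost vault01.example.internal
    server vault02 vault02.example.internal:8200 verifyhost vault02.example.internal
```

Two points worth checking before deploying this: `option log-health-checks` writes every state transition to the haproxy log, which is how you notice a node flapping between active and sealed; and the frontend stays in `mode tcp`, so client TLS is passed through end to end and haproxy only terminates TLS for its own health-check connections, which is why `check-ssl` is needed on the servers. If you would rather treat standby nodes as healthy members of a single backend, Vault's health endpoint accepts `?standbyok=true`, which makes a standby return 200 instead of 429.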
Solution 1:[1]
You need a dispatch.yaml file. The dispatch.yaml allows you to override routing rules. You can use the dispatch.yaml to send incoming requests to a specific service (formerly known as modules) based on the path or hostname in the URL.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | dishant makwana |
