diff --git a/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2 b/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2
index a4b91e0b29..e07683c65a 100644
--- a/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2
+++ b/octavia/common/jinja/haproxy/combined_listeners/templates/macros.j2
@@ -208,13 +208,18 @@ frontend {{ listener.id }}
 {% else %}
 {% set monitor_port_opt = "" %}
 {% endif %}
+ {% if pool.alpn_protocols is defined %}
+ {% set alpn_opt = " check-alpn %s"|format(pool.alpn_protocols) %}
+ {% else %}
+ {% set alpn_opt = "" %}
+ {% endif %}
 {% if pool.health_monitor.type == constants.HEALTH_MONITOR_HTTPS %}
 {% set monitor_ssl_opt = " check-ssl verify none" %}
 {% else %}
 {% set monitor_ssl_opt = "" %}
 {% endif %}
- {% set hm_opt = " check%s inter %ds fall %d rise %d%s%s"|format(
- monitor_ssl_opt, pool.health_monitor.delay,
+ {% set hm_opt = " check%s%s inter %ds fall %d rise %d%s%s"|format(
+ monitor_ssl_opt, alpn_opt, pool.health_monitor.delay,
 pool.health_monitor.fall_threshold,
 pool.health_monitor.rise_threshold, monitor_addr_opt,
 monitor_port_opt) %}
diff --git a/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py b/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py
index 5130eb518d..28e7a2c991 100644
--- a/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py
+++ b/octavia/tests/unit/common/jinja/haproxy/combined_listeners/test_jinja_cfg.py
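Review bot: In macros.j2 the new `alpn_opt` block is guarded only by `pool.alpn_protocols is defined`, so ` check-alpn` is emitted for every health-monitor type, and a value that is defined but empty or None would render as `check-alpn ` or `check-alpn None` on the server line. Whether the code that feeds this macro can produce such a value is not visible here, but `{% if pool.alpn_protocols is defined and pool.alpn_protocols %}` closes that gap cheaply. It may also be worth requiring that the pool actually uses TLS, since ALPN is only negotiated on TLS checks. The value is formatted into the haproxy configuration unquoted, so the template relies on API-side validation to keep it a single whitespace-free token; a short Jinja comment stating that assumption would help the next reader. The enclosing macro starts and ends outside the hunk.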
@@ -1331,11 +1331,11 @@ class TestHaproxyCfg(base.TestCase):
 " timeout connect 5000\n"
 " timeout server 50000\n"
 " server sample_member_id_1 10.0.0.99:82 weight 13 "
- "check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
- "{opts} alpn {alpn}\n"
+ "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
+ "sample_member_id_1 {opts} alpn {alpn}\n"
 " server sample_member_id_2 10.0.0.98:82 weight 13 "
- "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
- "{opts} alpn {alpn}\n\n").format(
+ "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
+ "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
 maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
 opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
 " ciphers " + constants.CIPHERS_OWASP_SUITE_B +
@@ -1410,11 +1410,11 @@ class TestHaproxyCfg(base.TestCase):
 " timeout connect 5000\n"
 " timeout server 50000\n"
 " server sample_member_id_1 10.0.0.99:82 weight 13 "
- "check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
- "{opts} alpn {alpn}\n"
+ "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
+ "sample_member_id_1 {opts} alpn {alpn}\n"
 " server sample_member_id_2 10.0.0.98:82 weight 13 "
- "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
- "{opts} alpn {alpn}\n\n").format(
+ "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
+ "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
 maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
 opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
 " ciphers " + constants.CIPHERS_OWASP_SUITE_B,
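Review bot: The four updated expectations (the hunks at 1331, 1410, 1450 and 1550) all pin the same shape, `check check-alpn {alpn} inter 30s ...`, on a TLS pool whose monitor does not take the `check-ssl` branch. The concatenation ` check-ssl verify none check-alpn ...` that macros.j2 now produces for HTTPS monitors is therefore not asserted in anything visible here. A case with an HTTPS health monitor on an ALPN pool would pin that ordering, and one with ALPN defined on a pool without TLS would show whether `check-alpn` should appear there at all. The expected strings sit inside test methods that start and end outside these hunks, so coverage elsewhere in the file cannot be ruled out.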
@@ -1450,11 +1450,11 @@ class TestHaproxyCfg(base.TestCase):
 " timeout connect 5000\n"
 " timeout server 50000\n"
 " server sample_member_id_1 10.0.0.99:82 weight 13 "
- "check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
- "{opts} alpn {alpn}\n"
+ "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
+ "sample_member_id_1 {opts} alpn {alpn}\n"
 " server sample_member_id_2 10.0.0.98:82 weight 13 "
- "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
- "{opts} alpn {alpn}\n\n").format(
+ "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
+ "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
 maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
 opts="ssl crt %s verify none sni ssl_fc_sni" % cert_file_path +
 " no-sslv3 no-tlsv10 no-tlsv11",
@@ -1550,11 +1550,11 @@ class TestHaproxyCfg(base.TestCase):
 " timeout connect 5000\n"
 " timeout server 50000\n"
 " server sample_member_id_1 10.0.0.99:82 weight 13 "
- "check inter 30s fall 3 rise 2 cookie sample_member_id_1 "
- "{opts} alpn {alpn}\n"
+ "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
+ "sample_member_id_1 {opts} alpn {alpn}\n"
 " server sample_member_id_2 10.0.0.98:82 weight 13 "
- "check inter 30s fall 3 rise 2 cookie sample_member_id_2 "
- "{opts} alpn {alpn}\n\n").format(
+ "check check-alpn {alpn} inter 30s fall 3 rise 2 cookie "
+ "sample_member_id_2 {opts} alpn {alpn}\n\n").format(
 maxconn=constants.HAPROXY_DEFAULT_MAXCONN,
 opts="%s %s %s %s %s %s" % (
 "ssl", "crt", pool_client_cert,
diff --git a/releasenotes/notes/fix-http-https-healthmonitor-with-alpn-pools-82249b2b9a025068.yaml b/releasenotes/notes/fix-http-https-healthmonitor-with-alpn-pools-82249b2b9a025068.yaml
new file mode 100644
index 0000000000..8db6b678e7
--- /dev/null
+++ b/releasenotes/notes/fix-http-https-healthmonitor-with-alpn-pools-82249b2b9a025068.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Fixed a bug with HTTP/HTTPS health-monitors on pools with ALPN protocols in
+ the amphora-driver. The healthchecks sent by haproxy were flagged as bad
+ requests by the backend servers. Updated haproxy configuration to use ALPN
+ for the heathchecks too.