Haproxy scripted checks

From: Craig <craig#haquarter.de>
Date: Thu, 09 Jul 2009 23:14:56 +0200


Hi Willy, hi list,

I've thought about haproxy checks a bit lately. Here is my approach: don't do these checks in C.

It's

a) not fun to code string/checks for every protocol in C
b) too time-inefficient
c) not flexible enough

Why re-invent the wheel?!

Let's abuse nagios plugins, iptables and do some bash scripting.

We'll use nagios-plugins to perform content checks on our services and if they are unavailable, we'll just firewall them; haproxy will be configured to do frequent tcp-checks only (100ms?!).

Nagios plugins are standardized
(http://nagiosplug.sourceforge.net/developer-guidelines.html) and offer a wide variation of functions.

A Nagios template to do a http check would look like this:

define command{

         command_name    check_http_get_string
         command_line    $USER1$/check_http -I $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -H $ARG3$ -p $ARG4$ -u $ARG5$ -s $ARG6$

# ARG1 = WARN
# ARG2 = CRIT
# ARG3 = vhost
# ARG4 = port
# ARG5 = URL
# ARG6 = String

}

It would be called like this as a service: check_http_get_string!10!20!www.foo.com!80!/index.jsp!"Expected result"

Basically we just make our own template (sample bash script follows...):

#!/bin/bash

# Where the nagios plugins live (assumed path, not given in the original mail).
plugindir=/usr/lib/nagios/plugins

# Runs the plugin and returns its exit status: 0 = OK, anything else = WARNING/CRITICAL/UNKNOWN.
check_http_get_string()
{
        $plugindir/check_http -I "$1" -w "$2" -c "$3" -H "$4" -p "$5" -u "$6" -s "$7" &>/dev/null
        return $?
}

# Is $1 currently rejected in the OUTPUT chain?
blocked()
{
        iptables -L OUTPUT -n | grep -q "REJECT.*[[:space:]]$1[[:space:]]"
}

block()
{
        iptables -A OUTPUT -d "$1" -j REJECT
}

unblock()
{
        iptables -D OUTPUT -d "$1" -j REJECT
}

host=192.168.0.23

if ! check_http_get_string "$host" 10 20 www.foo.com 80 /index.jsp "Expected result"
then
        # content check failed: firewall the host so haproxy's tcp-check sees it as down
        blocked "$host" || block "$host"
else
        if blocked "$host"
        then
                unblock "$host"
        fi
fi

You would have to specify how frequently a service is checked and when it is considered up again; but IMHO that would be rather easy to add.

I haven't tested the code, so please see it as an example; we'd read the configuration from a file and would iterate through a list of hosts/services and not just do a single check like in the example above. It's only meant to show you what I mean. I just didn't want to spend hours of coding to see a design flaw in it later.

Any ideas, opinions on this?

Best regards,
Craig

Received on 2009/07/09 23:14
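A fuller version of the loop the post sketches, added here as an example and not Craig's script: it reads the hosts/services from a config file, and adds the consecutive-failure and consecutive-success thresholds the post says would still need to be specified, so a single flapping check neither blocks nor unblocks a backend. The plugin directory, state directory and config-file layout are assumptions.

```shell
#!/bin/sh
# Config file: one service per line (constructed layout, not from the post):
#   host warn crit vhost port url fail_threshold ok_threshold string
PLUGINDIR=${PLUGINDIR:-/usr/lib/nagios/plugins}   # assumed plugin path
STATEDIR=${STATEDIR:-/var/tmp/haproxy-checks}     # assumed per-service state dir

# Nagios plugin exit status: 0 = OK, anything else counts as a failed check.
check_http_get_string() {
    "$PLUGINDIR/check_http" -I "$1" -w "$2" -c "$3" -H "$4" -p "$5" -u "$6" -s "$7" >/dev/null 2>&1
}
blocked() { iptables -L OUTPUT -n | grep -q "REJECT.*[[:space:]]$1[[:space:]]"; }
block()   { blocked "$1" || iptables -A OUTPUT -d "$1" -j REJECT; }
unblock() { blocked "$1" && iptables -D OUTPUT -d "$1" -j REJECT; }

# Pure decision logic (no iptables, no network) so it can be tested on its own.
# Args: state(up|down) streak result(0=ok) fail_threshold ok_threshold
# Prints: "newstate newstreak action", action is block, unblock or none.
next_state() {
    ns_state=$1 ns_streak=$2 ns_result=$3 ns_fail=$4 ns_ok=$5
    if [ "$ns_state" = up ]; then
        if [ "$ns_result" -eq 0 ]; then ns_streak=0; else ns_streak=$((ns_streak + 1)); fi
        if [ "$ns_streak" -ge "$ns_fail" ]; then echo "down 0 block"; return; fi
    else
        if [ "$ns_result" -ne 0 ]; then ns_streak=0; else ns_streak=$((ns_streak + 1)); fi
        if [ "$ns_streak" -ge "$ns_ok" ]; then echo "up 0 unblock"; return; fi
    fi
    echo "$ns_state $ns_streak none"
}

# One pass over every service; run it from cron or a sleep loop at the chosen interval.
run_pass() {
    conf=${1:-/etc/haproxy-checks.conf}
    mkdir -p "$STATEDIR"
    while read -r host warn crit vhost port url fail_t ok_t string; do
        case "$host" in ''|'#'*) continue ;; esac
        f="$STATEDIR/$host.$port"
        read -r state streak < "$f" 2>/dev/null || { state=up; streak=0; }
        check_http_get_string "$host" "$warn" "$crit" "$vhost" "$port" "$url" "$string"
        result=$?
        set -- $(next_state "$state" "$streak" "$result" "$fail_t" "$ok_t")
        echo "$1 $2" > "$f"   # persist state and streak between passes
        case "$3" in block) block "$host" ;; unblock) unblock "$host" ;; esac
    done < "$conf"
}

if [ "$#" -gt 0 ]; then run_pass "$1"; fi
```

Blocking needs root for iptables; the thresholds make a backend go down only after fail_threshold consecutive failed checks and come back only after ok_threshold consecutive successes.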

This archive was generated by hypermail 2.2.0 : 2009/07/09 23:30 CEST