On Mon, Nov 10, 2014 at 01:45:45PM +0100, Cyril Bonté wrote:
> Hi,
> 
> On 10/11/2014 12:54, Lasse Birnbaum Jensen wrote:
> >Hi all
> >
> >I have a problem with agent checks on an ssl backend (I cannot change the 
> >backend to http). This configuration forces the agent-check port to expect ssl, 
> >which seems like a bug.
> >
> >backend test
> >  server b1 1.2.3.4:443 ssl check verify none agent-check agent-port
> >
> >
> >Agent check fails with:
> >
> >Agent check for server test/b1 failed, reason: Layer6 invalid response, 
> >info: "Connection error during SSL handshake (Connection reset by peer)", 
> >check duration: 20ms, status: 1/1 UP
> >
> >Agent-check is defined to do a cleartext request to agent-port and parse the 
> >result.
> >
> >I cannot find anything in the doc about overwriting such that ssl only 
> >applies to health check and not agent check. Can anyone help?
> 
> Indeed, I think there's a bug introduced by commit 6618300e13 [1]
> Both checks and agent checks are using a common transport layer (xprt in
> struct check_common from this commit).
> 
> IMHO, we should split the transport layer for each check, and enforce
> "raw_sock" for agent checks.
> 
> I add Simon to the discussion, as he worked on it.
> Simon, do you agree with that?
> 
> [1] 
> http://www.haproxy.org/git?p=haproxy.git;a=commit;h=6618300e13587cac63c34b974cd54d52fc129fde

Yes, that sounds reasonable to me.
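
To confirm from the agent side whether HAProxy is speaking TLS to the agent port, as described in this thread, a cleartext agent can inspect the first bytes it receives. The following is an added example, not code from the thread or from HAProxy; the listening port is taken from the command line, the agent is assumed to reply `up`, and the ClientHello bytes are constructed sample data.

```python
import select
import socket
import sys

# Constructed sample: start of a TLS record (handshake, version 3.1) with a ClientHello.
SAMPLE_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record carrying a ClientHello."""
    # Record header is 5 bytes: type 0x16, major version 0x03, minor, 2-byte length.
    # Byte 5 is the handshake message type; 0x01 means ClientHello.
    return (len(data) >= 6 and data[0] == 0x16
            and data[1] == 0x03 and data[5] == 0x01)


def handle_agent_connection(conn: socket.socket, state: str = "up",
                            wait: float = 0.2) -> str:
    """Serve one agent-check connection and report what the peer spoke."""
    # A cleartext agent check needs no request here, so wait only briefly.
    readable, _, _ = select.select([conn], [], [], wait)
    first = conn.recv(16) if readable else b""
    try:
        if looks_like_tls_client_hello(first):
            # The checker wrapped the agent connection in TLS: do not answer.
            return "tls"
        conn.sendall(state.encode("ascii") + b"\n")
        return "cleartext"
    except OSError:
        return "error"
    finally:
        conn.close()


def serve(port: int) -> None:
    """Accept agent-check connections forever and log the detected transport."""
    with socket.create_server(("", port)) as srv:
        while True:
            conn, peer = srv.accept()
            print(peer[0], handle_agent_connection(conn), flush=True)


if __name__ == "__main__":
    serve(int(sys.argv[1]))  # port is supplied by the operator
```

A `tls` result for connections from the load balancer means the agent check inherited the server's `ssl` transport instead of using a raw socket.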
