John,

Thank you.  I had not run across the -c switch yet.  That might answer the mail.


From: Skarbek, John [mailto:john.skar...@ca.com]
Sent: Friday, February 12, 2016 7:47 AM
To: Edward Hart (c) <eh...@vmware.com>; Dennis Jacobfeuerborn 
<denni...@conversis.de>; haproxy@formilux.org
Subject: Re: HAProxy Failure Modes



--
John Skarbek


On February 11, 2016 at 18:13:50, Dennis Jacobfeuerborn 
(denni...@conversis.de) wrote:
On 11.02.2016 20:23, Edward Hart (c) wrote:
> Q1: Can HAProxy be configured to 'roll back' if a patch update causes a 
> HAProxy failure on a production server?
> Q2: Can HAProxy be configured to fail to a known safe state in the event of 
> server failure during operation?
>
> I am developing a Security Technical Implement Guide (STIG) for HAProxy. A 
> STIG is essentially a detailed checklist for hardening a given technology. 
> DoD uses them to provide cyber defense.
>
> Finding configurable ways to satisfy the below 2 requirements is proving 
> difficult.
>
> Req 1 : The web server must augment re-creation to a stable and known 
> baseline.

The best way to handle this is by using git for the configuration files
as it also has the added benefit of providing an audit trail. If that is
not possible then simply copy the current config to haproxy.conf.old
before you make changes. If the changes don't work simply copy that file
back to haproxy.conf and reload the configuration to restore the
previous configuration.

> Req 2 : The web server must be built to fail to a known safe state if system 
> initialization fails, shutdown fails, or aborts fail.

Maybe I don't understand this requirement properly but if the system
fails how is it supposed to automatically "unfail" itself? Can you
provide a specific example of such a failure and what state haproxy is
supposed to return to in that case?

Edward,

If you are able to nail down the option provided by Dennis above for your first 
question, you’d be able to achieve your request for your second question 
decently easily.  After dropping in a new configuration do a reload; haproxy 
checks the configuration file for errors before start and if for whatever 
reason its config file is not legit, it’ll stop the reload process and the old 
processes are never killed.  This is all pending the init script that you have in 
place.  
[Example](http://www.haproxy.org/download/contrib/haproxy.init.el5)


Regards,
Dennis
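An added example, not from anyone in this thread, that wires together the two answers above: validate the candidate with the -c switch, keep the haproxy.conf.old baseline copy Dennis suggests, reload, and restore the baseline if the reload fails. The config path and the HAPROXY_CHECK/HAPROXY_RELOAD overrides are assumptions; the actual reload command depends on your init script.

```shell
#!/bin/sh
# Added example: safe config rollout for HAProxy with rollback to a known baseline.
# Assumptions (not from the thread): config path, and that the check and reload
# commands may be overridden through environment variables so the function can
# be exercised without a live HAProxy.
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"
HAPROXY_CHECK="${HAPROXY_CHECK:-haproxy -c -f}"
HAPROXY_RELOAD="${HAPROXY_RELOAD:-systemctl reload haproxy}"

# deploy_haproxy_cfg <candidate-file>
# Returns 0 when the candidate is live, 1 when it was rejected or rolled back
# and the previous configuration is (still) in place.
deploy_haproxy_cfg() {
    candidate="$1"
    backup="${HAPROXY_CFG}.old"

    # 1. Validate before touching anything (haproxy -c -f <file>).
    if ! $HAPROXY_CHECK "$candidate" >/dev/null 2>&1; then
        echo "deploy: candidate rejected by config check, live config untouched" >&2
        return 1
    fi

    # 2. Keep the known-good baseline next to the live file.
    cp -p "$HAPROXY_CFG" "$backup"

    # 3. Swap in the candidate and reload.
    cp "$candidate" "$HAPROXY_CFG"
    if $HAPROXY_RELOAD >/dev/null 2>&1; then
        echo "deploy: reload ok, new config live" >&2
        return 0
    fi

    # 4. Reload failed: restore the baseline and reload it again.
    echo "deploy: reload failed, rolling back to $backup" >&2
    cp -p "$backup" "$HAPROXY_CFG"
    $HAPROXY_RELOAD >/dev/null 2>&1
    return 1
}
```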

