tomdess / docker-haproxy-certbot

Dockerized HAProxy with Let's Encrypt certificates automatic renewal

Cert renewal blocks HAProxy indefinitely with Websocket connections #14

Closed njam closed 2 years ago

njam commented 2 years ago

Currently this container image is sending SIGUSR1 to HAProxy after renewing certificates to reload the config. This triggers a "soft-stop", which waits for all requests/connections to finish before restarting the server.

When proxying Websocket connections (which are usually open indefinitely), the soft-stop will never succeed, and at the same time HAProxy will not accept new connections anymore.

Possible solutions:

  1. Use a hard-reload instead of a soft-reload. This could be done by sending SIGTERM instead, but can also be done by setting hard-stop-after to a small value in the HAProxy config (e.g. hard-stop-after 1ms).
  2. Dynamically reload the SSL certs using the set ssl cert command (see blog post). This has the advantage that existing requests/connections are not affected, and SSL certs are reloaded on-the-fly, but it's more work and must be done in the renewal script.

This issue probably also affects HTTP proxies (but only slightly), in that the proxy will not accept any requests for a brief period while renewing certs (depending on how long the requests take to finish).
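The second option from the comment above, done as a small POSIX shell script. This is an added example, not code from docker-haproxy-certbot or from the commenter. It assumes HAProxy 2.1 or later with a runtime API socket enabled in haproxy.cfg (for example `stats socket /var/run/haproxy.sock mode 600 level admin`), that socat is installed, that the certificate name passed in is the same path HAProxy loaded with `crt` (the names are listed by `show ssl cert`), and that the new PEM is the combined file HAProxy expects (certificate chain followed by the private key). The socket path and certificate paths are placeholders.

```shell
#!/bin/sh
# Added example (not part of docker-haproxy-certbot): push a renewed
# certificate into a running HAProxy through its runtime API instead of
# signalling a reload, so open WebSocket connections stay up.
#
# Assumptions, all hypothetical for this illustration:
#   - HAProxy >= 2.1 with a stats socket enabled in haproxy.cfg, e.g.
#       stats socket /var/run/haproxy.sock mode 600 level admin
#   - the certificate was loaded with "crt <path>"; that same <path> is
#     the name HAProxy uses for it ("show ssl cert" lists the names)
#   - the new PEM is the combined file HAProxy expects: certificate chain
#     followed by the private key (fullchain.pem + privkey.pem)
#   - socat is installed

HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"

# Build the "set ssl cert" command with the PEM body passed as a CLI
# payload: the "<<" marker starts the payload and an empty line ends it.
# $1 = certificate name as HAProxy knows it, $2 = new PEM file on disk.
# $(cat ...) drops trailing newlines, so exactly one blank line follows.
build_set_cmd() {
  printf 'set ssl cert %s <<\n%s\n\n' "$1" "$(cat "$2")"
}

# Build the "commit ssl cert" command that atomically switches every
# listener using the certificate over to the staged content.
build_commit_cmd() {
  printf 'commit ssl cert %s\n' "$1"
}

# Send one command to the stats socket and pass HAProxy's reply through.
send_cmd() {
  socat stdio "UNIX-CONNECT:${HAPROXY_SOCK}"
}

# Stage and commit in two socket sessions (a non-interactive CLI session
# handles one command). Returns non-zero if HAProxy did not confirm the
# commit with "Success!", so a certbot deploy hook fails loudly instead
# of silently keeping the old certificate in service.
reload_cert() {
  cert_name="$1"
  pem_file="$2"

  reply="$(build_set_cmd "$cert_name" "$pem_file" | send_cmd)"
  echo "$reply"
  case "$reply" in
    *"Transaction created"*) ;;
    *) echo "set ssl cert failed for $cert_name" >&2; return 1 ;;
  esac

  reply="$(build_commit_cmd "$cert_name" | send_cmd)"
  echo "$reply"
  case "$reply" in
    *Success*) return 0 ;;
    *) echo "commit ssl cert failed for $cert_name" >&2
       # Drop the staged transaction so a later retry starts clean.
       printf 'abort ssl cert %s\n' "$cert_name" | send_cmd >/dev/null
       return 1 ;;
  esac
}

# Usage from a certbot deploy hook (paths are placeholders):
#   reload_cert /etc/haproxy/certs/example.com.pem /tmp/example.com.combined.pem
```

Compared with the hard-stop-after workaround, which ends the soft-stop by killing the old process and so drops the long-lived WebSocket connections it was holding, this path neither hangs nor disconnects anyone: the listeners simply start handing out the new certificate on the next handshake. Because `level admin` lets anyone who can open the socket change the running configuration, keep the socket's file mode restrictive and do not expose it over TCP without access controls.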

tomdess commented 2 years ago

Just created tag 2.4.1 as a workaround for this bug using the hard-stop-after config entry in haproxy configuration (1st solution proposed), thank you @njam

njam commented 2 years ago

:+1: thanks! I think this ticket can be closed then right?