haproxy_safe_reload.sh

#!/usr/bin/env bash
#
# HAProxy wrapper to make reloads safer
#
# THIS FILE IS AUTOMATICALLY DISTRIBUTED BY PUPPET. ANY LOCAL CHANGES WILL BE OVERWRITTEN!

HAPROXY_DIR=/etc/haproxy
HAPROXY_BIN=/usr/sbin/haproxy

check() {
  $HAPROXY_BIN -f $HAPROXY_DIR/haproxy.cfg -c
}

get_ports() {
  /usr/bin/lsof -i -sTCP:LISTEN | \
    /bin/grep haproxy | \
    /bin/grep LISTEN | \
    /usr/bin/awk '{ print $9 }' | \
    /usr/bin/tr ':' ' ' | \
    /usr/bin/awk '{ print $2 }' | \
    /usr/bin/sort | /usr/bin/uniq
}

disable_syn() {
  for i in `get_ports`; do
    echo "Disabling SYN on $i"
    /sbin/iptables -I INPUT -p tcp --dport $i --syn -j DROP
  done
}

enable_syn() {
  for i in `get_ports`; do
    echo "Enabling SYN on $i"
    /sbin/iptables -D INPUT -p tcp --dport $i --syn -j DROP
  done
}

reload() {
  /etc/init.d/haproxy reload
}

safereload() {
  check
  if [ $? -eq 0 ]; then
    disable_syn
    sleep 1
    reload
    enable_syn
  else
    exit $?
  fi
}

command=$1
case "$command" in
  check)
    check
  ;;
  safereload)
    safereload
  ;;
  *)
    echo "Usage: $0 [ check | safereload ]"
    exit 1
  ;;
esac