Use HAProxy to redirect connections to the active HashiCorp Vault cluster.
Use the following HAProxy configuration to experiment with a primary/secondary HashiCorp Vault cluster setup.
```
[...]

# consul agent
resolvers consul
    nameserver consul 127.0.0.1:8600
    accepted_payload_size 8192
    hold valid 5s

# https frontend
frontend https-frontend
    bind *:443 ssl crt /etc/haproxy/haproxy.pem

    # match vault address
    acl is-vault hdr(host) -i vault-primary.octocat.cloud

    # check if backend is dead
    acl is-vault-backend-dead nbsrv(vault-ui-backend) lt 1

    # redirect to secondary vault if primary backend is dead
    # (no host condition, so this applies to every request on this frontend)
    http-request redirect location https://vault-secondary.octocat.cloud if is-vault-backend-dead

    # use backend if address match
    use_backend vault-ui-backend if is-vault

# primary vault backend
backend vault-ui-backend
    ## simple http check
    # option httpchk GET /v1/sys/health

    ## advanced http check, see https://www.vaultproject.io/api-docs/system/health
    option httpchk
    http-check send meth GET uri /v1/sys/health
    http-check expect status 200,473

    # backend server template
    server-template vault 1-5 _vault._tcp.service.consul resolvers consul resolve-prefer ipv4 check ssl ca-file /etc/haproxy/vault-ca.pem send-proxy
```
It is a simple configuration snippet, so play with it.
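To see which cluster states trigger the redirect, the following added example (not part of the original snippet) models the health check and the frontend rules in Python. The scenarios are constructed, and the function names `nbsrv` and `route` are illustrative; the status codes are the ones documented for Vault's `/v1/sys/health` endpoint.

```python
"""Model of the frontend/backend decision in the HAProxy snippet above."""

# Status codes documented for Vault's GET /v1/sys/health
VAULT_HEALTH = {
    200: "initialized, unsealed, active",
    429: "unsealed, standby",
    472: "DR secondary, active",
    473: "performance standby",
    501: "not initialized",
    503: "sealed",
}

# From the snippet: http-check expect status 200,473
EXPECTED = {200, 473}
VAULT_HOST = "vault-primary.octocat.cloud"
SECONDARY = "https://vault-secondary.octocat.cloud"


def nbsrv(health_codes):
    """Count servers the check would mark up; None means no HTTP response."""
    return sum(1 for code in health_codes if code in EXPECTED)


def route(host, health_codes):
    """Evaluate the frontend rules in the order they appear in the snippet."""
    is_vault = host.lower() == VAULT_HOST      # acl is-vault hdr(host) -i ...
    backend_dead = nbsrv(health_codes) < 1     # acl is-vault-backend-dead
    if backend_dead:                           # redirect rule has no host condition
        return ("redirect", SECONDARY)
    if is_vault:                               # use_backend ... if is-vault
        return ("use_backend", "vault-ui-backend")
    return ("no_backend", None)                # snippet defines no default_backend


# Constructed scenarios: one health code per resolved Vault server
SCENARIOS = {
    "active + two standbys": [200, 429, 429],
    "all sealed": [503, 503, 503],
    "standbys only (no leader)": [429, 429],
    "one node unreachable, one perf standby": [None, 473],
}

if __name__ == "__main__":
    for name, codes in SCENARIOS.items():
        print(f"{name}: up={nbsrv(codes)} -> {route(VAULT_HOST, codes)}")
    print("other host, all sealed ->", route("other.octocat.cloud", [503, 503]))
```

Standby nodes answer 429 and are therefore counted as down, so a healthy three-node cluster shows a single server up, and the redirect also fires for hosts other than `vault-primary.octocat.cloud` once that count reaches zero.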