Website Migration Notice: SafePoint is now operated by CyberServal.Learn more →
DiscussionSLA
Sign inSign up

Regarding Upstream Health Checks and Failover

Published 4 months ago

# SafeLine WAF
# 💡 feature
# 💪 improve

Published 4 months ago

profile_photo

Fury

Updated 4 months ago

0

Summary:
Safeline works well as a WAF, but there is a critical gap from a high-availability (HA) perspective.
Details:
Safeline performs upstream HTTP health checks (GET) and can detect abnormal backend states such as timeouts, connection refused, or 5xx responses.
However, when a backend is DOWN or returning repeated 502/5xx errors, Safeline does not automatically fail over traffic to another healthy upstream.
As a result, even though the upstream is marked abnormal, clients can still receive errors, which limits Safeline’s role in HA scenarios.
Main pain points:
No mechanism for:
active health checks with routing decisions
automatically excluding unhealthy upstreams
retrying or redispatching requests to healthy backends
For production HA use cases, users still need an external load balancer (NGINX / HAProxy) behind Safeline.
Suggestions / Feature request:
Add optional active health check and failover logic, such as:
marking upstreams DOWN after N failures
routing traffic only to healthy upstreams
configurable retry on 5xx / timeout
Or at minimum, clarify the product positioning in documentation that Safeline is a WAF only and not an HA-aware load balancer, to avoid incorrect expectations.

Related Posts
#
Webhook Response
#
Load Balancing to two upstream servers.
#
Adding the Ability to Create Users with LDAP/Active Directory
#
Access log viewer
#
Safari - Challenge Not Work