Working configuration for haproxy with force-persist

I’m not sure if I am missing a key part of the configuration or if I just fundamentally misunderstand the purpose of force-persist in haproxy (using version 1.5.11 on Ubuntu 14.04). From the documentation:

The force-persist statement allows you to declare various ACL-based conditions that, when met, will cause a request to ignore the down status of a server and still try to connect to it. This makes it possible to start a server that is still replying with an error to the health checks, and run a specially configured browser to test the service.

This is similar to what I want, where I can put all application servers in “maintenance mode” for code deployment, but still allow certain IP addresses to connect to check them after deployment, before giving everyone access again. Here is the configuration I set up:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 300s
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    listen mysite
        bind *:80
        bind *:443 ssl crt mysite.pem
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        redirect scheme https if !{ ssl_fc }
        balance roundrobin
        option forwardfor
        option httpchk HEAD /haproxy_health_check.php
        acl whitelist src -f /etc/haproxy/whitelist.lst
        force-persist if whitelist
        server app-1 10.1.4.32:80 maxconn 20 check inter 10000

With this configuration, I think I would have to run the following command:

 echo "disable server mysite/app-1" | socat /run/haproxy/admin.sock stdio 

to take the one application server down, and as long as I am coming from an IP address specified in /etc/haproxy/whitelist.lst, I should still see the website as if the server were still up. However, what I see is the 503 error page, which I would normally expect if I were a regular user, but not when coming from the whitelist. To rule out an incorrect IP address or an incorrect acl statement, I tried a variant in which I simply set:

 force-persist if TRUE 

From my reading of the documentation, I would think that it would act as if I had never disabled the server, no matter what IP address I come from. Unfortunately, I'm still getting the 503.

There are more heavy-handed ways, involving swapping in extra configuration and reloading haproxy, that I could use to get this to work, but “force-persist” along with the convenient ability to disable a server via the command line looks a lot more elegant, and I would definitely prefer this if I could make it work.

Has anyone else tried to get haproxy to work this way? Am I misinterpreting force-persist? Do I need an extra bit of configuration to make it work?

+5
1 answer

There is no rule in this configuration to indicate what to persist on. You will usually use this in conjunction with cookie-based persistence. For instance:

    cookie SERVERID insert indirect nocache
    server srv1 1.1.1.1:80 cookie s1 check
    server srv2 2.2.2.2:80 cookie s2 check
    acl from_management_net src 10.0.0.0/8
    force-persist if from_management_net

Then, on your client, visit the first server, get the assigned cookie, disable the server and visit it again, and you will still land on it. Typically, people implement a specific HTML page that lists all the servers and their cookies, which helps select a server from the client by simply clicking on it.

+4
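The answer's point applied to the configuration from the question, as an added example that is not part of the original posts: the same `listen mysite` section with a cookie persistence rule, so that force-persist has a persistence decision to honor. The cookie value `a1` and the `<haproxy-host>` placeholder are assumptions; everything else is taken from the question.

```haproxy
# Added example: the question's "listen mysite" section plus the answer's
# cookie-based persistence. The cookie value "a1" is made up.
listen mysite
    bind *:80
    bind *:443 ssl crt mysite.pem
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    balance roundrobin
    option forwardfor
    option httpchk HEAD /haproxy_health_check.php

    # Persistence rule: haproxy adds "Set-Cookie: SERVERID=<value>" to
    # responses and sends later requests carrying that cookie back to the
    # server whose "cookie" value matches.
    cookie SERVERID insert indirect nocache

    # force-persist does not pick a server by itself. It only tells haproxy
    # to keep honoring an existing persistence match (here, the cookie)
    # when the matched server is down or in maintenance.
    # "src" is the address of the TCP peer haproxy sees, so the list should
    # hold only addresses that connect to haproxy directly.
    acl whitelist src -f /etc/haproxy/whitelist.lst
    force-persist if whitelist

    server app-1 10.1.4.32:80 cookie a1 maxconn 20 check inter 10000

# Check after a deployment, from an address in whitelist.lst:
#   echo "disable server mysite/app-1" | socat /run/haproxy/admin.sock stdio
#   curl -i -b 'SERVERID=a1' https://<haproxy-host>/    # should reach app-1
#   curl -i https://<haproxy-host>/                     # no cookie: 503
#   echo "enable server mysite/app-1" | socat /run/haproxy/admin.sock stdio
```

Requests without the cookie, and requests from addresses outside the whitelist, still get the 503 while the server is disabled.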

Source: https://habr.com/ru/post/1216055/

