Load Balancer HAProxy

From wiki.techunit.org


Introduction

HAProxy is free, open-source software that provides a high-availability load balancer and proxy server for TCP and HTTP-based applications, spreading requests across multiple servers. It is written in C and has a reputation for being fast and efficient in processor and memory usage.
  • Tested on Debian 8
  • HAProxy version: 1.5.8

Configuration

Installation

aptitude install haproxy -y

Enable service

  • Edit /etc/default/haproxy
ENABLED=1

Default config file

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

Minimal config file

  • Now back up the default config
mv /etc/haproxy/haproxy.cfg{,.original}
  • and create a new one: /etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local0 notice        # Set your syslog server, default localhost
    maxconn 2000                       # Maximum number of concurrent connections on the frontend
    user haproxy
    group haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv2 no-sslv3

defaults                               # Default values
    log global
    option  dontlognull
    retries 3                          # the number of retries to perform on a server after a connection failure
    option redispatch                  # enables session redistribution in case of connection failure
    timeout connect  5000
    timeout client  10000
    timeout server  10000

Add a monitoring web page

  • Add this block to /etc/haproxy/haproxy.cfg
listen  stats 0.0.0.0:9000
    mode http
    stats uri /haproxy
    stats enable
    stats refresh 30
    stats auth admin:password
    maxconn 5
  • Restart the service
  • You can now monitor all your load-balanced services on this page. The stats auth line above is the credential the page asks for, so replace admin:password before exposing port 9000.
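The stats page also serves the same data as CSV when ;csv is appended to the stats URI (here /haproxy;csv), which is the form a monitoring script reads rather than the HTML table. The script below is an added example, not part of the wiki page: it parses a constructed copy of that export, reports every server that is not in an UP state, and flags listeners in which no server is left to take traffic. The listener and server names (SQL/sql01, FTP/ftp01, SMTP/mail01, ...) are borrowed from the TCP examples on this page; the counters are made up, and only the pxname, svname and status columns are read.

```python
import csv
import io

# Constructed sample of the CSV export the monitoring page serves when ";csv"
# is appended to the configured "stats uri" (http://<haproxy>:9000/haproxy;csv).
# Column order follows the HAProxy 1.5 stats format; only pxname, svname and
# status are read, the remaining numbers are illustrative.
SAMPLE_STATS_CSV = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,
stats,FRONTEND,,,0,1,5,12,3200,8400,0,0,0,,,,,OPEN,,,,,,,,
SQL,sql01,0,0,0,0,5000,0,0,0,,0,,4,0,0,0,DOWN,1,1,0,4,1,300,300,
SQL,BACKEND,0,0,0,0,200,0,0,0,0,0,,4,0,0,0,DOWN,0,0,0,,1,300,300,
FTP,ftp01,0,0,2,3,5000,44,9000,11000,,0,,0,0,0,0,UP,1,1,0,0,0,86400,0,
FTP,ftp02,0,0,0,0,5000,0,0,0,,0,,5,0,0,0,DOWN,1,1,0,3,1,120,120,
FTP,BACKEND,0,0,2,3,200,44,9000,11000,0,0,,5,0,0,0,UP,1,1,0,,1,120,120,
SMTP,mail01,0,0,1,2,5000,300,15000,12000,,0,,0,0,0,0,UP,1,1,0,0,0,86400,0,
SMTP,mail02,0,0,0,0,5000,0,0,0,,0,,0,0,0,0,MAINT,1,1,0,0,0,600,0,
SMTP,BACKEND,0,0,1,2,200,300,15000,12000,0,0,,0,0,0,0,UP,1,1,0,,0,600,0,
"""

# Per-proxy aggregate lines; they are not real servers and are skipped.
AGGREGATE_LINES = ("FRONTEND", "BACKEND")


def parse_stats_csv(text):
    """Parse the HAProxy stats CSV into a list of dicts keyed by column name.

    The first line is the header and starts with "# "; header and data lines
    both end with a trailing comma, so zip() lines the columns up.
    """
    header = None
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not fields:
            continue
        if header is None:
            fields[0] = fields[0].lstrip("# ")
            header = fields
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def is_healthy(status):
    """HAProxy reports transitional states such as "UP 2/3" or "DOWN 1/3";
    only a status beginning with UP means the server is taking traffic."""
    return status.startswith("UP")


def degraded_servers(rows):
    """Real servers (aggregate lines excluded) that are not in an UP state:
    DOWN from failed checks, MAINT, NOLB, or 'no check'."""
    return [
        (row["pxname"], row["svname"], row["status"])
        for row in rows
        if row["svname"] not in AGGREGATE_LINES and not is_healthy(row["status"])
    ]


def unavailable_proxies(rows):
    """Listeners/backends where no server is UP, i.e. the service is down."""
    healthy_by_proxy = {}
    for row in rows:
        if row["svname"] in AGGREGATE_LINES:
            continue
        healthy_by_proxy.setdefault(row["pxname"], []).append(is_healthy(row["status"]))
    return sorted(name for name, flags in healthy_by_proxy.items() if not any(flags))


if __name__ == "__main__":
    stats = parse_stats_csv(SAMPLE_STATS_CSV)
    for proxy, server, status in degraded_servers(stats):
        print(f"WARN {proxy}/{server} is {status}")
    for proxy in unavailable_proxies(stats):
        print(f"CRIT {proxy} has no healthy server")
```

Against a live instance the same functions would be fed the body of an HTTP GET on the stats URI with ;csv appended, using the credentials from the stats auth line; the distinction between a single degraded server and a proxy with no healthy server left is what separates a warning from a page-worthy outage.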

Configure a TCP load balancer

  • Add the following blocks to /etc/haproxy/haproxy.cfg

Example SQL

listen SQL 0.0.0.0:3306
    mode tcp
    balance source
    server sql01 10.0.0.1:3306 maxconn 5000 check

Example FTP

listen FTP 0.0.0.0:21
    mode tcp
    option tcplog
    balance source
    timeout client 86400000
    timeout server 86400000
    server ftp01 10.0.0.1:21 maxconn 5000 check
    server ftp02 10.0.0.2:21 maxconn 5000 check

Example SMTP

listen SMTP 0.0.0.0:25
    mode tcp
    option smtpchk
    balance roundrobin
    server mail01 10.0.0.1:25 maxconn 5000 check
    server mail02 10.0.0.2:25 maxconn 5000 check

Configure an HTTP load balancer

Backend configuration

backend www.example.com
    mode    http
    balance roundrobin
    cookie SERVERID insert indirect
    option forwardfor
    option httpclose
    server web1 10.0.0.1:80 cookie A check
    server web2 10.0.0.2:80 cookie B check

Frontend configuration

HTTP Frontend

frontend http-example
    mode    http
    option  httplog
    option  dontlognull

    bind 0.0.0.0:80
    reqadd X-Forwarded-Proto:\ http

HTTPS Frontend

frontend https-example
    mode    http
    option  httplog
    option  dontlognull

    bind 0.0.0.0:443 ssl crt /path/to/your/cert.pem
    reqadd X-Forwarded-Proto:\ https

ACLs to define backend

  • Under the frontend block
    #Declare your ACLs
    acl www.example.com hdr_end(host) -i www.example.com
    acl mail.example.com hdr_end(host) -i mail.example.com
    acl cloud.example.com hdr_end(host) -i cloud.example.com

    #use_backend <backend_name> if <acl_name>
    use_backend www.example.com if www.example.com
    use_backend mail.example.com if mail.example.com
    use_backend cloud.example.com if cloud.example.com

    #Define a default backend
    default_backend www.example.com
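To make the routing above concrete, here is an added example (not part of the wiki page) that models what the frontend does with the Host header: each ACL is a case-insensitive suffix match (hdr_end), the use_backend lines are evaluated top to bottom with the first match winning, and anything unmatched lands on default_backend. The backend and ACL names are the page's own; the sample Host values are constructed, and the exact-match variant (hdr_i) is included only to show the difference between hdr_end(host) and a plain hdr(host) match.

```python
# (ACL pattern, backend) pairs in the order the use_backend lines appear;
# HAProxy evaluates use_backend rules top to bottom and takes the first match.
ROUTES = [
    ("www.example.com", "www.example.com"),
    ("mail.example.com", "mail.example.com"),
    ("cloud.example.com", "cloud.example.com"),
]
DEFAULT_BACKEND = "www.example.com"


def hdr_end_i(host, pattern):
    """Equivalent of `hdr_end(host) -i <pattern>`: case-insensitive suffix match."""
    return host.lower().endswith(pattern.lower())


def hdr_i(host, pattern):
    """Equivalent of `hdr(host) -i <pattern>`: case-insensitive exact match."""
    return host.lower() == pattern.lower()


def choose_backend(host_header, matcher=hdr_end_i, routes=ROUTES, default=DEFAULT_BACKEND):
    """Return the backend the frontend selects for a request with this Host header.

    A missing Host header (old HTTP/1.0 clients) is treated as an empty string:
    it matches no ACL and therefore lands on default_backend.
    """
    host = (host_header or "").strip()
    for pattern, backend in routes:
        if matcher(host, pattern):
            return backend
    return default


def routing_table(hosts, matcher=hdr_end_i):
    """Map each Host value to its backend, for side-by-side comparison."""
    return {host: choose_backend(host, matcher) for host in hosts}


if __name__ == "__main__":
    # Constructed Host values covering the interesting cases.
    samples = ["www.example.com", "MAIL.Example.COM", "cloud.example.com:8443",
               "staging-mail.example.com", "other.example.org", ""]
    for host, backend in routing_table(samples).items():
        print(f"{host or '<no Host header>':30} -> {backend}")
```

Two behaviours are worth knowing before relying on this routing: because hdr_end is a suffix match, a Host such as staging-mail.example.com is routed to the mail backend, whereas an exact hdr(host) match sends it to the default; and a Host that carries an explicit port (cloud.example.com:8443) matches neither form and also falls through to the default backend.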

Elliot
techUnit's cofounder