
HAProxy Load Balancer Configuration

HAProxy is a free, open source, very fast and reliable solution offering high availability, load balancing and proxying for TCP and HTTP-based applications. It is particularly suited to web sites crawling under very high loads that need persistence or Layer 7 processing. It distributes the workload across a set of servers to maximize performance and optimize resource usage.

HAProxy can be used for web applications (HTTP/HTTPS) as well as for TCP-based applications (MySQL, SSL, SMTP, etc.).

Installation

Download and install the latest version of HAProxy from one of the locations below.

Option 1: Download and install from source (tar.gz), available at http://haproxy.1wt.eu/#down

Installation steps on Linux (run as root):

# wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.22.tar.gz
# tar xzvf haproxy-1.4.22.tar.gz
# cd haproxy-1.4.22
# make TARGET=linux26
# make install

The 1.4 Makefile needs a build target before "make install": linux26 suits 2.6 kernels and linux2628 kernels 2.6.28 and later.

Option 2: Download and install from the RPM package available at http://repo.nixval.com/nixval-centos/5/updates/haproxy-1.4.9-1.el5.x86_64.rpm

Installation steps on Linux (run as root):

# wget http://repo.nixval.com/nixval-centos/5/updates/haproxy-1.4.9-1.el5.x86_6…
# rpm -ivh haproxy-1.4.9-1.el5.x86_64.rpm

Configuration

Once HAProxy is installed, the configuration file haproxy.cfg lives in the /etc/haproxy/ directory. The RPM creates it for you; a source build installs only the binary, so in that case create the directory and the file yourself.

Open the file and you will find the 4 sections described below:

  1. global – Process-wide settings for HAProxy: maximum connections, pid file, log destination, the user/group the haproxy daemon runs as, and so on.

  2. defaults – Default options that apply to every frontend and backend unless a section overrides them.

  3. frontend – Where HAProxy listens (IP address/port) and what it does with incoming traffic. You can declare more than one frontend when different kinds of traffic (HTTP, HTTPS, SMTP, etc.) have to be forwarded.

  4. backend – The actual application servers HAProxy forwards traffic to. If HAProxy load-balances HTTP traffic, for example, the backends are web servers or reverse proxies such as Varnish.

You can define more than one backend, depending on the frontend configuration, and more than one application server within a single backend for failover and load balancing, which is what makes the application highly available.

Below is a sample configuration file for HAProxy; the comment following each directive explains what it does:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log 127.0.0.1 local2 info
    # Sends all log messages of level "info" and above to the local syslog
    # server (facility local2). The syslog daemon must be configured to
    # accept messages from the network (the -r option of classic syslogd).
    log 127.0.0.1 local2 notice
    # Same destination, limited to level "notice" and above. Note that with
    # both lines pointing at the same server, notice-level messages are
    # delivered twice; the "info" line alone already covers them.
    chroot /var/lib/haproxy
    # Runs the process in a chroot jail, which raises the bar considerably
    # should an unknown vulnerability in HAProxy be exploited.
    pidfile /var/run/haproxy.pid
    # Writes the PIDs of all daemons into <pidfile>.
    maxconn 4000
    # Maximum number of concurrent connections for the whole process.
    user haproxy
    # Switches to this user after start-up. Use an account dedicated to
    # HAProxy (or to a small set of similar daemons). HAProxy must be started
    # as root to be able to drop to another user.
    group haproxy
    # Switches to this group after start-up; same recommendation as for "user".
    daemon
    # Runs in the background (daemon mode).
    stats socket /tmp/haproxy
    # Creates a UNIX stream socket at <path> for the runtime stats interface.
    # Anyone who can open this socket can query, and at higher levels alter,
    # the running proxy, so restrict it with the "mode", "uid"/"gid" and
    # "level" parameters rather than leaving it world-accessible in /tmp.

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    # Work in HTTP mode unless a frontend or backend overrides it; use this
    # when HAProxy mainly handles HTTP traffic.
    log global
    # Use the log servers declared in the global section.
    option dontlognull
    # Do not log connections on which no data was transferred (typically
    # bare TCP probes from monitoring systems).
    option redispatch
    # In HTTP mode, a client whose cookie designates a server that is down
    # would otherwise keep being sent to it, because the client cannot flush
    # the cookie, and would lose access to the service. This option lets
    # HAProxy break that persistence and redistribute the client to a
    # working server.
    timeout connect 10000
    # Maximum time (in milliseconds) to wait for a TCP connection to a
    # backend server to be established: 10 seconds here.
    timeout client 300000
    # Inactivity timeout (in milliseconds) while the client is expected to
    # acknowledge or send data. In HTTP mode this matters during the first
    # phase, while the client sends the request, and during the response,
    # while it reads the data sent by the server.
    timeout server 300000
    # Inactivity timeout (in milliseconds) while the server is expected to
    # acknowledge or send data. In HTTP mode this mainly covers the first
    # phase of the response, when the server has to send the headers, so it
    # directly represents the server's processing time for the request.
    maxconn 60000
    # Maximum number of concurrent connections a frontend will accept; excess
    # connections wait in the kernel's listen queue until a connection closes.
    # The global "maxconn 4000" above caps the whole process, so in this file
    # a frontend can never actually reach 60000.
    retries 3
    # Number of connection attempts to a server after a connection is refused
    # or times out. The default is 3.

#---------------------------------------------------------------------
# main frontend which proxies to the backends - HTTP
#---------------------------------------------------------------------
frontend http-in
    # "http-in" is the name of this frontend.
    bind *:80
    # Listen on port 80 on all network interfaces for this frontend.
    mode http
    # As in the defaults section.
    acl bad_ip src 192.168.100.100
    # ACL "bad_ip" matches when the source IP is 192.168.100.100.
    acl header hdr_cnt(X-Forwarded-For) gt 0
    # ACL "header" matches when the request already carries an
    # X-Forwarded-For header (hdr_cnt counts occurrences of the header;
    # an ACL with no pattern at all never matches in 1.4).
    block if bad_ip || header
    # Deny the request with HTTP 403 when it matches ACL "bad_ip" or ACL
    # "header". More ACLs can be added in the same way as required.
    option httpclose
    # By default HAProxy only analyses, logs and processes the first request
    # of each connection. With "option httpclose" it checks whether a
    # "Connection: close" header is present in each direction and adds one
    # if missing, so the TCP connection is closed after each transfer and
    # every request goes through the rules above.
    option forwardfor
    # Add an "X-Forwarded-For" header carrying the client's source IP to
    # every request sent to the servers.
    default_backend apache
    # Backend to use for this frontend: the actual application servers
    # requests are forwarded to.

#---------------------------------------------------------------------
# main frontend which proxies to the backends - HTTPS
#---------------------------------------------------------------------
frontend https-in
    # "https-in" is the name of this frontend.
    bind *:443
    # Listen on port 443 on all network interfaces for this frontend.
    mode tcp
    # Pure TCP mode: a full-duplex connection is established between client
    # and server and no layer 7 inspection is performed. Use it for
    # load-balancing anything other than plain HTTP, e.g. HTTPS, MySQL, SMTP.
    acl bad_ip src 192.168.100.100
    # As explained in the http-in frontend above. "src" is evaluated at the
    # connection level, so it works in TCP mode.
    tcp-request connection reject if bad_ip
    # In TCP mode HAProxy never sees HTTP headers, so the "header" ACL and the
    # "block" rule used in the http-in frontend cannot be applied here (HAProxy
    # would warn that they are ignored or can never match). The connection from
    # the bad IP is rejected at the TCP level instead.
    default_backend apache_https
    # As explained in the http-in frontend above.

#---------------------------------------------------------------------
# Backend configuration for frontend http-in
#---------------------------------------------------------------------
backend apache
    # "apache" is the name of the backend used by the http-in frontend.
    mode http
    # As explained in the http-in frontend above.
    balance source
    # The source IP address is hashed and divided by the total weight of the
    # running servers to choose the server that receives the request. The
    # same client IP therefore always reaches the same server as long as no
    # server goes down or comes up. If the number of running servers changes,
    # the hash result changes and many clients are moved to a different server.
    option httplog
    # Enable the much richer HTTP log format, which includes (among other
    # things) the HTTP request, the connection timers, the session status,
    # the connection counters, captured headers and cookies, the frontend,
    # backend and server names, and of course the source address and port.
    option httpclose
    # As explained in the http-in frontend above.
    option forwardfor except 127.0.0.1
    # As explained in the http-in frontend above, except that no
    # "X-Forwarded-For" header is added for requests coming from 127.0.0.1.
    cookie SERVERID insert indirect nocache
    # SERVERID is the name of the cookie HAProxy inserts in each response so
    # that the client sticks to the server chosen by the load-balancing
    # algorithm. "indirect" removes the cookie from requests before they reach
    # the server and "nocache" marks a response as non-cacheable whenever the
    # cookie had to be inserted.
    # The actual backend/application servers are listed below.
    server app1 192.168.100.200:80 cookie server01 check
    # "app1" identifies the web server at 192.168.100.200; its value for the
    # SERVERID cookie (see above) is server01. "check" enables health checks
    # on the specified port, i.e. port 80.
    server app2 192.168.100.201:80 cookie server02 check
    # "app2" identifies the web server at 192.168.100.201; its value for the
    # SERVERID cookie is server02. "check" enables health checks on port 80.
    #### The directives below expose HAProxy's statistics page, for example
    #### http://<server-IP>/haproxy?stats, protected by HTTP basic auth with
    #### the username "hauser" and password "hapassword". The page refreshes
    #### automatically every 5 seconds. Basic-auth credentials travel in clear
    #### text over the port-80 frontend, so change them and restrict who can
    #### reach the URL.
    stats enable
    stats hide-version
    stats scope .
    stats realm Haproxy\ Statistics
    stats uri /haproxy?stats
    stats auth hauser:hapassword
    stats refresh 5s

#---------------------------------------------------------------------
# Backend configuration for frontend https-in
#---------------------------------------------------------------------
backend apache_https
    # "apache_https" is the name of the backend used by the https-in frontend.
    mode tcp
    # As explained in the https-in frontend above.
    option tcplog
    # The TCP-mode counterpart of "option httplog".
    balance source
    # As explained in the apache backend above.
    server app1 192.168.100.200:443 check
    # As explained in the apache backend above; no cookie is inserted in TCP mode.
    server app2 192.168.100.201:443 check
    # As explained in the apache backend above; no cookie is inserted in TCP mode.
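The "option httplog" format that the apache backend above switches on is where most of the operational evidence ends up: which clients hit the "block" rules, which servers refused connections, and which requests were slow. The following parser is an added example written for this page, not code from the HAProxy project; the log lines it works on are constructed to match the 1.4 httplog layout documented above (no captured headers, since the sample configuration has no "capture" directives), and the thresholds and field names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the 1.4 "option httplog" format, with the prefix the
# local syslog server adds. Addresses, dates and requests are made up for the example.
SAMPLE_LOG = """\
Feb  6 12:14:14 lb1 haproxy[14389]: 10.0.1.2:33317 [06/Feb/2013:12:14:14.655] http-in apache/app1 10/0/30/69/109 200 2750 - - ---- 1/1/1/1/0 0/0 "GET /index.html HTTP/1.1"
Feb  6 12:14:15 lb1 haproxy[14389]: 10.0.1.3:40002 [06/Feb/2013:12:14:15.101] http-in apache/app2 5/0/-1/-1/3006 503 212 - - SC-- 3/3/2/1/3 0/0 "GET /login HTTP/1.1"
Feb  6 12:14:16 lb1 haproxy[14389]: 192.168.100.100:51000 [06/Feb/2013:12:14:16.020] http-in http-in/<NOSRV> 2/-1/-1/-1/2 403 187 - - PR-- 4/4/0/0/0 0/0 "GET /admin HTTP/1.1"
Feb  6 12:14:17 lb1 haproxy[14389]: 10.0.1.4:52100 [06/Feb/2013:12:14:17.300] http-in apache/app1 3/0/1/20/2501 200 5120 - - cD-- 2/2/1/1/0 0/0 "GET /download HTTP/1.1"
Feb  6 12:14:18 lb1 haproxy[14389]: 10.0.1.5:52101 [06/Feb/2013:12:14:18.400] http-in apache/app2 4/0/2/1850/1860 200 900 - - ---- 2/2/1/1/0 0/0 "POST /search HTTP/1.1"
"""

# One httplog line: client, accept date, frontend, backend/server, the five timers
# Tq/Tw/Tc/Tr/Tt, status, bytes, captured cookies, termination state, connection
# counters (retries may carry a "+" when the session was redispatched), queues,
# optional captured header blocks, and the quoted request line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>\S+)/(?P<server>\S+) "
    r"(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<status>-?\d+) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) "
    r"(?P<term>\S{4}) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "
    r"(?:\{(?P<req_hdrs>[^}]*)\} )?(?:\{(?P<resp_hdrs>[^}]*)\} )?"
    r'"(?P<request>[^"]*)"$'
)

# Meaning of the first character of the 4-character termination state.
TERM_FIRST = {
    "-": "normal", "C": "client aborted", "S": "server aborted or refused",
    "P": "blocked by proxy rule", "R": "proxy resource exhausted",
    "I": "proxy internal error", "c": "client-side timeout", "s": "server-side timeout",
}

INT_FIELDS = ("client_port", "tq", "tw", "tc", "tr", "tt", "status", "bytes", "actconn",
              "feconn", "beconn", "srv_conn", "srv_queue", "backend_queue")


def parse_line(line):
    """Return the fields of one httplog line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["redispatched"] = rec["retries"].startswith("+")  # "+" marks a redispatch
    rec["retries"] = int(rec["retries"].lstrip("+"))
    return rec


def analyse(log_text, slow_ms=1000):
    """Summarise a batch of log lines: status codes per server, clients denied by
    block/ACL rules, server-side failures and slow responses (Tr >= slow_ms)."""
    per_server = defaultdict(Counter)
    by_termination = Counter()
    blocked = Counter()
    server_failures = []
    slow = []
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        per_server[rec["server"]][rec["status"]] += 1
        first = rec["term"][0]
        by_termination[TERM_FIRST.get(first, "unknown")] += 1
        if first == "P":                      # denied by "block"/ACL rules (HTTP 403)
            blocked[rec["client_ip"]] += 1
        elif first in "Ss":                   # server refused, aborted or timed out
            server_failures.append((rec["server"], rec["status"], rec["retries"]))
        if rec["tr"] >= slow_ms:
            slow.append((rec["client_ip"], rec["request"], rec["tr"]))
    return {
        "per_server": {s: dict(c) for s, c in per_server.items()},
        "by_termination": dict(by_termination),
        "blocked": dict(blocked),
        "server_failures": server_failures,
        "slow": slow,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Blocked requests show up with the frontend name in the backend column and <NOSRV> as the server, a 403 status and a termination state starting with "P"; a state starting with "S" together with a retries count of 3 means every attempt allowed by "retries 3" was refused, which is the signal to look at the server rather than the proxy.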

Points to be considered

  • In the above example the load-balancing method is source-IP based ("balance source"). Other methods such as roundrobin, static-rr and leastconn are available as well; use them as your requirements dictate.
  • Inserting a cookie is not supported in "mode tcp", i.e. in the SSL configuration of the above example file.
  • "option forwardfor" is not supported in "mode tcp" either: HAProxy passes the encrypted stream through untouched and cannot add headers to it, so the servers will not see the client's source IP on SSL-based connections (stunnel is a workaround for this).
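The four-section layout described in the Configuration section and the "mode tcp" limitations listed above are easy to check mechanically before reloading the proxy. The following linter is an added example written for this page, not a tool shipped with HAProxy: it splits a haproxy.cfg into its global/defaults/frontend/backend sections, resolves each section's effective mode, and reports HTTP-only directives placed in TCP-mode sections, frontends whose default_backend does not exist, servers without "check", and a stats socket with no mode/level restriction. The configuration it runs on is constructed for the example and deliberately contains each of those mistakes.

```python
import re

# Constructed excerpt in the shape of the haproxy.cfg above, seeded with the mistakes
# the linter looks for. Addresses and names are made up for the example.
SAMPLE_CFG = """\
global
    log 127.0.0.1 local2 info
    stats socket /tmp/haproxy

defaults
    mode http

frontend http-in
    bind *:80
    acl bad_ip src 192.168.100.100
    block if bad_ip
    default_backend apache

frontend https-in
    bind *:443
    mode tcp
    acl bad_ip src 192.168.100.100
    acl header hdr_cnt(X-Forwarded-For) gt 0
    block if bad_ip || header
    default_backend apache_https

frontend smtp-in
    bind *:25
    mode tcp
    default_backend postfix

backend apache
    balance source
    cookie SERVERID insert indirect nocache
    server app1 192.168.100.200:80 cookie server01 check
    server app2 192.168.100.201:80 cookie server02

backend apache_https
    mode tcp
    server app1 192.168.100.200:443 check
    server app2 192.168.100.201:443 check
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?$")
# Directives that only have an effect in HTTP mode (HAProxy ignores them in TCP mode).
HTTP_ONLY = ("option forwardfor", "option httpclose", "option httplog", "cookie ",
             "block ", "stats ", "reqadd ", "reqdeny ", "rspadd ")
# Layer-7 header fetches (hdr, hdr_cnt, hdr_sub, ...) that can never match in TCP mode.
HDR_FETCH = re.compile(r"\bhdr(?:_\w+)?\(")


def parse_cfg(text):
    """Split a haproxy.cfg into {"kind", "name", "lines"} sections, dropping comments."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append({"kind": m.group(1), "name": m.group(2) or m.group(1), "lines": []})
        elif sections:
            sections[-1]["lines"].append(line)
    return sections


def section_mode(section, default_mode):
    """Effective mode of a section: its own "mode" line, else the inherited default."""
    for line in section["lines"]:
        if line.startswith("mode "):
            return line.split()[1]
    return default_mode


def lint(text):
    """Return a list of (section name, finding) tuples."""
    sections = parse_cfg(text)
    findings = []
    default_mode = "tcp"  # HAProxy's built-in default when no "mode" is set anywhere
    for s in sections:
        if s["kind"] == "defaults":
            default_mode = section_mode(s, default_mode)
    known_backends = {s["name"] for s in sections if s["kind"] in ("backend", "listen")}
    for s in sections:
        if s["kind"] == "global":
            for line in s["lines"]:
                if line.startswith("stats socket") and " mode " not in line and " level " not in line:
                    findings.append((s["name"], "stats socket without mode/level restriction: "
                                     "anyone who can open it can query and alter the running proxy"))
            continue
        if s["kind"] == "defaults":
            continue
        mode = section_mode(s, default_mode)
        for line in s["lines"]:
            if mode == "tcp" and (line.startswith(HTTP_ONLY)
                                  or (line.startswith("acl ") and HDR_FETCH.search(line))):
                findings.append((s["name"], "HTTP-only directive in a 'mode tcp' section "
                                 f"(ignored or never matches): {line}"))
            elif line.startswith("default_backend "):
                target = line.split()[1]
                if target not in known_backends:
                    findings.append((s["name"], f"default_backend '{target}' is not defined"))
            elif line.startswith("server ") and "check" not in line.split():
                findings.append((s["name"], f"server without health checks: {line}"))
    return findings


if __name__ == "__main__":
    for section, finding in lint(SAMPLE_CFG):
        print(f"[{section}] {finding}")
```

Run against the sample it reports the two layer-7 lines in the TCP-mode https-in frontend, the dangling "postfix" backend, the unchecked app2 server and the open stats socket, while the http-in frontend and the apache_https backend pass clean. The linter is a complement to, not a replacement for, HAProxy's own syntax check ("haproxy -c -f /etc/haproxy/haproxy.cfg"), which catches typos and unknown keywords that this script does not look for.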