This document describes configuring haproxy load balancing for backend apache servers (here it is configured with 2 backend servers).
It is assumed that the backend apache servers are already configured and tested.
On the load balancing server you need to install and configure haproxy.
First, SSH into the load balancing server and install haproxy:
apt -y install haproxy
Now we can configure our haproxy:
nano /etc/haproxy/haproxy.cfg
A basic configuration with two apache web servers is given below:
# Add to the end
# Define frontend
frontend apache_front
# Frontend listen port – 80
bind *:80
# Set the default backend
default_backend apache_backend_servers
# Enable send X-Forwarded-For header
option forwardfor
# Define backend
backend apache_backend_servers
# Use roundrobin to balance traffic
balance roundrobin
# Define the backend servers
server backend01 192.168.10.11:80 check
server backend02 192.168.10.12:80 check
Restart haproxy service
systemctl restart haproxy
This configuration serves content from the servers 192.168.10.11 and 192.168.10.12.
The website bidcars.gr is also configured with haproxy. The current setup has 2 haproxy servers. Their configuration is given below:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 500000
timeout server 500000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen tcp_proxy
bind :80
bind :443 ssl crt /etc/haproxy/bidcars/star_bidcars_gr.crt
http-request redirect scheme https code 301 unless { ssl_fc }
mode http
option tcplog
option logasap
# balance roundrobin
balance source
server 1.gemini castor.ext.bidcars.infra:80 weight 20 check inter 20000
server 2.gemini polydeuces.ext.bidcars.infra:80 weight 20 check inter 20000
listen admin_stats
bind :8081
mode http
stats uri /stats
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
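As an added check (not part of the original configuration or of haproxy itself), the following script parses a haproxy.cfg into sections and flags three things visible in the configuration above: a stats listener with no `stats auth`, client/server timeouts longer than a minute (bare numbers are milliseconds, so 500000 is over eight minutes), and an http-mode proxy with servers but no `option forwardfor`. The embedded config is a constructed, shortened copy of the one above.

```python
import re

# Constructed sample mirroring the page's second configuration (not the live file).
SAMPLE_CFG = """
global
    daemon
    ssl-default-bind-options no-sslv3
defaults
    mode http
    timeout connect 5000
    timeout client 500000
    timeout server 500000
listen tcp_proxy
    bind :80
    bind :443 ssl crt /etc/haproxy/bidcars/star_bidcars_gr.crt
    http-request redirect scheme https code 301 unless { ssl_fc }
    mode http
    balance source
    server 1.gemini castor.ext.bidcars.infra:80 weight 20 check inter 20000
listen admin_stats
    bind :8081
    mode http
    stats uri /stats
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

def parse_sections(cfg):
    """Return [(keyword, name, [directive lines])], dropping comments and blank lines."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            sections.append((words[0], words[1] if len(words) > 1 else "", []))
        elif sections:
            sections[-1][2].append(line)
    return sections

def lint(cfg, max_timeout_ms=60000):
    """Return human-readable findings for the checks described in the lead-in."""
    findings = []
    for kind, name, lines in parse_sections(cfg):
        has = lambda prefix: any(l.startswith(prefix) for l in lines)
        if has("stats uri") and not has("stats auth"):
            findings.append(f"{kind} {name}: stats page without 'stats auth'")
        for l in lines:  # unit-less timeout values are milliseconds in haproxy
            m = re.match(r"timeout (client|server) (\d+)$", l)
            if m and int(m.group(2)) > max_timeout_ms:
                findings.append(f"{kind} {name}: timeout {m.group(1)} {m.group(2)}ms exceeds {max_timeout_ms}ms")
        if has("server ") and has("mode http") and not has("option forwardfor"):
            findings.append(f"{kind} {name}: http mode without 'option forwardfor'")
    return findings
```

Run `lint(open("/etc/haproxy/haproxy.cfg").read())` on a real file; an empty list means none of the three checks fired.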
The bidcars-specific part of the server configuration:
listen tcp_proxy
bind :80
bind :443 ssl crt /etc/haproxy/bidcars/star_bidcars_gr.crt
http-request redirect scheme https code 301 unless { ssl_fc }
mode http
option tcplog
option logasap
# balance roundrobin
balance source
server 1.gemini castor.ext.bidcars.infra:80 weight 20 check inter 20000
server 2.gemini polydeuces.ext.bidcars.infra:80 weight 20 check inter 20000
The ssl part, pointing at the certificate file, has to be added to the :443 bind line:
bind :443 ssl crt /etc/haproxy/bidcars/star_bidcars_gr.crt
In the certificate file the certificate and the private key have to be concatenated into one PEM file; since it holds the private key, keep it readable only by root.
The permanent redirection to https can be set up with:
http-request redirect scheme https code 301 unless { ssl_fc }
The two backend servers are:
castor.ext.bidcars.infra – 138.201.196.207
polydeuces.ext.bidcars.infra – 138.201.196.210
These names are assigned to the servers via /etc/hosts.
The two haproxy servers are:
139.162.174.72 -p 9999
139.162.170.128