HAPROXY CONFIGURATION

This document describes how to configure HAProxy load balancing for backend Apache servers (here, with two backend servers).

I assume that you have already configured and tested your backend Apache servers.

Now on the load balancing server you need to install and configure haproxy.

First, SSH into the machine and install the package:

    apt -y install haproxy

Now we can configure our haproxy:

    nano /etc/haproxy/haproxy.cfg

A basic configuration with two apache web servers is given below:

    # Add to the end of the file

    # Define the frontend
    frontend apache_front
        # Frontend listen port: 80
        bind *:80
        # Set the default backend
        default_backend    apache_backend_servers
        # Send the X-Forwarded-For header to the backends
        option             forwardfor

    # Define the backend
    backend apache_backend_servers
        # Use roundrobin to balance traffic
        balance            roundrobin
        # Define the backend servers
        server             backend01 192.168.10.11:80 check
        server             backend02 192.168.10.12:80 check

Restart the haproxy service:

    systemctl restart haproxy

These settings will load content from the servers 192.168.10.11 and 192.168.10.12.

The website bidcars.gr is also configured with haproxy. The current setup has 2 haproxy servers. Its configuration is given below:

    global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log    global
        mode    http
        option    httplog
        option    dontlognull
        timeout connect 5000
        timeout client  500000
        timeout server  500000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    listen tcp_proxy
        bind :80
        bind :443 ssl crt /etc/haproxy/bidcars/star_bidcars_gr.crt
        http-request redirect scheme https code 301 unless { ssl_fc }
        mode http
        option tcplog
        option logasap
        # balance roundrobin
        balance source
        server 1.gemini castor.ext.bidcars.infra:80 weight 20 check inter 20000
        server 2.gemini polydeuces.ext.bidcars.infra:80 weight 20 check inter 20000

    listen admin_stats
        bind :8081
        mode http
        stats uri /stats
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

The bidcars server configuration part:

    listen tcp_proxy
        bind :80
        bind :443 ssl crt /etc/haproxy/bidcars/star_bidcars_gr.crt
        http-request redirect scheme https code 301 unless { ssl_fc }
        mode http
        option tcplog
        option logasap
        # balance roundrobin
        balance source
        server 1.gemini castor.ext.bidcars.infra:80 weight 20 check inter 20000
        server 2.gemini polydeuces.ext.bidcars.infra:80 weight 20 check inter 20000

We have to add the SSL bind line with the location of the SSL certificate:

    bind :443 ssl crt /etc/haproxy/bidcars/star_bidcars_gr.crt

The certificate file must contain the private key and the certificate concatenated together. Because this file holds the private key, keep it readable only by root.

The permanent redirection to HTTPS can be set up with:

    http-request redirect scheme https code 301 unless { ssl_fc }

The two backend servers are:

castor.ext.bidcars.infra – 138.201.196.207

polydeuces.ext.bidcars.infra – 138.201.196.210

These names are assigned to the servers via /etc/hosts.

The two haproxy servers are:

139.162.174.72 -p 9999

139.162.170.128
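
The bidcars configuration above leaves three things a reviewer would check: the /stats page on :8081 has no "stats auth" line, the cipher list still offers 3DES, and only SSLv3 is disabled. The Python check below is an added example, not part of the original post; SAMPLE is a trimmed copy of that configuration, and the function names are assumptions of this example.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}

# Trimmed copy of the bidcars configuration shown on this page.
SAMPLE = """
global
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
listen tcp_proxy
    bind :80
    bind :443 ssl crt /etc/haproxy/bidcars/star_bidcars_gr.crt
    http-request redirect scheme https code 301 unless { ssl_fc }
listen admin_stats
    bind :8081
    mode http
    stats uri /stats
"""

def parse_sections(text):
    """Return [(section header, [directive word lists])] for a haproxy.cfg."""
    sections = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # naive comment strip, enough here
        if not words:
            continue
        if words[0] in SECTIONS:
            sections.append((" ".join(words), []))
        elif sections:
            sections[-1][1].append(words)
    return sections

def audit(text):
    """Flag an unauthenticated stats page, 3DES suites and an unpinned TLS floor."""
    findings = []
    for header, directives in parse_sections(text):
        has = lambda *kw: any(d[:len(kw)] == list(kw) for d in directives)
        if has("stats", "uri") and not has("stats", "auth"):
            findings.append(f"{header}: stats page served without 'stats auth'")
        for d in directives:
            suites = " ".join(d[1:]).split(":")
            # A suite counts only if it is offered, not excluded with '!' or '-'.
            if d[0] == "ssl-default-bind-ciphers" and any(
                    "3DES" in s and s[0] not in "!-" for s in suites if s):
                findings.append(f"{header}: cipher list still offers 3DES")
            if d[0] == "ssl-default-bind-options" and not (
                    "ssl-min-ver" in d or {"no-tlsv10", "no-tlsv11"} <= set(d)):
                findings.append(f"{header}: no minimum TLS version pinned")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Adding a "stats auth" line to admin_stats, dropping the 3DES entries, and setting "ssl-min-ver TLSv1.2" in ssl-default-bind-options clears all three findings.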
