Load balance the connections to a server farm using HAProxy


In this tutorial we will explain how to configure HAProxy to load balance HTTP and HTTPS connections across a server farm made of several servers. Ideally the server farm sits on a private network only, so that the servers can be reached through the load balancer alone and are not exposed to direct attacks from the internet. We will assume the farm has two web servers on the 10.0.1.0/24 network. The load balancer needs two network interfaces: a public one, on which it accepts connections from the internet, and a private one, on which it talks to the server farm. HAProxy needs to be version 1.5 or later for SSL support, and since most distribution repositories still ship an older release, we will download it and build it from source.

First download the source (and compare the tarball's checksum with the one published next to it on haproxy.org before building it):

#wget http://www.haproxy.org/download/1.5/src/haproxy-1.5.8.tar.gz

Once the source is downloaded we need to unpack and build it. Before you build it, make sure the development tools and the OpenSSL headers are installed: without the headers HAProxy builds fine but without any SSL support.

On yum based systems run:

#yum groupinstall 'Development Tools'
#yum install openssl-devel

On apt based systems run:

#apt-get install build-essential libssl-dev

Now it is time to unpack and build HAProxy. There is no configure script; the build is driven by make, and SSL support is only compiled in when USE_OPENSSL=1 is passed (TARGET=linux2628 is the right target for any Linux kernel 2.6.28 or newer):

#tar -xzvf haproxy-1.5.8.tar.gz
#cd haproxy-1.5.8
#make TARGET=linux2628 USE_OPENSSL=1
#make install

make install places the binary in /usr/local/sbin/haproxy; haproxy -vv prints the OpenSSL version it was built with, so check that line before going further.

After HAProxy is installed it is time to configure it. Building from source does not create /etc/haproxy, so create the directory yourself and put the configuration below in /etc/haproxy/haproxy.cfg (indentation is for readability only, HAProxy does not require it):

#mkdir -p /etc/haproxy
#cd /etc/haproxy
#cat haproxy.cfg
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 2048
    #chroot /usr/share/haproxy
    #uid 1100
    #gid 1100
    daemon
    #debug
    #quiet
    user nobody
defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    #option httplog
    option dontlognull
    retries 3
    option redispatch
frontend httpd-front
    bind <public IP>:80
    reqadd X-Forwarded-Proto:\ http
    default_backend http-back
frontend stats-front
    # the statistics page is for operators only: bind it to the private
    # interface (or firewall it), never to the public address or to *
    bind <private IP>:8080
    mode http
    default_backend stats-back
backend http-back
    balance leastconn
    server <node1> <node1.private_IP>:80 check
    server <node2> <node2.private_IP>:80 check
backend stats-back
    mode http
    balance roundrobin
    stats uri /haproxy/stats
    stats auth admin:<password>
    stats refresh 5s

Three of these lines deserve attention. HAProxy logs over UDP to syslog, so the log lines only produce output if the local syslog daemon accepts UDP on 127.0.0.1:514. The stats auth password is stored in clear text, so haproxy.cfg should be readable by root only. And the chroot line is commented out; once the setup works, create that empty directory and uncomment it, so that a compromised haproxy process cannot read the rest of the file system after it drops to the nobody user.

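The option forwardfor line above makes HAProxy append the connecting client's address to the X-Forwarded-For header before a request reaches node1 or node2, and the reqadd lines tell the nodes whether the client used HTTP or HTTPS. Both headers are only meaningful when the request really came through the load balancer: a client can send its own X-Forwarded-For, which HAProxy keeps and merely appends to, and any host that can reach the private network can send either header directly. The following Python is an added example for this page (not HAProxy code, nor any library's API) showing how an application running on the nodes should read those headers; it assumes 10.0.1.1 is the load balancer's address on the private network and uses constructed header values.

```python
"""Trust X-Forwarded-For / X-Forwarded-Proto only when they come from the load balancer.

Added example for this tutorial. With `option forwardfor`, HAProxy APPENDS the real
client address to whatever X-Forwarded-For the client already sent, so the first
value is attacker-controlled; the genuine one is the rightmost value that does not
belong to a proxy we trust, and only when the TCP peer is that trusted proxy.
"""
import ipaddress
from typing import Optional, Set

# Assumption for this example: the load balancer's address on the 10.0.1.0/24
# server network, i.e. the peer address the nodes see for every balanced request.
TRUSTED_PROXIES: Set[str] = {"10.0.1.1"}


def client_ip(peer_ip: str, xff: Optional[str],
              trusted: Set[str] = TRUSTED_PROXIES) -> str:
    """Real client address for a request whose TCP peer is peer_ip."""
    if peer_ip not in trusted or not xff:
        # Not via the LB (or no header at all): the peer itself is the client.
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left, skipping the proxies we trust; the next hop is the client.
    for hop in reversed(hops):
        if hop in trusted:
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # garbage in the header: never log attacker-chosen text
        return hop
    return peer_ip


def naive_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """The common bug: take the first X-Forwarded-For value, whoever wrote it."""
    return xff.split(",")[0].strip() if xff else peer_ip


def request_is_https(peer_ip: str, xfp: Optional[str],
                     trusted: Set[str] = TRUSTED_PROXIES) -> bool:
    """Honour X-Forwarded-Proto only from the load balancer, and only its last value:
    reqadd adds a header line after any the client sent, and frameworks that merge
    duplicate headers join them in that order."""
    if peer_ip not in trusted or not xfp:
        return False
    return xfp.split(",")[-1].strip().lower() == "https"


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 sends a forged header, HAProxy appends
    # the true address, and the node receives the request from the LB at 10.0.1.1.
    forged = "1.2.3.4, 203.0.113.7"
    print(naive_client_ip("10.0.1.1", forged))  # 1.2.3.4 (spoofed)
    print(client_ip("10.0.1.1", forged))        # 203.0.113.7
    # Same forged header arriving directly on the private network, not via the LB.
    print(client_ip("10.0.1.50", forged))       # 10.0.1.50
    print(request_is_https("10.0.1.1", "http, https"))  # True
```

If you would rather not rely on the application taking the last value, strip whatever the client sent before HAProxy adds its own header, with a reqidel ^X-Forwarded-Proto: line placed before the reqadd lines in the frontend.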
To add SSL support, replace the httpd-front frontend with one that terminates TLS on port 443 and keeps port 80 only so that plain HTTP clients can be redirected to HTTPS. The ssl keyword on the bind line turns on TLS, and crt points at a PEM file holding the server certificate, the intermediate certificate(s) and the private key (usually in that order):

frontend www-https
   bind <public IP>:80
   bind <public IP>:443 ssl crt /etc/ssl/private/example.com.pem
   reqadd X-Forwarded-Proto:\ https if { ssl_fc }
   reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
   default_backend www-backend

Also change the backend to look like the following:

backend www-backend
   redirect scheme https if !{ ssl_fc }
   balance leastconn
   server <node1> <node1.private_IP>:80 check
   server <node2> <node2.private_IP>:80 check

The redirect line sends every request that did not arrive over TLS back to the same URL on https://, which is why the frontend still has to listen on port 80: a backend rule can only act on requests a frontend hands to it, and without the port 80 bind plain HTTP clients would simply get a refused connection. Note also that the name after default_backend and the name on the backend line must match (www-backend in both places), otherwise haproxy refuses to start.

You will need to upload the certificate bundle to /etc/ssl/private or change the crt path to wherever your file is located. The file contains the private key, so it must be readable by root only (chmod 600); HAProxy reads it while parsing the configuration as root, before dropping to the user given in the global section.

The configuration file should look like this after the change. The global section also gains two SSL settings: HAProxy 1.5 still negotiates SSLv3 unless told otherwise, and it warns at start-up that its default Diffie-Hellman parameters are only 1024 bits.

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 2048
    #chroot /usr/share/haproxy
    #uid 1100
    #gid 1100
    daemon
    #debug
    #quiet
    user nobody
    # disable SSLv3 (POODLE) on every ssl bind and use a 2048-bit DH group
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048
defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    #option httplog
    option dontlognull
    retries 3
    option redispatch
frontend www-https
    bind <public IP>:80
    bind <public IP>:443 ssl crt /etc/ssl/private/example.com.pem
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
    default_backend www-backend
frontend stats-front
    # operators only: private interface, never the public address or *
    bind <private IP>:8080
    mode http
    default_backend stats-back

backend www-backend
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    server <node1> <node1.private_IP>:80 check
    server <node2> <node2.private_IP>:80 check

backend stats-back
    mode http
    balance roundrobin
    stats uri /haproxy/stats
    stats auth admin:<password>
    stats refresh 5s

Check the file with haproxy -c -f /etc/haproxy/haproxy.cfg before starting the daemon: it reports syntax errors and, for instance, a default_backend that names a backend which was never declared.

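haproxy -c catches syntax errors and dangling backend names, but not exposure mistakes such as a stats page reachable from the internet. The checker below is an added example written for this page, not part of HAProxy; the SAMPLE_CFG it audits is a constructed configuration in the layout of this tutorial (203.0.113.10 as the public address, 10.0.1.11 and 10.0.1.12 as the nodes, all placeholders) that reproduces the mistakes this kind of setup invites: a frontend whose default_backend was renamed without renaming the backend, a stats frontend bound to *, a commented-out chroot and an ssl bind with SSLv3 left enabled.

```python
"""Static checks for an haproxy.cfg (added example for this tutorial, not HAProxy code).

Catches what `haproxy -c` does not: the stats page exposed on every interface or
without authentication, an ssl bind that still negotiates SSLv3, and a process that
is never chrooted. It also reports a default_backend/use_backend that points at a
backend nobody declared, the classic rename mistake.
"""
import sys
from typing import List, Tuple

SECTION_KW = ("global", "defaults", "frontend", "backend", "listen")
Section = Tuple[str, str, List[List[str]]]  # (kind, name, directives as token lists)


def parse_cfg(text: str) -> List[Section]:
    """Split the file into sections; lines commented out with '#' are not directives."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[0] in SECTION_KW:
            sections.append((tok[0], tok[1] if len(tok) > 1 else "", []))
        elif sections:
            sections[-1][2].append(tok)
        else:
            raise ValueError("directive before the first section: " + line)
    return sections


def is_wildcard(addr: str) -> bool:
    """True when a bind address listens on every interface ('*', ':port', 0.0.0.0, [::])."""
    return addr.rsplit(":", 1)[0] in ("", "*", "0.0.0.0", "[::]")


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    secs = parse_cfg(text)
    findings: List[str] = []
    glob = [t for kind, _, d in secs if kind == "global" for t in d]
    if not any(t[0] == "chroot" for t in glob):
        findings.append("global: no chroot, a compromised haproxy can read the whole file system")
    default_opts = [o for t in glob if t[0] == "ssl-default-bind-options" for o in t[1:]]
    backends = {n for kind, n, _ in secs if kind in ("backend", "listen")}
    stats_secs = {n for kind, n, d in secs if kind in ("backend", "listen")
                  and any(t[:2] in (["stats", "uri"], ["stats", "enable"]) for t in d)}
    for kind, name, d in secs:
        if kind not in ("frontend", "backend", "listen"):
            continue
        where = f"{kind} {name}"
        targets = {t[1] for t in d if t[0] in ("default_backend", "use_backend") and len(t) > 1}
        for missing in sorted(targets - backends):
            findings.append(f"{where}: routes to undeclared backend '{missing}'")
        serves_stats = bool(targets & stats_secs) or (kind == "listen" and name in stats_secs)
        for t in d:
            if t[0] != "bind" or len(t) < 2:
                continue
            opts = t[2:]
            if "ssl" in opts and "no-sslv3" not in opts and "no-sslv3" not in default_opts:
                findings.append(f"{where}: bind {t[1]} still accepts SSLv3 (add no-sslv3)")
            if serves_stats and is_wildcard(t[1]):
                findings.append(f"{where}: stats page bound on every interface via {t[1]}")
        if name in stats_secs and not any(t[:2] == ["stats", "auth"] for t in d):
            findings.append(f"{where}: stats page has no authentication")
    return findings


# Constructed sample: this tutorial's layout with 203.0.113.10 as the public address
# and 10.0.1.11/10.0.1.12 as the nodes, carrying the mistakes the checker should find.
SAMPLE_CFG = r"""
global
    log 127.0.0.1 local0
    maxconn 2048
    #chroot /usr/share/haproxy
    daemon
    user nobody
defaults
    mode http
    option forwardfor
frontend www-https
    bind 203.0.113.10:443 ssl crt /etc/ssl/private/example.com.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend www-backend
frontend stats-front
    bind *:8080
    default_backend stats-back
backend http-back
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    server node1 10.0.1.11:80 check
    server node2 10.0.1.12:80 check
backend stats-back
    stats uri /haproxy/stats
    stats auth admin:secret
"""

if __name__ == "__main__":
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for finding in audit(cfg):
        print("-", finding)
```

Run it with the path to your haproxy.cfg as the only argument (with no argument it audits the embedded sample and prints four findings); an empty result means the renamed backend, the wildcard stats bind, the missing chroot and the SSLv3 bind have all been dealt with. It is a complement to haproxy -c -f, not a replacement: only haproxy itself validates the syntax.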

If your application keeps server-side sessions (anything with a login), it is best to send a client to the same server every time: if a request lands on another node, where that session does not exist, the user is asked to authenticate over and over again. HAProxy handles this by inserting a cookie of its own that names the node which served the first request; on later requests it reads the cookie back and routes the request to that node.

This is set in the backend (www-backend in the HTTPS configuration above, http-back in the plain HTTP one):

backend www-backend
   redirect scheme https if !{ ssl_fc }
   balance leastconn
   # insert: HAProxy adds the cookie itself; indirect: it is stripped before the request
   # reaches the node; nocache: responses carrying it are marked non-cacheable;
   # secure/httponly: the browser sends it only over TLS and hides it from page scripts
   cookie SERVERID insert indirect nocache secure httponly
   server <node1> <node1.private_IP>:80 check cookie <node1> inter 2000 rise 2 fall 5
   server <node2> <node2.private_IP>:80 check cookie <node2> inter 2000 rise 2 fall 5

The value after cookie on each server line is what the client receives, so use an opaque label rather than the node's real hostname. With the cookie in place balance leastconn only decides a client's first request. The check options tune the health check: inter 2000 probes every 2 seconds, rise 2 needs two successes before a node is marked up and fall 5 needs five failures before it is marked down; when a node goes down, option redispatch in the defaults section lets a client whose cookie points at it be sent to the other node instead of receiving an error.

You can build this setup on our platform in a few minutes using our PCS (Private Cloud Solution), which gives you VPSie(s) on a private network with NAT, port forwarding, inbound and outbound traffic control and multiple gateway IPs that you can use for load balancing and failover.
