Load balance connect
In this tutorial we will explain how to configure HAProxy to load balance HTTP and HTTPS connections when we have a server farm containing multiple servers. Ideally the server farm would be located on a private network only, so that the servers in the farm are protected from any direct attack from the internet. We will also assume that our server farm has two web servers in the 10.0.1.0/24 network. The load balancer will need two networks, one public and one private: on the public network it accepts the connections from the internet and on the private network it talks to the server farm. We also need HAProxy version 1.5 or higher for SSL support. Since most repositories still ship a HAProxy older than 1.5, we will download and install it from source.
First we need to download the source:
#wget http://www.haproxy.org/download/1.5/src/haproxy-1.5.8.tar.gz
2nd step
Once the source is downloaded we will need to unpack it and install it. Before you build it make sure that you have the development tools and the OpenSSL headers installed, since SSL support is compiled into the binary.
On yum-based systems run:
#yum groupinstall 'Development Tools'
#yum install openssl-devel
On apt-based systems run:
#apt-get install build-essential libssl-dev
Now it is time to unpack, build and install HAProxy. There is no configure script; the build target and the SSL option are passed to make (linux2628 is the target for Linux 2.6.28 and newer kernels):
#tar -xzvf haproxy-1.5.8.tar.gz
#cd haproxy-1.5.8
#make TARGET=linux2628 USE_OPENSSL=1
#make install
After HAProxy is installed it is time to configure it. A source install does not create the configuration directory, so create it first:
#mkdir -p /etc/haproxy
#cd /etc/haproxy
#cat haproxy.cfg
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 2048
    #chroot /usr/share/haproxy
    #uid 1100
    #gid 1100
    daemon
    #debug
    #quiet
    user nobody

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    #option httplog
    option dontlognull
    retries 3
    option redispatch

frontend httpd-front
    bind <public IP>:80
    reqadd X-Forwarded-Proto:\ http
    default_backend http-back

frontend stats-front
    # bind to the private address instead of * so the stats page is not reachable from the internet
    bind *:8080
    mode http
    default_backend stats-back

backend http-back
    balance leastconn
    server <node1> <node1.private_IP>:80 check
    server <node2> <node2.private_IP>:80 check

backend stats-back
    mode http
    balance roundrobin
    stats uri /haproxy/stats
    stats auth admin:<password>
    stats refresh 5s
To add SSL support you need to change the frontend httpd-front so that it looks like this (the port 80 bind stays, otherwise the HTTP to HTTPS redirect in the backend would never be reached):
frontend www-https
    # plain HTTP is accepted only so that the backend can redirect it to HTTPS
    bind <Public IP address>:80
    bind <Public IP address>:443 ssl crt /etc/ssl/private/example.com.pem
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    default_backend www-backend
Also change the backend to look like the following:
backend www-backend
    # any request that did not arrive over TLS on the frontend is redirected to https
    redirect scheme https if !{ ssl_fc }
    server <node1> <node1.private_ip>:80 check
    server <node2> <node2.private_ip>:80 check
You will need to upload the SSL certificate to /etc/ssl/private, or change the path so that it points to where your certificate file is located. HAProxy expects a single PEM file containing the certificate (with any intermediate chain) followed by the private key, so keep that file readable by root only.
The configuration file should look like this after the change:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 2048
    #chroot /usr/share/haproxy
    #uid 1100
    #gid 1100
    daemon
    #debug
    #quiet
    user nobody

defaults
    log global
    mode http
    option forwardfor
    option http-server-close
    #option httplog
    option dontlognull
    retries 3
    option redispatch

frontend www-https
    # plain HTTP is accepted only so that the backend can redirect it to HTTPS
    bind <Public IP address>:80
    bind <Public IP address>:443 ssl crt /etc/ssl/private/example.com.pem
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    default_backend www-backend

frontend stats-front
    # bind to the private address instead of * so the stats page is not reachable from the internet
    bind *:8080
    mode http
    default_backend stats-back

backend www-backend
    redirect scheme https if !{ ssl_fc }
    balance leastconn
    server <node1> <node1.private_IP>:80 check
    server <node2> <node2.private_IP>:80 check

backend stats-back
    mode http
    balance roundrobin
    stats uri /haproxy/stats
    stats auth admin:<password>
    stats refresh 5s
If your service uses any kind of authentication it is a good idea to always send a session to the same server: if a request hit another server that holds no session for it, the user would have to authenticate over and over again. This is easily fixed by setting a cookie which HAProxy checks to make sure that all requests from one client go to the same node in the backend.
This has to be set in the backend that serves the web nodes (http-back above, or www-backend after the HTTPS change):
backend http-back
    balance leastconn
    # the cookie keyword also accepts httponly and secure, which are worth adding when TLS is terminated here
    cookie SERVERID insert indirect nocache
    server <node1> <node1.private_IP>:80 check cookie <node1> inter 2000 rise 2 fall 5
    server <node2> <node2.private_IP>:80 check cookie <node2> inter 2000 rise 2 fall 5
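The final HTTPS configuration and the sticky-cookie backend above are easy to get subtly wrong, so here is a small lint, written for this tutorial and not part of HAProxy or the original page, that parses a haproxy.cfg and reports the mistakes that matter most in this setup: a default_backend naming a backend that is not defined, an https redirect that no plain-HTTP frontend can ever reach, a stats page bound on every interface, and a stickiness cookie inserted over TLS without the secure flag. The sample config, the 203.0.113.10 address and the node names are constructed for the example.

```python
# Constructed sample: the tutorial's final layout, including its mistakes
SAMPLE_CFG = """
frontend www-https
    bind 203.0.113.10:443 ssl crt /etc/ssl/private/example.com.pem
    default_backend www-backend
frontend stats-front
    bind *:8080
    default_backend stats-back
backend http-back
    redirect scheme https if !{ ssl_fc }
    cookie SERVERID insert indirect nocache
backend stats-back
    stats uri /haproxy/stats
"""

def parse_sections(cfg):
    """Split an HAProxy config into [(kind, name, [tokenised lines])]."""
    sections = []
    for raw in cfg.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, indentation, blank lines
        if tok and tok[0] in ("global", "defaults", "frontend", "backend", "listen"):
            sections.append((tok[0], tok[1] if len(tok) > 1 else "", []))
        elif tok and sections:
            sections[-1][2].append(tok)
    return sections

def lint(cfg):
    """Return finding strings; an empty list means nothing was flagged."""
    secs = parse_sections(cfg)
    targets = {n: l for k, n, l in secs if k == "backend"}
    findings, plain_routes, tls = [], set(), False
    for kind, name, lines in secs:
        if kind != "frontend":
            continue
        binds = [t for t in lines if t[0] == "bind"]
        refs = [t[1] for t in lines if t[0] in ("default_backend", "use_backend")]
        tls = tls or any("ssl" in t for t in binds)
        if any("ssl" not in t for t in binds):  # plain-HTTP listener: redirects in its backends can fire
            plain_routes.update(refs)
        findings += [f"{kind} {name}: '{r}' is not a defined backend" for r in refs if r not in targets]
        served = lines + [t for r in refs for t in targets.get(r, [])]
        if any(t[0] == "stats" for t in served) and any(t[1].split(":")[0] in ("*", "0.0.0.0", "") for t in binds):
            findings.append(f"{kind} {name}: stats page is bound on every interface, not just the private one")
    for kind, name, lines in secs:
        for t in (lines if kind == "backend" else []):
            if t[:3] == ["redirect", "scheme", "https"] and name not in plain_routes:
                findings.append(f"{kind} {name}: https redirect can never fire, no plain-HTTP frontend routes here")
            if t[0] == "cookie" and "insert" in t and tls and "secure" not in t:
                findings.append(f"{kind} {name}: cookie {t[1]} is issued over TLS without 'secure'")
    return findings
```

Running lint(SAMPLE_CFG) reports all four problems; once the backend is renamed to www-backend, a port 80 bind is added to the frontend, the stats frontend is bound on the private address and the cookie gets httponly secure, the list comes back empty.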
You can actually create this setup on our platform in a few minutes using our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network, NAT, port forwarding, traffic control for inbound and outbound, and multiple gateway IPs which you could use for load balancing and failover.