Apr 29
This example walks through a simple IP-based load balancing setup that passes SSL traffic through to the web servers.
The Configuration
- Load Balancer: 192.168.0.2 (our HAProxy server)
- Web Server 1: 192.168.0.10 (web application server 1)
- Web Server 2: 192.168.0.20 (web application server 2)
- Admin Panel: 192.168.0.2, port 8080 (statistics panel)
                / Web Server 1 (192.168.0.10)
Load Balancer <
                \ Web Server 2 (192.168.0.20)
Step 1: Get and Install haproxy
We'll be building haproxy from the 1.3.17 source files. You can get them from http://haproxy.1wt.eu/
wget http://haproxy.1wt.eu/download/1.3/src/haproxy-1.3.17.tar.gz
tar xzf haproxy-1.3.17.tar.gz
cd haproxy-1.3.17
make TARGET=linux26
cp haproxy /usr/sbin/haproxy                    # the bundled init script looks for the binary in /usr/sbin and the config in /etc/haproxy.cfg
cp /path/to/haproxy-1.3.17/examples/haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
Step 2: Create some users for security
We’re going to add a haproxy user and run it in a chroot jail. Be sure to read up on other security measures for your server.
useradd haproxy
mkdir /var/chroot/haproxy
chown haproxy:haproxy /var/chroot/haproxy
chmod 700 /var/chroot/haproxy
Step 3: Configure /etc/haproxy.cfg
This is a simple load balancing setup: the HAProxy server listens on one IP and distributes connections to two servers.
global
    maxconn 10000   # Total Max Connections.
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    daemon
    nbproc 1        # Number of processes
    user haproxy
    group haproxy
    chroot /var/chroot/haproxy

defaults
    log global
    option tcplog
    mode tcp
    clitimeout 60000
    srvtimeout 30000
    contimeout 4000
    retries 3
    redispatch
    option httpclose

listen load_balanced 192.168.0.2:80,192.168.0.2:443
    balance source
    option ssl-hello-chk
    option forwardfor   # has no effect in tcp mode: the encrypted stream is passed through untouched, so the backends only ever see 192.168.0.2
    # "port 443" gives the health check a port to test; without a service or check port HAProxy disables the check
    server webserver1 192.168.0.10 port 443 weight 1 maxconn 5000 check
    server webserver2 192.168.0.20 port 443 weight 1 maxconn 5000 check

listen admin_stats 192.168.0.2:8080
    mode http
    stats uri /my_stats
    stats realm Global\ statistics
    stats auth username:password   # placeholder credentials: replace with a strong, unique password before exposing this port
Start HAProxy with /etc/init.d/haproxy start.
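Before starting the daemon it is worth checking the config for the pitfalls this pass-through setup has: `option forwardfor` is ignored in tcp mode, a `server ... check` line without a service or check port gets its health check disabled, and the stats panel ships with placeholder credentials on a routable address. The following is an added example (not part of the original post or of HAProxy) that reads the tutorial's config, embedded inline, and reports those conditions. It assumes HAProxy falls back to tcp mode when no `mode` is set anywhere; the check names and thresholds (a 12-character minimum for the stats password) are this example's own choices.

```python
import re

# Constructed input: the tutorial's /etc/haproxy.cfg, embedded so the checks run offline.
SAMPLE_CFG = r"""
global
    maxconn 10000
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    daemon
    nbproc 1
    user haproxy
    group haproxy
    chroot /var/chroot/haproxy
defaults
    log global
    option tcplog
    mode tcp
    clitimeout 60000
    srvtimeout 30000
    contimeout 4000
    retries 3
    redispatch
    option httpclose
listen load_balanced 192.168.0.2:80,192.168.0.2:443
    balance source
    option ssl-hello-chk
    option forwardfor
    server webserver1 192.168.0.10 weight 1 maxconn 5000 check
    server webserver2 192.168.0.20 weight 1 maxconn 5000 check
listen admin_stats 192.168.0.2:8080
    mode http
    stats uri /my_stats
    stats realm Global\ statistics
    stats auth username:password
"""

SECTION_KEYWORDS = ("global", "defaults", "listen", "frontend", "backend")


def parse_config(text):
    """Split an HAProxy config into sections {kind, name, bind, lines}; lines are tokenised."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            sections.append({
                "kind": tokens[0],
                "name": tokens[1] if len(tokens) > 1 else tokens[0],
                "bind": tokens[2] if len(tokens) > 2 else "",
                "lines": [],
            })
        elif sections:
            sections[-1]["lines"].append(tokens)
    return sections


def audit(text):
    """Return a list of (section name, finding) pairs for the pass-through pitfalls."""
    findings = []
    defaults_mode = "tcp"   # assumption: mode used when the config never sets one
    for sec in parse_config(text):
        lines = sec["lines"]
        if sec["kind"] == "defaults":
            defaults_mode = next((t[1] for t in lines if t[0] == "mode" and len(t) > 1), defaults_mode)
            continue
        if sec["kind"] == "global":
            continue
        mode = next((t[1] for t in lines if t[0] == "mode" and len(t) > 1), defaults_mode)
        options = {t[1] for t in lines if t[0] == "option" and len(t) > 1}

        # 1. In tcp mode HAProxy never touches the (encrypted) stream, so no header can be added.
        if mode == "tcp" and "forwardfor" in options:
            findings.append((sec["name"], "option forwardfor is ignored in tcp mode; backends will "
                             "log the load balancer's address, not the client's"))

        for t in lines:
            # 2. A health check needs a port: either in the address or via the "port" keyword.
            if t[0] == "server" and len(t) > 2 and "check" in t and ":" not in t[2] and "port" not in t:
                findings.append((sec["name"], f"server {t[1]} has 'check' but no service or check "
                                 "port, so the health check is disabled"))
            # 3. Placeholder or short stats credentials.
            if t[0] == "stats" and len(t) > 2 and t[1] == "auth":
                user, _, password = t[2].partition(":")
                if user == "username" or password == "password" or len(password) < 12:
                    findings.append((sec["name"], "stats auth uses placeholder or short credentials"))

        # 4. Stats panel reachable on a non-loopback address without any acl.
        if any(t[0] == "stats" for t in lines) and not sec["bind"].startswith("127.") \
                and not any(t[0] == "acl" for t in lines):
            findings.append((sec["name"], f"stats panel bound to {sec['bind']} over plain HTTP with "
                             "no acl; restrict it to admin hosts or the loopback address"))
    return findings


if __name__ == "__main__":
    for name, msg in audit(SAMPLE_CFG):
        print(f"[{name}] {msg}")
```

Run against the tutorial's config it reports five findings: the ignored `forwardfor`, the two check-less servers, and the credentials and exposure of `admin_stats`. Point `audit()` at the text of any other config to reuse the checks.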
Step 4: Configure logging
Edit /etc/sysconfig/syslog so that syslogd accepts messages over UDP (HAProxy logs over UDP to 127.0.0.1 because it runs chrooted and cannot use /dev/log):
SYSLOGD_OPTIONS="-m 0 -r"
Note that -r makes syslogd listen on UDP port 514 on every interface, so block that port from other hosts at the firewall.
Edit /etc/syslog.conf. Add the following:
local0.* /var/log/haproxy.log
local1.* /var/log/haproxy-1.log
Restart syslog:
service syslog restart
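With `option tcplog` each connection lands in /var/log/haproxy.log with the client address, the backend it was sent to, timings, byte count and a two-letter termination state. In this pass-through setup that log is the only place the real client IP survives, since the backends see only 192.168.0.2, so it is worth parsing. The following is an added example (not part of the original post) that parses HAProxy's documented tcplog field layout, summarises connections per server and per client, checks that `balance source` is keeping each client on one backend, and flags connections that did not end normally. The five log lines are constructed for this example; addresses, pid and timings are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: tcplog lines as they would land in /var/log/haproxy.log via local0.
SAMPLE_LOG = """\
Apr 29 10:15:01 lb haproxy[6335]: 203.0.113.10:51234 [29/Apr/2009:10:15:00.120] load_balanced load_balanced/webserver1 0/1/812 5120 -- 3/3/2/1/0 0/0
Apr 29 10:15:02 lb haproxy[6335]: 203.0.113.10:51240 [29/Apr/2009:10:15:01.530] load_balanced load_balanced/webserver1 0/0/455 2048 -- 4/4/3/2/0 0/0
Apr 29 10:15:03 lb haproxy[6335]: 198.51.100.7:40022 [29/Apr/2009:10:15:02.001] load_balanced load_balanced/webserver2 0/0/1201 8192 -- 4/4/3/1/0 0/0
Apr 29 10:15:05 lb haproxy[6335]: 198.51.100.7:40030 [29/Apr/2009:10:15:04.850] load_balanced load_balanced/webserver2 0/-1/4003 0 SC 4/4/3/0/3 0/0
Apr 29 10:15:07 lb haproxy[6335]: 192.0.2.44:60010 [29/Apr/2009:10:15:06.300] load_balanced load_balanced/webserver1 0/2/60012 128 cD 2/2/1/1/0 0/0
"""

# tcplog fields, in order: client_ip:port [accept_date] frontend backend/server Tw/Tc/Tt
# bytes_read termination_state actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
TCPLOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client_ip>[^:\s]+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<bytes>\d+) (?P<term>\S\S) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+)$"
)

# Meaning of the first character of the termination state (HAProxy manual).
CAUSES = {
    "-": "normal",
    "C": "client abort",
    "c": "client timeout",
    "S": "server abort or refusal",
    "s": "server timeout",
    "P": "proxy abort",
    "R": "proxy resource exhausted",
    "I": "internal error",
}

INT_FIELDS = ("pid", "client_port", "tw", "tc", "tt", "bytes", "actconn", "feconn",
              "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")


def parse_tcplog_line(line):
    """Return the line's fields as a dict, or None for lines that are not tcplog records."""
    m = TCPLOG_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["cause"] = CAUSES.get(rec["term"][0], "unknown")
    return rec


def summarise(lines):
    """Aggregate per server and per client, and list connections that did not end normally."""
    per_server = defaultdict(lambda: {"conns": 0, "bytes": 0})
    per_client = Counter()
    client_servers = defaultdict(set)     # which backends each client IP was sent to
    problems = []
    for line in lines:
        rec = parse_tcplog_line(line)
        if rec is None:
            continue
        per_server[rec["server"]]["conns"] += 1
        per_server[rec["server"]]["bytes"] += rec["bytes"]
        per_client[rec["client_ip"]] += 1
        client_servers[rec["client_ip"]].add(rec["server"])
        # Tc == -1 means the backend never accepted the connection, retries > 0 means HAProxy
        # had to retry, and any cause other than "-" is an abnormal end worth alerting on.
        if rec["cause"] != "normal" or rec["tc"] < 0 or rec["retries"] > 0:
            problems.append({"client_ip": rec["client_ip"], "server": rec["server"],
                             "term": rec["term"], "cause": rec["cause"], "retries": rec["retries"]})
    sticky = {ip: sorted(servers) for ip, servers in client_servers.items()}
    return dict(per_server), dict(per_client), sticky, problems


if __name__ == "__main__":
    servers, clients, sticky, problems = summarise(SAMPLE_LOG.splitlines())
    print("per server:", servers)
    print("per client:", clients)
    print("client -> servers:", sticky)
    for p in problems:
        print(f"ALERT {p['client_ip']} -> {p['server']} {p['term']} ({p['cause']}, retries={p['retries']})")
```

The `SC` record is the one to act on: Tc is -1 and retries is 3, meaning webserver2 refused the connection three times before HAProxy gave up, which is what a failed backend looks like from the balancer. A client-side timeout (`cD`) is usually noise from a slow or disconnected client. Feed the function the real file with `summarise(open("/var/log/haproxy.log"))`.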
Tags: Developers, haproxy, howto, load balancing, tutorial
Does this work? I thought haproxy does not load balance HTTPS connections.
Tried the same. HTTPS does not work. Any ideas?
Thanks.
Yea, it definitely works. I use it in production right now. It works because of the IP based filtering. All traffic is between the server-endpoint and client, the haproxy system doesn’t get involved in the streams.
So in this configuration, are the SSL certificates residing on the web servers and you are simply forwarding on the SSL requests to those servers? Like codemonkey — I’ve read numerous articles that in order to properly handle SSL requests on HAProxy load balanced configurations, one must also install Apache with mod_ssl to work in a reverse proxy configuration.
SSL is on the web servers themselves. HAProxy forwards all requests via IP to the web servers, so it doesn’t matter if it’s encrypted traffic. The concept is very similar to a NAT on the client’s end; HAProxy acts as a router with this configuration.
I’ll give it a shot. It’s just strange that of all the articles discussing HA Proxy and SSL, yours is the only one that says HA Proxy supports this. Even HA Proxy’s own website says an additional layer is needed to properly terminate the SSL requests. But like I said, I’ll give it a shot and see what happens. I’ll post my findings one way or the other.
Thanks!
Yea, HAProxy doesn’t outright say this as a solution. It is hidden in the documentation though. I use it right now and seems to work great. Good luck.
Does it retain the real client IP for https transactions ?
The real client IP is lost with this setup.
There is a difference between “terminating” SSL requests and “transparently proxying” SSL requests. Transparently proxying SSL means looking at the TCP/IP packet headers only, without decrypting the SSL contents within. This kind of load balancing is supported by HAProxy – just configure a TCP ("mode tcp") load balancer, as shown in this article. Terminating SSL means authenticating with the client via SSL and decrypting the traffic into plaintext. When this is performed by the load balancer, the LB needs to use an SSL provider – such as apache’s mod_ssl – to perform these functions. This is not shown in this article.
I use this with my set up and ended up with this error message when I tried to restart HAproxy
[ALERT] 271/135248 (6335) : parsing [/etc/haproxy/haproxy.cfg:26] : server webserver1 has neither service port nor check port. Check has been disabled.
[ALERT] 271/135248 (6335) : Error reading configuration file : /etc/haproxy/haproxy.cfg
any idea?
I followed the above configuration and it’s working. My only problem is the logs of the back-end server: the IP address of the load balancer is being logged and not the client’s IP address. Any idea how to resolve this? Thanks
We can’t do much about the IP address – that’s part of the problem with doing things this way.
We will configure HAProxy as a transparent proxy, i.e., it will pass on the original user’s IP address in a field called X-Forwarded-For to the backend web servers. Of course, the backend web servers should log the original user’s IP address in their access logs instead of the IP addresses of our load balancers. Therefore we must modify the LogFormat line in /etc/apache2/apache2.conf and replace %h with %{X-Forwarded-For}i:
Change apache conf file
From:-
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
To:-
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
Did anyone get this last part working?
I wouldn’t have thought that a header (such as X-Forwarded-For) could be added when it is an SSL request, as this header is HTTP and if the payload is encrypted then it can’t be modified. Is that correct?
Does haproxy even add this header when the mode is ‘tcp’?
Jimmy,
You are right, the X-Forwarded-For doesn’t work with tcp. HaProxy doesn’t even send the information.
Hi,
I have Java utilities, like Java socket programs, which accept a raw string and process it.
I want to deploy that utility to multiple servers and I am looking for a solution to balance the load between these two utilities.
Please tell me if HAProxy is useful to that or not.
HAProxy would work great for that.