HAProxy
(→Installation) |
Line 62: | Line 62: | ||
* Modify the <code>/etc/haproxy/haproxy.cfg</code> file | * Modify the <code>/etc/haproxy/haproxy.cfg</code> file | ||
<pre> | <pre> | ||
- | bind :443 ssl crt /etc/ssl/certs/server_domain.pem | + | bind :443 ssl crt /etc/ssl/certs/server_domain.pem no-sslv3 |
+ | </pre> | ||
+ | '''''* <code>no-sslv3</code> to disable SSLv3 due to the vulnerability found in SSL protocol 3.0.''''' | ||
+ | |||
+ | = Configuration = | ||
+ | == haproxy.cfg == | ||
+ | * Example of <code>/etc/haproxy/haproxy.cfg</code> | ||
+ | |||
+ | <pre> | ||
+ | global | ||
+ | log 127.0.0.1 local0 | ||
+ | log 127.0.0.1 local1 notice | ||
+ | #log loghost local0 info | ||
+ | maxconn 4096 | ||
+ | #chroot /usr/share/haproxy | ||
+ | user haproxy | ||
+ | group haproxy | ||
+ | daemon | ||
+ | #debug | ||
+ | #quiet | ||
+ | stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin | ||
+ | |||
+ | defaults | ||
+ | log global | ||
+ | mode http | ||
+ | option httplog | ||
+ | option dontlognull | ||
+ | retries 3 | ||
+ | option redispatch | ||
+ | maxconn 2000 | ||
+ | contimeout 5000 | ||
+ | clitimeout 50000 | ||
+ | srvtimeout 50000 | ||
+ | |||
+ | ## first.domain.com { ## | ||
+ | |||
+ | # frontend public | ||
+ | frontend http_first | ||
+ | # HTTP | ||
+ | bind 192.168.0.222:80 | ||
+ | |||
+ | # Redirect all HTTP traffic to HTTPS | ||
+ | redirect scheme https if !{ ssl_fc } | ||
+ | |||
+ | frontend https_first | ||
+ | |||
+ | bind 192.168.0.222:443 ssl crt /location/to/ssl/first.pem | ||
+ | |||
+ | default_backend main_backend_https | ||
+ | |||
+ | backend main_backend_https | ||
+ | mode http | ||
+ | |||
+ | # Tell the backend that this is a secure connection, | ||
+ | # even though it's getting plain HTTP. | ||
+ | reqadd X-Forwarded-Proto:\ https | ||
+ | |||
+ | # Check by hitting a page intended for this use. | ||
+ | # option httpchk GET /isrunning | ||
+ | option httpchk | ||
+ | timeout check 500ms | ||
+ | # Wait 500ms between checks. | ||
+ | |||
+ | option forwardfor header X-Real-IP | ||
+ | option http-server-close | ||
+ | |||
+ | balance roundrobin | ||
+ | cookie JSESSIONID prefix | ||
+ | |||
+ | server app_backend1 192.168.0.301:80 check port 80 cookie app_backend1 | ||
+ | server app_backend2 192.168.0.302:80 check port 80 cookie app_backend2 | ||
+ | |||
+ | ## } first.domain.com ## | ||
+ | |||
+ | |||
+ | ## second.domain.com { ## | ||
+ | |||
+ | frontend http_second | ||
+ | |||
+ | bind 192.168.0.202:80 | ||
+ | |||
+ | redirect scheme https if !{ ssl_fc } | ||
+ | |||
+ | frontend https_second | ||
+ | |||
+ | bind 192.168.0.202:443 ssl crt /location/to/ssl/second.pem | ||
+ | |||
+ | default_backend main_backend_https | ||
+ | |||
+ | ## } second.domain.com ## | ||
+ | |||
+ | |||
+ | ## third.domain.com { ## | ||
+ | |||
+ | frontend http_third | ||
+ | |||
+ | bind 192.168.0.203:80 | ||
+ | redirect scheme https if !{ ssl_fc } | ||
+ | |||
+ | frontend https_third | ||
+ | |||
+ | bind 192.168.0.203:443 ssl crt /location/to/ssl/third.pem | ||
+ | |||
+ | default_backend main_backend_https | ||
+ | |||
+ | ## } third.domain.com ## | ||
+ | |||
+ | |||
+ | ## fourth.domain.com { ## | ||
+ | |||
+ | frontend http_fourth | ||
+ | |||
+ | bind 192.168.0.204:80 | ||
+ | redirect scheme https if !{ ssl_fc } | ||
+ | |||
+ | frontend https_fourth | ||
+ | |||
+ | bind 192.168.0.204:443 ssl crt /location/to/ssl/fourth.pem | ||
+ | |||
+ | default_backend main_backend_https | ||
+ | |||
+ | ## } fourth.domain.com ## | ||
+ | |||
+ | |||
+ | ## fifth.domain.com { ## | ||
+ | |||
+ | frontend http_fifth | ||
+ | |||
+ | bind 192.168.0.205:80 | ||
+ | redirect scheme https if !{ ssl_fc } | ||
+ | |||
+ | frontend https_fifth | ||
+ | |||
+ | bind 192.168.0.205:443 ssl crt /location/to/ssl/fifth.pem | ||
+ | |||
+ | default_backend main_backend_https | ||
+ | |||
+ | ## } fifth.domain.com ## | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | == Log == | ||
+ | HAProxy uses syslog instead of writing it directly into a file. | ||
+ | |||
+ | So change the configuration fine of the default syslog daemon that is rsyslogd. | ||
+ | * Edit <code>/etc/rsyslog.conf</code> | ||
+ | <pre> | ||
+ | $ModLoad imudp | ||
+ | $UDPServerAddress 127.0.0.1 | ||
+ | $UDPServerRun 514 | ||
+ | </pre> | ||
+ | |||
+ | * Also Edit <code>/etc/rsyslog.d/49-haproxy.conf</code> | ||
+ | <pre> | ||
+ | local0.* -/var/log/haproxy_0.log | ||
+ | local1.* -/var/log/haproxy_1.log | ||
+ | & ~ | ||
+ | </pre> | ||
+ | |||
+ | * Edit <code>/etc/logrotate.d/haproxy</code> | ||
+ | <pre> | ||
+ | /var/log/haproxy*.log | ||
+ | { | ||
+ | rotate 1000 | ||
+ | weekly | ||
+ | missingok | ||
+ | notifempty | ||
+ | compress | ||
+ | delaycompress | ||
+ | size 20M | ||
+ | sharedscripts | ||
+ | postrotate | ||
+ | reload rsyslog >/dev/null 2>&1 || true | ||
+ | endscript | ||
+ | } | ||
+ | </pre> | ||
+ | |||
+ | <pre> | ||
+ | $ restart rsyslog | ||
+ | </pre> | ||
+ | |||
+ | = HATop = | ||
+ | == Installation == | ||
+ | <pre> | ||
+ | $ apt-get install hatop | ||
+ | </pre> | ||
+ | |||
+ | == Usage == | ||
+ | <pre> | ||
+ | $ hatop -s /var/run/haproxy/haproxy.sock | ||
+ | </pre> | ||
+ | Or set alias | ||
+ | <pre> | ||
+ | alias hamonitor='hatop -s /var/run/haproxy/haproxy.sock' | ||
</pre> | </pre> |
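Review bot: The five `bind ...:443 ssl crt ...` lines in the new haproxy.cfg example (https_first through https_fifth) omit `no-sslv3`, the option this same revision adds to the Installation snippet at line 62 and explains right under it, so anyone copying the example re-enables SSLv3; append it to each of them, e.g. `bind 192.168.0.222:443 ssl crt /location/to/ssl/first.pem no-sslv3`. In the same block, `192.168.0.301` and `192.168.0.302` are not valid IPv4 addresses (last octet above 255) and should be marked as placeholders or replaced, and the comment `# Wait 500ms between checks.` describes an interval whereas `timeout check 500ms` bounds how long a health-check response may take. `contimeout`/`clitimeout`/`srvtimeout` are the legacy spellings; the `timeout connect`/`timeout client`/`timeout server` forms are the ones current HAProxy documentation uses, and the page's own build is a 1.5 snapshot. Since `#chroot /usr/share/haproxy` is shipped commented out while the stats socket runs at `level admin`, a sentence on why chroot is left disabled would help readers decide whether to keep that.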
Latest revision as of 17:34, 29 November 2014
Installation
$ apt-get install make
- for gcc
$ apt-get install build-essential
- If the following error occurs,
# Install libpcre3-dev if you get "include/common/regex.h:28:18: fatal error: pcre.h: No such file or directory"
- install
$ apt-get install libpcre3-dev
- If the following error occurs,
# libssl-dev if you get "include/types/server.h:29:25: fatal error: openssl/ssl.h: No such file or directory"
- install
$ apt-get install libssl-dev
- HAProxy website:
http://haproxy.1wt.eu/
HAProxy Installation
- Download HAProxy,
e.g.)
# plain-http download of a development snapshot: check the tarball against the
# checksum/signature published on the project site before building it
$ wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
- Install
$ tar -zxvf haproxy-1.5-dev19.tar.gz
$ cd haproxy-1.5-dev19
# USE_OPENSSL=1 is what provides the "ssl crt" bind options used later on this
# page; USE_PCRE=1 needs the libpcre3-dev package installed above
$ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
# installs system-wide, so this presumably has to run as root (or via sudo)
$ make install
- Clean all for recompilation
# "clean all" rebuilds from scratch with the same build flags as the initial build
$ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 clean all
- Add haproxy user
# service account for the daemon ("user haproxy" in haproxy.cfg below);
# -s /bin/false leaves it without a usable login shell
$ useradd -m haproxy -s /bin/false
- For SSL support
# the resulting .pem holds the private key as well as the certificate chain,
# so keep it readable by root only (e.g. mode 0600); the "crt" bind option
# in haproxy.cfg below points at this file
$ cat server_domain-crt-bundle.crt server_domain.key > server_domain.pem
- Modify the
/etc/haproxy/haproxy.cfg
file
bind :443 ssl crt /etc/ssl/certs/server_domain.pem no-sslv3
* no-sslv3
to disable SSLv3 due to the vulnerability found in SSL protocol 3.0.
Configuration
haproxy.cfg
- Example of
/etc/haproxy/haproxy.cfg
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    # NOTE(review): chroot is left disabled here — confirm that is intended
    #chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet
    # admin-level control socket (hatop uses it further down this page);
    # mode 0600 limits access to the socket's owner
    stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    # NOTE(review): legacy keyword spellings; the documented forms are
    # "timeout connect" / "timeout client" / "timeout server" — confirm
    # against the HAProxy version built above
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

## first.domain.com { ##

# frontend public
frontend http_first
    # HTTP
    bind 192.168.0.222:80
    # Redirect all HTTP traffic to HTTPS
    # (ssl_fc is true only for TLS connections; this frontend is plain :80,
    # so every request is redirected)
    redirect scheme https if !{ ssl_fc }

frontend https_first
    # NOTE(review): no "no-sslv3" here, unlike the Installation example above
    bind 192.168.0.222:443 ssl crt /location/to/ssl/first.pem
    default_backend main_backend_https

# shared by all five https_* frontends on this page
backend main_backend_https
    mode http
    # Tell the backend that this is a secure connection,
    # even though it's getting plain HTTP.
    reqadd X-Forwarded-Proto:\ https
    # Check by hitting a page intended for this use.
    # option httpchk GET /isrunning
    option httpchk
    # NOTE(review): "timeout check" bounds the wait for a check response;
    # the interval between checks is a separate server setting (inter).
    # The original comment here read "Wait 500ms between checks."
    timeout check 500ms
    # client address is passed to the backend in X-Real-IP rather than the
    # default X-Forwarded-For header
    option forwardfor header X-Real-IP
    option http-server-close
    balance roundrobin
    cookie JSESSIONID prefix
    # NOTE(review): 192.168.0.301 / .302 are not valid IPv4 addresses
    # (last octet above 255) — placeholders?
    server app_backend1 192.168.0.301:80 check port 80 cookie app_backend1
    server app_backend2 192.168.0.302:80 check port 80 cookie app_backend2

## } first.domain.com ##

## second.domain.com { ##

frontend http_second
    bind 192.168.0.202:80
    redirect scheme https if !{ ssl_fc }

frontend https_second
    bind 192.168.0.202:443 ssl crt /location/to/ssl/second.pem
    default_backend main_backend_https

## } second.domain.com ##

## third.domain.com { ##

frontend http_third
    bind 192.168.0.203:80
    redirect scheme https if !{ ssl_fc }

frontend https_third
    bind 192.168.0.203:443 ssl crt /location/to/ssl/third.pem
    default_backend main_backend_https

## } third.domain.com ##

## fourth.domain.com { ##

frontend http_fourth
    bind 192.168.0.204:80
    redirect scheme https if !{ ssl_fc }

frontend https_fourth
    bind 192.168.0.204:443 ssl crt /location/to/ssl/fourth.pem
    default_backend main_backend_https

## } fourth.domain.com ##

## fifth.domain.com { ##

frontend http_fifth
    bind 192.168.0.205:80
    redirect scheme https if !{ ssl_fc }

frontend https_fifth
    bind 192.168.0.205:443 ssl crt /location/to/ssl/fifth.pem
    default_backend main_backend_https

## } fifth.domain.com ##
Log
HAProxy uses syslog instead of writing it directly into a file.
So change the configuration file of the default syslog daemon, which is rsyslogd.
- Edit
/etc/rsyslog.conf
# load the UDP syslog input and bind it to loopback only — this is where the
# "log 127.0.0.1 ..." lines in haproxy.cfg above send their messages
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
- Also Edit
/etc/rsyslog.d/49-haproxy.conf
# local0 / local1 are the facilities named in haproxy.cfg's "log" lines;
# the leading "-" on the path requests buffered (unsynced) writes
local0.* -/var/log/haproxy_0.log
local1.* -/var/log/haproxy_1.log
# "& ~" (legacy syntax): discard the messages just matched so they do not
# also land in the general syslog file
& ~
- Edit
/etc/logrotate.d/haproxy
# covers both haproxy_0.log and haproxy_1.log written by rsyslog above
/var/log/haproxy*.log
{
    rotate 1000
    weekly
    missingok
    notifempty
    compress
    delaycompress
    size 20M
    sharedscripts
    # rsyslog has to reopen the files after rotation; "reload rsyslog" is
    # presumably the Upstart form, matching "restart rsyslog" further down
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}
$ restart rsyslog
HATop
Installation
$ apt-get install hatop
Usage
# -s: the stats socket declared in haproxy.cfg above; it is "level admin"
# and mode 0600 there, so run hatop as the socket's owner — and note that
# admin level allows changing server state, not just reading statistics
$ hatop -s /var/run/haproxy/haproxy.sock
Or set an alias
alias hamonitor='hatop -s /var/run/haproxy/haproxy.sock'