HAProxy
From KevinWiki
(Difference between revisions)
(→Installation) |
|||
(3 intermediate revisions not shown) | |||
Line 62: | Line 62: | ||
* Modify the <code>/etc/haproxy/haproxy.cfg</code> file | * Modify the <code>/etc/haproxy/haproxy.cfg</code> file | ||
<pre> | <pre> | ||
- | bind :443 ssl crt /etc/ssl/certs/server_domain.pem | + | bind :443 ssl crt /etc/ssl/certs/server_domain.pem no-sslv3 |
</pre> | </pre> | ||
+ | '''''* <code>no-sslv3</code> to disable SSLv3 due to the vulnerability found in SSL protocol 3.0.''''' | ||
= Configuration = | = Configuration = | ||
Line 224: | Line 225: | ||
/var/log/haproxy*.log | /var/log/haproxy*.log | ||
{ | { | ||
- | rotate | + | rotate 1000 |
weekly | weekly | ||
missingok | missingok | ||
Line 230: | Line 231: | ||
compress | compress | ||
delaycompress | delaycompress | ||
+ | size 20M | ||
sharedscripts | sharedscripts | ||
postrotate | postrotate | ||
Line 239: | Line 241: | ||
<pre> | <pre> | ||
$ restart rsyslog | $ restart rsyslog | ||
+ | </pre> | ||
+ | |||
+ | = HATop = | ||
+ | == Installation == | ||
+ | <pre> | ||
+ | $ apt-get install hatop | ||
+ | </pre> | ||
+ | |||
+ | == Usage == | ||
+ | <pre> | ||
+ | $ hatop -s /var/run/haproxy/haproxy.sock | ||
+ | </pre> | ||
+ | Or set alias | ||
+ | <pre> | ||
+ | alias hamonitor='hatop -s /var/run/haproxy/haproxy.sock' | ||
</pre> | </pre> |
Latest revision as of 17:34, 29 November 2014
Contents |
Installation
$ apt-get install make
- for gcc
$ apt-get install build-essential
- If the following error occurs,
# Install libpcre3-dev if you get "include/common/regex.h:28:18: fatal error: pcre.h: No such file or directory"
- install
$ apt-get install libpcre3-dev
- If the following error occurs,
# libssl-dev if you get "include/types/server.h:29:25: fatal error: openssl/ssl.h: No such file or directory"
- install
$ apt-get install libssl-dev
- HAProxy website:
http://haproxy.1wt.eu/
HAProxy Installation
- Download HAProxy,
e.g.)
$ wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
- Install
$ tar -zxvf haproxy-1.5-dev19.tar.gz $ cd haproxy-1.5-dev19 $ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 $ make install
- Clean all for recompilation
$ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 clean all
- Add haproxy user
$ useradd -m haproxy -s /bin/false
- For SSL support
$ cat server_domain-crt-bundle.crt server_domain.key > server_domain.pem
- Modify the
/etc/haproxy/haproxy.cfg
file
bind :443 ssl crt /etc/ssl/certs/server_domain.pem no-sslv3
* no-sslv3
to disable SSLv3 due to the vulnerability found in SSL protocol 3.0.
Configuration
haproxy.cfg
- Example of
/etc/haproxy/haproxy.cfg
global log 127.0.0.1 local0 log 127.0.0.1 local1 notice #log loghost local0 info maxconn 4096 #chroot /usr/share/haproxy user haproxy group haproxy daemon #debug #quiet stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin defaults log global mode http option httplog option dontlognull retries 3 option redispatch maxconn 2000 contimeout 5000 clitimeout 50000 srvtimeout 50000 ## first.domain.com { ## # frontend public frontend http_first # HTTP bind 192.168.0.222:80 # Redirect all HTTP traffic to HTTPS redirect scheme https if !{ ssl_fc } frontend https_first bind 192.168.0.222:443 ssl crt /location/to/ssl/first.pem default_backend main_backend_https backend main_backend_https mode http # Tell the backend that this is a secure connection, # even though it's getting plain HTTP. reqadd X-Forwarded-Proto:\ https # Check by hitting a page intended for this use. # option httpchk GET /isrunning option httpchk timeout check 500ms # Wait 500ms between checks. option forwardfor header X-Real-IP option http-server-close balance roundrobin cookie JSESSIONID prefix server app_backend1 192.168.0.301:80 check port 80 cookie app_backend1 server app_backend2 192.168.0.302:80 check port 80 cookie app_backend2 ## } first.domain.com ## ## second.domain.com { ## frontend http_second bind 192.168.0.202:80 redirect scheme https if !{ ssl_fc } frontend https_second bind 192.168.0.202:443 ssl crt /location/to/ssl/second.pem default_backend main_backend_https ## } second.domain.com ## ## third.domain.com { ## frontend http_third bind 192.168.0.203:80 redirect scheme https if !{ ssl_fc } frontend https_third bind 192.168.0.203:443 ssl crt /location/to/ssl/third.pem default_backend main_backend_https ## } third.domain.com ## ## fourth.domain.com { ## frontend http_fourth bind 192.168.0.204:80 redirect scheme https if !{ ssl_fc } frontend https_fourth bind 192.168.0.204:443 ssl crt /location/to/ssl/fourth.pem default_backend main_backend_https ## } fourth.domain.com ## ## fifth.domain.com { ## frontend http_fifth bind 192.168.0.205:80 redirect scheme https if !{ ssl_fc } frontend https_fifth bind 192.168.0.205:443 ssl crt /location/to/ssl/fifth.pem default_backend main_backend_https ## } fifth.domain.com ##
Log
HAProxy uses syslog instead of writing it directly into a file.
So change the configuration fine of the default syslog daemon that is rsyslogd.
- Edit
/etc/rsyslog.conf
$ModLoad imudp $UDPServerAddress 127.0.0.1 $UDPServerRun 514
- Also Edit
/etc/rsyslog.d/49-haproxy.conf
local0.* -/var/log/haproxy_0.log local1.* -/var/log/haproxy_1.log & ~
- Edit
/etc/logrotate.d/haproxy
/var/log/haproxy*.log { rotate 1000 weekly missingok notifempty compress delaycompress size 20M sharedscripts postrotate reload rsyslog >/dev/null 2>&1 || true endscript }
$ restart rsyslog
HATop
Installation
$ apt-get install hatop
Usage
$ hatop -s /var/run/haproxy/haproxy.sock
Or set alias
alias hamonitor='hatop -s /var/run/haproxy/haproxy.sock'