HAProxy


(Difference between revisions)
(Created page with "Category:Network = Installation = <pre> $ apt-get install make </pre> * for gcc <pre> $ apt-get install build-essential </pre> * If the following error occurs, <pre> # Ins...")
(Installation)
 
(7 intermediate revisions not shown)
Line 34: Line 34:
== HAProxy Installation ==
== HAProxy Installation ==
* Download HAProxy,
* Download HAProxy,
-
e.g.)
+
e.g.)
<pre>
<pre>
$ wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz  
$ wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz  
Line 62: Line 62:
* Modify the <code>/etc/haproxy/haproxy.cfg</code> file
* Modify the <code>/etc/haproxy/haproxy.cfg</code> file
<pre>
<pre>
-
   bind :443 ssl crt /etc/ssl/certs/server_domain.pem
+
   bind :443 ssl crt /etc/ssl/certs/server_domain.pem no-sslv3
 +
</pre>
 +
'''''* <code>no-sslv3</code> to disable SSLv3 due to the vulnerability found in SSL protocol 3.0.'''''
 +
 
 +
= Configuration =
 +
== haproxy.cfg ==
 +
* Example of <code>/etc/haproxy/haproxy.cfg</code>
 +
 
 +
<pre>
 +
global
 +
  log 127.0.0.1 local0
 +
  log 127.0.0.1 local1 notice
 +
  #log loghost  local0 info
 +
  maxconn 4096
 +
  #chroot /usr/share/haproxy
 +
  user haproxy
 +
  group haproxy
 +
  daemon
 +
  #debug
 +
  #quiet
 +
  stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin
 +
 
 +
defaults
 +
  log global
 +
  mode  http
 +
  option  httplog
 +
  option  dontlognull
 +
  retries 3
 +
  option redispatch
 +
  maxconn 2000
 +
  contimeout  5000
 +
  clitimeout  50000
 +
  srvtimeout  50000
 +
 
 +
## first.domain.com { ##
 +
 
 +
# frontend public
 +
frontend http_first
 +
  # HTTP
 +
  bind 192.168.0.222:80
 +
 
 +
  # Redirect all HTTP traffic to HTTPS
 +
  redirect scheme https if !{ ssl_fc }
 +
 +
frontend https_first
 +
 
 +
  bind 192.168.0.222:443 ssl crt /location/to/ssl/first.pem
 +
 
 +
  default_backend main_backend_https
 +
 
 +
backend main_backend_https
 +
  mode http
 +
 
 +
  # Tell the backend that this is a secure connection,
 +
  # even though it's getting plain HTTP.
 +
  reqadd X-Forwarded-Proto:\ https
 +
 
 +
  # Check by hitting a page intended for this use.
 +
#  option httpchk GET /isrunning
 +
  option httpchk
 +
  timeout check 500ms
 +
  # Wait 500ms between checks.
 +
 
 +
  option forwardfor header X-Real-IP
 +
  option http-server-close
 +
 
 +
  balance roundrobin
 +
  cookie JSESSIONID prefix
 +
 
 +
  server app_backend1 192.168.0.301:80 check port 80 cookie app_backend1
 +
  server app_backend2 192.168.0.302:80 check port 80 cookie app_backend2
 +
 
 +
## } first.domain.com ##
 +
 
 +
 
 +
## second.domain.com { ##
 +
 
 +
frontend http_second
 +
 
 +
  bind 192.168.0.202:80
 +
 
 +
  redirect scheme https if !{ ssl_fc }
 +
 
 +
frontend https_second
 +
 
 +
  bind 192.168.0.202:443 ssl crt /location/to/ssl/second.pem
 +
 
 +
  default_backend main_backend_https
 +
 
 +
## } second.domain.com ##
 +
 
 +
 
 +
## third.domain.com { ##
 +
 
 +
frontend http_third
 +
 
 +
  bind 192.168.0.203:80
 +
  redirect scheme https if !{ ssl_fc }
 +
 +
frontend https_third
 +
 
 +
  bind 192.168.0.203:443 ssl crt /location/to/ssl/third.pem
 +
 
 +
  default_backend main_backend_https
 +
 
 +
## } third.domain.com ##
 +
 
 +
 
 +
## fourth.domain.com { ##
 +
 
 +
frontend http_fourth
 +
 
 +
  bind 192.168.0.204:80
 +
  redirect scheme https if !{ ssl_fc }
 +
 +
frontend https_fourth
 +
 
 +
  bind 192.168.0.204:443 ssl crt /location/to/ssl/fourth.pem
 +
 
 +
  default_backend main_backend_https
 +
 
 +
## } fourth.domain.com ##
 +
 
 +
 
 +
## fifth.domain.com { ##
 +
 
 +
frontend http_fifth
 +
 
 +
  bind 192.168.0.205:80
 +
  redirect scheme https if !{ ssl_fc }
 +
 +
frontend https_fifth
 +
 
 +
  bind 192.168.0.205:443 ssl crt /location/to/ssl/fifth.pem
 +
 
 +
  default_backend main_backend_https
 +
 
 +
## } fifth.domain.com ##
 +
 
 +
</pre>
 +
 
 +
== Log ==
 +
HAProxy uses syslog instead of writing it directly into a file.
 +
 
 +
So change the configuration fine of the default syslog daemon that is rsyslogd.
 +
* Edit <code>/etc/rsyslog.conf</code>
 +
<pre>
 +
$ModLoad imudp
 +
$UDPServerAddress 127.0.0.1
 +
$UDPServerRun 514
 +
</pre>
 +
 
 +
* Also Edit <code>/etc/rsyslog.d/49-haproxy.conf</code>
 +
<pre>
 +
local0.* -/var/log/haproxy_0.log
 +
local1.* -/var/log/haproxy_1.log
 +
& ~
 +
</pre>
 +
 
 +
* Edit <code>/etc/logrotate.d/haproxy</code>
 +
<pre>
 +
/var/log/haproxy*.log
 +
{
 +
    rotate 1000
 +
    weekly
 +
    missingok
 +
    notifempty
 +
    compress
 +
    delaycompress
 +
    size 20M
 +
    sharedscripts
 +
    postrotate
 +
        reload rsyslog >/dev/null 2>&1 || true
 +
    endscript
 +
}
 +
</pre>
 +
 
 +
<pre>
 +
$ restart rsyslog
 +
</pre>
 +
 
 +
= HATop =
 +
== Installation ==
 +
<pre>
 +
$ apt-get install hatop
 +
</pre>
 +
 
 +
== Usage ==
 +
<pre>
 +
$ hatop -s /var/run/haproxy/haproxy.sock
 +
</pre>
 +
Or set alias
 +
<pre>
 +
alias hamonitor='hatop -s /var/run/haproxy/haproxy.sock'
</pre>
</pre>
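Review bot: The `no-sslv3` option this revision adds to the installation snippet is missing from all five `bind ...:443 ssl crt` lines of the new example configuration, so the sample as written still accepts SSLv3 handshakes; append `no-sslv3` to each of those binds (or, if the installed build supports it, set `ssl-default-bind-options no-sslv3` once under `global`). In `backend main_backend_https`, `reqadd X-Forwarded-Proto:\ https` and `option forwardfor header X-Real-IP` both append to whatever the client already sent, so a client can supply its own `X-Real-IP` or `X-Forwarded-Proto` and an application that reads the first value sees the spoofed one; add `reqidel ^X-Real-IP:` and `reqidel ^X-Forwarded-Proto:` ahead of them. The server addresses `192.168.0.301` and `192.168.0.302` are not valid IPv4 addresses (last octet above 255), so the configuration will not load until they are replaced with real ones. The comment `# Wait 500ms between checks.` describes `inter`, not `timeout check`, which bounds how long a single check may take; `# Each health check must complete within 500ms.` would be accurate.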

Latest revision as of 17:34, 29 November 2014


Installation

$ apt-get install make 
  • for gcc and the rest of the C toolchain needed to build from source
$ apt-get install build-essential 
  • If the following error occurs,
# Install libpcre3-dev if you get "include/common/regex.h:28:18: fatal error: pcre.h: No such file or directory"
  • install
$ apt-get install libpcre3-dev 
  • If the following error occurs,
# libssl-dev if you get "include/types/server.h:29:25: fatal error: openssl/ssl.h: No such file or directory"
  • install
$ apt-get install libssl-dev 
  • HAProxy website:
http://haproxy.1wt.eu/

HAProxy Installation

  • Download HAProxy,

e.g.)

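$ wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev19.tar.gz
# The download is over plain HTTP, which gives no integrity guarantee on its own:
# compare the checksum with the one published for this release (obtained from a
# trusted channel) before unpacking and building.
$ md5sum haproxy-1.5-dev19.tar.gz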
  • Install
$ tar -zxvf haproxy-1.5-dev19.tar.gz 
$ cd haproxy-1.5-dev19 
# TARGET=linux2628 is the build profile for Linux 2.6.28 and later.
# USE_PCRE=1 and USE_OPENSSL=1 need the libpcre3-dev / libssl-dev headers
# installed above; USE_ZLIB=1 additionally needs the zlib development
# headers, which are not listed on this page.
$ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 
# Installs under /usr/local by default (binary in /usr/local/sbin).
$ make install 
  • Clean all for recompilation
$ make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 clean all 
  • Add haproxy user
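# A system account with no login shell is all the "user haproxy" / "group haproxy"
# privilege drop in haproxy.cfg needs; "-r" creates it without a home directory
# (the original "-m" created /home/haproxy, which the daemon never uses).
$ useradd -r -s /bin/false haproxy 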
  • For SSL support, concatenate the certificate bundle and the private key into the single PEM file HAProxy expects
$ cat server_domain-crt-bundle.crt server_domain.key > server_domain.pem 
  • Modify the /etc/haproxy/haproxy.cfg file
  # Listen on 443 with TLS; the PEM holds the private key, so keep it mode 0600.
  # no-sslv3 refuses SSLv3 handshakes on this listener (TLS 1.0+ still allowed).
  bind :443 ssl crt /etc/ssl/certs/server_domain.pem no-sslv3 

* `no-sslv3` disables SSLv3 on this listener: SSL 3.0 has a protocol-level weakness (presumably the POODLE attack disclosed in October 2014, given this page's revision date) that cannot be patched away, so the protocol has to be refused outright. Clients that can only speak SSLv3 will no longer connect; TLS 1.0 and later remain enabled, and the same option is needed on every `bind ... ssl` line, not only this one.

Configuration

haproxy.cfg

  • Example of /etc/haproxy/haproxy.cfg
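global
  # HAProxy only logs through syslog; both facilities point at the local
  # rsyslog UDP listener configured in the "Log" section of this page.
  log 127.0.0.1 local0
  log 127.0.0.1 local1 notice
  #log loghost  local0 info
  maxconn 4096
  # Worth enabling as a hardening step once /usr/share/haproxy exists and is
  # empty: the process confines itself there after dropping privileges.
  #chroot /usr/share/haproxy
  # Ports 80/443 are bound as root, then the process drops to this
  # unprivileged account (created with useradd in the installation steps).
  user haproxy
  group haproxy
  daemon
  #debug
  #quiet
  # "level admin" lets a client of this socket disable servers and change
  # weights, so the socket file stays owner-only (mode 0600).
  stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin

defaults
  log global
  mode  http
  option  httplog
  option  dontlognull
  retries 3
  option redispatch
  maxconn 2000
  # "timeout connect/client/server" replace the deprecated contimeout,
  # clitimeout and srvtimeout keywords; same values, in milliseconds.
  timeout connect 5000
  timeout client  50000
  timeout server  50000

## first.domain.com { ##

# frontend public
frontend http_first
  # HTTP
  bind 192.168.0.222:80

  # Redirect all HTTP traffic to HTTPS. This bind has no "ssl", so ssl_fc
  # is never true here and every request is redirected.
  redirect scheme https if !{ ssl_fc }

frontend https_first

  # no-sslv3: refuse SSLv3 handshakes, as in the installation example above.
  bind 192.168.0.222:443 ssl crt /location/to/ssl/first.pem no-sslv3

  default_backend main_backend_https

backend main_backend_https
  mode http

  # Drop any client-supplied copy of the headers this backend sets, so an
  # application that reads the first value cannot be fed a spoofed one.
  reqidel ^X-Forwarded-Proto:
  reqidel ^X-Real-IP:

  # Tell the backend that this is a secure connection,
  # even though it's getting plain HTTP.
  reqadd X-Forwarded-Proto:\ https

  # Check by hitting a page intended for this use.
#  option httpchk GET /isrunning
  # Without arguments httpchk sends "OPTIONS / HTTP/1.0".
  option httpchk
  # Each health check must complete within 500ms. This is a per-check
  # timeout, not the interval between checks (that would be "inter").
  timeout check 500ms

  # Pass the client address as X-Real-IP; the reqidel above guarantees the
  # application sees exactly one copy.
  option forwardfor header X-Real-IP
  option http-server-close

  balance roundrobin
  # Session stickiness: the server name is prefixed to the application's
  # JSESSIONID cookie so later requests return to the same server.
  cookie JSESSIONID prefix

  # Placeholder addresses. The original .301/.302 were not valid IPv4
  # octets, and HAProxy would have refused to load the configuration.
  server app_backend1 192.168.0.31:80 check port 80 cookie app_backend1
  server app_backend2 192.168.0.32:80 check port 80 cookie app_backend2

## } first.domain.com ##


## second.domain.com { ##
# Same pattern as first.domain.com; all sites share main_backend_https.

frontend http_second

  bind 192.168.0.202:80

  redirect scheme https if !{ ssl_fc }

frontend https_second

  bind 192.168.0.202:443 ssl crt /location/to/ssl/second.pem no-sslv3

  default_backend main_backend_https

## } second.domain.com ##


## third.domain.com { ##

frontend http_third

  bind 192.168.0.203:80
  redirect scheme https if !{ ssl_fc }

frontend https_third

  bind 192.168.0.203:443 ssl crt /location/to/ssl/third.pem no-sslv3

  default_backend main_backend_https

## } third.domain.com ##


## fourth.domain.com { ##

frontend http_fourth

  bind 192.168.0.204:80
  redirect scheme https if !{ ssl_fc }

frontend https_fourth

  bind 192.168.0.204:443 ssl crt /location/to/ssl/fourth.pem no-sslv3

  default_backend main_backend_https

## } fourth.domain.com ##


## fifth.domain.com { ##

frontend http_fifth

  bind 192.168.0.205:80
  redirect scheme https if !{ ssl_fc }

frontend https_fifth

  bind 192.168.0.205:443 ssl crt /location/to/ssl/fifth.pem no-sslv3

  default_backend main_backend_https

## } fifth.domain.com ##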

Log

HAProxy does not write its logs to a file itself; it sends them to syslog (the `log 127.0.0.1 ...` lines in `haproxy.cfg`).

So configure the default syslog daemon, rsyslogd, to receive them on the loopback UDP port and write them to files.

  • Edit /etc/rsyslog.conf
# Accept HAProxy's syslog datagrams on the loopback interface only. Binding
# 127.0.0.1 keeps the (unauthenticated) UDP listener off the network; the
# address must be set before $UDPServerRun starts the listener.
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
  • Also Edit /etc/rsyslog.d/49-haproxy.conf
# local0 / local1 are the facilities named by the "log" lines in haproxy.cfg.
# The leading "-" writes without syncing after every message; "& ~" discards
# the messages just matched so they are not duplicated into the catch-all
# syslog file.
local0.* -/var/log/haproxy_0.log
local1.* -/var/log/haproxy_1.log
& ~
  • Edit /etc/logrotate.d/haproxy
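# Rotation for the two HAProxy log files written by rsyslog.
# These logs contain client IP addresses, so "rotate 1000" is a long
# retention; reduce it if your retention policy is shorter.
/var/log/haproxy*.log
{
    rotate 1000
    weekly
    missingok
    notifempty
    compress
    delaycompress
    # "maxsize" rotates early when the file exceeds 20M but still honours
    # "weekly"; the original "size 20M" ignores the time interval entirely.
    # maxsize needs logrotate >= 3.8.1; on older versions keep "size" and
    # drop "weekly", since the two cannot be combined there.
    maxsize 20M
    sharedscripts
    postrotate
        # Upstart job reload (SIGHUP) so rsyslog reopens the new files.
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}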
$ restart rsyslog 

HATop

Installation

$ apt-get install hatop 

Usage

$ hatop -s /var/run/haproxy/haproxy.sock 

Or define a shell alias:

alias hamonitor='hatop -s /var/run/haproxy/haproxy.sock'