HAProxy is an open source, free, veryfast and reliable solution offering high availability, load balancing and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing. It distributes a workload across a set of servers to maximize performance and optimize resource usage.
HAProxy can be used for Web applications (HTTP/ HTTPS) as well as for TCP based applications (MySQL, SSL, SMTP) etc.
HAProxy is an open source, free, veryfast and reliable solution offering high availability, load balancing and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing. It distributes a workload across a set of servers to maximize performance and optimize resource usage.
HAProxy can be used for Web applications (HTTP/ HTTPS) as well as for TCP based applications (MySQL, SSL, SMTP) etc.
Installation
Download and install latest version of HAProxy available at below mentioned location
Option 1
Download and install from source (tar.gz) available at http://haproxy.1wt.eu/#down
Installation Steps on Linux:
#wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.22.tar.gz
#tar xzvf haproxy-1.4.22.tar.gz
#cd haproxy-1.4.22
#make install
Option 2
Download and Install from RPM package available at http://repo.nixval.com/nixval- centos/5/updates/haproxy-1.4.9-1.el5.x86_64.rpm
Installation Steps on Linux:
#wget http://repo.nixval.com/nixval-centos/5/updates/haproxy-1.4.9-1.el5.x86_6…
#rpm -ivh haproxy-1.4.9-1.el5.x86_64.rpm
Configuration
Once HAProxy is installed either from source or from RPM, configuration file – haproxy.cfg will be created under /etc/haproxy/ directory
Open the file and you will find 4 different sections as mentioned below:
- global – This section allows us to specify global settings for HAProxy which can include max connections, pid file, log file location, user/group by which haproxy daemon will be started etc.
- defaults – This section allows us to specify certain detault options that can be used for all frontends and backends configuration
- frontend – This section allows us to configure frontends for HAProxy which includes port / IP address on which HAProxy will listen and other options based on requirements. We can specify more than one frontends in case we want to forward various traffic like HTTP/ HTTPS/ SMTP etc.
- backend – This section allows to us to specify backend systems which will be actual application server to which HAProxy will forward all traffic to for e.g. If HAProxy is configured to load balance HTTP traffic, backends will be web servers or reverse proxy servers like Varnish.
You can specify more than one backend depending upon frontend configuration, Also you can specify more than one application server within single backend to failover/load-balance and make application highly available.
Below is the sample configuration file for HAProxy:
#———————————————————————
# Global settings
#———————————————————————
global
log 127.0.0.1 local2 info
#This will send all logs with type “info” to local syslog server. Additionally you need to configure local syslog server to collect remote logs with -r option.
log 127.0.0.1 local2 notice
#This will send all logs with type “notice” to local syslog server. Additionally you need to configure local syslog server to collect remote logs with -r option.
chroot /var/lib/haproxy
#Configure chrooted environment toincreases the security level in case an unknown #vulnerability would be exploited, since it would make it very hard for the attacker to exploit the system.
pidfile /var/run/haproxy.pid
#Writes pids of all daemons into file
maxconn 4000
#Sets the maximum per-process number of concurrent connections to .
user haproxy
#Changes the process’ username to . It is recommended that the username is dedicated to HAProxy or to a small set of similar daemons. HAProxy must be started with superuser privileges in order to be able to switch to another one.
group haproxy
#Changes the process’ group name to . It is recommended that the groupname is dedicated to HAProxy or to a small set of similar daemons. HAProxy must be started with a user belonging to this groupdaemon
stats socket /tmp/haproxy
#Creates a UNIX socket in stream mode at location .
#——————————————————————————
# common defaults that all the ‘listen’ and ‘backend’ sections will
# use if not designated in their block
#——————————————————————————
defaults
mode http
#The instance will work in HTTP mode. To be used when HAProxy is configured to handle only HTTP traffic
log global
#Refer Global section for logs
option dontlognull
#This option indicates that a connection on which no data has been transferred will not be logged
option redispatch
#In HTTP mode, if a server designated by a cookie is down, clients may definitely stick to it because they cannot flush the cookie, so they will not be able to access the service anymore. Specifying option redispatch will allow the proxy to break their persistence and redistribute them to a working server.
timeout connect 10000
# default 10 seconds time out if a backend is not found
timeout client 300000
#The inactivity timeout (in milliseconds) applies when the client is expected to acknowledge or send data. In HTTP mode, this timeout is particularly important to consider during the first phase, when the client sends the request, and during the response while it is reading data sent by the server
timeout server 300000
#The inactivity timeout (in milliseconds) applies when the server is expected to acknowledge or send data. In HTTP mode, this timeout is particularly important to consider during the first phase of the server’s response, when it has to send the headers, as it directly represents the server’s processing time for the request.
maxconn 60000
#Maximum number of concurrent connections the frontend will accept to serve, excess connections will be queued by the system in the socket’s listen queue and will be served once a connection closes.
retries 3
#Number of times a connection attempt should be retried on a server when a connection either is refused or times out. The default value is 3.
#———————————————————————
# main frontend which proxys to the backends – HTTP
#———————————————————————
frontend http-in
#http-in is the name of frontend
bind *:80
#Bind all Network Interfaces to listen on port 80 for this particular frontend
mode http
#As mentioned in defaults section
acl bad_ip src 192.168.100.100
#Create new acl with name “bad_ip” where source IP is 192.168.100.100
acl header hdr(X-Forwarded-For)
#Create new acl with name “header” where header is X-Forwarded-For
block if bad_ip || header
#Block connections/ access when request matches acl “bad_ip” and “header”
#Similarly more ACLs can be created as per requirements
option httpclose
#By default, when a client communicates with a server, HAProxy will only analyze, log, and process the first request of each connection. If option httpclose is set, it will check if a “Connection: close” header is already set in each direction, and will add one if missing. This helps to close the TCP connection after each transfer
option forwardfor
#HTTP header “X-Forwarded-For” will be added by HAProxy to all requests sent to the server. This header contains a value representing the client’s source IP address.
default_backend apache
#Default Backend to use for this particular frontend. These are actual application servers to which requests will be forwarded.
#———————————————————————
# main frontend which proxys to the backends – HTTPS
#———————————————————————
frontend https-in
#https-in is the name of frontend
bind *:443
#Bind all Network Interfaces to listen on port 443 for this particular frontend
mode tcp
#The instance will work in pure TCP mode. A full-duplex connection will be established between clients and servers, and no layer 7 examination will be performed. It should be used for load-balancing traffic other than HTTP i.e. HTTPS, MySQL, SMTP etc.
acl bad_ip src 192.168.100.100
#As exlained in above frontend (http-in) section
acl header hdr(X-Forwarded-For)
#As exlained in above frontend (http-in) section
block if bad_ip || header
#As exlained in above frontend (http-in) section
default_backend apache_https
#As exlained in above frontend (http-in) section
#———————————————————————
# Backend configuration for frontend http-in
#———————————————————————
backend apache
#apache is name of backend which is going to be used for http-in frontend
mode http
#As exlained in above frontend (http-in) section
balance source
#The source IP address is hashed and divided by the total weight of the running servers to designate which server will receive the request. This ensures that the same client IP address will always reach the same server as long as no server goes down or up. If the hash result changes due to the number of running servers changing, many clients will be directed to a different server
option httplog
#By specifying option httplog, each log line turns into a much richer format including, but not limited to, the HTTP request, the connection timers, the session status, the connections numbers, the captured headers and cookies, the frontend, backend and server name, and of course the source address and ports.
option httpclose
#As exlained in above frontend (http-in) section
option forwardfor except 127.0.0.1
#As exlained in above frontend (http-in) section. Add “X-Forwarded-For” header except for 127.0.0.1
cookie SERVERID insert indirect nocache
#SERVERID is the name of cookie which will inserted by HAProxy on each request served after applying loadbalacning algorithm.
#Actual backed/ application servers are specified below
server app1 192.168.100.200:80 cookie server01 check
#app1 is the identification name for webserver with IP address 192.168.100.200 and value for SERVERID cookie (mentioned above) as server01. “check” will be used to check #aliveness of server on specified port i.e. Port 80
server app2 192.168.100.201:80 cookie server02 check
#app2 is the identification name for webserver with IP address 192.168.100.201 and value #for SERVERID cookie (mentioned above) as server02. “check” will be used to check #aliveness of server on specified port i.e. Port 80
#### Below section will allow us to view statistics of requests served by HAProxy – Example : http:///haproxy?stats can be accessible with username “hauser” and password “hapassword”.
#### Mentioned url will be automcatically refreshed every 5 seconds as per below configuration
stats enable
stats hide-version
stats scope .
stats realm Haproxy\\ Statistics
stats uri /haproxy?stats
stats auth hauser:hapassword
stats refresh 5s
#———————————————————————
# Backend configuration for frontend https-in
#———————————————————————
backend apache_https
#apache_https is name of backend which is going to be used for https-in frontend
mode tcp
#As exlained in above frontend (https-in) section
option tcplog
#Same as “option httplog” and will be used when mode tcp is selected
balance source
#As explained above in backend (apache) section
server app1 192.168.100.200:443 check
#As explained above in backend (apache) section – No cookies will be inserted
server app2 192.168.100.201:443 check
#As explained above in backend (apache) section- No cookies will be inserted
Points to be considered
In above example, load-balancing method used is source-IP based. There are other load-balancing methods available as well like roundrobin, static-rr, leastconn etc. You can use them as per you requirements.
Inserting cookie is not supported in “mode tcp” i.e. SSL configuration in above example file
Option forwardfor is not supported in “mode tcp” therefore you will not get client source IP in SSL based connections (stunnel is workaround for this)
Anblicks is a Data and AI company, specializing in data modernization and transformation, that helps organizations across industries make decisions better, faster, and at scale.
