HAProxy is a fast, reliable open-source software package providing high availability and load balancing for TCP- and HTTP-based applications.

This article will help you set up an HAProxy load-balancing environment on Ubuntu, although most of it can easily be adapted for CentOS. It configures a Layer 4 load-balancing setup, which balances load and forwards requests to different servers based on IP address and port number.

Network Architecture

Below is the setup used in this article: three Apache web servers, each running on the standard port 80, and one HAProxy server.

Web Server Details:

Server 1:    web1.example.com     192.168.1.101
Server 2:    web2.example.com     192.168.1.102
Server 3:    web3.example.com     192.168.1.103

HAProxy Server: 

HAProxy:     haproxy              192.168.1.12

Step 1 – Install HAProxy

Log in to your HAProxy server and install HAProxy:

sudo add-apt-repository ppa:vbernat/haproxy-1.8
sudo apt-get update
sudo apt-get install haproxy

Step 2 – HAProxy Configuration

Now edit the HAProxy default configuration file /etc/haproxy/haproxy.cfg and start configuring it.

sudo nano /etc/haproxy/haproxy.cfg

HAProxy Settings:

Here’s an example configuration for HAProxy; you may need to modify it to match your setup.

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

Adding HAProxy Listener:

Now tell HAProxy where to listen for new connections. This configuration makes HAProxy listen on port 80 of the 192.168.1.12 IP address.

frontend Local_Server
    bind 192.168.1.12:80
    mode http
    default_backend My_Web_Servers

Add Backend Web Servers:

Now define the backend web servers to which HAProxy will send requests. The backend name must match the default_backend given in the frontend. The check keyword on each server line enables the httpchk health check, so a server that stops answering is taken out of rotation:

backend My_Web_Servers
    mode http
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    server web1.example.com  192.168.1.101:80 check
    server web2.example.com  192.168.1.102:80 check
    server web3.example.com  192.168.1.103:80 check

Enable HAProxy Stats (Optional)

HAProxy has a really nice stats page that shows you what it’s doing; I highly recommend viewing it to optimize your configuration. The username:password in the stats auth line below is a placeholder: replace it with your own credentials, and since the page is served over plain HTTP on every interface, restrict access to port 1936 (bind it to a management address or firewall it) rather than exposing it publicly.

listen stats
    bind *:1936
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats auth username:password
    stats uri  /stats

Step 3 – Final HAProxy Configuration File

Your final config may look something like this:

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend Local_Server
    bind 192.168.1.12:80
    mode http
    default_backend My_Web_Servers

backend My_Web_Servers
    mode http
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    server web1.example.com  192.168.1.101:80 check
    server web2.example.com  192.168.1.102:80 check
    server web3.example.com  192.168.1.103:80 check

listen stats
    bind *:1936
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats auth username:password
    stats uri  /stats

Step 4 – Restart HAProxy

You have now made all the necessary changes on your HAProxy server. Before restarting the service, verify the configuration file with the following command:

haproxy -c -f /etc/haproxy/haproxy.cfg
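The most common way this check fails is a frontend whose default_backend (or use_backend) names a backend section that does not exist. The following added example, written for this article and not part of it, reproduces that one check in plain sh so you can see what haproxy -c is looking for; it runs without HAProxy installed. The section names are the article's, and the sample config it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check that every
# backend referenced by a frontend (default_backend / use_backend) is actually
# defined as a backend or listen section. `haproxy -c` reports the same error,
# but this runs without haproxy installed and shows what the check looks for.

# check_backend_refs FILE
# Prints one line per dangling reference. Returns 0 when every reference
# resolves, 1 otherwise.
check_backend_refs() {
    cfg="$1"
    # Names that may be targeted: backend and listen sections.
    defined=$(awk '$1 == "backend" || $1 == "listen" { print $2 }' "$cfg")
    # Names frontends point at. A use_backend line may carry an ACL after
    # the name; $2 is still the backend name.
    referenced=$(awk '$1 == "default_backend" || $1 == "use_backend" { print $2 }' "$cfg")
    rc=0
    for ref in $referenced; do
        found=0
        for def in $defined; do
            if [ "$ref" = "$def" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "dangling reference: '$ref' is not a defined backend in $cfg"
            rc=1
        fi
    done
    return "$rc"
}

# write_sample_cfg FILE
# Writes a constructed config in which the frontend points at My_Web_Servers
# but the backend section is named "nodes": the kind of mistake the check
# is meant to catch.
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend Local_Server
    bind 192.168.1.12:80
    mode http
    default_backend My_Web_Servers

backend nodes
    mode http
    balance roundrobin
    server web1.example.com  192.168.1.101:80
EOF
}

# Demo: run the check on the constructed config, then on a corrected copy.
sample=$(mktemp)
write_sample_cfg "$sample"
if check_backend_refs "$sample"; then
    echo "$sample: all backend references resolve"
else
    echo "$sample: would fail 'haproxy -c'"
fi
sed 's/^backend nodes$/backend My_Web_Servers/' "$sample" > "$sample.fixed"
if check_backend_refs "$sample.fixed"; then
    echo "$sample.fixed: all backend references resolve"
fi
rm -f "$sample" "$sample.fixed"
```

Run it against your real file with `check_backend_refs /etc/haproxy/haproxy.cfg` after sourcing the script; it is a complement to haproxy -c, not a replacement, since the latter also validates every keyword and option.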

If the command reports that the configuration file is valid, restart the HAProxy service (as root, or with sudo):

service haproxy restart

Step 5 – Verify HAProxy Setting

At this stage we have a fully functional HAProxy setup. To test it, create a file on each web server containing that server’s name (Server 1, Server 2, Server 3).

Now access port 80 on IP 192.168.1.12 (as configured above) in a web browser and hit refresh. You will see HAProxy sending requests to the backend servers one by one (per the round-robin algorithm).

With each refresh you can see that HAProxy sends the request to the next backend server in turn. If a server is no longer responding, HAProxy automatically takes it out of rotation.
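Refreshing a browser is fine for a quick look, but a burst of scripted requests makes the distribution and any server dropped from rotation obvious. The following added example, written for this article and not part of it, sends N requests to the frontend and tallies which backend answered each one. It assumes, as the test step above suggests, that each web server's index page contains just its own name (Server 1, Server 2, Server 3); the frontend address is the article's 192.168.1.12, and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: fire a burst of requests at
# the HAProxy frontend and tally which backend answered each one. Assumes each
# web server's index page contains just its own name ("Server 1", ...).

# probe URL COUNT: fetch URL COUNT times, printing one response body per line.
# A request that gets no body (HAProxy down, every server down) is recorded
# as "unreachable" so it still shows up in the tally.
probe() {
    url="$1"; count="$2"; i=0
    while [ "$i" -lt "$count" ]; do
        body=$(curl -s --max-time 5 "$url" | tr -d '\r\n')
        echo "${body:-unreachable}"
        i=$((i + 1))
    done
}

# tally: read one backend name per line on stdin, print "name: hits" per
# backend, sorted by name.
tally() {
    sort | uniq -c | awk '{ n = $1; $1 = ""; sub(/^ +/, ""); print $0 ": " n }'
}

# spread: read tally output on stdin, print (max hits - min hits). With
# roundrobin and every server healthy this is 0 or 1 for any burst size;
# a larger gap means a server has been taken out of rotation by the health
# check (or the balance algorithm is not roundrobin).
spread() {
    awk -F': ' 'NR == 1 { mx = $2; mn = $2 }
                { if ($2 + 0 > mx + 0) mx = $2; if ($2 + 0 < mn + 0) mn = $2 }
                END { print (NR ? mx - mn : 0) }'
}

# Usage: sh verify_lb.sh http://192.168.1.12/ 12
# With no arguments the functions are defined but nothing is sent.
if [ "$#" -ge 1 ]; then
    results=$(probe "$1" "${2:-12}" | tally)
    echo "$results"
    echo "spread: $(echo "$results" | spread)"
fi
```

With three healthy servers and 12 requests you should see 4 hits each and a spread of 0; stop Apache on one server, wait for the health check to mark it down, and the same burst shows 6/6/0 with a spread of 6, which is the "taken out of rotation" behaviour made visible.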