08 Jan 2013

 

Overview and Architecture

HAProxy is a free, very fast and reliable solution offering high availability, load balancing and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing. It distributes a workload across a set of servers to maximize performance and optimize resource usage.

HAProxy can be used for web applications (HTTP/HTTPS) as well as for TCP-based applications (MySQL, SSL, SMTP, etc.).

 

Installation

 

Download and install the latest version of HAProxy from one of the locations mentioned below.

Option1: Download and install from source (tar.gz) available at http://haproxy.1wt.eu/#down

Steps:

#wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.22.tar.gz

#tar xzvf haproxy-1.4.22.tar.gz

#cd haproxy-1.4.22

#make install

Option2: Download and install from the RPM package available at http://repo.nixval.com/nixval-centos/5/updates/haproxy-1.4.9-1.el5.x86_64.rpm

Steps:

#wget http://repo.nixval.com/nixval-centos/5/updates/haproxy-1.4.9-1.el5.x86_…

#rpm -ivh haproxy-1.4.9-1.el5.x86_64.rpm

 

Configuration

 

Once HAProxy is installed, either from source or from RPM, the configuration file haproxy.cfg will be created under the /etc/haproxy/ directory.

Open the file and you will find 4 different sections, as described below:

  1. global – This section specifies global settings for HAProxy, which can include max connections, pid file, log file location, the user/group under which the haproxy daemon will be started, etc.

  2. defaults – This section specifies default options that are used by all frontend and backend configurations.

  3. frontend – This section configures the frontends for HAProxy, which includes the port / IP address on which HAProxy will listen and other options based on requirements. We can specify more than one frontend in case we want to forward various kinds of traffic like HTTP/HTTPS/SMTP etc.

  4. backend – This section specifies the backend systems, i.e. the actual application servers to which HAProxy will forward all traffic. For example, if HAProxy is configured to load balance HTTP traffic, the backends will be web servers or reverse proxy servers like Varnish.

You can specify more than one backend depending upon the frontend configuration. You can also specify more than one application server within a single backend for failover/load-balancing.

Below is the sample configuration file for HAProxy:

#---------------------------------------------------------------------

# Global settings

#---------------------------------------------------------------------

global

log 127.0.0.1 local2 info

#This will send all logs with type “info” to the local syslog server. Additionally, you need to configure the local syslog server to collect remote logs with the -r option.

log 127.0.0.1 local2 notice

#This will send all logs with type “notice” to local syslog server.

chroot /var/lib/haproxy

#Runs HAProxy in a chrooted environment, which increases the security level in case an unknown vulnerability is exploited, since it makes it very hard for the attacker to exploit the rest of the system. The directory should be empty and not writable by anyone.

pidfile /var/run/haproxy.pid

#Writes pids of all daemons into file <pidfile>

maxconn 4000

#Sets the maximum per-process number of concurrent connections to <number>.

user haproxy

#Changes the process' username to <user>. It is recommended that the username is dedicated to HAProxy or to a small set of similar daemons. HAProxy must be started with superuser privileges in order to be able to switch to another one.

group haproxy

#Changes the process' group name to <group>. It is recommended that the group name is dedicated to HAProxy or to a small set of similar daemons. HAProxy must be started with a user belonging to this group.

daemon

#Makes the process fork into the background.

stats socket /tmp/haproxy

#Creates a UNIX socket in stream mode at location <path>. /tmp is world-writable, so prefer a directory that is not, and restrict access to the socket with its mode/uid/gid parameters.

#------------------------------------------------------------------------------

# common defaults that all the 'listen' and 'backend' sections will

# use if not designated in their block

#------------------------------------------------------------------------------

defaults

mode http

#The instance will work in HTTP mode. To be used when HAProxy is configured to handle only HTTP traffic

log global

#Refer Global section for logs

option dontlognull

#This option indicates that a connection on which no data has been transferred will not be logged

option redispatch

#In HTTP mode, if a server designated by a cookie is down, clients may definitely stick to it because they cannot flush the cookie, so they will not be able to access the service anymore. Specifying option redispatch will allow the proxy to break their persistence and redistribute them to a working server.

timeout connect 10000

# default 10 seconds time out if a backend is not found

timeout client 300000

#The inactivity timeout (in milliseconds) applies when the client is expected to acknowledge or send data. In HTTP mode, this timeout is particularly important to consider during the first phase, when the client sends the request, and during the response while it is reading data sent by the server

timeout server 300000

#The inactivity timeout (in milliseconds) applies when the server is expected to acknowledge or send data. In HTTP mode, this timeout is particularly important to consider during the first phase of the server's response, when it has to send the headers, as it directly represents the server's processing time for the request.

maxconn 60000

#Maximum number of concurrent connections the frontend will accept to serve. Excess connections will be queued by the system in the socket's listen queue and will be served once a connection closes. The per-process limit of 4000 set in the global section still applies, so raise it if the frontend is meant to reach this value.

retries 3

#Number of times a connection attempt should be retried on a server when a connection either is refused or times out. The default value is 3.

#---------------------------------------------------------------------

# main frontend which proxies to the backends - HTTP

#---------------------------------------------------------------------

frontend http-in

#http-in is the name of frontend

bind *:80

#Bind all Network Interfaces to listen on port 80 for this particular frontend

mode http

#As mentioned in defaults section

acl bad_ip src 1.2.3.4

#Create new acl with name “bad_ip” where source IP is 1.2.3.4

acl header hdr_cnt(X-Forwarded-For) gt 0

#Create new acl with name “header” which matches when the request already carries an X-Forwarded-For header

block if bad_ip || header

#Block the request when it matches acl “bad_ip” or acl “header”

#Similarly more ACLs can be created as per requirements

option httpclose

#By default, when a client communicates with a server, HAProxy will only analyze, log, and process the first request of each connection. If option httpclose is set, it will check if a "Connection: close" header is already set in each direction, and will add one if missing. This helps to close the TCP connection after each transfer

option forwardfor

#HTTP header "X-Forwarded-For" will be added by HAProxy to all requests sent to the server. This header contains a value representing the client's source IP address.

default_backend apache

#Default backend to use for this particular frontend. These are the actual application servers to which requests will be forwarded.

#---------------------------------------------------------------------

# main frontend which proxies to the backends - HTTPS

#---------------------------------------------------------------------

frontend https-in

#https-in is the name of frontend

bind *:443

#Bind all Network Interfaces to listen on port 443 for this particular frontend

mode tcp

#The instance will work in pure TCP mode. A full-duplex connection will be established between clients and servers, and no layer 7 examination will be performed. It should be used for load-balancing traffic other than HTTP, e.g. HTTPS, MySQL, SMTP etc.

acl bad_ip src 1.2.3.4

#Already explained above

tcp-request content reject if bad_ip

#Reject connections from “bad_ip”. The “block” keyword and the X-Forwarded-For acl used in http-in work on HTTP requests only, so they cannot be used here: in “mode tcp” HAProxy sees only the encrypted stream

default_backend apache_https

#Already explained above

#---------------------------------------------------------------------

# Backend configuration for frontend http-in

#---------------------------------------------------------------------

backend apache

#apache is name of backend which is going to be used for http-in frontend

mode http

#Already explained above

balance source

#The source IP address is hashed and divided by the total weight of the running servers to designate which server will receive the request. This ensures that the same client IP address will always reach the same server as long as no server goes down or up. If the hash result changes due to the number of running servers changing, many clients will be directed to a different server

option httplog

#By specifying option httplog, each log line turns into a much richer format including, but not limited to, the HTTP request, the connection timers, the session status, the connections numbers, the captured headers and cookies, the frontend, backend and server name, and of course the source address and ports.

option httpclose

#Already explained above

option forwardfor except 127.0.0.1

   #Already explained above. Adds the X-Forwarded-For header except for requests from 127.0.0.1

   cookie SERVERID insert indirect nocache

   #SERVERID is the name of the cookie which will be inserted by HAProxy on each request served after applying the load-balancing algorithm.

   #Actual backend/application servers are specified below

   server app1 1.2.3.5:80 cookie server01 check

   #app1 is the identification name for the webserver with IP address 1.2.3.5 and value for SERVERID cookie (mentioned above) as server01. “check” will be used to check aliveness of the server on the specified port, i.e. port 80

   server app2 1.2.3.6:80 cookie server02 check

   #app2 is the identification name for the webserver with IP address 1.2.3.6 and value for SERVERID cookie (mentioned above) as server02. “check” will be used to check aliveness of the server on the specified port, i.e. port 80

#### The section below allows us to view statistics of requests served by HAProxy.

#### Example: http://<haproxy-ip>/haproxy?stats will be accessible with username “ha” and password “Haproxy2012”. The page will be automatically refreshed every 5 seconds as per the configuration below. Replace these credentials with your own: they are stored in cleartext in this file and sent with HTTP Basic authentication over plain HTTP on port 80

stats enable

stats hide-version

stats scope .

stats realm Haproxy\ Statistics

stats uri /haproxy?stats

stats auth ha:Haproxy2012

stats refresh 5s

#---------------------------------------------------------------------

# Backend configuration for frontend https-in

#---------------------------------------------------------------------

backend apache_https

#apache_https is name of backend which is going to be used for https-in frontend

mode tcp

#Already explained above

option tcplog

#Same as “option httplog” and will be used when mode tcp is selected

balance source

#Already explained above

server app1 1.2.3.5:443 check

#Already explained above - No cookies will be inserted

server app2 1.2.3.6:443 check

#Already explained above - No cookies will be inserted

 

Important Points

 

  • All above parameters can be adjusted and configured as per requirement

  • In the above example, the load-balancing method used is source-IP based. There are other load-balancing methods available as well, like roundrobin, static-rr, leastconn etc. You can use them as per your requirements.

  • Inserting cookie is not supported in “mode tcp” i.e. SSL configuration in above example file

  • Option forwardfor is not supported in “mode tcp” therefore you will not get client source IP in SSL based connections (stunnel is workaround for this)

  • Stats (Viewing Statistics) is also not supported in “mode tcp”
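
The points above can be checked automatically before a configuration is deployed. The following Python linter is an added example, not part of the original article or of HAProxy: it flags HTTP-only directives (cookie, block, option forwardfor, stats) placed in a section running in “mode tcp”, a stats socket under /tmp, and a stats password kept in the file. The function names and the sample configuration are constructed for illustration, and inheritance of directives from the defaults section is limited to the mode.

```python
import re
# HTTP-only directives per the page's "Important Points", plus "block".
HTTP_ONLY = ("cookie ", "block ", "option forwardfor", "stats ")
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def parse_sections(text):
    """Split haproxy.cfg text into (kind, name, directives), dropping comments."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = SECTION.match(line)
        if match:
            sections.append((match.group(1), match.group(2), []))
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def lint(text):
    """Return (section, message) findings for the pitfalls described above."""
    findings, default_mode = [], "tcp"  # tcp is HAProxy's built-in default mode
    for kind, name, directives in parse_sections(text):
        label = f"{kind} {name}".strip()
        modes = [d.split()[1] for d in directives if d.startswith("mode ")]
        mode = modes[-1] if modes else default_mode
        if kind == "defaults":  # each defaults section resets the inherited mode
            default_mode = modes[-1] if modes else "tcp"
            continue
        for d in directives:
            if kind == "global" and d.startswith("stats socket /tmp/"):
                findings.append((label, "stats socket under /tmp"))
            elif kind != "global" and mode == "tcp" and d.startswith(HTTP_ONLY):
                findings.append((label, "HTTP-only directive in mode tcp: " + d))
            elif d.startswith("stats auth "):
                findings.append((label, "stats password in cleartext"))
    return findings

SAMPLE = """# constructed sample, cut down from the configuration on this page
global
    stats socket /tmp/haproxy
defaults
    mode http
frontend https-in
    mode tcp
    block if bad_ip
backend apache
    cookie SERVERID insert indirect nocache
    stats auth ha:Haproxy2012
"""

if __name__ == "__main__": print(*lint(SAMPLE), sep="\n")
```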