Environment: CentOS 7
HAProxy version: 1.5.18
Installation
Install HAProxy with this command:
# yum install haproxy
Configure
The configuration file is located at /etc/haproxy/haproxy.cfg.
Open and edit the file.
You need to define a frontend and a backend:
frontend LB
    bind 0.0.0.0:80 # bind to all network IP:port
    reqadd X-Forwarded-Proto:\ http
    default_backend LB # point to backend name LB
backend LB
    mode http
    balance roundrobin # Load balancing will work in round-robin process.
    option httpchk
    option httpclose
    option forwardfor
    cookie SERVERID insert # Let the load-balancer set up a cookie for the session.
    server svrv-trep-app01 172.20.101.115:80 cookie app01 check # server 1
    server svrv-trep-app02 172.20.101.116:80 cookie app02 check # server 2
    server backup-server 172.20.101.124:80 check backup # if all servers fail, traffic will go to this backup server
cookie app0x: this is so that when a client comes back, HAProxy knows which server to send it back to.
For a new client, it sets SERVERID=app01 (the cookie value of the server that was chosen) in the response header.
If you use the application's session for persistence,
replace SERVERID with JSESSIONID.
The "check" keyword is used to check whether the server is alive or not.
Enable Stats
Edit the configuration file and add these lines (in the final configuration below they sit in backend LB):
    stats enable # enable statistic pages
    stats hide-version
    stats uri /stats # statistic pages at /stats
    stats realm Haproxy\ Statistics
    stats auth username:password # Credentials for HAProxy Statistic report page.
Enable log
1. Edit the rsyslog configuration file
# vim /etc/rsyslog.conf
Find and enable (uncomment) these lines:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
This makes rsyslog listen on UDP port 514 to collect logs.
2. haproxy.cfg already defines this:
    log 127.0.0.1 local2
so create a new file called haproxy.conf under /etc/rsyslog.d/
# vim /etc/rsyslog.d/haproxy.conf
and put this in it:
local2.* /var/log/haproxy.log
3. Then restart the rsyslog service
# systemctl restart rsyslog
Enable SSL
1. Edit haproxy.cfg and add the HTTPS frontend
frontend LBS
    bind 0.0.0.0:443 ssl crt /etc/haproxy/test.pem # listen on port 443, the SSL certificate is at /etc/haproxy/test.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend LB # go to backend name LB
The connection will then look like this:
Public -- HTTPS (secure connection) --> HAProxy -- HTTP --> backend server
2. If you want to enforce SSL, add this to the backend:
    redirect scheme https if !{ ssl_fc }
The final configuration will look something like this:
frontend LB
    bind 0.0.0.0:80
    reqadd X-Forwarded-Proto:\ http
    default_backend LB
frontend LBS
    bind 172.20.101.128:443 ssl crt /etc/haproxy/test.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend LB
backend LB
    mode http
    redirect scheme https if !{ ssl_fc }
    stats enable
    stats hide-version
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth username:password
    balance roundrobin
    option httpchk
    option httpclose
    option forwardfor
    cookie SERVERID insert
    server svrv-trep-app01 172.20.101.115:80 cookie app01 check
    server svrv-trep-app02 172.20.101.116:80 cookie app02 check
    server backup-server 172.20.101.124:80 check backup
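An added example, not part of the original page or of HAProxy itself: a small Python audit of a configuration shaped like the one above. It lists the bind addresses through which a section with "stats enable" can be reached, and flags "cookie ... insert" lines that lack the httponly and secure keywords. The function names and the trimmed sample are constructed for illustration, and the secure check assumes HTTPS is enforced as in step 2.

```python
# Constructed sample: the final configuration from this page, trimmed.
SAMPLE_CFG = """
frontend LB
    bind 0.0.0.0:80
    default_backend LB
frontend LBS
    bind 172.20.101.128:443 ssl crt /etc/haproxy/test.pem
    default_backend LB
backend LB
    stats enable
    stats auth username:password
    cookie SERVERID insert
    server svrv-trep-app01 172.20.101.115:80 cookie app01 check
"""
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
LOOPBACK = ("127.", "localhost:", "[::1]:")

def parse(cfg):
    """Split haproxy.cfg text into {(kind, name): [token lists]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        tok = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if tok and tok[0] in SECTIONS:
            cur = out.setdefault((tok[0], tok[1] if len(tok) > 1 else ""), [])
        elif tok and cur is not None:
            cur.append(tok)
    return out

def audit(cfg):
    """Report stats pages reachable on non-loopback binds and weak cookie flags."""
    secs, found = parse(cfg), []
    for (kind, name), lines in secs.items():
        binds = [t[1] for t in lines if t[0] == "bind" and len(t) > 1]
        if kind in ("backend", "listen"):  # add listeners that route here
            for (k, _), ls in secs.items():
                if k != "backend" and any(t[0] in ("default_backend", "use_backend")
                                          and t[1:2] == [name] for t in ls):
                    binds += [t[1] for t in ls if t[0] == "bind" and len(t) > 1]
        if ["stats", "enable"] in lines:
            found += [f"{kind} {name}: stats page reachable via bind {b}"
                      for b in sorted(set(binds)) if not b.startswith(LOOPBACK)]
        for t in lines:  # "secure" assumes HTTPS is enforced, as on this page
            missing = [f for f in ("httponly", "secure") if f not in t]
            if t[0] == "cookie" and "insert" in t and missing:
                found.append(f"{kind} {name}: cookie {t[1]} lacks {', '.join(missing)}")
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG)))
```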
Microsite, or redirecting a certain sub-path to another server
1. Define the incoming domain name
    acl in_domain hdr_dom(host) -i www.testing.com
2. Define the backend server
backend testing_backend
    balance roundrobin
    option httpchk GET / HTTP/1.0
    server test-server 172.20.1.60:80 maxconn 200 check inter 5s
    server maintenance 203.208.240.126:80 backup
    timeout server 60s
3. Define the rules, if you want to send www.testing.com/camera to a different server
    acl camera_r path -i /camera
    redirect location /camera/ if in_domain camera_r
    acl camera path_beg -i /camera/
    use_backend testing_backend if in_domain camera
== explain ==
1st line: defines camera_r = /camera
2nd line: if the request matches in_domain and camera_r (meaning www.testing.com/camera), redirect it to www.testing.com/camera/
3rd line: defines camera = paths beginning with /camera/
4th line: if the request matches in_domain and camera (www.testing.com/camera/), send it to the backend testing_backend