How to Setup High-Availability Load Balancer with ‘HAProxy’ to Control Web Server Traffic

Step 4: Configuring HAProxy Global Settings

7. Next, set the default variables for HAProxy in ‘/etc/haproxy/haproxy.cfg‘. Make the changes under the defaults section as follows; the timeouts for queue, connect, client and server and the maximum number of connections need to be defined here.

In this case, I suggest you go through the HAProxy man pages and tweak the values as per your requirements. Note that HAProxy reads a timeout written without a unit suffix as milliseconds; add a suffix such as s or m to use another unit.

#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    20
    timeout queue           86400
    timeout connect         86400
    timeout client          86400
    timeout server          86400
    timeout http-keep-alive 30
    timeout check           20
    maxconn                 50000
HAProxy Default Settings

8. Then define the front-end and back-end for the balancer in the ‘/etc/haproxy/haproxy.cfg‘ configuration file as shown below. Make sure to replace the IP addresses, hostnames and HAProxy login credentials as per your requirements.

frontend LB
   bind 192.168.0.125:80
   reqadd X-Forwarded-Proto:\ http
   default_backend LB

backend LB
   mode http
   stats enable
   stats hide-version
   stats uri /stats
   stats realm Haproxy\ Statistics
   stats auth haproxy:redhat		# Credentials for HAProxy Statistic report page.
   balance roundrobin			# Load balancing will work in round-robin process.
   option httpchk
   option  httpclose
   option forwardfor
   cookie LB insert
   server web1-srv 192.168.0.121:80 cookie web1-srv check		# backend server.
   server web2-srv 192.168.0.122:80 cookie web2-srv check		# backend server.
   server web3-srv 192.168.0.123:80 cookie web3-srv check		# backend server.
   server web4-srv 192.168.0.124:80 check backup			# Backup fail-over server; activated if all three servers above fail.
HAProxy Global Configuration

9. After adding the above settings, our load balancer can be accessed at ‘http://192.168.0.125/stats‘ with HTTP authentication, using the login name ‘haproxy‘ and the password ‘redhat‘ as set above, but you can replace them with your own credentials. At this point the statistics page is served over plain HTTP on port 80, so the login is not encrypted in transit.

10. After you’re done with the configuration, make sure to restart HAProxy and make it persistent at system startup on RedHat based systems.

# service haproxy restart
# chkconfig haproxy on
# chkconfig --list haproxy
Start HAProxy

Ubuntu/Debian users need to set the “ENABLED” option to “1” in the ‘/etc/default/haproxy‘ file.

ENABLED=1

Step 5: Verify HAProxy Load Balancer

11. Now it’s time to access our load balancer URL/IP and verify whether the site loads. Let me put one HTML file on all four servers. Create a file index.html in the web server’s document root directory on all four servers and add the following content to it.

<html>
<head>
  <title>Tecmint HAProxy Test Page</title>
</head>

<body>
<!-- Main content -->
<h1>My HAProxy Test Page</h1>

<p>Welcome to HA Proxy test page!

<p>There should be more here, but I don't know
what to be write :p.

<address>Made 11 January 2015<br>
  by Babin Lonston.</address>

</body>
</html>

12. After creating the ‘index.html‘ file, try to access the site and check whether the copied HTML file can be accessed.

http://192.168.0.125/
Verify HAProxy Load Balancer

Site has been successfully accessed.

Step 6: Verify Statistic of Load Balancer

13. To get the statistics page of HAProxy, you can use the following link. When asked for a username and password, provide haproxy/redhat.

http://192.168.0.125/stats
HAProxy Statistics Login
HAProxy Statistics

Step 7: Enabling SSL in HAProxy

14. To enable SSL in HAProxy, you need to install the mod_ssl package for creating the SSL certificate for HAProxy.

On RHEL/CentOS/Fedora

To install mod_ssl, run the following command.

# yum install mod_ssl -y

On Ubuntu/Debian

By default, under Ubuntu/Debian, SSL support comes standard with the Apache package. We just need to enable it.

# a2enmod ssl

After you’ve enabled SSL, restart the Apache server for the change to be recognized.

# service apache2 restart

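15. After restarting, navigate to the SSL directory and create the SSL certificate using the following commands. The last command concatenates the certificate and the private key into tecmint.pem, the file HAProxy loads, so keep that file readable by root only.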

# cd /etc/ssl/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/tecmint.key -out /etc/ssl/tecmint.crt
# cat tecmint.crt tecmint.key > tecmint.pem
Create SSL for HAProxy
SSL Certificate for HAProxy

16. Open and edit the haproxy configuration and add the SSL front-end as below.

# vim /etc/haproxy/haproxy.cfg 

Add the following configuration as frontend.

frontend LBS
   bind 192.168.0.125:443 ssl crt /etc/ssl/tecmint.pem
   reqadd X-Forwarded-Proto:\ https
   default_backend LB

17. Next, add the redirect rule in backend configuration.

redirect scheme https if !{ ssl_fc }
Enable SSL on HAProxy

18. After making above changes, make sure to restart the haproxy service.

# service haproxy restart

While restarting, if we get the warning below, we can fix it by adding the following parameter to the global section of the HAProxy configuration.

SSL HAProxy Error
tune.ssl.default-dh-param 2048
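
The configuration assembled in steps 7 to 17 can be checked before each restart. The Python script below is an added example, not part of the original article or of HAProxy: it reports timeouts written without a unit, which HAProxy reads as milliseconds, and a ‘stats auth‘ page that can be requested through a bind without ssl, where the Basic-auth login is only base64-encoded. The audit() helper and the condensed SAMPLE_CFG are constructed for this illustration, and redirect rules are not evaluated.

```python
# Constructed sample: the tutorial's settings from steps 7-17, condensed.
SAMPLE_CFG = """\
defaults
    timeout http-request    20
    timeout connect         86400
    timeout http-keep-alive 30s
frontend LB
    bind 192.168.0.125:80
    default_backend LB
frontend LBS
    bind 192.168.0.125:443 ssl crt /etc/ssl/tecmint.pem
    default_backend LB
backend LB
    stats uri /stats
    stats auth haproxy:redhat
"""
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}


def audit(cfg):
    """Return a list of findings for a haproxy.cfg string (hypothetical helper)."""
    findings, proxies, cur, label = [], {}, {}, ""
    for line in cfg.splitlines():
        w = line.split("#", 1)[0].split()
        if not w:
            continue
        if w[0] in SECTIONS:
            name, label = "".join(w[1:2]), " ".join(w[:2])
            cur = proxies.setdefault((w[0], name), dict(plain=False, to="", stats=False))
        elif w[0] == "timeout" and len(w) == 3 and w[2].isdigit():
            # A bare number is milliseconds, so "20" means 0.02 s, not 20 s.
            findings.append(f"{label}: timeout {w[1]} {w[2]} has no unit, "
                            f"read as {int(w[2]) / 1000:g}s")
        elif w[0] == "bind" and "ssl" not in w[2:]:
            cur["plain"] = True   # this listener accepts cleartext HTTP
        elif w[0] == "default_backend":
            cur["to"] = w[-1]
        elif w[:2] == ["stats", "auth"]:
            cur["stats"] = True   # stats page protected by HTTP Basic auth
    for (kind, name), p in proxies.items():
        # Stats can sit in the listening proxy itself or in its default backend.
        target = p if p["stats"] else proxies.get(("backend", p["to"]), {})
        if kind != "backend" and p["plain"] and target.get("stats"):
            findings.append(f"{kind} {name}: stats auth reachable over a bind without ssl")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG)))
```

Run it against the real file with audit(open('/etc/haproxy/haproxy.cfg').read()); an empty list means neither condition was found.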

19. After restarting, try to access the site at 192.168.0.125; it will now be forwarded to https.

http://192.168.0.125
Verify SSL HAProxy
SSL Enabled HAProxy

20. Next, verify the haproxy.log under ‘/var/log/‘ directory.

# tail -f /var/log/haproxy.log
Check HAProxy Logs

Step 8: Open HAProxy Ports on Firewall

21. Open the ports for the web service and the UDP port for log reception using the rules below.

On CentOS/RHEL 6

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 514 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

On CentOS/RHEL 7 and Fedora 21

# firewall-cmd --permanent --zone=public --add-port=514/udp
# firewall-cmd --permanent --zone=public --add-port=80/tcp
# firewall-cmd --permanent --zone=public --add-port=443/tcp
# firewall-cmd --reload

On Debian/Ubuntu

Add the following lines to ‘/etc/iptables.up.rules‘ to enable the ports on the firewall.

-A INPUT -p udp --dport 514 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

Conclusion

In this article, we’ve installed Apache on 4 servers and shared a website between them to reduce the traffic load. I hope this article will help you to set up a load balancer for web servers using HAProxy and make your applications more stable and available.

If you have any questions regarding the article, feel free to post your comments or suggestions; I would love to help you out in the best way I can.

Babin Lonston
I've been working as a System Administrator for the last 10 years, with 4 years of experience with Linux distributions, and fell in love with text-based operating systems.


29 thoughts on “How to Setup High-Availability Load Balancer with ‘HAProxy’ to Control Web Server Traffic”

  1. Nice tutorial. I have a request for the next tutorial about haproxy: how to force a redirect when a visitor tries to access an http URL so that it redirects to the https URL, how to configure haproxy to make it more secure, and how to tune that tool. Lastly,

    how to upgrade/update to the latest version of haproxy on CentOS 7, since that OS uses version 1.5. Thanks in advance.

    • @Vincent,

      You just need to have a valid DNS entry.

      And your hostname/IP A, AAA, PTR record should be created in DNS Server.

      Thanks & Regards,
      Bobin Lonston

