How to Setup High-Availability Load Balancer with ‘HAProxy’ to Control Web Server Traffic

Step 4: Configuring HAProxy Global Settings

7. Now set the default variables for HAProxy in ‘/etc/haproxy/haproxy.cfg‘. The changes go under the defaults section, as shown below; here the timeouts for queue, connect, client and server, and the maximum number of connections, need to be defined.

In this case, I suggest you go through the HAProxy man pages and tweak these values as per your requirements.

#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    # Timeouts given without a unit suffix are read as milliseconds.
    timeout http-request    20
    timeout queue           86400
    timeout connect         86400
    timeout client          86400
    timeout server          86400
    timeout http-keep-alive 30
    timeout check           20
    maxconn                 50000

HAProxy Default Settings
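
HAProxy accepts the unit suffixes us, ms, s, m, h and d on timeout values, and a bare number such as `timeout client 86400` is taken as 86400 ms. As an added example (not part of the original article), this script lists every timeout in a configuration in milliseconds and picks out the unitless ones; the `backend constructed_example` lines in the sample are constructed to show suffix handling.

```shell
#!/bin/sh
# sample_cfg: the tutorial's defaults timeouts plus a constructed backend
# section (not from the article) that uses unit suffixes.
sample_cfg() {
    cat <<'EOF'
defaults
    timeout http-request    20
    timeout queue           86400
    timeout connect         86400
    timeout client          86400
    timeout server          86400
    timeout http-keep-alive 30
    timeout check           20
backend constructed_example
    timeout server          30s
    timeout tunnel          1h
EOF
}

# timeouts_ms: read an HAProxy config on stdin and print, per timeout directive,
#   <section> <timeout name> <value in milliseconds> <unit suffix or "nounit">
timeouts_ms() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ { section = $1; next }
    $1 == "timeout" && NF >= 3 {
        unit = $3; sub(/^[0-9]+/, "", unit)   # strip the digits, keep the suffix
        n = $3 + 0                            # numeric prefix of the value
        if      (unit == "")   { ms = n; unit = "nounit" }
        else if (unit == "us") { ms = n / 1000 }
        else if (unit == "ms") { ms = n }
        else if (unit == "s")  { ms = n * 1000 }
        else if (unit == "m")  { ms = n * 60000 }
        else if (unit == "h")  { ms = n * 3600000 }
        else if (unit == "d")  { ms = n * 86400000 }
        else                   { ms = "invalid" }
        print section, $2, ms, unit
    }'
}

# unitless_timeouts: only the directives written without a suffix, as name=<ms>ms
unitless_timeouts() {
    timeouts_ms | awk '$4 == "nounit" { print $2 "=" $3 "ms" }'
}

sample_cfg | timeouts_ms
```

To audit a live balancer, run `timeouts_ms < /etc/haproxy/haproxy.cfg`.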

8. Then define the front-end and back-end for the balancer in the ‘/etc/haproxy/haproxy.cfg‘ global configuration file, as shown below. Make sure to replace the IP addresses, hostnames and HAProxy login credentials as per your requirements.

frontend LB
   bind 192.168.0.125:80
   reqadd X-Forwarded-Proto:\ http
   default_backend LB

backend LB
   mode http
   stats enable
   stats hide-version
   stats uri /stats
   stats realm Haproxy\ Statistics
   stats auth haproxy:redhat		# Credentials for HAProxy Statistic report page.
   balance roundrobin			# Load balancing will work in round-robin process.
   option httpchk
   option  httpclose
   option forwardfor
   cookie LB insert
   server web1-srv 192.168.0.121:80 cookie web1-srv check		# backend server.
   server web2-srv 192.168.0.122:80 cookie web2-srv check		# backend server.
   server web3-srv 192.168.0.123:80 cookie web3-srv check		# backend server.
   server web4-srv 192.168.0.124:80 check backup			# backup fail-over Server, If three of the above fails this will be activated.

HAProxy Global Configuration

9. After adding the above settings, our load balancer can be accessed at ‘http://192.168.0.125/stats‘ with HTTP authentication, using the login name ‘haproxy‘ and the password ‘redhat‘ as set above; you can replace them with your own credentials.

10. After you’ve finished the configuration, make sure to restart HAProxy and make it persistent at system startup on RedHat based systems.

# service haproxy restart
# chkconfig haproxy on
# chkconfig --list haproxy

Start HAProxy

Ubuntu/Debian users need to set the “ENABLED” option to “1” in the ‘/etc/default/haproxy‘ file.

ENABLED=1

Step 5: Verify HAProxy Load Balancer

11. Now it’s time to access the load balancer URL/IP and verify that the site loads. Let me put one HTML file on all four servers: create a file index.html in the web server’s document root directory on each of the four servers and add the following content to it.

<html>
<head>
  <title>Tecmint HAProxy Test Page</title>
</head>

<body>
<!-- Main content -->
<h1>My HAProxy Test Page</h1>

<p>Welcome to HA Proxy test page!

<p>There should be more here, but I don't know
what to be write :p.

<address>Made 11 January 2015<br>
  by Babin Lonston.</address>

</body>
</html>

12. After creating the ‘index.html‘ file, try to access the site and see whether the copied HTML file can be accessed.

http://192.168.0.125/

Verify HAProxy Load Balancer

Site has been successfully accessed.

Step 6: Verify Statistic of Load Balancer

13. To get the statistics page of HAProxy, use the following link. When asked for the username and password, provide haproxy/redhat.

http://192.168.0.125/stats

HAProxy Statistics Login

HAProxy Statistics


Step 7: Enabling SSL in HAProxy

14. To enable SSL in HAProxy, you need to install the mod_ssl package for creating an SSL certificate for HAProxy.

On RHEL/CentOS/Fedora

To install mod_ssl, run the following command.

# yum install mod_ssl -y

On Ubuntu/Debian

By default under Ubuntu/Debian, SSL support comes standard with the Apache package. We just need to enable it.

# a2enmod ssl

After you’ve enabled SSL, restart the Apache server for the change to be recognized.

# service apache2 restart

15. After restarting, navigate to the SSL directory and create the SSL certificate using the following commands.

# cd /etc/ssl/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/tecmint.key -out /etc/ssl/tecmint.crt
# cat tecmint.crt tecmint.key > tecmint.pem

Create SSL for HAProxy

SSL Certificate for HAProxy
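
An added example, not from the original article, of step 15 done non-interactively with the combined PEM readable by its owner only, plus a check that the key inside the PEM belongs to the certificate inside it. The file names `site.key`, `site.crt` and `site.pem`, the CN `lb.example.test` and the throwaway directory are assumptions for illustration.

```shell
#!/bin/sh
# build_pem DIR CN
# Create a self-signed certificate and key in DIR and join them into DIR/site.pem.
# The subshell's umask 077 makes every file it creates owner-only (0600), whereas
# "cat crt key > pem" under the usual umask 022 leaves the private key world-readable.
build_pem() {
    (
        umask 077
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
            -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null || exit 1
        cat "$1/site.crt" "$1/site.key" > "$1/site.pem"
    )
}

# check_pem FILE
# Return 0 only if FILE has no group/other permission bits and the private key
# in it matches the certificate in it (both yield the same public key).
check_pem() {
    perms=$(ls -ld "$1" | cut -c5-10)      # group and other bits of the mode string
    if [ "$perms" != "------" ]; then
        echo "$1: accessible beyond its owner ($perms)" >&2
        return 1
    fi
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$1: private key does not match the certificate" >&2
        return 1
    fi
}

# Demo in a throwaway directory (constructed input); in the article DIR is /etc/ssl.
demo=$(mktemp -d) && build_pem "$demo" lb.example.test && check_pem "$demo/site.pem" \
    && echo "site.pem OK: $(ls -l "$demo/site.pem" | cut -c1-10)"
rm -rf "$demo"
```

When HAProxy is started as root it loads the `crt` file before dropping privileges, so a root-owned 0600 PEM is sufficient.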


16. Open and edit the haproxy configuration and add the SSL front-end as below.

# vim /etc/haproxy/haproxy.cfg 

Add the following configuration as frontend.

frontend LBS
   bind 192.168.0.125:443 ssl crt /etc/ssl/tecmint.pem
   reqadd X-Forwarded-Proto:\ https
   default_backend LB

17. Next, add the redirect rule to the backend configuration.

redirect scheme https if !{ ssl_fc }

Enable SSL on HAProxy

18. After making the above changes, make sure to restart the haproxy service.

# service haproxy restart

If the restart prints the warning below, fix it by adding the following parameter to the global section of the HAProxy configuration.

SSL HAProxy Error


tune.ssl.default-dh-param 2048

19. After restarting, try to access the site at 192.168.0.125; it will now forward to https.

http://192.168.0.125

Verify SSL HAProxy

SSL Enabled HAProxy


20. Next, verify the haproxy.log under ‘/var/log/‘ directory.

# tail -f /var/log/haproxy.log

Check HAProxy Logs

Step 8: Open HAProxy Ports on Firewall

21. Open the ports for the web service and the log reception UDP port using the rules below.

On CentOS/RHEL 6

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 514 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

On CentOS/RHEL 7 and Fedora 21

# firewall-cmd --permanent --zone=public --add-port=514/udp
# firewall-cmd --permanent --zone=public --add-port=80/tcp
# firewall-cmd --permanent --zone=public --add-port=443/tcp
# firewall-cmd --reload

On Debian/Ubuntu

Add the following lines to ‘/etc/iptables.up.rules‘ to enable the ports on the firewall.

-A INPUT -p udp --dport 514 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

Conclusion

In this article, we’ve installed Apache on 4 servers and shared a website across them to reduce the traffic load. I hope this article will help you to set up a load balancer for web servers using HAProxy and make your applications more stable and available.

If you have any questions regarding the article, feel free to post your comments or suggestions; I will be glad to help you out in the best way I can.


Babin Lonston

I've been working as a System Administrator for the last 10 years, with 4 years of experience with Linux distributions, and fell in love with text-based operating systems.


29 Responses

  1. surya says:

    Hi Babin Lonston

    Instead of apache can we use apache-tomcat on client machines for web application load balancing ??

  2. Alexa says:

    What will be the www “A” record for my website, is it the haproxy IP or among the 4 webserver IPs? I am a little bit confused.

  3. helwie ahmad says:

    Nice tutorial, I have a request for the next tutorial about haproxy: how to force a redirect when a visitor tries to access the http url to the https url, how to configure haproxy to be more secure and how to tune that tool, and lastly,

    how to upgrade/update to the latest version of haproxy in centos 7, since that os uses version 1.5. Thanks in advance.

  4. Sagar says:

    Nice document, can you share best practices for HAProxy on Linux.

  5. helwi says:

    how to install the latest version of haproxy? its possible?

  6. vincent says:

    how to access load balancer using url instead of ip ?

    • Bobin Lonston says:

      @Vincent,

      Just you need to have a valid DNS entry.

      And your hostname/IP A, AAA, PTR record should be created in DNS Server.

      Thanks & Regards,
      Bobin Lonston

  7. Marcos says:

    Can we add another HA Proxy Server? To make it a distributed system?

  8. Marinel says:

    This is not a high availability setup. The LB doesn't have a failover.

  9. Anand says:

    What happens if HAProxy server not ping at any situation?…
