HAProxy

http://www.haproxy.org/ ''HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.''

=Installation=

sudo add-apt-repository ppa:vbernat/haproxy-1.6 sudo apt-get update sudo apt-get install haproxy sudo service haproxy status

tail -f /var/log/haproxy.log
 * 1) voir le log de HAproxy

HAHOST=haproxy HAHOST=localhost

Open http://localhost/haproxy?stats

=Configuration en SSL Pass-throught= TODO

/etc/haproxy/haproxy.cfg

./http_svr.js

./https_svr.js

sudo service haproxy restart npm install express for port in 8081 8082 8083 ; do nodejs http_srv.js $port & done
 * 1) lancer 3 serveurs express

HOST=localhost curl $HOST:8081 curl $HOST:8082 curl $HOST:8083 curl $HOST:80 curl $HOST:80 curl $HOST:80 curl $HOST:80 curl -k https://$HOST curl -k https://$HOST curl -k https://$HOST curl -k https://$HOST
 * 1) on peut observer la politique de round-robin

=Configuration en SSL Terminaison= Le mode SSL Terminaison permet de diriger les requêtes HTTPS des clients vers les backends HTTP

Créer un certificat auto-signé pour le(s) frontend(s) HAProxy (voir) sudo mkdir /etc/ssl/air sudo openssl genrsa -out /etc/ssl/air/air.key 2048 sudo openssl req -new -key /etc/ssl/air/air.key -multivalue-rdn -subj "/C=FR/L=GRENOBLE/O=UGA/O=POLYTECH/OU=RICM/CN=AIR/emailAddress=air@imag.fr" -out /etc/ssl/air/air.csr sudo openssl x509 -req -days 365 -in /etc/ssl/air/air.csr -signkey /etc/ssl/air/air.key -out /etc/ssl/air/air.crt sudo cat /etc/ssl/air/air.crt /etc/ssl/air/air.key | sudo tee /etc/ssl/air/air.pem

Editer le fichier de configuration /etc/haproxy/haproxy.cfg
 * 1) From https://serversforhackers.com/using-ssl-certificates-with-haproxy

global log /dev/log	local0 log /dev/log	local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon

# Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3

defaults log	global mode	http option	httplog option	dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http

frontend localhost # bind *:80 bind *:443 ssl crt /etc/ssl/air/air.pem mode http default_backend nodes

backend nodes mode http balance roundrobin option forwardfor option httpchk HEAD / HTTP/1.1\r\nHost:localhost server web01 javaee01:8080 check server web02 javaee02:8080 check http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc }
 * 1) JavaEE servers are javaee01 and javaee02

Exécuter les commandes sudo haproxy -f /etc/haproxy/haproxy.cfg -c
 * 1) verifier si le fichier de configuration est valide (option -c)

sudo service haproxy restart
 * 1) Relancer le service

HOST=xxx HAHOST=xxx HAPORT=443 echo | openssl s_client -showcerts -servername $HOST -connect $HAHOST:HAPORT 2>/dev/null | openssl x509 -inform pem -noout -text
 * 1) Visualiser le certificat de haproxy

sudo tail -f /var/log/haproxy.log
 * 1) voir le log de HAproxy

=Configuration en SSL Terminaison avec authentification mutuelle= TODO

=Failover du ferme de serveurs=
 * http://blog.haproxy.com/2013/12/23/failover-and-worst-case-management-with-haproxy/

=Configuration HA avec Keepalived=
 * https://www.howtoforge.com/setting-up-a-high-availability-load-balancer-with-haproxy-keepalived-on-debian-lenny
 * http://behindtheracks.com/2014/04/redundant-load-balancers-haproxy-and-keepalived/

=Monitoring=

Interface Web d’admin HAProxy
Lire https://www.datadoghq.com/blog/how-to-collect-haproxy-metrics/

Ajouter les lignes suivantes à la fin de /etc/haproxy/haproxy.cfg listen admin bind *:1936 stats enable

sudo service haproxy restart wget -O haproxy_stats.html http://localhost:1936/haproxy?stats

Interface en ligne de commande
Ajouter les lignes dans le fichier de configuration /etc/haproxy/haproxy.cfg stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s

echo "show info;show stat" | sudo nc -U /run/haproxy/admin.sock echo "show stat" | sudo nc -U /run/haproxy/admin.sock

HATop
http://feurix.org/projects/hatop/

Ajouter les lignes dans le fichier de configuration de HAProxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s

Installer HATop wget http://hatop.googlecode.com/files/hatop-0.7.7.tar.gz tar xf hatop-0.7.7.tar.gz

Lancer HATop cd hatop-0.7.7/bin sudo ./hatop -s /run/haproxy/admin.sock

Telegraf
Telegraf inclut un plugin pour HAProxy qui par defaut se connecte au port web d’admin pour récupérer une sortie CSV. Dans la configuration actuelle de HAProxy, l’interface http produit du HTML.

wget http://get.influxdb.org/telegraf/telegraf_0.12.0-1_amd64.deb sudo dpkg -i telegraf_0.12.0-1_amd64.deb

(https://github.com/influxdata/telegraf/tree/master/plugins/inputs/haproxy)

=More=
 * DDOS http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
 * Docker http://blog.haproxy.com/2015/11/17/haproxy-and-container-ip-changes-in-docker/
 * How to Monitor HAProxy with the ELK Stack http://logz.io/blog/monitor-haproxy-elk-stack/