From air
Jump to navigation Jump to search

http://www.haproxy.org/ HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.


sudo add-apt-repository ppa:vbernat/haproxy-1.6
sudo apt-get update
sudo apt-get install haproxy
sudo service haproxy status

# voir le log de HAproxy
tail -f /var/log/haproxy.log


Open http://localhost/haproxy?stats

Configuration en SSL Pass-throught





sudo service haproxy restart
# lancer 3 serveurs express
npm install express
for port in 8081 8082 8083 ; do nodejs http_srv.js $port & done

curl $HOST:8081
curl $HOST:8082
curl $HOST:8083
# on peut observer la politique de round-robin
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST

Configuration en SSL Terminaison

Le mode SSL Terminaison permet de diriger les requêtes HTTPS des clients vers les backends HTTP

Créer un certificat auto-signé pour le(s) frontend(s) HAProxy (voir)

sudo mkdir /etc/ssl/air
sudo openssl genrsa -out /etc/ssl/air/air.key 2048
sudo openssl req -new -key /etc/ssl/air/air.key -multivalue-rdn -subj "/C=FR/L=GRENOBLE/O=UGA/O=POLYTECH/OU=RICM/CN=AIR/emailAddress=air@imag.fr" -out /etc/ssl/air/air.csr
sudo openssl x509 -req -days 365 -in /etc/ssl/air/air.csr -signkey /etc/ssl/air/air.key -out /etc/ssl/air/air.crt
sudo cat /etc/ssl/air/air.crt /etc/ssl/air/air.key | sudo tee /etc/ssl/air/air.pem

Editer le fichier de configuration /etc/haproxy/haproxy.cfg

# From https://serversforhackers.com/using-ssl-certificates-with-haproxy

	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-options no-sslv3

	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend localhost
    # bind *:80
    bind *:443 ssl crt /etc/ssl/air/air.pem
    mode http
    default_backend nodes

# JavaEE servers are javaee01 and javaee02
backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 javaee01:8080 check
    server web02 javaee02:8080 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

Exécuter les commandes

# verifier si le fichier de configuration est valide (option -c)
sudo haproxy -f /etc/haproxy/haproxy.cfg -c

# Relancer le service
sudo service haproxy restart

# Visualiser le certificat de haproxy
echo | openssl s_client -showcerts -servername $HOST -connect $HAHOST:HAPORT 2>/dev/null | openssl x509 -inform pem -noout -text

# voir le log de HAproxy
sudo tail -f /var/log/haproxy.log

Configuration en SSL Terminaison avec authentification mutuelle


Failover du ferme de serveurs

Configuration HA avec Keepalived


Interface Web d’admin HAProxy

Lire https://www.datadoghq.com/blog/how-to-collect-haproxy-metrics/

Ajouter les lignes suivantes à la fin de /etc/haproxy/haproxy.cfg

listen admin
    bind *:1936
    stats enable
sudo service haproxy restart
wget -O haproxy_stats.html  http://localhost:1936/haproxy?stats

Interface en ligne de commande

Ajouter les lignes dans le fichier de configuration /etc/haproxy/haproxy.cfg

    stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
echo "show info;show stat" | sudo nc -U /run/haproxy/admin.sock
echo "show stat" | sudo nc -U /run/haproxy/admin.sock



Ajouter les lignes dans le fichier de configuration de HAProxy

stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s

Installer HATop

wget http://hatop.googlecode.com/files/hatop-0.7.7.tar.gz
tar xf hatop-0.7.7.tar.gz

Lancer HATop

cd hatop-0.7.7/bin
sudo ./hatop -s /run/haproxy/admin.sock


Telegraf inclut un plugin pour HAProxy qui par defaut se connecte au port web d’admin pour récupérer une sortie CSV. Dans la configuration actuelle de HAProxy, l’interface http produit du HTML.

wget http://get.influxdb.org/telegraf/telegraf_0.12.0-1_amd64.deb
sudo dpkg -i telegraf_0.12.0-1_amd64.deb