Difference between revisions of "HAProxy"

Latest revision as of 17:02, 13 September 2016

HAProxy (http://www.haproxy.org/) is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.

Installation


sudo add-apt-repository ppa:vbernat/haproxy-1.6
sudo apt-get update
sudo apt-get install haproxy
sudo service haproxy status

# view the HAProxy log
tail -f /var/log/haproxy.log

HAHOST=haproxy
HAHOST=localhost

Open http://localhost/haproxy?stats

SSL pass-through configuration

TODO

/etc/haproxy/haproxy.cfg



./http_svr.js



./https_svr.js





sudo service haproxy restart
# start 3 Express servers
npm install express
for port in 8081 8082 8083 ; do nodejs http_srv.js $port & done


HOST=localhost
curl $HOST:8081
curl $HOST:8082
curl $HOST:8083
# the round-robin policy can be observed
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST


SSL termination configuration

SSL termination mode lets HAProxy direct the clients' HTTPS requests to HTTP backends.

Create a self-signed certificate for the HAProxy frontend(s) (see https://serversforhackers.com/using-ssl-certificates-with-haproxy)

sudo mkdir /etc/ssl/air
sudo openssl genrsa -out /etc/ssl/air/air.key 2048
sudo openssl req -new -key /etc/ssl/air/air.key -multivalue-rdn -subj "/C=FR/L=GRENOBLE/O=UGA/O=POLYTECH/OU=RICM/CN=AIR/emailAddress=air@imag.fr" -out /etc/ssl/air/air.csr
sudo openssl x509 -req -days 365 -in /etc/ssl/air/air.csr -signkey /etc/ssl/air/air.key -out /etc/ssl/air/air.crt
sudo cat /etc/ssl/air/air.crt /etc/ssl/air/air.key | sudo tee /etc/ssl/air/air.pem


Edit the configuration file /etc/haproxy/haproxy.cfg

# From https://serversforhackers.com/using-ssl-certificates-with-haproxy

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


frontend localhost
    # bind *:80
    bind *:443 ssl crt /etc/ssl/air/air.pem
    mode http
    default_backend nodes

# JavaEE servers are javaee01 and javaee02
backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 javaee01:8080 check
    server web02 javaee02:8080 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
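A configuration checker, added here as an example and not code from the wiki page or from HAProxy itself: it parses the file above into sections and reports the points a reviewer checks on this setup (a TLS bind with a certificate, SSLv3 disabled, X-Forwarded-Proto for the HTTP backends, admin socket permissions), and goes one step further by also covering the `listen admin` stats page of the Monitoring section, flagging `stats enable` without `stats auth`. Section keywords and directives are HAProxy's own; SAMPLE_CFG is constructed from the page's snippet.

```python
"""Added example, not from the wiki page: a checker for the haproxy.cfg above.
Flags: no TLS bind with a certificate on a frontend, SSLv3 not disabled,
X-Forwarded-Proto missing on an HTTP backend, a world-accessible admin socket,
a stats page enabled without 'stats auth'. SAMPLE_CFG: constructed from the page."""
SAMPLE_CFG = """\
global
    stats socket /run/haproxy/admin.sock mode 660 level admin
    ssl-default-bind-options no-sslv3
frontend localhost
    bind *:443 ssl crt /etc/ssl/air/air.pem
    default_backend nodes
backend nodes
    option forwardfor
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
"""
SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")

def parse_sections(cfg):
    """Map section names ('frontend localhost') to their directive word lists."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # strip comments; skip blank lines
        if not words:
            continue
        if words[0] in SECTION_KEYWORDS:
            current = " ".join(words[:2])
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(words)
    return sections

def lint(cfg):
    """Return the list of findings; an empty list means every check passed."""
    sections, findings = parse_sections(cfg), []
    glob = sections.get("global", [])
    for w in glob:  # mode 660 = owner and group only; any 'others' bit is a finding
        if w[:2] == ["stats", "socket"] and "mode" in w and int(w[w.index("mode") + 1][-1]) & 0o6:
            findings.append("stats socket is world readable/writable")
    if not any(w[0] == "ssl-default-bind-options" and "no-sslv3" in w for w in glob):
        findings.append("ssl-default-bind-options lacks no-sslv3")
    for name, words in sections.items():
        if name.startswith("frontend") and not any(w[0] == "bind" and "ssl" in w and "crt" in w for w in words):
            findings.append(f"{name}: no 'bind ... ssl crt' line")
        if name.startswith("backend") and not any("X-Forwarded-Proto" in w for w in words):
            findings.append(f"{name}: X-Forwarded-Proto not set")
        if name.startswith("listen") and any(w[:2] == ["stats", "enable"] for w in words) \
                and not any(w[:2] == ["stats", "auth"] for w in words):
            findings.append(f"{name}: stats page enabled without 'stats auth'")
    return findings
```

Run lint() on the text of /etc/haproxy/haproxy.cfg: the configuration above passes every check, while the `listen admin` block of the Monitoring section, which binds the stats page on every interface with no `stats auth`, is reported by the last check.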

Run the commands

# check that the configuration file is valid (option -c)
sudo haproxy -f /etc/haproxy/haproxy.cfg -c

# restart the service
sudo service haproxy restart

# display the certificate served by haproxy
HOST=xxx
HAHOST=xxx
HAPORT=443
echo | openssl s_client -showcerts -servername $HOST -connect $HAHOST:$HAPORT 2>/dev/null | openssl x509 -inform pem -noout -text

# view the HAProxy log
sudo tail -f /var/log/haproxy.log

SSL termination configuration with mutual authentication

TODO


Server farm failover

HA configuration with Keepalived

https://www.howtoforge.com/setting-up-a-high-availability-load-balancer-with-haproxy-keepalived-on-debian-lenny
http://behindtheracks.com/2014/04/redundant-load-balancers-haproxy-and-keepalived/


Monitoring

HAProxy admin web interface

Read https://www.datadoghq.com/blog/how-to-collect-haproxy-metrics/

Add the following lines at the end of /etc/haproxy/haproxy.cfg

listen admin
    bind *:1936
    stats enable

sudo service haproxy restart
wget -O haproxy_stats.html http://localhost:1936/haproxy?stats


Command-line interface

Add these lines to the configuration file /etc/haproxy/haproxy.cfg

stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s

echo "show info;show stat" | sudo nc -U /run/haproxy/admin.sock
echo "show stat" | sudo nc -U /run/haproxy/admin.sock
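As an added example (not code from the wiki page), a parser for the CSV that `show stat` returns on the admin socket, the same CSV format the stats page serves when `;csv` is appended to its URL; it reports the servers that are not UP and the per-backend health. The sample output is constructed by hand for the `nodes` backend of this page, with HAProxy's header line shortened to its first fields.

```python
"""Added example, not from the wiki page: parse the CSV that HAProxy returns for
"show stat" on the admin socket and report the servers that are not UP. The
sample below is constructed by hand for the 'nodes' backend of this page, with
the header shortened to its first fields; a real run would read the output of
  echo "show stat" | sudo nc -U /run/haproxy/admin.sock"""
import csv

SAMPLE_SHOW_STAT = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,
localhost,FRONTEND,,,0,1,2000,4,1200,5300,0,0,0,,,,,OPEN,,,,,,,,
nodes,web01,0,0,0,1,,2,600,2650,,0,,0,0,0,0,UP,1,1,0,0,0,120,0,
nodes,web02,0,0,0,1,,2,600,2650,,0,,0,0,0,0,DOWN,1,1,0,3,1,30,30,
nodes,BACKEND,0,0,0,1,200,4,1200,5300,0,0,,0,0,0,0,UP,1,1,0,,1,30,30,
"""

def parse_show_stat(text):
    """Return one dict per row, keyed by the field names of the '# ' header line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("# "):
        raise ValueError("not 'show stat' CSV output: missing '# ' header line")
    header = lines[0][2:].rstrip(",").split(",")  # drop the trailing empty field
    return [dict(zip(header, rec)) for rec in csv.reader(lines[1:])]

def servers_not_up(rows):
    """Real servers (not the FRONTEND/BACKEND aggregate rows) whose status does not
    start with UP ('UP 1/3' is a server still considered up), as
    (proxy, server, status, downtime in seconds)."""
    return [(r["pxname"], r["svname"], r["status"], r["downtime"])
            for r in rows
            if r["svname"] not in ("FRONTEND", "BACKEND")
            and not r["status"].startswith("UP")]

def backend_health(rows):
    """Per backend: (servers reported UP, real servers configured)."""
    health = {}
    for r in rows:
        if r["svname"] in ("FRONTEND", "BACKEND"):
            continue
        up, total = health.get(r["pxname"], (0, 0))
        health[r["pxname"]] = (up + int(r["status"].startswith("UP")), total + 1)
    return health
```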

HATop

http://feurix.org/projects/hatop/

Add these lines to the HAProxy configuration file

stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s

Install HATop

wget http://hatop.googlecode.com/files/hatop-0.7.7.tar.gz
tar xf hatop-0.7.7.tar.gz

Start HATop

cd hatop-0.7.7/bin
sudo ./hatop -s /run/haproxy/admin.sock

Telegraf

Telegraf includes an HAProxy plugin which, by default, connects to the admin web port to retrieve CSV output. With the current HAProxy configuration, the HTTP interface produces HTML.

wget http://get.influxdb.org/telegraf/telegraf_0.12.0-1_amd64.deb
sudo dpkg -i telegraf_0.12.0-1_amd64.deb

(https://github.com/influxdata/telegraf/tree/master/plugins/inputs/haproxy)

More