Difference between revisions of "HAProxy"
Line 82: | Line 82: | ||
Editer le fichier de configuration /etc/haproxy/haproxy.cfg |
Editer le fichier de configuration /etc/haproxy/haproxy.cfg |
||
<pre> |
<pre> |
||
+ | # From https://serversforhackers.com/using-ssl-certificates-with-haproxy |
||
− | TODO |
||
+ | global |
||
+ | log /dev/log local0 |
||
+ | log /dev/log local1 notice |
||
+ | chroot /var/lib/haproxy |
||
+ | stats socket /run/haproxy/admin.sock mode 660 level admin |
||
+ | stats timeout 30s |
||
+ | user haproxy |
||
+ | group haproxy |
||
+ | daemon |
||
+ | |||
+ | # Default SSL material locations |
||
+ | ca-base /etc/ssl/certs |
||
+ | crt-base /etc/ssl/private |
||
+ | |||
+ | # Default ciphers to use on SSL-enabled listening sockets. |
||
+ | # For more information, see ciphers(1SSL). This list is from: |
||
+ | # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
||
+ | ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS |
||
+ | ssl-default-bind-options no-sslv3 |
||
+ | |||
+ | defaults |
||
+ | log global |
||
+ | mode http |
||
+ | option httplog |
||
+ | option dontlognull |
||
+ | timeout connect 5000 |
||
+ | timeout client 50000 |
||
+ | timeout server 50000 |
||
+ | errorfile 400 /etc/haproxy/errors/400.http |
||
+ | errorfile 403 /etc/haproxy/errors/403.http |
||
+ | errorfile 408 /etc/haproxy/errors/408.http |
||
+ | errorfile 500 /etc/haproxy/errors/500.http |
||
+ | errorfile 502 /etc/haproxy/errors/502.http |
||
+ | errorfile 503 /etc/haproxy/errors/503.http |
||
+ | errorfile 504 /etc/haproxy/errors/504.http |
||
+ | |||
+ | |||
+ | frontend localhost |
||
+ | # bind *:80 |
||
+ | bind *:443 ssl crt /etc/ssl/air/air.pem |
||
+ | mode http |
||
+ | default_backend nodes |
||
+ | |||
+ | backend nodes |
||
+ | mode http |
||
+ | balance roundrobin |
||
+ | option forwardfor |
||
+ | option httpchk HEAD / HTTP/1.1\r\nHost:localhost |
||
+ | server web01 javaee01:8080 check |
||
+ | server web02 javaee02:8080 check |
||
+ | http-request set-header X-Forwarded-Port %[dst_port] |
||
+ | http-request add-header X-Forwarded-Proto https if { ssl_fc } |
||
</pre> |
</pre> |
||
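Review bot: `ssl-default-bind-options no-sslv3` disables only SSLv3, so the new frontend on `bind *:443 ssl crt /etc/ssl/air/air.pem` still negotiates TLS 1.0 and 1.1, and the `ssl-default-bind-ciphers` list keeps the `ECDH+3DES:DH+3DES:RSA+3DES` groups; consider `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` and dropping the 3DES entries. In `backend nodes`, `http-request add-header X-Forwarded-Proto https if { ssl_fc }` appends rather than replaces, so a client-supplied X-Forwarded-Proto header would reach the backends alongside it; `set-header` is the safer form.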
Revision as of 20:24, 29 August 2016
http://www.haproxy.org/ HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de facto standard open-source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.
Installation
<pre>
sudo add-apt-repository ppa:vbernat/haproxy-1.6
sudo apt-get update
sudo apt-get install haproxy
sudo service haproxy status
# view the HAProxy log
tail -f /var/log/haproxy.log
HAHOST=haproxy
HAHOST=localhost
</pre>
Open http://localhost/haproxy?stats
SSL pass-through configuration
TODO
/etc/haproxy/haproxy.cfg
./http_svr.js
./https_svr.js
<pre>
sudo service haproxy restart
# start 3 express servers
npm install express
for port in 8081 8082 8083 ; do nodejs http_srv.js $port & done
HOST=localhost
curl $HOST:8081
curl $HOST:8082
curl $HOST:8083
# the round-robin policy can be observed
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST
</pre>
SSL termination configuration
SSL termination mode forwards the clients' HTTPS requests to HTTP backends.
Create a self-signed certificate for the HAProxy frontend(s) (see)
<pre>
sudo mkdir /etc/ssl/air
sudo openssl genrsa -out /etc/ssl/air/air.key 1024
sudo openssl req -new -key /etc/ssl/air/air.key -multivalue-rdn -subj "/C=FR/L=GRENOBLE/O=UGA/O=POLYTECH/OU=RICM/CN=AIR/emailAddress=air@imag.fr" -out /etc/ssl/air/air.csr
sudo openssl x509 -req -days 365 -in /etc/ssl/air/air.csr -signkey /etc/ssl/air/air.key -out /etc/ssl/air/air.crt
sudo cat /etc/ssl/air/air.crt /etc/ssl/air/air.key | sudo tee /etc/ssl/air/air.pem
</pre>
Edit the configuration file /etc/haproxy/haproxy.cfg
<pre>
# From https://serversforhackers.com/using-ssl-certificates-with-haproxy
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend localhost
    # bind *:80
    bind *:443 ssl crt /etc/ssl/air/air.pem
    mode http
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 javaee01:8080 check
    server web02 javaee02:8080 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
</pre>
Run the commands
<pre>
# check that the configuration file is valid (option -c)
sudo haproxy -f /etc/haproxy/haproxy.cfg -c
# restart the service
sudo service haproxy restart
# view the HAProxy log
sudo tail -f /var/log/haproxy.log
</pre>
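As an added example (not from the wiki page or the HAProxy project), a small Python audit that parses the haproxy.cfg above and reports what a hardening review of this termination setup would flag: `no-sslv3` alone still offers TLS 1.0 and 1.1, the cipher list keeps 3DES suites, traffic to the `server` lines is clear text after termination, and `add-header` does not replace a client-supplied X-Forwarded-Proto. The checks and the `parse_cfg`/`audit` helpers are assumptions of this example; `no-tlsv10` and `no-tlsv11` are HAProxy bind options.

```python
import re

# Constructed sample: the TLS-relevant lines of the page's haproxy.cfg, copied here so the audit runs offline.
SAMPLE_CFG = """global
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
frontend localhost
    bind *:443 ssl crt /etc/ssl/air/air.pem
    default_backend nodes
backend nodes
    server web01 javaee01:8080 check
    server web02 javaee02:8080 check
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b")


def parse_cfg(text):
    """Split a haproxy.cfg into [(section header, [(keyword, args), ...])]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if SECTION_RE.match(line):
            sections.append((line, []))
        elif sections:
            keyword, _, args = line.partition(" ")
            sections[-1][1].append((keyword, args.strip()))
    return sections


def audit(text):
    """Return hardening findings as (section, keyword, message) tuples."""
    findings = []
    for header, directives in parse_cfg(text):
        for keyword, args in directives:
            words = args.split()
            if keyword == "ssl-default-bind-options":
                missing = sorted({"no-tlsv10", "no-tlsv11"} - set(words))
                if missing:  # no-sslv3 alone still offers TLS 1.0 and 1.1
                    findings.append((header, keyword, "add " + " ".join(missing)))
            elif keyword == "ssl-default-bind-ciphers" and "3DES" in args:
                findings.append((header, keyword, "3DES suites still offered"))
            elif keyword == "server" and "ssl" not in words:
                # expected in termination mode: traffic to this server is clear text
                findings.append((header, keyword, words[0] + " reached in clear text"))
            elif keyword == "http-request" and words[:2] == ["add-header", "X-Forwarded-Proto"]:
                findings.append((header, keyword, "use set-header so a client-sent value is replaced"))
    return findings
```

Running `audit(SAMPLE_CFG)` on the page's config yields five findings; point it at a real `/etc/haproxy/haproxy.cfg` by reading the file into `text`.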
SSL termination configuration with mutual authentication
TODO
Server farm failover
HA configuration with Keepalived
- https://www.howtoforge.com/setting-up-a-high-availability-load-balancer-with-haproxy-keepalived-on-debian-lenny
- http://behindtheracks.com/2014/04/redundant-load-balancers-haproxy-and-keepalived/