HAProxy: Difference between revisions

From air
Jump to navigation Jump to search
Line 82: Line 82:
Editer le fichier de configuration /etc/haproxy/haproxy.cfg
Editer le fichier de configuration /etc/haproxy/haproxy.cfg
<pre>
<pre>
# From https://serversforhackers.com/using-ssl-certificates-with-haproxy
TODO


global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http


frontend localhost
# bind *:80
bind *:443 ssl crt /etc/ssl/air/air.pem
mode http
default_backend nodes

backend nodes
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server web01 javaee01:8080 check
server web02 javaee02:8080 check
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
</pre>
</pre>


Revision as of 18:24, 29 August 2016

http://www.haproxy.org/ HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard opensource load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.

Installation


sudo add-apt-repository ppa:vbernat/haproxy-1.6
sudo apt-get update
sudo apt-get install haproxy
sudo service haproxy status

# voir le log de HAproxy
tail -f /var/log/haproxy.log

HAHOST=haproxy
HAHOST=localhost

Open http://localhost/haproxy?stats

Configuration en SSL Pass-throught

TODO

/etc/haproxy/haproxy.cfg

./http_svr.js

./https_svr.js 







sudo service haproxy restart
# lancer 3 serveurs express
npm install express
for port in 8081 8082 8083 ; do nodejs http_srv.js $port & done


HOST=localhost
curl $HOST:8081
curl $HOST:8082
curl $HOST:8083
# on peut observer la politique de round-robin
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST

Configuration en SSL Terminaison

Le mode SSL Terminaison permet de diriger les requêtes HTTPS des clients vers les backends HTTP

Créer un certificat auto-signé pour le(s) frontend(s) HAProxy (voir) 

sudo mkdir /etc/ssl/air
sudo openssl genrsa -out /etc/ssl/air/air.key 1024
sudo openssl req -new -key /etc/ssl/air/air.key -multivalue-rdn -subj "/C=FR/L=GRENOBLE/O=UGA/O=POLYTECH/OU=RICM/CN=AIR/emailAddress=air@imag.fr" -out /etc/ssl/air/air.csr
sudo openssl x509 -req -days 365 -in /etc/ssl/air/air.csr -signkey /etc/ssl/air/air.key -out /etc/ssl/air/air.crt
sudo cat /etc/ssl/air/air.crt /etc/ssl/air/air.key | sudo tee /etc/ssl/air/air.pem


Editer le fichier de configuration /etc/haproxy/haproxy.cfg 

# From https://serversforhackers.com/using-ssl-certificates-with-haproxy

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http


frontend localhost
    # bind *:80
    bind *:443 ssl crt /etc/ssl/air/air.pem
    mode http
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 javaee01:8080 check
    server web02 javaee02:8080 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

Exécuter les commandes 

# verifier si le fichier de configuration est valide (option -c)
sudo haproxy -f /etc/haproxy/haproxy.cfg -c

# Relancer le service
sudo service haproxy restart

# voir le log de HAproxy
sudo tail -f /var/log/haproxy.log

Configuration en SSL Terminaison avec authentification mutuelle

TODO


Failover du ferme de serveurs

Configuration HA avec Keepalived

More

Retrieved from "https://air.imag.fr/index.php?title=HAProxy&oldid=30319"