HAProxy

Revision as of 15:02, 13 September 2016 by Donsez (section: SSL termination configuration)

HAProxy (http://www.haproxy.org/) is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard open-source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.

Installation


sudo add-apt-repository ppa:vbernat/haproxy-1.6
sudo apt-get update
sudo apt-get install haproxy
sudo service haproxy status

# watch the HAProxy log
tail -f /var/log/haproxy.log

# name or address of the HAProxy host (localhost when everything runs on one machine)
HAHOST=haproxy
HAHOST=localhost

Open http://localhost/haproxy?stats

SSL pass-through configuration

TODO

/etc/haproxy/haproxy.cfg



./http_svr.js



./https_svr.js





sudo service haproxy restart
# start 3 Express servers, one per port
npm install express
for port in 8081 8082 8083 ; do nodejs http_svr.js $port & done


HOST=localhost
curl $HOST:8081
curl $HOST:8082
curl $HOST:8083
# the round-robin policy can be observed: successive requests reach different backends
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl $HOST:80
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST
curl -k https://$HOST


SSL termination configuration

In SSL termination mode HAProxy receives the clients' HTTPS requests, decrypts them and forwards them to plain-HTTP backends.

Create a self-signed certificate for the HAProxy frontend(s) (see)

sudo mkdir /etc/ssl/air
sudo openssl genrsa -out /etc/ssl/air/air.key 2048
sudo openssl req -new -key /etc/ssl/air/air.key -multivalue-rdn -subj "/C=FR/L=GRENOBLE/O=UGA/O=POLYTECH/OU=RICM/CN=AIR/emailAddress=air@imag.fr" -out /etc/ssl/air/air.csr
sudo openssl x509 -req -days 365 -in /etc/ssl/air/air.csr -signkey /etc/ssl/air/air.key -out /etc/ssl/air/air.crt
sudo cat /etc/ssl/air/air.crt /etc/ssl/air/air.key | sudo tee /etc/ssl/air/air.pem


Edit the configuration file /etc/haproxy/haproxy.cfg

# From https://serversforhackers.com/using-ssl-certificates-with-haproxy

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
	timeout connect 5000
	timeout client  50000
	timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http


frontend localhost
    # bind *:80
    bind *:443 ssl crt /etc/ssl/air/air.pem
    mode http
    default_backend nodes

# JavaEE servers are javaee01 and javaee02
backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 javaee01:8080 check
    server web02 javaee02:8080 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

Run the following commands

# check that the configuration file is valid (option -c)
sudo haproxy -f /etc/haproxy/haproxy.cfg -c

# restart the service
sudo service haproxy restart

# display the certificate presented by HAProxy
# HOST is the server name sent in SNI, HAHOST the address to connect to
HOST=xxx
HAHOST=xxx
HAPORT=443
echo | openssl s_client -showcerts -servername $HOST -connect $HAHOST:$HAPORT 2>/dev/null | openssl x509 -inform pem -noout -text

# watch the HAProxy log
sudo tail -f /var/log/haproxy.log

SSL termination configuration with mutual authentication

TODO


Failover of the server farm

HA configuration with Keepalived


Monitoring

HAProxy admin web interface

Read https://www.datadoghq.com/blog/how-to-collect-haproxy-metrics/

Add the following lines at the end of /etc/haproxy/haproxy.cfg

listen admin
    bind *:1936
    stats enable

then restart the service and fetch the statistics page

sudo service haproxy restart
wget -O haproxy_stats.html  http://localhost:1936/haproxy?stats


Command-line interface

Add the following lines to the global section of the configuration file /etc/haproxy/haproxy.cfg

    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s

then query the socket

echo "show info;show stat" | sudo nc -U /run/haproxy/admin.sock
echo "show stat" | sudo nc -U /run/haproxy/admin.sock

HATop

http://feurix.org/projects/hatop/

Add the following lines to the HAProxy configuration file

stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s

Install HATop

wget http://hatop.googlecode.com/files/hatop-0.7.7.tar.gz
tar xf hatop-0.7.7.tar.gz

Start HATop

cd hatop-0.7.7/bin
sudo ./hatop -s /run/haproxy/admin.sock

Telegraf

Telegraf includes an HAProxy plugin which by default connects to the admin web port to retrieve CSV output. In the current HAProxy configuration, the HTTP interface produces HTML.

wget http://get.influxdb.org/telegraf/telegraf_0.12.0-1_amd64.deb
sudo dpkg -i telegraf_0.12.0-1_amd64.deb   

(https://github.com/influxdata/telegraf/tree/master/plugins/inputs/haproxy)

More