HA Proxy Setup

From Labrats.us

First, set up a new CentOS 78 machine from the ISO with a minimal install and configure it per the following article.

New CentOS 7 Server Setup Commands

Then install and configure HAProxy:

Install haproxy.

   # yum install haproxy

Configure haproxy for SELinux and HTTP.

   # vim /etc/firewalld/services/haproxy-http.xml

Add the following lines:

   <?xml version="1.0" encoding="utf-8"?>
   <service>
   <short>HAProxy-HTTP</short>
   <description>HAProxy load-balancer</description>
   <port protocol="tcp" port="80"/>
   </service>

As root, assign the correct SELinux context and file permissions to the haproxy-http.xml file.

   # cd /etc/firewalld/services
   # restorecon haproxy-http.xml
   # chmod 640 haproxy-http.xml

If you intend to use HTTPS, configure haproxy for SELinux and HTTPS.

   # vim /etc/firewalld/services/haproxy-https.xml

Add the following lines:

   <?xml version="1.0" encoding="utf-8"?>
   <service>
   <short>HAProxy-HTTPS</short>
   <description>HAProxy load-balancer</description>
   <port protocol="tcp" port="443"/>
   </service>

As root, assign the correct SELinux context and file permissions to the haproxy-https.xml file.

   # cd /etc/firewalld/services
   # restorecon haproxy-https.xml
   # chmod 640 haproxy-https.xml

The above firewall configuration is annoying and may not work. Instead, just use the following:

   # firewall-cmd --add-port=80/tcp
   # firewall-cmd --permanent --add-port=80/tcp
   # firewall-cmd --add-port=443/tcp
   # firewall-cmd --permanent --add-port=443/tcp

If you intend to use HTTPS, generate keys for SSL. If you do not have a certificate, you may use a self-signed certificate. For information on generating keys and on self-signed certificates, see the Red Hat Enterprise Linux System Administrator's Guide. Finally, put the certificate and key into a PEM file.

   # cat example.com.crt example.com.key > example.com.pem
   # cp example.com.pem /etc/ssl/private/
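
The PEM step above, as an added example that is not part of the original page: shell helpers that create the combined file with owner-only permissions, check that it holds both a certificate and a private key, and confirm the two belong together. The function names are made up here; GNU `stat` and the `openssl` command-line tool are assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# assumes GNU stat (as on CentOS) and the openssl CLI.

# build_pem CRT KEY OUT: concatenate certificate and key into OUT, mode 0600.
build_pem() {
    ( umask 077 && cat "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# audit_pem FILE: print each problem found; return 0 only if FILE holds both
# blocks and is not readable by group or other.
audit_pem() {
    pem=$1; rc=0
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block in $pem"; rc=1; }
    # Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, and so on.
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" ||
        { echo "no private key block in $pem"; rc=1; }
    mode=$(stat -c '%a' "$pem")
    case $mode in
        [0-7]00) ;;
        *) echo "mode $mode on $pem exposes the key (want 600 or 400)"; rc=1 ;;
    esac
    return $rc
}

# pair_matches FILE: the certificate and the key in FILE must carry the same
# public key, otherwise the TLS listener cannot use them together.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run `audit_pem` and `pair_matches` on /etc/ssl/private/example.com.pem before starting haproxy; `haproxy -c -f /etc/haproxy/haproxy.cfg` then checks the configuration as a whole.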

Configure HAProxy.

   # vim /etc/haproxy/haproxy.cfg

The global and defaults sections of haproxy.cfg may remain unchanged. After the defaults sections, you will need to configure frontend and backend sections, as in the following example:

   # Plain HTTP listener
   frontend http_web
       bind *:80
       mode http
       default_backend rgw

   # TLS terminates here; the PEM file holds the certificate and the key
   frontend rgw-https
       bind <insert vip ipv4>:443 ssl crt /etc/ssl/private/example.com.pem
       default_backend rgw

   backend rgw
       balance roundrobin
       mode http
       server  rgw1 10.0.0.71:80 check
       server  rgw2 10.0.0.80:80 check

Enable and start haproxy.

   # systemctl enable haproxy
   # systemctl start haproxy

If you want an HAProxy server to route requests to destinations based on the incoming Host header, and to rewrite the Host header, use the following configuration:

   frontend www
       bind *:80
       mode http
       # Match on the incoming Host header, case-insensitively
       acl labrats hdr(host) -i www2.labrats.us
       acl mtr hdr(host) -i www2.movingtargetracing.com
       use_backend www.labrats.us    if labrats
       use_backend www.movingtargetracing.com    if mtr

   # One way to set the "host" header attribute.  This sets it to a static value for all servers.

   backend www.labrats.us
       mode http
       cookie SERVERID rewrite
       option forwardfor
       http-request set-header Host www.labrats.us
       server host1 66.180.172.109:80 check

   # Another way to set the host header attribute.  This sets it to the host set in the "server" line.

   backend www.movingtargetracing.com
       mode http
       cookie SERVERID rewrite
       option forwardfor
       http-send-name-header Host
       server www.movingtargetracing.com 66.180.172.109:80 check

SELinux loopback configuration

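To allow HAProxy to listen on the loopback interface, tell SELinux to permit it. The haproxy_connect_any boolean lets the haproxy domain connect to any TCP port, which is broader than loopback access alone.

   # setsebool -P haproxy_connect_any=1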