HA Proxy Setup
First set up new CentOS 78 machine from ISO with minimal install and configure per the following article.
New CentOS 7 Server Setup Commands
Then install and configure HA PRoxy:
Install haproxy.
# yum install haproxy
Configure haproxy for SELinux and HTTP.
# vim /etc/firewalld/services/haproxy-http.xml
Add the following lines:
<?xml version="1.0" encoding="utf-8"?> <service> <short>HAProxy-HTTP</short> <description>HAProxy load-balancer</description> <port protocol="tcp" port="80"/> </service>
As root, assign the correct SELinux context and file permissions to the haproxy-http.xml file.
# cd /etc/firewalld/services # restorecon haproxy-http.xml # chmod 640 haproxy-http.xml
If you intend to use HTTPS, configure haproxy for SELinux and HTTPS.
# vim /etc/firewalld/services/haproxy-https.xml
Add the following lines:
<?xml version="1.0" encoding="utf-8"?> <service> <short>HAProxy-HTTPS</short> <description>HAProxy load-balancer</description> <port protocol="tcp" port="443"/> </service>
As root, assign the correct SELinux context and file permissions to the haproxy-https.xml file.
# cd /etc/firewalld/services # restorecon haproxy-https.xml # chmod 640 haproxy-https.xml
The above firewall configuration is annoying and may not work. Instead, just use the following:
# firewall-cmd --add-port=80/tcp # firewall-cmd --permanent --add-port=80/tcp # firewall-cmd --add-port=443/tcp # firewall-cmd --permanent --add-port=443/tcp
If you intend to use HTTPS, generate keys for SSL. If you do not have a certificate, you may use a self-signed certificate. For information on generating keys and on self-signed certificates, see the Red Hat Enterprise Linux System Administrator's Guide. Finally, put the certificate and key into a PEM file.
# cat example.com.crt example.com.key > example.com.pem # cp example.com.pem /etc/ssl/private/
Configure HAProxy.
# vim /etc/haproxy/haproxy.cfg
The global and defaults sections of haproxy.cfg may remain unchanged. After the defaults sections, you will need to configure frontend and backend sections, as in the following example:
frontend http_web *:80 mode http default_backend rgw frontend rgw-https bind <insert vip ipv4>:443 ssl crt /etc/ssl/private/example.com.pem default_backend rgw backend rgw balance roundrobin mode http server rgw1 10.0.0.71:80 check server rgw2 10.0.0.80:80 check
Enable/start haproxy
# systemctl enable haproxy # systemctl start haproxy
If you want to use an HAProxy server to send to destinations based on incoming host header, and rewrite the host header, use the following configuration:
frontend www *:80 mode http acl labrats hdr(host) -i www2.labrats.us acl mtr hdr(host) -i www2.movingtargetracing.com use_backend www.labrats.us if labrats use_backend www.movingtargetracing.com if mtr # One way to set the "host" header attribute. This sets it to a static value for all servers. backend www.labrats.us mode http cookie SERVERID rewrite option forwardfor http-request set-header Host www.labrats.us server host1 66.180.172.109:80 check # Another way to set the host header attribute. This sets it to the host set in the "server" line. backend www.movingtargetracing.com mode http cookie SERVERID rewrite option forwardfor http-send-name-header Host server www.movingtargetracing.com 66.180.172.109:80 check
SELinux loopback configuration
In order to allow HAProxy to listen to the loopback interface, we'll need to tell selinux to allow it.
# setsebool -P haproxy_connect_any=1