Difference between revisions of "HA Proxy Setup"
(2 intermediate revisions by the same user not shown) | |||
Line 68: | Line 68: | ||
The global and defaults sections of haproxy.cfg may remain unchanged. After the defaults sections, you will need to configure frontend and backend sections, as in the following example: | The global and defaults sections of haproxy.cfg may remain unchanged. After the defaults sections, you will need to configure frontend and backend sections, as in the following example: | ||
− | + | <pre> | |
− | + | frontend http_web *:80 | |
− | + | mode http | |
+ | default_backend rgw | ||
− | + | frontend rgw-https | |
− | + | bind <insert vip ipv4>:443 ssl crt /etc/ssl/private/example.com.pem | |
− | + | default_backend rgw | |
− | + | backend rgw | |
− | + | balance roundrobin | |
− | + | mode http | |
− | + | server rgw1 10.0.0.71:80 check | |
− | + | server rgw2 10.0.0.80:80 check | |
+ | </pre> | ||
Enable/start haproxy | Enable/start haproxy | ||
− | + | <pre> | |
− | + | # systemctl enable haproxy | |
+ | # systemctl start haproxy | ||
+ | </pre> | ||
+ | |||
+ | If you want to use an HAProxy server to send to destinations based on incoming host header, and rewrite the host header, use the following configuration: | ||
+ | |||
+ | <pre> | ||
+ | frontend www *:80 | ||
+ | mode http | ||
+ | acl labrats hdr(host) -i www2.labrats.us | ||
+ | acl mtr hdr(host) -i www2.movingtargetracing.com | ||
+ | use_backend www.labrats.us if labrats | ||
+ | use_backend www.movingtargetracing.com if mtr | ||
+ | |||
+ | # One way to set the "host" header attribute. This sets it to a static value for all servers. | ||
+ | |||
+ | backend www.labrats.us | ||
+ | mode http | ||
+ | cookie SERVERID rewrite | ||
+ | option forwardfor | ||
+ | http-request set-header Host www.labrats.us | ||
+ | server host1 66.180.172.109:80 check | ||
+ | |||
+ | # Another way to set the host header attribute. This sets it to the host set in the "server" line. | ||
+ | |||
+ | backend www.movingtargetracing.com | ||
+ | mode http | ||
+ | cookie SERVERID rewrite | ||
+ | option forwardfor | ||
+ | http-send-name-header Host | ||
+ | server www.movingtargetracing.com 66.180.172.109:80 check | ||
+ | </pre> | ||
+ | |||
+ | == SELinux loopback configuration == | ||
+ | |||
+ | In order to allow HAProxy to listen to the loopback interface, we'll need to tell selinux to allow it. | ||
+ | |||
+ | <pre> | ||
+ | # setsebool -P haproxy_connect_any=1 | ||
+ | </pre> |
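Review bot: the `frontend www` block in this hunk has `use_backend` lines for the `labrats` and `mtr` acls but no `default_backend`, so any request whose Host header matches neither acl is answered by HAProxy with an HTTP 503 rather than a deliberate response; add a `default_backend <name>` line or an explicit `http-request deny` so the unmatched case is an intentional choice. In the new SELinux section, `setsebool -P haproxy_connect_any=1` is the boolean that lets HAProxy connect outbound to backend servers on arbitrary ports; it does not govern listening on the loopback interface, so the heading and sentence should state what the boolean actually permits. Minor: `frontend http_web *:80` uses the deprecated address-in-section-name form, which current HAProxy warns about; `frontend http_web` followed by `bind *:80` is the supported spelling.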
Latest revision as of 15:44, 10 September 2020
First set up a new CentOS 7 machine from ISO with a minimal install and configure it per the following article.
New CentOS 7 Server Setup Commands
Then install and configure HAProxy:
Install haproxy.
# yum install haproxy
Define a firewalld service for HAProxy over HTTP (the file's SELinux context is restored in the next step).
# vim /etc/firewalld/services/haproxy-http.xml
Add the following lines:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HAProxy-HTTP</short>
  <description>HAProxy load-balancer</description>
  <port protocol="tcp" port="80"/>
</service>
As root, assign the correct SELinux context and file permissions to the haproxy-http.xml file.
# cd /etc/firewalld/services
# restorecon haproxy-http.xml
# chmod 640 haproxy-http.xml
If you intend to use HTTPS, define a matching firewalld service for HAProxy over HTTPS.
# vim /etc/firewalld/services/haproxy-https.xml
Add the following lines:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HAProxy-HTTPS</short>
  <description>HAProxy load-balancer</description>
  <port protocol="tcp" port="443"/>
</service>
As root, assign the correct SELinux context and file permissions to the haproxy-https.xml file.
# cd /etc/firewalld/services
# restorecon haproxy-https.xml
# chmod 640 haproxy-https.xml
The above firewall configuration is annoying and may not work. Instead, just use the following:
# firewall-cmd --add-port=80/tcp
# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --add-port=443/tcp
# firewall-cmd --permanent --add-port=443/tcp
If you intend to use HTTPS, generate keys for SSL. If you do not have a certificate, you may use a self-signed certificate. For information on generating keys and on self-signed certificates, see the Red Hat Enterprise Linux System Administrator's Guide. Finally, put the certificate and key into a PEM file.
# cat example.com.crt example.com.key > example.com.pem
# cp example.com.pem /etc/ssl/private/
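The `cat ... > example.com.pem` step above creates the bundle with whatever mode the shell's umask gives it (commonly 0644), so the private key can briefly or permanently be readable by every local user. The following is an added example, not part of the original article, that builds the same certificate-then-key bundle HAProxy's `ssl crt` expects but creates the file with mode 0600 from the start and verifies the result. The file names mirror the article's `example.com.crt` / `example.com.key`; the `demo()` helper and the placeholder PEM text it writes are constructed for illustration only.

```python
"""Build an HAProxy certificate/key PEM bundle without exposing the key.

Added example (not from the article). Assumes the certificate and key
already exist as separate PEM files; writes <out_path> with mode 0600
so the private key is never readable by group or others.
"""
import os
import stat
import tempfile

CERT_MARKER = "-----BEGIN CERTIFICATE-----"
KEY_MARKERS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)


def bundle_pem(cert_path: str, key_path: str, out_path: str) -> str:
    """Write cert (plus any chain) followed by key into out_path, mode 0600."""
    with open(cert_path, "r", encoding="ascii") as f:
        cert = f.read()
    with open(key_path, "r", encoding="ascii") as f:
        key = f.read()
    if CERT_MARKER not in cert:
        raise ValueError(f"{cert_path} does not contain a PEM certificate")
    if not any(m in key for m in KEY_MARKERS):
        raise ValueError(f"{key_path} does not contain a PEM private key")

    # HAProxy reads the certificate (and chain) first, then the key.
    data = cert.rstrip("\n") + "\n" + key.rstrip("\n") + "\n"

    # Create the file with 0600 in the open() call itself, so there is no
    # window where a 0644 file holds the key. O_CREAT's mode is still
    # masked by umask, and the file may already exist, so chmod afterwards.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as f:
        f.write(data)
    os.chmod(out_path, 0o600)
    return out_path


def is_owner_only(path: str) -> bool:
    """True if no group/other permission bits are set on path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo() -> dict:
    """Constructed run: placeholder cert/key text in a temp dir (not real keys)."""
    d = tempfile.mkdtemp(prefix="haproxy-pem-")
    crt = os.path.join(d, "example.com.crt")
    key = os.path.join(d, "example.com.key")
    pem = os.path.join(d, "example.com.pem")
    with open(crt, "w", encoding="ascii") as f:
        f.write("-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n")
    with open(key, "w", encoding="ascii") as f:
        f.write("-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n")

    bundle_pem(crt, key, pem)
    with open(pem, "r", encoding="ascii") as f:
        data = f.read()
    result = {
        "owner_only": is_owner_only(pem),
        "cert_first": data.index(CERT_MARKER) < data.index("-----BEGIN PRIVATE KEY-----"),
        "ends_with_newline": data.endswith("\n"),
    }
    # Simulate the umask-0644 outcome of a plain `cat a b > c` and re-check.
    os.chmod(pem, 0o644)
    result["detects_loose_mode"] = not is_owner_only(pem)
    return result


if __name__ == "__main__":
    print(demo())
```

After copying the bundle into `/etc/ssl/private/`, the same `is_owner_only` check (or `stat -c %a` on the file) confirms the mode survived the copy; `cp` preserves the 0600 mode only when run without a more permissive umask override.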
Configure HAProxy.
# vim /etc/haproxy/haproxy.cfg
The global and defaults sections of haproxy.cfg may remain unchanged. After the defaults sections, you will need to configure frontend and backend sections, as in the following example:
frontend http_web *:80
    mode http
    default_backend rgw

frontend rgw-https
    bind <insert vip ipv4>:443 ssl crt /etc/ssl/private/example.com.pem
    default_backend rgw

backend rgw
    balance roundrobin
    mode http
    server rgw1 10.0.0.71:80 check
    server rgw2 10.0.0.80:80 check
Enable/start haproxy
# systemctl enable haproxy
# systemctl start haproxy
If you want HAProxy to route requests to different backends based on the incoming Host header, and to rewrite that header before forwarding, use the following configuration:
frontend www *:80
    mode http
    acl labrats hdr(host) -i www2.labrats.us
    acl mtr hdr(host) -i www2.movingtargetracing.com
    use_backend www.labrats.us if labrats
    use_backend www.movingtargetracing.com if mtr

# One way to set the "host" header attribute. This sets it to a static value for all servers.

backend www.labrats.us
    mode http
    cookie SERVERID rewrite
    option forwardfor
    http-request set-header Host www.labrats.us
    server host1 66.180.172.109:80 check

# Another way to set the host header attribute. This sets it to the host set in the "server" line.

backend www.movingtargetracing.com
    mode http
    cookie SERVERID rewrite
    option forwardfor
    http-send-name-header Host
    server www.movingtargetracing.com 66.180.172.109:80 check
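Both configurations on this page (the `rgw` round-robin example and the Host-header routing example above) wire frontends to backends by name, and HAProxy only reports some mistakes at startup: a `use_backend` naming a backend that does not exist is rejected, but a frontend with `use_backend` rules and no `default_backend` loads fine and simply answers unmatched requests with a 503. The following is an added example, not code from the article or from the HAProxy project: a small static checker for the subset of `haproxy.cfg` syntax used here (`frontend`/`backend` sections, named `acl`, `use_backend ... if`, `default_backend`, `server`). It goes slightly beyond the page by also flagging backends nothing routes to and conditions that reference an undefined acl. `SAMPLE_CFG` is a constructed input modelled on the routing config above, with an extra unused backend added to show a finding.

```python
"""Static checks for frontend/backend wiring in a haproxy.cfg.

Added example, not part of the original article. Handles only the
directives the article uses; anonymous `{ ... }` acls are skipped.
"""
from typing import Dict, List

# Constructed sample based on the article's Host-header routing config,
# plus a backend that no frontend references.
SAMPLE_CFG = """
# constructed sample, not a production config
frontend www *:80
    mode http
    acl labrats hdr(host) -i www2.labrats.us
    acl mtr hdr(host) -i www2.movingtargetracing.com
    use_backend www.labrats.us if labrats
    use_backend www.movingtargetracing.com if mtr

backend www.labrats.us
    mode http
    http-request set-header Host www.labrats.us
    server host1 66.180.172.109:80 check

backend www.movingtargetracing.com
    mode http
    http-send-name-header Host
    server www.movingtargetracing.com 66.180.172.109:80 check

backend unused
    mode http
    server s1 10.0.0.9:80 check
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")
LOGIC_WORDS = {"if", "unless", "or", "and", "||", "&&", "!"}


def parse_sections(text: str) -> Dict[str, dict]:
    """Return {"frontend:NAME" | "backend:NAME": {...}} in file order."""
    sections: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            name = tokens[1] if len(tokens) > 1 else ""
            current = f"{tokens[0]}:{name}"
            sections[current] = {"acls": set(), "use_backend": [],
                                 "default_backend": None, "servers": []}
            continue
        if current is None:
            continue
        sec = sections[current]
        kw = tokens[0]
        if kw == "acl" and len(tokens) > 1:
            sec["acls"].add(tokens[1])
        elif kw == "use_backend" and len(tokens) > 1:
            # tokens: use_backend <name> [if|unless <condition...>]
            cond = tokens[3:] if len(tokens) > 3 and tokens[2] in ("if", "unless") else []
            sec["use_backend"].append((tokens[1], cond))
        elif kw == "default_backend" and len(tokens) > 1:
            sec["default_backend"] = tokens[1]
        elif kw == "server" and len(tokens) > 2:
            sec["servers"].append(tokens[1])
    return sections


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the wiring is consistent."""
    sections = parse_sections(text)
    backends = {k.split(":", 1)[1]: v for k, v in sections.items() if k.startswith("backend:")}
    routed = set()
    findings: List[str] = []
    for key, sec in sections.items():
        kind, name = key.split(":", 1)
        if kind != "frontend":
            continue
        for target, cond in sec["use_backend"]:
            routed.add(target)
            if target not in backends:
                findings.append(f"frontend {name}: use_backend {target} refers to an undefined backend")
            if "{" not in cond:  # named acls only
                for word in cond:
                    if word not in LOGIC_WORDS and word.lstrip("!") not in sec["acls"]:
                        findings.append(f"frontend {name}: condition references unknown acl {word}")
        if sec["default_backend"]:
            routed.add(sec["default_backend"])
            if sec["default_backend"] not in backends:
                findings.append(f"frontend {name}: default_backend {sec['default_backend']} is not defined")
        elif sec["use_backend"]:
            findings.append(f"frontend {name}: no default_backend, so a request matching no acl gets HTTP 503")
    for b, sec in sorted(backends.items()):
        if b not in routed:
            findings.append(f"backend {b}: defined but no frontend routes to it")
        if not sec["servers"]:
            findings.append(f"backend {b}: has no server lines")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print(finding)
```

Run it against the real `/etc/haproxy/haproxy.cfg` before `systemctl start haproxy`; it complements rather than replaces `haproxy -c -f /etc/haproxy/haproxy.cfg`, which validates full syntax but does not warn about the missing-`default_backend` case.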
SELinux loopback configuration
In order to allow HAProxy to listen to the loopback interface, we'll need to tell SELinux to allow it.
# setsebool -P haproxy_connect_any=1