How to Setup High-Availability Load Balancer with ‘HAProxy’ to Control Web Server Traffic

HAProxy stands for High Availability proxy. It is a Free and open source application written in C programming Language. HAProxy application is used as TCP/HTTP Load Balancer and for proxy Solutions. The most common use of the HAProxy application is to distribute the workload across multiple servers e.g., web server, database server, etc thus improving the overall performance and reliability of server environment.

The highly efficient and fast application is used by many of the world’s reputed organization which includes but not limited to – Twitter, Reddit, GitHub and Amazon. It is available for Linux, BSD, Solaris and AIX platform.

In this tutorial, we will discuss the process of setting up a high availability load balancer using HAProxy to control the traffic of HTTP-based applications (web servers) by separating requests across multiple servers.

For this article, we’re using the most recent stable release of HAProxy version i.e. 1.5.10 released on December 31st 2014. And also we’re using CentOS 6.5 for this setup, but the below given instructions also works on CentOS/RHEL/Fedora and Ubuntu/Debian distributions.

My Environment Setup

Here our load-balancer HAProxy server having hostname as websrv.tecmintlocal.com with IP address 192.168.0.125.

HAProxy Server Setup

Operating System	:	CentOS 6.5
IP Address		: 	192.168.0.125
Hostname		: 	websrv.tecmintlocal.com

Client Web Servers Setup

The other four machines are up and running with web servers such as Apache.

Web Server #1 :	CentOS 6.5 [IP: 192.168.0.121] - [hostname: web1srv.tecmintlocal.com]
Web Server #2 :	CentOS 6.5 [IP: 192.168.0.122] - [hostname: web2srv.tecmintlocal.com]
Web Server #3 :	CentOS 6.5 [IP: 192.168.0.123] - [hostname: web3srv.tecmintlocal.com]
Web Server #4 :	CentOS 6.5 [IP: 192.168.0.124] - [hostname: web4srv.tecmintlocal.com]

Step 1: Installing Apache on Client Machines

1. First we have to install Apache in all four server’s and share any one of site, for installing Apache in all four server’s here we going to use following command.

# yum install httpd		[On RedHat based Systems]
# apt-get install apache2	[On Debian based Systems]

2. After installing Apache web server on all four client machines, you can verify anyone of the server whether Apache is running by accessing it via IP address in browser.

http://192.168.0.121

Step 2: Installing HAProxy Server

3. In most of the today’s modern Linux distributions, HAPRoxy can be easily installed from the default base repository using default package manager yum or apt-get.

For example, to install HAProxy on RHEL/CentOS/Fedora and Debian/Ubuntu versions, run the following command. Here I’ve included openssl package too, because we’re going to setup HAProxy with SSL and NON-SSL support.

# yum install haproxy openssl-devel	[On RedHat based Systems]
# apt-get install haproxy		[On Debian based Systems]

Note: On Debian Whezzy 7.0, we need to enable the backports repository by adding a new file backports.listunder “/etc/apt/sources.list.d/” directory with the following content.

# echo "deb http://cdn.debian.net/debian wheezy-backports main" >> /etc/apt/sources.list.d/backports.list

Next, update the repository database and install HAProxy.

# apt-get update
# apt-get install haproxy -t wheezy-backports

Step 3: Configure HAProxy Logs

4. Next, we need to enable logging feature in HAProxy for future debugging. Open the main HAProxy configuration file ‘/etc/haproxy/haproxy.cfg‘ with your choice of editor.

# vim /etc/haproxy/haproxy.cfg

Next, follow the distro-specific instructions to configure logging feature in HAProxy.

On RHEL/CentOS/Fedora

Under #Global settings, enable the following line.

log         127.0.0.1 local2

On Ubuntu/Debian

Under #Global settings, replace the following lines,

log /dev/log        local0
log /dev/log        local1 notice 

With,

log         127.0.0.1 local2

5. Next, we need to enable UDP syslog reception in ‘/etc/rsyslog.conf‘ configuration file to separate log files for HAProxy under /var/log directory. Open your your ‘rsyslog.conf‘ file with your choice of editor.

# vim /etc/rsyslog.conf

Uncommnet ModLoad and UDPServerRun, Here our Server will listen to Port 514 to collect the logs into syslog.

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

6. Next, we need to create a separate file ‘haproxy.conf‘ under ‘/etc/rsyslog.d/‘ directory to configure separate log files.

# vim /etc/rsyslog.d/haproxy.conf

Append following line to the newly create file.

local2.*	/var/log/haproxy.log

Finally, restart the rsyslog service to update the new changes.

# service rsyslog restart

Step 4: Configuring HAProxy Global Settings

7. Now, here we need to set default variables in ‘/etc/haproxy/haproxy.cfg‘ for HAProxy. The changes needs to make for default under default section as follows, Here some of the changes like timeout for queue, connect, client, server and max connections need to be defined.

In this case, I suggest you to go through the HAProxy man pages and tweak it as per your requirements.

#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    20
    timeout queue           86400
    timeout connect         86400
    timeout client          86400
    timeout server          86400
    timeout http-keep-alive 30
    timeout check           20
    maxconn                 50000

8. Then we need to define front-end and back-end as shown below for Balancer in ‘/etc/haproxy/haproxy.cfg‘ global configuration file. Make sure to replace the IP addresses, hostnames and HAProxy login credentials as per your requirements.

frontend LB
   bind 192.168.0.125:80
   reqadd X-Forwarded-Proto:\ http
   default_backend LB

backend LB 192.168.0.125:80
   mode http
   stats enable
   stats hide-version
   stats uri /stats
   stats realm Haproxy\ Statistics
   stats auth haproxy:redhat		# Credentials for HAProxy Statistic report page.
   balance roundrobin			# Load balancing will work in round-robin process.
   option httpchk
   option  httpclose
   option forwardfor
   cookie LB insert
   server web1-srv 192.168.0.121:80 cookie web1-srv check		# backend server.
   server web2-srv 192.168.0.122:80 cookie web2-srv check		# backend server.
   server web3-srv 192.168.0.123:80 cookie web3-srv check		# backend server.
   server web4-srv 192.168.0.124:80 check backup			# backup fail-over Server, If three of the above fails this will be activated.

9. After adding above settings, our load balancer can be accessed at ‘http://192.168.0.125/stats‘ with HTTP authentication using login name as ‘haproxy‘ and password ‘redhat‘ as mentioned in the above settings, but you can replace them with your own credentials.

10. After you’ve done with the configuration, make sure to restrat the HAProxy and make it persistent at system startup on RedHat based systems.

# service haproxy restart
# chkconfig haproxy on
# chkconfig --list haproxy

For Ubuntu/Debian users to need to set “ENABLED” option to “1” in ‘/etc/default/haproxy‘ file.

ENABLED=1

Step 5: Verify HAProxy Load Balancer

11. Now it’s time to access our Load balancer URL/IP and verify for the site whether loading. Let me put one HTML file in all four servers. Create a file index.html in all four servers in web servers document root directory and add the following content to it.

<html>
<head>
  <title>Tecmint HAProxy Test Page</title>
</head>

<body>
<!-- Main content -->
<h1>My HAProxy Test Page</h1>

<p>Welcome to HA Proxy test page!

<p>There should be more here, but I don't know
what to be write :p.

<address>Made 11 January 2015<br>
  by Babin Lonston.</address>

</body>
</html>

12. After creating ‘index.html‘ file, now try to access the site and see whether I can able access the copied html file.

http://192.168.0.125/

Site has been successfully accessed.

Step 6: Verify Statistic of Load Balancer

13. To get the statistic page of HAProxy, you can use the following link. While asking for Username and password we have to provide the haproxy/redhat.

http://192.168.0.125/stats

Step 7: Enabling SSL in HAProxy

14. To enable SSL in HAProxy, you need to install mod_ssl package for creating SSL Certificate for HAProxy.

On RHEL/CentOS/Fedora

To install mod_ssl run the following command

# yum install mod_ssl -y

On Ubuntu/Debian

By default under Ubuntu/Debian SSL support comes standard with Apache package. We just need to enable it..

# a2enmod ssl

After you’ve enabled SSL, restart the Apache server for the change to be recognized.

# service apache2 restart

15. After restarting, Navigate to the SSL directory and create SSL certificate using following commands.

# cd /etc/ssl/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/tecmint.key -out /etc/ssl/tecmint.crt
# cat tecmint.crt tecmint.key > tecmint.pem

16. Open and edit the haproxy configuration and add the SSL front-end as below.

# vim /etc/haproxy/haproxy.cfg 

Add the following configuration as frontend.

frontend LBS
   bind 192.168.0.125:443 ssl crt /etc/ssl/tecmint.pem
   reqadd X-Forwarded-Proto:\ https
   default_backend LB

17. Next, add the redirect rule in backend configuration.

redirect scheme https if !{ ssl_fc }

18. After making above changes, make sure to restart the haproxy service.

# service haproxy restart

While restarting if we get the below warning, we can fix it by adding a parameter in Global Section of  haproxy.

tune.ssl.default-dh-param 2048

19. After restarting, try to access the site 192.168.0.125, Now it will forward to https.

http://192.168.0.25

20. Next, verify the haproxy.log under ‘/var/log/‘ directory.

# tail -f /var/log/haproxy.log

Step 8: Open HAProxy Ports on Firewall

21. Open the port’s for web service and Log reception UDP port using below rules.

On CentOS/RHEL 6

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 514 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

On CentOS/RHEL 7 and Fedora 21

# firewall­cmd ­­permanent ­­zone=public ­­add­port=514/tcp
# firewall­cmd ­­permanent ­­zone=public ­­add­port=80/tcp
# firewall­cmd ­­permanent ­­zone=public ­­add­port=443/tcp
# firewall­cmd ­­reload 

On Debian/Ubuntu

Add the following line to ‘/etc/iptables.up.rules‘ to enable ports on firewall.

A INPUT ­p tcp ­­dport 514 ­j ACCEPT 
A INPUT ­p tcp ­­dport 80 ­j ACCEPT 
A INPUT ­p tcp ­­dport 443 ­j ACCEPT 

Conclusion

In this article, we’ve installed Apache in 4 server’s and shared a website for reducing the traffic load. I Hope this article will help you to setup a Load Balancer for web server’s using HAProxy and make your applications more stable and available

If you have any questions regarding the article, feel free to post your comments or suggestions, I will love to help you out in whatever the best way I can.

Source