{"id":11717,"date":"2019-03-15T23:56:50","date_gmt":"2019-03-15T23:56:50","guid":{"rendered":"http:\/\/www.appservgrid.com\/paw92\/?p=11717"},"modified":"2019-03-15T23:56:50","modified_gmt":"2019-03-15T23:56:50","slug":"how-to-setup-high-availability-load-balancer-with-haproxy-to-control-web-server-traffic","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2019\/03\/15\/how-to-setup-high-availability-load-balancer-with-haproxy-to-control-web-server-traffic\/","title":{"rendered":"How to Setup High-Availability Load Balancer with \u2018HAProxy\u2019 to Control Web Server Traffic"},"content":{"rendered":"

HAProxy<\/strong>\u00a0stands for High Availability proxy. It is a Free and open source application written in C programming Language. HAProxy application is used as TCP\/HTTP Load Balancer and for proxy Solutions. The most common use of the HAProxy application is to distribute the workload across multiple servers e.g., web server, database server, etc thus improving the overall performance and reliability of server environment.<\/p>\n

The highly efficient and fast application is used by many of the world\u2019s reputed organization which includes but not limited to \u2013 Twitter, Reddit, GitHub and Amazon. It is available for Linux, BSD, Solaris and AIX platform.<\/p>\n

\n

\"Install<\/a><\/p>\n

Install HAProxy Load Balancer in Linux<\/p>\n<\/div>\n

In this tutorial, we will discuss the process of setting up a high availability load balancer using\u00a0HAProxy<\/strong>\u00a0to control the traffic of HTTP-based applications (web servers) by separating requests across multiple servers.<\/p>\n

For this article, we\u2019re using the most recent stable release of HAProxy version i.e.\u00a01.5.10<\/strong>\u00a0released on December 31st 2014. And also we\u2019re using\u00a0CentOS 6.5<\/strong>\u00a0for this setup, but the below given instructions also works on CentOS\/RHEL\/Fedora and Ubuntu\/Debian distributions.<\/p>\n

My Environment Setup<\/h4>\n

Here our load-balancer HAProxy server having hostname as\u00a0websrv.tecmintlocal.com<\/b>\u00a0with IP address\u00a0192.168.0.125<\/strong>.<\/p>\n

HAProxy Server Setup<\/h5>\n
Operating System<\/strong>\t:\tCentOS 6.5\r\nIP Address<\/strong>\t\t: \t192.168.0.125\r\nHostname<\/strong>\t\t: \twebsrv.tecmintlocal.com\r\n<\/pre>\n
Client Web Servers Setup<\/h5>\n
The other four machines are up and running with web servers such as Apache.<\/p>\n
Web Server #1<\/strong> :\tCentOS 6.5 [IP: 192.168.0.121] - [hostname: web1srv.tecmintlocal.com]\r\nWeb Server #2<\/strong> :\tCentOS 6.5 [IP: 192.168.0.122] - [hostname: web2srv.tecmintlocal.com]\r\nWeb Server #3<\/strong> :\tCentOS 6.5 [IP: 192.168.0.123] - [hostname: web3srv.tecmintlocal.com]\r\nWeb Server #4<\/strong> :\tCentOS 6.5 [IP: 192.168.0.124] - [hostname: web4srv.tecmintlocal.com]\r\n<\/pre>\n
Step 1: Installing Apache on Client Machines<\/h3>\n
1.<\/strong>\u00a0First we have to install Apache in all four server\u2019s and share any one of site, for installing Apache in all four server\u2019s here we going to use following command.<\/p>\n
# yum install httpd\t\t[On RedHat<\/strong> based Systems]\r\n# apt-get install apache2\t[On Debian<\/strong> based Systems]\r\n<\/pre>\n
2.<\/strong>\u00a0After installing Apache web server on all four client machines, you can verify anyone of the server whether Apache is running by accessing it via IP address in browser.<\/p>\n
http:\/\/192.168.0.121\r\n<\/pre>\n
\n
\"Check<\/a><\/p>\n
Check Apache Status<\/p>\n<\/div>\n
Step 2: Installing HAProxy Server<\/h3>\n
3.<\/strong>\u00a0In most of the today\u2019s modern Linux distributions, HAPRoxy can be easily installed from the default base repository using default package manager\u00a0yum<\/strong>\u00a0or\u00a0apt-get<\/strong>.<\/p>\n
For example, to install HAProxy on RHEL\/CentOS\/Fedora and Debian\/Ubuntu versions, run the following command. Here I\u2019ve included\u00a0openssl<\/strong>\u00a0package too, because we\u2019re going to setup HAProxy with SSL and NON-SSL support.<\/p>\n
# yum install haproxy openssl-devel\t[On RedHat<\/strong> based Systems]\r\n# apt-get install haproxy\t\t[On Debian<\/strong> based Systems]\r\n<\/pre>\n
Note<\/strong>: On\u00a0Debian Whezzy 7.0<\/strong>, we need to enable the backports repository by adding a new file\u00a0backports.list<\/a><\/strong>under \u201c\/etc\/apt\/sources.list.d\/<\/strong>\u201d directory with the following content.<\/p>\n
# echo \"deb http:\/\/cdn.debian.net\/debian wheezy-backports main\" >> \/etc\/apt\/sources.list.d\/backports.list\r\n<\/pre>\n
Next, update the repository database and install HAProxy.<\/p>\n
# apt-get update\r\n# apt-get install haproxy -t wheezy-backports\r\n<\/pre>\n
Step 3: Configure HAProxy Logs<\/h3>\n
4.<\/strong>\u00a0Next, we need to enable logging feature in HAProxy for future debugging. Open the main HAProxy configuration file \u2018\/etc\/haproxy\/haproxy.cfg<\/strong>\u2018 with your choice of editor.<\/p>\n
# vim \/etc\/haproxy\/haproxy.cfg\r\n<\/pre>\n
Next, follow the distro-specific instructions to configure logging feature in HAProxy.<\/p>\n
On RHEL\/CentOS\/Fedora<\/h5>\n
Under\u00a0#Global settings<\/b>, enable the following line.<\/p>\n
log         127.0.0.1 local2\r\n<\/pre>\n
On Ubuntu\/Debian<\/h5>\n
Under\u00a0#Global settings<\/b>, replace the following lines,<\/p>\n
log \/dev\/log        local0\r\nlog \/dev\/log        local1 notice \r\n<\/pre>\n
With,<\/p>\n
log         127.0.0.1 local2\r\n<\/pre>\n
\n
\"Enable<\/a><\/p>\n
Enable HAProxy Logging<\/p>\n<\/div>\n
5.<\/strong>\u00a0Next, we need to enable UDP syslog reception in \u2018\/etc\/rsyslog.conf<\/strong>\u2018 configuration file to separate log files for HAProxy under\u00a0\/var\/log<\/b>\u00a0directory. Open your your \u2018rsyslog.conf<\/strong>\u2018 file with your choice of editor.<\/p>\n
# vim \/etc\/rsyslog.conf\r\n<\/pre>\n
Uncommnet\u00a0ModLoad<\/strong>\u00a0and\u00a0UDPServerRun<\/strong>, Here our Server will listen to\u00a0Port 514<\/strong>\u00a0to collect the logs into syslog.<\/p>\n
# Provides UDP syslog reception\r\n$ModLoad imudp\r\n$UDPServerRun 514\r\n<\/pre>\n
\n
\"Configure<\/a><\/p>\n
Configure HAProxy Logging<\/p>\n<\/div>\n
6.<\/strong>\u00a0Next, we need to create a separate file \u2018haproxy.conf<\/strong>\u2018 under \u2018\/etc\/rsyslog.d\/<\/strong>\u2018 directory to configure separate log files.<\/p>\n
# vim \/etc\/rsyslog.d\/haproxy.conf\r\n<\/pre>\n
Append following line to the newly create file.<\/p>\n
local2.*\t\/var\/log\/haproxy.log\r\n<\/pre>\n
\n
\"HAProxy<\/a><\/p>\n
HAProxy Logs<\/p>\n<\/div>\n
Finally, restart the rsyslog service to update the new changes.<\/p>\n
# service rsyslog restart<\/pre>\n
Step 4: Configuring HAProxy Global Settings<\/h3>\n
7.<\/strong>\u00a0Now, here we need to set default variables in \u2018\/etc\/haproxy\/haproxy.cfg<\/strong>\u2018 for HAProxy. The changes needs to make for default under default section as follows, Here some of the changes like timeout for queue, connect, client, server and max connections need to be defined.<\/p>\n
In this case, I suggest you to go through the HAProxy man pages and tweak it as per your requirements.<\/p>\n
#---------------------------------------------------------------------\r\ndefaults\r\n    mode                    http\r\n    log                     global\r\n    option                  httplog\r\n    option                  dontlognull\r\n    option http-server-close\r\n    option forwardfor       except 127.0.0.0\/8\r\n    option                  redispatch\r\n    retries                 3\r\n    timeout http-request    20\r\n    timeout queue           86400\r\n    timeout connect         86400\r\n    timeout client          86400\r\n    timeout server          86400\r\n    timeout http-keep-alive 30\r\n    timeout check           20\r\n    maxconn                 50000\r\n<\/pre>\n
\n
\"HAProxy<\/a><\/p>\n
HAProxy Default Settings<\/p>\n<\/div>\n
8.<\/strong>\u00a0Then we need to define\u00a0front-end<\/strong>\u00a0and\u00a0back-end<\/strong>\u00a0as shown below for Balancer in \u2018\/etc\/haproxy\/haproxy.cfg<\/strong>\u2018 global configuration file. Make sure to replace the IP addresses, hostnames and HAProxy login credentials as per your requirements.<\/p>\n
frontend LB\r\n   bind 192.168.0.125<\/b>:80\r\n   reqadd X-Forwarded-Proto:\\ http\r\n   default_backend LB\r\n\r\nbackend LB 192.168.0.125<\/b>:80\r\n   mode http\r\n   stats enable\r\n   stats hide-version\r\n   stats uri \/stats\r\n   stats realm Haproxy\\ Statistics\r\n   stats auth haproxy:redhat<\/b>\t\t# Credentials for HAProxy Statistic report page.\r\n   balance roundrobin\t\t\t# Load balancing will work in round-robin process.\r\n   option httpchk\r\n   option  httpclose\r\n   option forwardfor\r\n   cookie LB insert\r\n   server web1-srv 192.168.0.121:80 cookie web1-srv<\/b> check\t\t# backend server.\r\n   server web2-srv 192.168.0.122:80 cookie web2-srv<\/b> check\t\t# backend server.\r\n   server web3-srv 192.168.0.123:80 cookie web3-srv<\/b> check\t\t# backend server.\r\n   server web4-srv 192.168.0.124:80 check backup<\/b>\t\t\t# backup fail-over Server, If three of the above fails this will be activated.\r\n<\/pre>\n
\n
\"HAProxy<\/a><\/p>\n
HAProxy Global Configuration<\/p>\n<\/div>\n
9.<\/strong>\u00a0After adding above settings, our load balancer can be accessed at \u2018http:\/\/192.168.0.125\/stats<\/strong>\u2018 with HTTP authentication using login name as \u2018haproxy<\/strong>\u2018 and password \u2018redhat<\/strong>\u2018 as mentioned in the above settings, but you can replace them with your own credentials.<\/p>\n
10.<\/strong>\u00a0After you\u2019ve done with the configuration, make sure to restrat the HAProxy and make it persistent at system startup on RedHat based systems.<\/center><\/p>\n
# service haproxy restart\r\n# chkconfig haproxy on\r\n# chkconfig --list haproxy\r\n<\/pre>\n
\n
\"Start<\/a><\/p>\n
Start HAProxy<\/p>\n<\/div>\n
For Ubuntu\/Debian users to need to set \u201cENABLED<\/strong>\u201d option to \u201c1<\/strong>\u201d in \u2018\/etc\/default\/haproxy<\/strong>\u2018 file.<\/p>\n
ENABLED=1\r\n<\/pre>\n
Step 5: Verify HAProxy Load Balancer<\/h3>\n
11.<\/strong>\u00a0Now it\u2019s time to access our Load balancer URL\/IP and verify for the site whether loading. Let me put one HTML file in all four servers. Create a file\u00a0index.html<\/b>\u00a0in all four servers in web servers document root directory and add the following content to it.<\/p>\n
<html>\r\n<head>\r\n  <title>Tecmint HAProxy Test Page<\/title>\r\n<\/head>\r\n\r\n<body>\r\n<!-- Main content -->\r\n<h1>My HAProxy Test Page<\/h1>\r\n\r\n<p>Welcome to HA Proxy test page!\r\n\r\n<p>There should be more here, but I don't know\r\nwhat to be write :p.\r\n\r\n<address>Made 11 January 2015<br>\r\n  by Babin Lonston.<\/address>\r\n\r\n<\/body>\r\n<\/html>\r\n<\/pre>\n
12.<\/strong>\u00a0After creating \u2018index.html<\/strong>\u2018 file, now try to access the site and see whether I can able access the copied html file.<\/p>\n
http:\/\/192.168.0.125\/\r\n<\/pre>\n
\n
\"Verify<\/a><\/p>\n
Verify HAProxy Load Balancer<\/p>\n<\/div>\n
Site has been successfully accessed.<\/p>\n
Step 6: Verify Statistic of Load Balancer<\/h3>\n
13.<\/strong>\u00a0To get the statistic page of HAProxy, you can use the following link. While asking for Username and password we have to provide the\u00a0haproxy<\/strong>\/redhat<\/strong>.<\/p>\n
http:\/\/192.168.0.125\/stats\r\n<\/pre>\n
\n
\"HAProxy<\/a><\/p>\n
HAProxy Statistics Login<\/p>\n<\/div>\n
\n
\"HAProxy<\/a><\/p>\n
HAProxy Statistics<\/p>\n<\/div>\n
Step 7: Enabling SSL in HAProxy<\/h3>\n
14.<\/strong>\u00a0To enable SSL in HAProxy, you need to install\u00a0mod_ssl<\/strong>\u00a0package for creating SSL Certificate for HAProxy.<\/p>\n
On RHEL\/CentOS\/Fedora<\/h5>\n
To install\u00a0mod_ssl<\/strong>\u00a0run the following command<\/p>\n
# yum install mod_ssl -y<\/p>\n
On Ubuntu\/Debian<\/h5>\n
By default under Ubuntu\/Debian SSL support comes standard with Apache package. We just need to enable it..<\/p>\n
# a2enmod ssl\r\n<\/pre>\n
After you\u2019ve enabled SSL, restart the Apache server for the change to be recognized.<\/p>\n
# service apache2 restart\r\n<\/pre>\n
15.<\/strong>\u00a0After restarting, Navigate to the SSL directory and create SSL certificate using following commands.<\/p>\n
# cd \/etc\/ssl\/\r\n# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \/etc\/ssl\/tecmint.key -out \/etc\/ssl\/tecmint.crt\r\n# cat tecmint.crt tecmint.key > tecmint.pem\r\n<\/pre>\n
\n
\"Create<\/a><\/p>\n
Create SSL for HAProxy<\/p>\n<\/div>\n
\n
\"SSL<\/a><\/p>\n
SSL Certificate for HAProxy<\/p>\n<\/div>\n
16.<\/strong>\u00a0Open and edit the haproxy configuration and add the SSL front-end as below.<\/p>\n
# vim \/etc\/haproxy\/haproxy.cfg \r\n<\/pre>\n
Add the following configuration as frontend.<\/p>\n
frontend LBS\r\n   bind 192.168.0.125:443 ssl crt \/etc\/ssl\/tecmint.pem\r\n   reqadd X-Forwarded-Proto:\\ https\r\n   default_backend LB\r\n<\/pre>\n
17.<\/strong>\u00a0Next, add the redirect rule in backend configuration.<\/p>\n
redirect scheme https if !{ ssl_fc }\r\n<\/pre>\n
\n
\"Enable<\/a><\/p>\n
Enable SSL on HAProxy<\/p>\n<\/div>\n
18.<\/strong>\u00a0After making above changes, make sure to restart the haproxy service.<\/p>\n
# service haproxy restart\r\n<\/pre>\n
While restarting if we get the below warning, we can fix it by adding a parameter in Global Section of\u00a0 haproxy.<\/p>\n
\n
\"SSL<\/a><\/p>\n
SSL HAProxy Error<\/p>\n<\/div>\n
tune.ssl.default-dh-param 2048\r\n<\/pre>\n
19.<\/strong>\u00a0After restarting, try to access the site 192.168.0.125, Now it will forward to https.<\/p>\n
http:\/\/192.168.0.25\r\n<\/pre>\n
\n
\"Verify<\/a><\/p>\n
Verify SSL HAProxy<\/p>\n<\/div>\n
\n
\"SSL<\/a><\/p>\n
SSL Enabled HAProxy<\/p>\n<\/div>\n
20.<\/strong>\u00a0Next, verify the\u00a0haproxy.log<\/strong>\u00a0under \u2018\/var\/log\/<\/strong>\u2018 directory.<\/p>\n
# tail -f \/var\/log\/haproxy.log\r\n<\/pre>\n
\n
\"Check<\/a><\/p>\n
Check HAProxy Logs<\/p>\n<\/div>\n
Step 8: Open HAProxy Ports on Firewall<\/h3>\n
21.<\/strong>\u00a0Open the port\u2019s for web service and Log reception UDP port using below rules.<\/p>\n
On CentOS\/RHEL 6<\/h5>\n
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\r\niptables -A INPUT -i eth0 -p udp --dport 514 -j ACCEPT\r\niptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT\r\niptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT\r\n<\/pre>\n
On CentOS\/RHEL 7 and Fedora 21<\/h5>\n
# firewall\u00adcmd \u00ad\u00adpermanent \u00ad\u00adzone=public \u00ad\u00adadd\u00adport=514\/tcp\r\n# firewall\u00adcmd \u00ad\u00adpermanent \u00ad\u00adzone=public \u00ad\u00adadd\u00adport=80\/tcp\r\n# firewall\u00adcmd \u00ad\u00adpermanent \u00ad\u00adzone=public \u00ad\u00adadd\u00adport=443\/tcp\r\n# firewall\u00adcmd \u00ad\u00adreload \r\n<\/pre>\n
On Debian\/Ubuntu<\/h5>\n
Add the following line to \u2018\/etc\/iptables.up.rules<\/strong>\u2018 to enable ports on firewall.<\/p>\n
A INPUT \u00adp tcp \u00ad\u00addport 514 \u00adj ACCEPT \r\nA INPUT \u00adp tcp \u00ad\u00addport 80 \u00adj ACCEPT \r\nA INPUT \u00adp tcp \u00ad\u00addport 443 \u00adj ACCEPT \r\n<\/pre>\n
Conclusion<\/h3>\n
In this article, we\u2019ve installed Apache in 4 server\u2019s and shared a website for reducing the traffic load. I Hope this article will help you to setup a Load Balancer for web server\u2019s using HAProxy and make your applications more stable and available<\/p>\n
If you have any questions regarding the article, feel free to post your comments or suggestions, I will love to help you out in whatever the best way I can.<\/p>\n
Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
HAProxy\u00a0stands for High Availability proxy. It is a Free and open source application written in C programming Language. HAProxy application is used as TCP\/HTTP Load Balancer and for proxy Solutions. The most common use of the HAProxy application is to distribute the workload across multiple servers e.g., web server, database server, etc thus improving the … <\/p>\n
Continue reading “How to Setup High-Availability Load Balancer with \u2018HAProxy\u2019 to Control Web Server Traffic”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-11717","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=11717"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11717\/revisions"}],"predecessor-version":[{"id":11718,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/11717\/revisions\/11718"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=11717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=11717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=11717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}