Homelab<\/h2>\n
We have two CentOS 7 servers installed which we want to configure as follows:<\/p>\n
proxy1.hl.local (10.11.1.19) \u2013 HAProxy with Keepalived (master router node)
proxy2.hl.local (10.11.1.20) \u2013 HAProxy with Keepalived (slave router node)<\/p>\n
SELinux set to enforcing mode.<\/p>\n
See the image below to identify the homelab part this article applies to. <\/p>\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/04\/lisenet-homelab-diagram_haproxy.png\")
<\/p>\n
HAProxy and Virtual IP<\/h2>\n
We use 10.11.1.30 as a virtual IP, with a DNS name of blog.hl.local. This is the DNS of our WordPress site.<\/p>\n
Below is a GIF representing our HA setup using HAProxy (primary and secondary load balancers).<\/p>\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/03\/network-diagram-lisenet.gif\")
<\/p>\n
Configuration with Puppet<\/h2>\n
Puppet master runs on the Katello<\/a> server.<\/p>\n We use the following Puppet modules:<\/p>\n Please see each module\u2019s documentation for features supported and configuration options available.<\/p>\n Configure both proxy servers to allow VRRP and HTTP\/S traffic. Port 8080 will be used for HAProxy statistics. <\/p>\n firewall { ‘007 allow VRRP’:
Load balancing in HAProxy requires the ability to bind to an IP address that is nonlocal. This allows a running load balancer instance to bind to a an IP that is not local for failover.<\/p>\n In order for the Keepalived service to forward network packets properly to the real servers, each router node must have IP forwarding turned on in the kernel.<\/p>\n sysctl { ‘net.ipv4.ip_forward’: value => ‘1’ }
This needs to be applied for both proxy servers.<\/p>\n file {‘\/etc\/pki\/tls\/private\/hl.pem’:
Note how we forward all HTTP traffic to HTTPS. We also enable HAProxy stats.<\/p>\n There are several HAProxy load balancing algorithms available, we use the source algorithm to select a server based on a hash of the source IP. This method helps to ensure that a user will end up on the same server.<\/p>\n Apply the following to the master node proxy1.hl.local:<\/p>\n include ::keepalived
Apply the following to the slave node proxy2.hl.local:<\/p>\n include ::keepalived
If all goes well, we should be able to get some stats from HAProxy.<\/p>\n Our WordPress site should be accessible via https:\/\/blog.hl.local.<\/p>\nPuppet Modules<\/h3>\n
\n
Firewall Configuration<\/h3>\n
\n source => ‘10.11.1.0\/24’,
\n proto => ‘vrrp’,
\n action => accept,
\n}->
\nfirewall { ‘008 allow HTTP\/S’:
\n dport => [80, 443, 8080],
\n source => ‘10.11.1.0\/24’,
\n proto => tcp,
\n action => accept,
\n}<\/p>\nKernel Parameters and IP Forwarding<\/h3>\n
\nsysctl { ‘net.ipv4.ip_nonlocal_bind’: value => ‘1’ }<\/p>\nInstall HAProxy<\/h3>\n
\n ensure => ‘file’,
\n source => ‘puppet:\/\/\/homelab_files\/hl.pem’,
\n path => ‘\/etc\/pki\/tls\/private\/hl.pem’,
\n owner => ‘0’,
\n group => ‘0’,
\n mode => ‘0640’,
\n}->
\nclass { ‘haproxy’:
\n global_options => {
\n ‘log’ => “127.0.0.1 local2″,
\n ‘chroot’ => ‘\/var\/lib\/haproxy’,
\n ‘pidfile’ => ‘\/var\/run\/haproxy.pid’,
\n ‘maxconn’ => ‘4096’,
\n ‘user’ => ‘haproxy’,
\n ‘group’ => ‘haproxy’,
\n ‘daemon’ => ”,
\n ‘ssl-default-bind-ciphers’ => ‘kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL’,
\n ‘ssl-default-bind-options’ => ‘no-sslv3’,
\n ‘tune.ssl.default-dh-param’ => ‘2048 ‘,
\n },
\n defaults_options => {
\n ‘mode’ => ‘http’,
\n ‘log’ => ‘global’,
\n ‘option’ => [
\n ‘httplog’,
\n ‘dontlognull’,
\n ‘http-server-close’,
\n ‘forwardfor except 127.0.0.0\/8’,
\n ‘redispatch’,
\n ],
\n ‘retries’ => ‘3’,
\n ‘timeout’ => [
\n ‘http-request 10s’,
\n ‘queue 1m’,
\n ‘connect 10s’,
\n ‘client 1m’,
\n ‘server 1m’,
\n ‘http-keep-alive 10s’,
\n ‘check 10s’,
\n ],
\n ‘maxconn’ => ‘2048’,
\n },
\n}
\nhaproxy::listen { ‘frontend00’:
\n mode => ‘http’,
\n options => {
\n ‘balance’ => ‘source’,
\n ‘redirect’ => ‘scheme https code 301 if !{ ssl_fc }’,
\n },
\n bind => {
\n ‘10.11.1.30:80’ => [],
\n ‘10.11.1.30:443’ => [‘ssl’, ‘crt’, ‘\/etc\/pki\/tls\/private\/hl.pem’],
\n },
\n}->
\nhaproxy::balancermember { ‘web1_web2’:
\n listening_service => ‘frontend00’,
\n ports => ‘443’,
\n server_names => [‘web1.hl.local’,’web2.hl.local’],
\n ipaddresses => [‘10.11.1.21′,’10.11.1.22’],
\n options => ‘check ssl verify none’,
\n}->
\nhaproxy::listen { ‘stats’:
\n ipaddress => $::ipaddress,
\n ports => [‘8080’],
\n options => {
\n ‘mode’ => ‘http’,
\n ‘stats’ => [‘enable’,’uri \/’,’realm HAProxy Statistics’,’auth admin:PleaseChangeMe’],
\n },
\n}<\/p>\nInstall Keepalived<\/h3>\n
\nkeepalived::vrrp::script { ‘check_haproxy’:
\n script => ‘\/usr\/bin\/killall -0 haproxy’,
\n}
\nkeepalived::vrrp::instance { ‘LVS_HAP’:
\n interface => ‘eth0’,
\n state => ‘MASTER’,
\n virtual_router_id => ’51’,
\n priority => ‘5’,
\n auth_type => ‘PASS’,
\n auth_pass => ‘PleaseChangeMe’,
\n virtual_ipaddress => ‘10.11.1.30\/32’,
\n track_script => ‘check_haproxy’,
\n}<\/p>\n
\nkeepalived::vrrp::script { ‘check_haproxy’:
\n script => ‘\/usr\/bin\/killall -0 haproxy’,
\n}
\nkeepalived::vrrp::instance { ‘LVS_HAP’:
\n interface => ‘eth0’,
\n state => ‘SLAVE’,
\n virtual_router_id => ’51’,
\n priority => ‘4’,
\n auth_type => ‘PASS’,
\n auth_pass => ‘PleaseChangeMe’,
\n virtual_ipaddress => ‘10.11.1.30\/32’,
\n track_script => ‘check_haproxy’,
\n}<\/p>\nHAProxy Stats<\/h3>\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/05\/lisenet-homelab-haproxy-stats.png\")
<\/p>\nWordPress Site<\/h3>\n