How to Configure Load Balancing with HAProxy

HAProxy is open source software that functions as a load balancer and proxy for TCP and HTTP traffic. Load balancing is a method for distributing traffic across multiple servers.

Load Balancing Topology

*0.Equipment used*

Equipment used in this tutorial:

· OS Ubuntu 18.04 LTS
· HAProxy
· Nginx web server
· PHP-FPM 7.2
· Node1: 10.130.127.167
· Node2: 10.130.128.35
· LoadBalancer: 128.199.187.215
· Domain: defnex.com

Node1 and Node2 already have the Nginx web server and PHP-FPM 7.2 installed. Each node serves an index.php file containing the text node1 or node2 respectively, as a test page that shows which node answered a request.

*1.Install HAProxy*

Update and install HAProxy.

[INPUT]

```
sudo apt update
sudo apt install haproxy -y
```

*2.Configure HAProxy*

Open configuration file of HAProxy.

[INPUT]

```
sudo vim /etc/haproxy/haproxy.cfg
```

The default haproxy.cfg configuration file:

[INPUT]

```
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
```

Add a configuration for the HAProxy listener.

[INPUT]

```
frontend http_front
    bind *:80
    mode http
    default_backend http_back
```

Add configuration for web server backend.

[INPUT]

```
backend http_back
    mode http
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # The \r\n sequence separates the request line from the Host header.
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    # Health checks only run for servers declared with the "check" keyword.
    server node1 10.130.127.167:80
    server node2 10.130.128.35:80
```

Additional configuration for HAProxy statistics.

[INPUT]

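```
listen stats
    # *:1234 listens on every interface of the load balancer.
    bind *:1234
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    # username:password is a placeholder; set your own credentials.
    stats auth username:password
    stats uri /stats
```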

The final HAProxy configuration:

[INPUT]

```
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
    bind *:80
    mode http
    default_backend http_back

backend http_back
    mode http
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # The \r\n sequence separates the request line from the Host header.
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    # Health checks only run for servers declared with the "check" keyword.
    server node1 10.130.127.167:80
    server node2 10.130.128.35:80

listen stats
    # *:1234 listens on every interface of the load balancer.
    bind *:1234
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    # username:password is a placeholder; set your own credentials.
    stats auth username:password
    stats uri /stats
```

Verify the configuration and restart HAProxy.

[INPUT]

```
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl restart haproxy
```
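`haproxy -c` confirms that the file parses, not that its settings are safe to expose. The script below is an added example, not part of the original tutorial: it flags a stats listener on a wildcard address, the placeholder `username:password`, `stats auth` on a bind line without `ssl`, and `option httpchk` in a backend whose servers lack `check`. The function names `audit_haproxy_cfg` and `write_sample_cfg` and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the tutorial); function names and finding labels are made up here.
audit_haproxy_cfg() {   # $1 = config path; prints one finding per line
    awk '
    function flush() {   # report on the section that just ended, then reset state
        if (stats && wildcard != "") print "stats-public-bind: " name " listens on " wildcard
        if (stats && auth && !tls) print "stats-cleartext-auth: " name " sends stats auth over plain HTTP"
        if (httpchk && unchecked != "") print "no-health-check: " name " sets httpchk but lacks check on:" unchecked
        stats = 0; auth = 0; tls = 0; httpchk = 0; wildcard = ""; unchecked = ""
    }
    $1 ~ /^#/ { next }
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ { flush(); name = $1 " " $2; next }
    $1 == "bind" {
        if ($2 ~ /^\*:/ || $2 ~ /^0\.0\.0\.0:/ || $2 ~ /^:/) wildcard = $2
        for (i = 3; i <= NF; i++) if ($i == "ssl") tls = 1
    }
    $1 == "stats" && ($2 == "enable" || $2 == "uri") { stats = 1 }
    $1 == "stats" && $2 == "auth" {
        auth = 1
        if ($3 == "username:password") print "placeholder-credentials: " name " still uses " $3
    }
    $1 == "option" && $2 == "httpchk" { httpchk = 1 }
    $1 == "server" {          # server <name> <addr> [options]
        checked = 0
        for (i = 4; i <= NF; i++) if ($i == "check") checked = 1
        if (!checked) unchecked = unchecked " " $2
    }
    END { flush() }
    ' "$1"
}

write_sample_cfg() {    # $1 = output path; listener sections copied from the tutorial
    cat > "$1" <<'EOF'
frontend http_front
    bind *:80
backend http_back
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server node1 10.130.127.167:80
    server node2 10.130.128.35:80
listen stats
    bind *:1234
    stats enable
    stats auth username:password
EOF
}

cfg=$(mktemp) && write_sample_cfg "$cfg" && audit_haproxy_cfg "$cfg"; rm -f "$cfg"
```

Run `audit_haproxy_cfg /etc/haproxy/haproxy.cfg` before the restart; no output means none of these four patterns was found.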

*3.Testing*

Browse to the domain and refresh the page repeatedly until it has displayed the index.php page of both Node1 and Node2.

index.php page from Node1

index.php page from Node2

*4.Statistics*

Browse *http://domain.com:1234/stats* to read HAProxy statistics.

HAProxy statistics page

Good luck 🙂
