Wednesday, March 7, 2018

Sample HAProxy config that proxies an HTTPS backend and is set up as active/passive.


Sample HAProxy config that proxies an HTTPS backend and is set up as active/passive.



global
   # to have these messages end up in /var/log/haproxy.log you will
   # need to:
   #
   # 1) configure syslog to accept network log events.  This is done
   #    by adding the '-r' option to the SYSLOGD_OPTIONS in
   #    /etc/sysconfig/syslog
   #
   # 2) configure local2 events to go to the /var/log/haproxy.log
   #   file. A line like the following can be added to
   #   /etc/sysconfig/syslog
   #
   #    local2.*                       /var/log/haproxy.log
   #
   # Ship log events to the local syslog daemon over UDP, facility local2.
   log         127.0.0.1 local2
   # Size of the ephemeral DH parameters used for DHE key exchange when the
   # certificate file carries none; set explicitly rather than relying on the
   # smaller default of older releases.
   tune.ssl.default-dh-param 2048
   # Confine the process to this directory after start-up.
   chroot      /var/lib/haproxy
   pidfile     /var/run/haproxy.pid
   # Process-wide cap on concurrent connections.
   maxconn     4000
   # Drop root privileges once the listening sockets are bound.
   user        haproxy
   group       haproxy
   daemon

   # turn on stats unix socket
   # NOTE(review): no `level` or `mode` is set on this socket, so who can
   # issue commands through it is governed only by the file's permissions —
   # confirm they are restricted to the intended operators.
   stats socket /var/lib/haproxy/stats

defaults
   # Layer-7 HTTP processing for every proxy that does not override it.
   mode                    http
   log                     global
   option                  httplog
   # Do not log connections that carried no data (e.g. bare TCP probes).
   option                  dontlognull
   # Close the server-side connection after each response; the client side
   # may still keep-alive.
   option http-server-close
   # Insert X-Forwarded-For with the client address, except for clients on
   # the loopback range.
   option forwardfor       except 127.0.0.0/8
   # When the chosen server cannot be reached, allow a retry to be sent to
   # another server instead of failing the request.
   option                  redispatch
   retries                 3
   timeout http-request    10s
   timeout queue           1m
   timeout connect         10s
   timeout client          1m
   timeout server          1m
   timeout http-keep-alive 10s
   timeout check           10s
   # Per-proxy cap on concurrent connections, inherited by the frontends below.
   maxconn                 3000


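frontend SHINY_APP
   # Terminate TLS for the Shiny app on the service address; TLS 1.2 only.
   bind 1.2.3.40:443 ssl crt /etc/ssl/mycert.pem force-tlsv12
   # Tell the backend the client-facing scheme was https.
   # `http-request add-header` replaces the deprecated `reqadd` (removed in
   # HAProxy 2.1) and is available from 1.5 onwards.
   http-request add-header X-Forwarded-Proto https
   default_backend SHINY_BACKEND_443
   option httplog
   log global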

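frontend WEB_API
   # Terminate TLS for the web API on the service address; TLS 1.2 only.
   bind 1.2.3.40:8443 ssl crt /etc/ssl/mycert.pem force-tlsv12
   # Tell the backend the client-facing scheme was https.
   # `http-request add-header` replaces the deprecated `reqadd` (removed in
   # HAProxy 2.1) and is available from 1.5 onwards.
   http-request add-header X-Forwarded-Proto https
   default_backend WEBAPI_BACKEND_8443
   option httplog
   log global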


backend SHINY_BACKEND_443
   # Round-robin only spreads load among non-backup servers; with a single
   # active server here, the BACKUP_ entry is used solely while MAIN_ is down.
   balance     roundrobin
   # Traffic and health checks (every 5s) reach the backend over TLS, but
   # `verify none` skips certificate validation, so an impersonated backend
   # on the proxy-to-backend path would not be detected. Where that path is
   # not fully trusted, use `verify required` with a `ca-file` for the
   # backend's CA instead.
   server      MAIN_SHINY_WEB_1.2.3.41 1.2.3.41:443 weight 100 minconn 80 maxconn 180 inter 5s check ssl verify none
   # Receives traffic only when no non-backup server passes its health check.
   server      BACKUP_SHINY_WEB_1.2.3.42 1.2.3.42:443 weight 100 minconn 80 maxconn 180 inter 5s check ssl verify none backup

backend WEBAPI_BACKEND_8443
   # Round-robin only spreads load among non-backup servers; with a single
   # active server here, the BACKUP_ entry is used solely while MAIN_ is down.
   balance     roundrobin
   # Traffic and health checks (every 5s) reach the backend over TLS, but
   # `verify none` skips certificate validation, so an impersonated backend
   # on the proxy-to-backend path would not be detected. Where that path is
   # not fully trusted, use `verify required` with a `ca-file` for the
   # backend's CA instead.
   server      MAIN_WEB_API_1.2.3.43 1.2.3.43:8443 weight 100 minconn 100 maxconn 200 inter 5s check ssl verify none
   # Receives traffic only when no non-backup server passes its health check.
   server      BACKUP_WEB_API_1.2.3.44 1.2.3.44:8443 weight 100 minconn 100 maxconn 200 inter 5s check ssl verify none backup



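listen stats
   # Stats and admin UI. Served over TLS with the same certificate as the
   # application frontends so the Basic-auth credential below is not sent
   # in cleartext; the original bound this listener as plain HTTP.
   bind 1.2.3.40:9999 ssl crt /etc/ssl/mycert.pem force-tlsv12
   stats enable
   stats hide-version
   stats uri /stats
   stats show-desc Shiny Load Balancer Node
   stats refresh 10s
   # Change this credential before deploying; it is the only thing gating
   # the admin actions enabled further down.
   stats auth admin:password
   stats scope SHINY_BACKEND_443
   stats scope WEBAPI_BACKEND_8443
   # Admin actions (disabling/enabling servers) are allowed for any
   # authenticated client. Consider replacing TRUE with an `acl ... src`
   # limited to your management network so a leaked password alone is not
   # enough to take servers out of rotation.
   stats admin if TRUE
   stats show-legends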


# The above is for CentOS 7.
# To configure logging, edit rsyslog.conf to accept connections over TCP or UDP, send local2.* to /var/log/haproxy.log, then restart the service.

# The backup keyword on a backend server assigns it the backup role; while the primary is up, nothing is routed to the backup. See the HAProxy documentation for further explanation.