HAProxy setup help needed



  • Hi
    Trying to learn how to use HAProxy but can't seem to get it working.  I created a config (see below) and activated HAProxy.  The widget seems to indicate that nothing is being processed by HAProxy.  Not certain what I'm missing.  Some help would be appreciated.

    Basically I have 4 backend servers, one of which is for HTTPS, and I basically want to route certain web sites to a specific server.  I have created HTTP frontends which point to each backend server, but it's like it's not intercepting the WAN port 80.  What am I missing?

    The HTTPS server is giving errors when I activate it, so I know I have a configuration error in it.  But the HTTP servers seem to be OK. Trying to get them working first and then will concentrate on the HTTPS server.

    Any help would be appreciated.

    Thanks

    Config file:

    global
        maxconn 10000
        stats socket /tmp/haproxy.socket level admin
        uid 80
        gid 80
        nbproc 1
        chroot /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param 2048
        log-send-hostname HaproxyMasterNode

    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats refresh 10
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    resolvers globalresolvers
        nameserver ns1 192.168.120.14:53
        nameserver ns 192.168.120.1:53
        resolve_retries 3
        timeout retry 1s
        hold valid 10s

    frontend httpWEBdomains-merged
        bind 156.134.21.14:80 name 156.134.21.14:80
        mode http
        log global
        option http-keep-alive
        timeout client 30000
        acl remotehelp_acl hdr(host) -i remotehelp.accra.ca
        acl accra_acl hdr_end(host) -i accra.ca
        acl filopto_acl hdr_end(host) -i filopto.com
        acl dragondreams_acl hdr_end(host) -i dragondreams.ca
        acl dragondoodles_acl hdr_end(host) -i dragondoodles.ca
        acl ajefnb_acl hdr_end(host) -i ajefnb.nb.ca
        acl famille.accra.ca hdr(host) -i NASbackend
        use_backend RemoteHelpServer25_http_ipvANY  if  remotehelp_acl
        use_backend WebServer14_http_ipvANY  if  accra_acl
        use_backend WebServer14_http_ipvANY  if  filopto_acl
        use_backend WebServer14_http_ipvANY  if  dragondreams_acl
        use_backend WebServer14_http_ipvANY  if  dragondoodles_acl
        use_backend WebServer14_http_ipvANY  if  ajefnb_acl
        default_backend WebServer14_http_ipvANY
        default_backend NASWebServer4_http_ipvANY
        default_backend NASWebServer4_http_ipvANY

    backend RemoteHelpServer25_http_ipvANY
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server remotehelpserver 192.168.120.125:80 check inter 1000  resolvers globalresolvers

    backend WebServer14_http_ipvANY
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server AccraWEBServer 192.168.120.114:80 check inter 1000  resolvers globalresolvers

    backend NASWebServer4_http_ipvANY
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        acl famille.accra.ca hdr(host) -i famille
        server Accranas 192.168.120.224:80 check inter 1000  resolvers globalresolvers



  • Config looks alright to me.
    Firewall rule on the WAN is passing :80?

    I tried some of those domains, and it seems I am getting to different websites.. Did you figure it out already? ;D

    Regards,
    PiBa-NL



  • No, still working on it, moved it to another network for testing.  Saw in one web site that I cannot point HAProxy to the WAN IP but must create a virtual IP and use it for HAProxy.  Is this correct? This might be the piece I'm missing?

    cjb



  • HAProxy can normally listen on the WAN IP, but I've seen a problem reported with it when the WAN connection is a PPP connection. In which case a virtual IP + port forward can work around that.

    If you look at the stats page, are all backend servers 'up', and does it count a request on the frontend when you try to connect?
    b.t.w. the NASWebServer4 does seem to be missing an acl..



  • @cjbujold:

    No, still working on it, moved it to another network for testing.  Saw in one web site that I cannot point HAProxy to the WAN IP but must create a virtual IP and use it for HAProxy.  Is this correct? This might be the piece I'm missing?

    cjb

    Not exactly.
    Port 80 is below 1024, so sometimes it's easier to bind haproxy/squid to localhost:8080 or some other port > 1024, and just NAT from WAN to it.
    Also, check the stats page - if your backends are reported as unavailable (though they are live and well, and can be reached from pfSense) - you should change the health check method (for some sites the OPTIONS method just doesn't work).
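    As an added example (not cjb's posted config or anything from the thread), this is the same Host-based routing written with one acl per site, a single default_backend, the famille.accra.ca acl that was missing, and a GET health check with an expected status in place of OPTIONS; addresses and hostnames are taken from the posted config, backend names are shortened.

```haproxy
# Added example, not cjb's posted config. Addresses and hostnames are the ones
# from the posted config; backend names are shortened.
frontend http_in
    bind 156.134.21.14:80
    mode http
    log global
    option forwardfor                 # pass the real client IP as X-Forwarded-For
    timeout client 30s

    # hdr(host) -i is an exact match; hdr_end(host) also matches every subdomain,
    # so famille.accra.ca matches host_accra too and must be tested first.
    acl host_remotehelp hdr(host)     -i remotehelp.accra.ca
    acl host_famille    hdr(host)     -i famille.accra.ca
    acl host_accra      hdr_end(host) -i accra.ca
    acl host_filopto    hdr_end(host) -i filopto.com
    acl host_dragon     hdr_end(host) -i dragondreams.ca dragondoodles.ca

    use_backend RemoteHelpServer25 if host_remotehelp
    use_backend NASWebServer4      if host_famille
    use_backend WebServer14        if host_accra || host_filopto || host_dragon
    # Only one default_backend can be in effect; declare it once.
    default_backend WebServer14

backend WebServer14
    mode http
    timeout connect 5s
    timeout server 30s
    # Some web servers answer OPTIONS with 405 and are then marked DOWN; a GET
    # with an explicit expected status is a more reliable health check.
    option httpchk GET /
    http-check expect status 200
    server AccraWEBServer 192.168.120.114:80 check inter 2s fall 3 rise 2

backend NASWebServer4
    mode http
    timeout connect 5s
    timeout server 30s
    option httpchk GET /
    http-check expect status 200
    server Accranas 192.168.120.224:80 check inter 2s fall 3 rise 2

backend RemoteHelpServer25
    mode http
    timeout connect 5s
    timeout server 30s
    option httpchk GET /
    http-check expect status 200
    server remotehelpserver 192.168.120.125:80 check inter 2s fall 3 rise 2
```

    After a reload, `echo "show stat" | socat stdio /tmp/haproxy.socket` (socat assumed to be installed) prints the same counters as the stats page; a `req_tot` of 0 on the frontend while clients are connecting means the WAN firewall or NAT is not delivering port 80 to HAProxy at all, which is the check PiBa-NL suggests above.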



  • Made progress, thanks for the help, but still having some issues. Got the HTTP sorted and everything is working properly.

    Trying to get the HTTPS working and not quite certain on the SSL certificate.  Is it better to install it in pfSense, or is it better to leave that on the web server?

    Thanks
    cjb



  • Hi cjb,

    It's both possible, each with its own (dis)advantages..

    If you leave the certificates on the webservers, then haproxy only has to forward the TCP traffic, which is a pretty simple job, so little CPU usage on haproxy.
    -only a few acl conditions are available in 'mode tcp' (basically only the SNI name can be checked, among a few other L4 fetches.)
    -Higher CPU usage for decryption on webservers (probably easy to add more webservers in case CPU usage reaches 100%..)
    -Lower CPU usage on haproxy

    If you put the certificates on haproxy:
    -'mode http' with all the advantages that come with that:
      -allows inserting/rewriting http headers (x-forwarded-for header)
      -and allows writing acls for specific paths or other conditions with full access to all L7 information.
      -more detailed logging
    -centralized certificate management. (1 place to upgrade every X time.)
    -Higher CPU usage on haproxy (hard to scale up once haproxy reaches 100% CPU..)
    -Lower CPU usage for decryption on webservers
    -might cause issues with the website if forwarded over :80, where it will try to redirect the client to :443 even though the actual request was already made over 443; as a workaround you could then re-encrypt the communication on the backend side, this would then increase CPU usage on haproxy even more, and the lower CPU on the webserver wouldn't be applicable, though for that last part you could use an 'easy' cipher on the backend..

    There might be some other differences I'm forgetting to mention a.t.m. … Anyway, you'll have to decide if you want more features on haproxy, or need to be conservative with CPU resources.

    Regards,
    PiBa-NL
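    The two layouts PiBa-NL compares, as an added example that is not part of the thread: option A keeps the certificates on the web servers and routes on the SNI name in 'mode tcp'; option B terminates TLS on HAProxy in 'mode http' and re-encrypts towards the backend to avoid the :80 to :443 redirect loop. The certificate and CA paths are placeholders, and only one of the two frontends can bind 156.134.21.14:443 at a time.

```haproxy
# Added example, not the thread's config. Certificate and CA paths are placeholders;
# addresses and hostnames are from the posted config. Use frontend A or B, not both.

# Option A: certificates stay on the web servers. HAProxy only sees the TLS
# ClientHello, so the SNI name is the one L4 fact it can route on.
frontend https_passthrough
    bind 156.134.21.14:443
    mode tcp
    # Buffer (up to 5s) until the ClientHello arrived so req_ssl_sni is populated.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend tls_remotehelp if { req_ssl_sni -i remotehelp.accra.ca }
    default_backend tls_web

backend tls_web
    mode tcp
    server AccraWEBServer 192.168.120.114:443 check

backend tls_remotehelp
    mode tcp
    server remotehelpserver 192.168.120.125:443 check

# Option B: the certificate lives on HAProxy. Full L7 access: headers can be
# rewritten, and the web server learns the client used HTTPS from X-Forwarded-Proto.
frontend https_terminated
    bind 156.134.21.14:443 ssl crt /path/to/site.pem    # placeholder path
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    use_backend web_plain if { hdr(host) -i famille.accra.ca }
    default_backend web_reencrypt

# Plain HTTP to the backend: cheapest, but only works if the site does not
# redirect :80 requests to :443 on its own.
backend web_plain
    mode http
    server Accranas 192.168.120.224:80 check

# Re-encrypting to the backend avoids that redirect loop at the cost of a second
# TLS handshake on HAProxy. Verify the backend certificate instead of 'verify none'.
backend web_reencrypt
    mode http
    server AccraWEBServer 192.168.120.114:443 ssl verify required ca-file /path/to/backend-ca.pem check   # placeholder path
```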