HAProxy setup help needed
-
Hi
Trying to learn how to use HAProxy but can't seem to get it working. I created a config (see below) and activated HAProxy. The widget seems to indicate that nothing is being processed by HAProxy. Not certain what I'm missing. Some help would be appreciated.
Basically I have 4 backend servers, one of which is for HTTPS, and I basically want to route certain web sites to a specific server. I have created HTTP frontends which point to each backend server, but it's like it's not intercepting the WAN port 80. What am I missing?
The HTTPS server is giving errors when I activate it, so I know I have a configuration error in it. But the HTTP servers seem to be OK. Trying to get them working first and then will concentrate on the HTTPS server.
Any help would be appreciated.
Thanks
Config file:
global
    maxconn 10000
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname HaproxyMasterNode

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

resolvers globalresolvers
    nameserver ns1 192.168.120.14:53
    nameserver ns 192.168.120.1:53
    resolve_retries 3
    timeout retry 1s
    hold valid 10s

frontend httpWEBdomains-merged
    bind 156.134.21.14:80 name 156.134.21.14:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl remotehelp_acl hdr(host) -i remotehelp.accra.ca
    acl accra_acl hdr_end(host) -i accra.ca
    acl filopto_acl hdr_end(host) -i filopto.com
    acl dragondreams_acl hdr_end(host) -i dragondreams.ca
    acl dragondoodles_acl hdr_end(host) -i dragondoodles.ca
    acl ajefnb_acl hdr_end(host) -i ajefnb.nb.ca
    acl famille.accra.ca hdr(host) -i NASbackend
    use_backend RemoteHelpServer25_http_ipvANY if remotehelp_acl
    use_backend WebServer14_http_ipvANY if accra_acl
    use_backend WebServer14_http_ipvANY if filopto_acl
    use_backend WebServer14_http_ipvANY if dragondreams_acl
    use_backend WebServer14_http_ipvANY if dragondoodles_acl
    use_backend WebServer14_http_ipvANY if ajefnb_acl
    default_backend WebServer14_http_ipvANY
    default_backend NASWebServer4_http_ipvANY
    default_backend NASWebServer4_http_ipvANY

backend RemoteHelpServer25_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server remotehelpserver 192.168.120.125:80 check inter 1000 resolvers globalresolvers

backend WebServer14_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server AccraWEBServer 192.168.120.114:80 check inter 1000 resolvers globalresolvers

backend NASWebServer4_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    acl famille.accra.ca hdr(host) -i famille
    server Accranas 192.168.120.224:80 check inter 1000 resolvers globalresolvers
-
Config looks alright to me.
Firewall rule on the WAN is passing :80?
I tried some of those domains, and it seems I am getting to different websites.. Did you figure it out already? ;D
Regards,
PiBa-NL -
No, still working on it; moved it to another network for testing. Saw on one web site that I cannot point HAProxy to the WAN IP but must create a virtual IP and use it for HAProxy. Is this correct? This might be the piece I'm missing?
cjb
-
HAProxy can normally listen on the WAN IP, but I've seen a problem reported with it when the WAN connection is a PPP connection. In which case a virtual IP + port forward can work around that.
If you look at the stats page, are all backend servers 'up', and does it count a request on the frontend when you try to connect?
b.t.w. the NASWebServer4 does seem to be missing an acl.. -
Not exactly.
Port 80 is below 1024, so sometimes it is easier to bind haproxy/squid to localhost:8080 or some other port > 1024, and just NAT from WAN to it.
Also, check the stats page - if your backends are reported as unavailable (though they are live and well, and can be reached from pfSense) you should change the health check method (for some sites the OPTIONS method just doesn't work). -
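Pulling together PiBa-NL's missing-ACL remark and the health-check point above, here is how the :80 frontend and the NAS backend could be written. This is an added example, not cjb's config or anything pfSense generated; it reuses the names and addresses from the posted config and assumes famille.accra.ca is the hostname meant for the NAS (the posted ACL carries that name but matches the literal "NASbackend").

```haproxy
frontend httpWEBdomains-merged
    bind 156.134.21.14:80 name 156.134.21.14:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    # Record the Host header in the log so you can see which site each request asked for
    # (useful when the stats page shows sessions on the frontend but the wrong backend).
    capture request header Host len 64

    # hdr(host) is an exact match, hdr_end(host) a suffix match.
    # The NAS site gets its own ACL (hostname assumed, see lead-in).
    acl remotehelp_acl    hdr(host)     -i remotehelp.accra.ca
    acl famille_acl       hdr(host)     -i famille.accra.ca
    acl accra_acl         hdr_end(host) -i accra.ca
    acl filopto_acl       hdr_end(host) -i filopto.com
    acl dragondreams_acl  hdr_end(host) -i dragondreams.ca
    acl dragondoodles_acl hdr_end(host) -i dragondoodles.ca
    acl ajefnb_acl        hdr_end(host) -i ajefnb.nb.ca

    # The first matching use_backend wins, so the exact hostnames under accra.ca
    # must be evaluated before the accra.ca suffix rule.
    use_backend RemoteHelpServer25_http_ipvANY if remotehelp_acl
    use_backend NASWebServer4_http_ipvANY      if famille_acl
    use_backend WebServer14_http_ipvANY        if accra_acl || filopto_acl || dragondreams_acl || dragondoodles_acl || ajefnb_acl
    # Only one default_backend is honoured; repeating the directive just overrides the earlier line.
    default_backend WebServer14_http_ipvANY

backend NASWebServer4_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    # If the stats page shows this server DOWN although it answers in a browser,
    # the check method is usually the problem: many servers reject OPTIONS, so check with GET
    # and require a 200 rather than accepting any 2xx/3xx reply.
    option httpchk GET /
    http-check expect status 200
    server Accranas 192.168.120.224:80 check inter 1000
```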
Made progress, thanks for the help, but still having some issues. Got the HTTP sorted and everything is working properly.
Trying to get the HTTPS working and not quite certain on the SSL certificate. Is it better to install it in pfSense or is it better to leave that on the web server?
Thanks
cjb -
Hi cjb,
It's both possible, each with its own (dis)advantages..
If you leave the certificates on the webservers then haproxy only has to forward the tcp traffic, which is a pretty simple job, so little cpu usage on haproxy.
- only a few acl conditions are available in 'mode tcp' (basically only the SNI name can be checked, among a few other L4 fetches.)
- Higher cpu usage for decryption on webservers (probably easy to add more webservers in case cpu usage reaches 100% cpu..)
- Lower cpu usage on haproxy

If you put the certificates on haproxy:
- 'mode http' with all advantages that come with that:
- allows inserting/rewriting http headers (x-forwarded-for header)
- and allows writing acl's for specific paths or other conditions with full access to all L7 information.
- more detailed logging
- centralized certificate management. (1 place to upgrade every X time.)
- Higher cpu usage on haproxy (hard to scale up once haproxy reaches 100% cpu..)
- Lower cpu usage for decryption on webservers
- might cause issues with the website if forwarded over :80, where it will try to redirect the client to :443 even though the actual request was already made over 443. As a workaround you could then re-encrypt the communication on the backend side; this would then increase cpu usage on haproxy even more, and the lower cpu on the webserver wouldn't be applicable, though for that last part you could use an 'easy' cipher on the backend..

There might be some other differences I'm forgetting to mention a.t.m. … Anyway you'll have to decide if you want more features on haproxy, or need to be conservative with cpu resources.
Regards,
PiBa-NL
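Both arrangements from PiBa-NL's comparison, as an added HAProxy configuration sketch that is not PiBa-NL's or pfSense's own output: a 'mode tcp' passthrough frontend that can only route on the SNI name, and a 'mode http' termination frontend that sets the forwarding headers and re-encrypts towards one backend. The frontend/backend names, the certificate and CA paths, and the famille.accra.ca hostname are assumptions; the server addresses reuse the ones from the posted config. Only one of the two :443 frontends can be enabled at a time, since both bind the same address and port.

```haproxy
# Option A: certificates stay on the web servers (TLS passthrough).
# HAProxy never decrypts, so only L4 data and the SNI name are available for routing.
frontend https_passthrough
    bind 156.134.21.14:443
    mode tcp
    # Hold the connection until the ClientHello (and its SNI extension) has arrived.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the unencrypted SNI field (hostname assumed).
    use_backend nas_tls_passthrough if { req_ssl_sni -i famille.accra.ca }
    default_backend web_tls_passthrough

backend web_tls_passthrough
    mode tcp
    server AccraWEBServer 192.168.120.114:443 check

backend nas_tls_passthrough
    mode tcp
    server Accranas 192.168.120.224:443 check

# Option B: certificate installed on HAProxy (TLS termination).
# Full L7 access, so Host/path ACLs and header rewriting work as on the :80 frontend.
frontend https_terminated
    bind 156.134.21.14:443 ssl crt /PLACEHOLDER/path/to/cert-and-key.pem
    mode http
    # Pass the client address and the original scheme to the web server so an
    # application that checks the scheme does not redirect an already-TLS request to :443.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    use_backend nas_terminated if { hdr(host) -i famille.accra.ca }
    default_backend web_terminated

backend web_terminated
    mode http
    # Plain HTTP to the backend: lowest CPU cost, but the LAN hop is unencrypted.
    server AccraWEBServer 192.168.120.114:80 check

backend nas_terminated
    mode http
    # Re-encrypt towards the backend and verify its certificate against a known CA;
    # this is the workaround for apps that insist on :443, at extra CPU cost on HAProxy.
    server Accranas 192.168.120.224:443 ssl verify required ca-file /PLACEHOLDER/path/to/backend-ca.pem check
```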