WHAT IS HAPROXY?
• Even if you optimize your service configuration, sometimes your service will still fail
• This is normal: any software or hardware has a maximum capacity, beyond which it cannot accept any more connections
• So how do you cope with that?
CLIENT REQUESTS DISTRIBUTION
• How can you distribute client requests among your web servers?
• One answer is DNS: several A records for the same name, each pointing at a different server
Myservice.com A 5.5.5.1
Myservice.com A 5.5.5.2
Myservice.com A 5.5.5.3
SOLUTION
• Use a load balancer
• All requests are directed to the load balancer
• The load balancer forwards requests to the web servers according to its configuration
WHAT IS HAPROXY?
• a TCP proxy: it can accept a TCP connection from a listening socket, connect to a server and attach these sockets together, allowing traffic to flow in both directions
WHAT IS HAPROXY?
• an HTTP reverse proxy: it presents itself as a server, receives HTTP requests over connections accepted on a listening TCP socket, and passes the requests from these connections to servers using different connections.
WHAT IS HAPROXY?
• an SSL terminator: SSL/TLS may be used on the connection coming from the client, on the connection going to the server, or even on both connections.
WHAT IS HAPROXY?
• a TCP normalizer: abnormal traffic such as invalid packets or incomplete connections (SYN floods) can be dropped here
WHAT IS HAPROXY?
• an HTTP normalizer: when configured to process HTTP traffic, only valid, complete requests are passed on.
• This protects against a lot of protocol-based attacks.
WHAT IS HAPROXY?
• a server load balancer: it can load balance TCP connections and HTTP requests.
• In TCP mode, load balancing decisions are taken for the whole connection.
• In HTTP mode, decisions are taken per request.
WHAT IS HAPROXY?
• a traffic regulator: it can apply rate limiting at various points, protect the servers against overloading, adjust traffic priorities based on the contents, and even pass such information to lower layers and outer network components by marking packets.
• log specifies the log address and the syslog facility to which log entries are written.
• option httplog enables logging of various values of an HTTP session, including the HTTP request, session status, connection counts, source address and connection timers, among others.
• option dontlognull disables logging of null connections, meaning that HAProxy will not log connections in which no data has been transferred.
• Null connections could indicate malicious activity such as port scanning for vulnerabilities, so keep that in mind before disabling their logging.
HAPROXY CONFIGURATION
• retries: the number of times a connection attempt is retried on a server when a connection is either refused or times out
• The following are all values of the timeout directive (for example "timeout http-request 10s"):
• http-request 10s: period to wait for a complete HTTP request from a client.
• queue 1m: period a request may wait in the queue before it is dropped and the client receives a 503 "Service Unavailable" error.
• connect 10s: period to wait for a successful connection to a server.
• client 1m: period a client may remain inactive (it neither accepts nor sends data).
• server 1m: period a server is given to accept or send data before a timeout occurs.
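As an added example that is not part of the slides, here are the logging, retry and timeout directives above written out as a global and defaults section; the syslog address and the chroot path are assumptions:

```haproxy
global
    # send log entries to the local syslog daemon, facility local0 (address assumed)
    log 127.0.0.1 local0
    # drop privileges once the listening sockets are bound
    chroot /var/lib/haproxy
    user  haproxy
    group haproxy
    daemon

defaults
    # reuse the log target defined in "global"
    log     global
    mode    http
    # log the request line, status, source address and the session timers
    option  httplog
    # skip connections that never transferred data; this also hides port scans
    # and other probes from the log, so decide consciously
    option  dontlognull
    # retry a refused or timed-out connection to a server three times
    retries 3
    # the values from the slide, each given to the "timeout" directive
    timeout http-request 10s
    timeout queue        1m
    timeout connect      10s
    timeout client       1m
    timeout server       1m
```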
HAPROXY CONFIGURATION
(3) Frontend Section:
The frontend settings configure the listening sockets on which client connection requests are accepted
[Diagram: HAProxy in front of two Apache web servers, Websrv01 (192.168.132.143) and Websrv02 (192.168.132.144)]
STATISTICS
• You can enable statistics in HAProxy to monitor the status of your servers
STATISTICS
• Add the following to the frontend
stats enable
stats auth admin:password
stats hide-version
stats show-node
stats refresh 60s
stats uri /haproxy?stats
TCP AND HTTP MODE
• You need to choose one mode for your backends (TCP or HTTP)
• What is the difference between them?
TCP AND HTTP MODES
• TCP works at a lower layer (see networking concepts and the OSI model)
• Keep in mind that HTTP-mode data is carried by the TCP protocol
• The TCP protocol only has general information about:
• Source and destination ports
• Specific flags like ACK, SYN and FIN
• Mechanisms to guarantee delivery and ordering of data
[Diagram: a TCP segment with source port 5158 and destination port 80, carrying HTTP traffic]
TCP AND HTTP MODES
• HTTP mode has more information about the HTTP request itself, such as its headers
TCP AND HTTP MODE
• If you only need to forward any traffic received on the frontend port to your backend with a scheduling algorithm such as roundrobin, use TCP mode
• If you need scheduling algorithms that require information from the HTTP header, or access lists that read the HTTP header, then you have to use HTTP mode
FORWARDFOR OPTIONS
• Why do we need the forwardfor option?
• Without it, the Apache access logs show the client IP as 192.168.132.145 (the HAProxy address) instead of the real client address 192.168.132.1
[Diagram: client 192.168.132.1 -> HAProxy 192.168.132.145 -> Apache Websrv01 (192.168.132.143) and Websrv02 (192.168.132.144)]
FORWARDFOR OPTIONS
• To see the original IP you need to:
• Keep the forwardfor option enabled in HAProxy
• Add %{X-Forwarded-For}i to your log configuration in Apache
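An added configuration (not from the slides) for the forwardfor setup just described, with the matching Apache log format in a comment. It also strips any X-Forwarded-For header a client sends itself, because "option forwardfor" only appends HAProxy's own value; the Apache log path is an assumption:

```haproxy
frontend www-http
    bind *:80
    mode http
    # a client can send an X-Forwarded-For header of its own; "option forwardfor"
    # appends the address HAProxy saw, so a forged value would be the first one the
    # web servers log. Remove whatever the client sent before our value is added.
    http-request del-header X-Forwarded-For
    default_backend app

backend app
    mode http
    balance roundrobin
    # add "X-Forwarded-For: 192.168.132.1" (the client address) to each request;
    # otherwise Apache only sees the HAProxy address 192.168.132.145
    option forwardfor
    server websrv01 192.168.132.143:80 check
    server websrv02 192.168.132.144:80 check

# Apache side (httpd.conf or the vhost on Websrv01/Websrv02): log the forwarded
# address in place of the %h (peer) field of the "combined" format. This is only
# trustworthy while the servers accept connections from HAProxy alone.
#   LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
#   CustomLog /var/log/httpd/access_log proxied
```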
ACCESS LISTS
• The purpose of using Access Control Lists (ACLs) is to provide a flexible way to make decisions based on content extracted from the request, the response, or any environmental status.
ACCESS LISTS
• The ACL syntax
# now use backend "static" for all static-only hosts, and for static urls
# of host "www". Use backend "www" for the rest.
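An added example, not from the slides, covering both the TCP-versus-HTTP mode choice and the ACL routing the comment above describes: a TCP-mode listener that can only balance whole connections, beside an HTTP-mode frontend that routes on the Host header and path. The ACL names, the port 8080 listener and the choice of Websrv02 as the static server are assumptions:

```haproxy
# TCP mode: the stream is not parsed, so the decision is taken once per connection
# and only connection-level algorithms such as roundrobin are available.
listen www-tcp
    bind *:8080
    mode tcp
    balance roundrobin
    server websrv01 192.168.132.143:80 check
    server websrv02 192.168.132.144:80 check

# HTTP mode: each request is parsed, so ACLs can test the Host header and the path.
frontend www-http
    bind *:80
    mode http
    # acl <name> <fetch method> [flags] <pattern>...; "-i" matches case-insensitively
    acl host_www    hdr_beg(host) -i www
    acl host_static hdr_beg(host) -i static img
    acl url_static  path_beg /static /images
    acl url_static  path_end .gif .png .jpg .css .js
    # now use backend "static" for all static-only hosts, and for static urls
    # of host "www". Use backend "www" for the rest.
    # (two ACL names side by side are ANDed; "or" must be written out)
    use_backend static if host_static or host_www url_static
    use_backend www    if host_www
    default_backend www

backend static
    mode http
    server websrv02 192.168.132.144:80 check

backend www
    mode http
    balance roundrobin
    server websrv01 192.168.132.143:80 check
    server websrv02 192.168.132.144:80 check
```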
STICKY SESSIONS IN HAPROXY
[Diagram: client 192.168.132.1 -> HAProxy 192.168.132.145 -> Apache Websrv01 (192.168.132.143) and Websrv02 (192.168.132.144), each holding its own session files]
• With plain load balancing, the session a client created on one web server is not available when its next request is sent to the other one
• Solutions:
• Make shared storage for the session files
• Save sessions in a database
STICKY SESSIONS IN HAPROXY
• Solutions:
• Use the source scheduling algorithm
• This guarantees that the same client always reaches the same server
• But what if a proxy server is accessing our environment on behalf of many clients (they all share one source address)?
STICKY SESSIONS IN HAPROXY
• Solution (1)
• Inject a cookie into the client browser
• With it the client tells HAProxy "I was sent to server 01, always send me to server 01"
STICKY SESSIONS IN HAPROXY
• Solution (2)
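An added example (not from the slides) of Solution (1): HAProxy inserting its own persistence cookie, with the "balance source" alternative from the previous slide shown in a comment for comparison. The cookie name SERVERID is an assumption:

```haproxy
backend app
    mode http
    balance roundrobin
    # Solution (1): HAProxy sets a cookie named SERVERID in the first response and the
    # browser sends it back, so later requests go to the server named in it.
    #   insert   - HAProxy adds the cookie itself; the application does not set it
    #   indirect - the cookie is removed before the request reaches the server
    #   nocache  - marks the response non-cacheable so a shared cache cannot hand
    #              one client's persistence cookie to every other client
    #   httponly - browser scripts cannot read the cookie
    #   secure   - only sent over HTTPS; drop this keyword if clients use plain HTTP
    cookie SERVERID insert indirect nocache httponly secure
    server websrv01 192.168.132.143:80 check cookie websrv01
    server websrv02 192.168.132.144:80 check cookie websrv02

# The previous slide's alternative hashes the client address instead. Everyone
# behind one forward proxy shares that address, so they all land on the same
# server; the cookie above distinguishes them correctly.
# backend app
#     balance source
#     hash-type consistent
#     server websrv01 192.168.132.143:80 check
#     server websrv02 192.168.132.144:80 check
```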
SSL CERTIFICATES
• Configuration:
• Create a combined .pem file (certificate and private key together)
• Then add a frontend to receive HTTPS traffic:
frontend www-https
bind *:443 ssl crt /etc/haproxy/mydomain.combined.pem
reqadd X-Forwarded-Proto:\ https
default_backend app
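An added, fuller version of the HTTPS frontend above, not from the slides: it pins a minimum TLS version, redirects plain-HTTP clients, and uses "http-request set-header" because the "reqadd" directive on the slide was removed in HAProxy 2.1. The certificate file names in the comment are assumptions:

```haproxy
global
    # refuse SSLv3, TLS 1.0 and 1.1 on every "bind ... ssl" line; no session tickets
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

frontend www-http
    bind *:80
    mode http
    # send plain-HTTP clients to the HTTPS front end instead of serving them
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend www-https
    # the combined file holds the server certificate, its chain and the private key,
    # e.g. "cat mydomain.crt chain.crt mydomain.key > mydomain.combined.pem";
    # keep it readable by root only (chmod 600) since it contains the key
    bind *:443 ssl crt /etc/haproxy/mydomain.combined.pem
    mode http
    # tell the web servers the original scheme; this is the current form of the
    # "reqadd X-Forwarded-Proto:\ https" line on the slide
    http-request set-header X-Forwarded-Proto https
    default_backend app

backend app
    mode http
    balance roundrobin
    # plain HTTP to the servers: HAProxy is the SSL terminator here
    server websrv01 192.168.132.143:80 check
    server websrv02 192.168.132.144:80 check
```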
SPOF
• With a single HAProxy in front of the web servers, HAProxy itself is a single point of failure (SPOF)
[Diagram: client 192.168.132.1 -> one HAProxy 192.168.132.145 -> Apache Websrv01 (192.168.132.143) and Websrv02 (192.168.132.144)]
AVOID SPOF
• How can we avoid a SPOF for HAProxy?
• Run two HAProxy nodes (192.168.132.145 and 192.168.132.146) managed by Pacemaker, with a virtual IP 192.168.132.147 that clients connect to and that moves to the surviving node on failure
[Diagram: client -> VIP 192.168.132.147 (Pacemaker) -> HAProxy 192.168.132.146 / HAProxy 192.168.132.145 -> Apache Websrv01 (192.168.132.143) and Websrv02 (192.168.132.144)]
CONCLUSION
• HAProxy can be used for load balancing and fault tolerance
• It is stable, free and open source
• It can work with the HTTP protocol and extract information from the HTTP header
• It can also be used for any application-layer protocol that runs over TCP
• It provides many different scheduling algorithms
• It can be configured to display statistics and monitoring information
• You can configure it as an SSL terminator
• It can work together with Pacemaker to avoid a SPOF