RHEL7: Configure a high available load-balancer.

Presentation

For this tutorial, you need 2 virtual/physical servers for the load-balancers and 2 virtual/physical servers to load-balance.

Note: Additional configuration will be required to run HAProxy on the Red Hat OpenStack Platform (see the OpenStack Networking Guide for more information).

In addition to the 4 IP addresses needed by the servers themselves, a fifth virtual IP address (VIP) is necessary. The two load-balancers and the VIP need to be in the same network segment.

Piranha has been replaced in RHEL7 with HAProxy and keepalived. For this reason, HAProxy will be used as the load-balancing software, keepalived as the high-availability solution and Apache as the service being load-balanced.

Here is the addressing schema chosen to write into the /etc/hosts file of each server:

  • 192.168.0.100 vip
  • 192.168.0.101 haproxy1
  • 192.168.0.102 haproxy2
  • 192.168.0.103 httpd1
  • 192.168.0.104 httpd2

HAProxy Installation

On the haproxy1/haproxy2 servers, execute the following instructions:

Install the HAProxy package:

# yum install -y haproxy

Edit the /etc/haproxy/haproxy.cfg file, replace the line “frontend  main *:5000” with “frontend  main *:80” and comment out the line “use_backend static if url_static”.
At the end of the same file, remove the lines starting with “server app” and replace them with the following lines:

server httpd1 192.168.0.103:80 check
server httpd2 192.168.0.104:80 check
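
The three edits above can be scripted so that both load-balancers end up with identical files. The following is an added example, not part of the original tutorial; the function names and the sample file are constructed, and it assumes “backend app” is the last section of the file, as in the lines the tutorial quotes.

```shell
#!/bin/bash
# Added example: apply the tutorial's haproxy.cfg edits, safely re-runnable.

# Constructed sample modelled on the stock lines the tutorial quotes.
sample_stock_cfg() {
cat <<'EOF'
frontend  main *:5000
    acl url_static       path_beg       -i /static /images
    use_backend static          if url_static
    default_backend             app

backend static
    balance     roundrobin
    server      static 127.0.0.1:4331 check

backend app
    balance     roundrobin
    server  app1 127.0.0.1:5001 check
    server  app2 127.0.0.1:5002 check
EOF
}

# apply_haproxy_edits FILE: port 5000 -> 80, comment out the static rule,
# drop the "server app..." placeholders, append httpd1/httpd2 once.
apply_haproxy_edits() {
    cfg=$1
    tmp=$(mktemp) || return 1
    sed -E \
        -e 's/^(frontend[[:space:]]+main[[:space:]]+\*):5000/\1:80/' \
        -e 's/^([[:space:]]*)(use_backend[[:space:]]+static[[:space:]]+if[[:space:]]+url_static)/\1#\2/' \
        -e '/^[[:space:]]*server[[:space:]]+app/d' \
        "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Append the real web servers only if a previous run has not done so.
    grep -q '192\.168\.0\.103:80' "$tmp" ||
        printf '    server httpd1 192.168.0.103:80 check\n    server httpd2 192.168.0.104:80 check\n' >> "$tmp"
    # Overwrite in place so the file keeps its owner, mode and SELinux label.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}
```

Run it against a copy first, for example `sample_stock_cfg > /tmp/haproxy.cfg; apply_haproxy_edits /tmp/haproxy.cfg`, and compare the result with the original before touching /etc/haproxy/haproxy.cfg.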

Activate at boot and start the HAProxy service:

# systemctl enable haproxy
# systemctl start haproxy

Create the /etc/firewalld/services/haproxy.xml file and paste the following lines:

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>HAProxy</short>
<description>HAProxy load-balancer</description>
<port protocol="tcp" port="80"/>
</service>

Assign correct SELinux context and file permissions to the haproxy.xml file:

# cd /etc/firewalld/services
# restorecon haproxy.xml
# chmod 640 haproxy.xml

Update the firewall configuration:

# firewall-cmd --permanent --add-service=haproxy
# firewall-cmd --reload

Keepalived Installation

On the haproxy1/haproxy2 servers, execute the following instructions:

Install the keepalived package:

# yum install -y keepalived

Create a new /etc/keepalived/keepalived.conf file and paste the following lines:

vrrp_script chk_haproxy {
  script "killall -0 haproxy" # check the haproxy process
  interval 2 # every 2 seconds
  weight 2 # add 2 points if OK
}

vrrp_instance VI_1 {
  interface eth0 # interface to monitor
  state MASTER # MASTER on haproxy1, BACKUP on haproxy2
  virtual_router_id 51
  priority 101 # 101 on haproxy1, 100 on haproxy2
  virtual_ipaddress {
    192.168.0.100 # virtual ip address 
  }
  track_script {
    chk_haproxy
  }
}

Activate at boot and start the keepalived service:

# systemctl enable keepalived
# systemctl start keepalived

Check the presence of the VIP on the haproxy1 server:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:f7:2a:a9 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.101/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 192.168.0.100/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fef7:2aa9/64 scope link
valid_lft forever preferred_lft forever
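
Checking one node is not enough: exactly one of the two load-balancers should hold the VIP at any time. If both hold it, the nodes are not seeing each other's VRRP advertisements (for example because a host firewall drops them). The following check is an added example, not part of the original tutorial; the function names and sample outputs are constructed, and it expects the output of `ip -o -4 addr show dev eth0` from each node.

```shell
#!/bin/bash
# Added example: decide which load-balancer holds the VIP, or flag split-brain.
VIP=192.168.0.100

# Constructed samples of `ip -o -4 addr show dev eth0` output.
NODE1_SAMPLE='2: eth0    inet 192.168.0.101/24 brd 192.168.0.255 scope global eth0
2: eth0    inet 192.168.0.100/32 scope global eth0'
NODE2_SAMPLE='2: eth0    inet 192.168.0.102/24 brd 192.168.0.255 scope global eth0'

# holds_vip: read `ip -o -4 addr show` output on stdin, succeed if the VIP is
# configured. The address is compared exactly, not as a substring.
holds_vip() {
    awk -v vip="$VIP" '
        { for (i = 1; i < NF; i++)
              if ($i == "inet") { split($(i + 1), a, "/"); if (a[1] == vip) found = 1 } }
        END { exit !found }'
}

# vip_state OUT1 OUT2: print haproxy1, haproxy2, no-vip or split-brain.
vip_state() {
    n=0; owner=none
    if printf '%s\n' "$1" | holds_vip; then n=$((n + 1)); owner=haproxy1; fi
    if printf '%s\n' "$2" | holds_vip; then n=$((n + 1)); owner=haproxy2; fi
    case $n in
        0) echo "no-vip" ;;       # keepalived down on both nodes
        1) echo "$owner" ;;       # normal state
        2) echo "split-brain" ;;  # both nodes believe they are MASTER
    esac
}

# Real use (assumes SSH access to both nodes from a monitoring host):
#   vip_state "$(ssh haproxy1 ip -o -4 addr show dev eth0)" \
#             "$(ssh haproxy2 ip -o -4 addr show dev eth0)"
```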

Apache Installation

On the httpd1/httpd2 servers, follow the instructions for the Apache installation.
Create a file called index.html in the /var/www/html directory on the httpd1 server and paste the following line:

Test httpd1

Do the same operation on the httpd2 server but replace “httpd1” with “httpd2” in the index.html file.

From another server, test the configuration:

# yum install -y elinks
# elinks http://192.168.0.100

HAProxy Intricacies

In some cases, because HAProxy tries to bind to an IP address that doesn’t exist on any interface, it doesn’t start and displays an error message like “Starting proxy stats: cannot bind socket”.

The solution is to create a file called /etc/sysctl.d/10-haproxy.conf and paste the following line:

net.ipv4.ip_nonlocal_bind=1

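Then, load the new setting (sysctl -p without a file name only reads /etc/sysctl.conf, so use --system to include the files in /etc/sysctl.d):

# sysctl --system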

Note1: There is a page dedicated to kernel runtime parameters assignment on this website.
Note2: Additional information about HAProxy boot errors and solutions can be found here.

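In some cases, you also need to enable an SELinux boolean to allow HAProxy to bind to non-standard ports (note that haproxy_connect_any lifts the SELinux port restriction for HAProxy on all ports, not just the one you need):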

# setsebool -P haproxy_connect_any on

Additional Resources

Red Hat documentation provides a guide called RHEL 7 Load Balancer Administration.
Oracle Linux Administrator’s Guide for Release 7 provides a chapter dedicated to HAProxy configuration.
The Red Hat CloudForms High Availability Guide provides a chapter about Configuring the HAProxy Load-Balancer.

Note: HAProxy 1.8 is not currently available for RHEL 7 due to a syntax change introduced in this version, which breaks compatibility when parsing the configuration file. Red Hat doesn’t want its customers to experience a production outage after a simple HAProxy upgrade (see details here).

The official HAProxy website offers many interesting articles:

2 comments on “RHEL7: Configure a high available load-balancer.”
  1. hunter86_bg says:

    For HAProxy it’s nice to say that it supports an Active-Backup mode.
    For example you can have 1 front-end and 1 back-end (multiple front-, back-ends are possible) listening on specific port and to define 1 (or more servers) as primary and 1 (or more for backup) connection. When all primary servers fall down, HAProxy will use the backup servers.
    Also HAProxy has a Web statistics page to keep an eye on the usage of every interface.
