Presentation
For this tutorial, you need 2 virtual/physical servers for the load-balancers and 2 virtual/physical servers to load-balance.
Note: Additional configuration will be required to run HAProxy on the Red Hat OpenStack Platform (see the OpenStack Networking Guide for more information).
In addition to the 4 IP addresses needed by the servers themselves, a fifth virtual IP address (VIP) is necessary. The two load-balancers and the VIP need to be in the same network segment.
Piranha has been replaced in RHEL7 with HAProxy and keepalived. For this reason, HAProxy will be used as load-balancing software, keepalived as high availability solution and apache as software to load-balance.
Here is the addressing schema chosen to write into the /etc/hosts file of each server:
- 192.168.0.100 vip
- 192.168.0.101 haproxy1
- 192.168.0.102 haproxy2
- 192.168.0.103 httpd1
- 192.168.0.104 httpd2
HAProxy Installation
On the haproxy1/haproxy2 servers, execute the following instructions:
Install the HAProxy package:
# yum install -y haproxy
Edit the /etc/haproxy/haproxy.cfg file, replace the line “frontend main *:5000” with “frontend main *:80” and comment out the line “use_backend static if url_static“.
At the end of the same file, remove the lines starting with “server app” and replace them with the following lines:
server httpd1 192.168.0.103:80 check server httpd2 192.168.0.104:80 check
Activate at boot and start the HAProxy service:
# systemctl enable haproxy # systemctl start haproxy
Create the /etc/firewalld/services/haproxy.xml file and paste the following lines:
<?xml version="1.0" encoding="utf-8"?> <service> <short>HAProxy</short> <description>HAProxy load-balancer</description> <port protocol="tcp" port="80"/> </service>
Assign correct SELinux context and file permissions to the haproxy.xml file:
# cd /etc/firewalld/services # restorecon haproxy.xml # chmod 640 haproxy.xml
Update the firewall configuration:
# firewall-cmd --permanent --add-service=haproxy # firewall-cmd --reload
Keepalived Installation
On the haproxy1/haproxy2 servers, execute the following instructions:
Install the keepalived package:
# yum install -y keepalived
Create a new /etc/keepalived/keepalived.conf file and paste the following lines:
vrrp_script chk_haproxy { script "killall -0 haproxy" # check the haproxy process interval 2 # every 2 seconds weight 2 # add 2 points if OK } vrrp_instance VI_1 { interface eth0 # interface to monitor state MASTER # MASTER on haproxy1, BACKUP on haproxy2 virtual_router_id 51 priority 101 # 101 on haproxy1, 100 on haproxy2 virtual_ipaddress { 192.168.0.100 # virtual ip address } track_script { chk_haproxy } }
Activate at boot and start the keepalived service:
# systemctl enable keepalived # systemctl start keepalived
Check the presence of the VIP on the haproxy1 server:
# ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 52:54:00:f7:2a:a9 brd ff:ff:ff:ff:ff:ff inet 192.168.0.101/24 brd 192.168.0.255 scope global eth0 valid_lft forever preferred_lft forever inet 192.168.0.100/32 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::5054:ff:fef7:2aa9/64 scope link valid_lft forever preferred_lft forever
Apache Installation
On the httpd1/httpd2 servers, follow the instructions for the Apache installation.
Create a file called index.html in the /var/www/html directory on the httpd1 server and paste the following line:
Test httpd1
Do the same operation on the httpd2 server but replace “httpd1” with “httpd2” in the index.html file.
From another server, test the configuration:
# yum install -y elinks # elinks http://192.168.0.100
HAProxy Intricacies
In some cases, because HaProxy tries to bind to an IP address that doesn’t exist on any interfaces, it doesn’t start and displays an error message like “Starting proxy stats: cannot bind socket“.
The solution is to create a file called /etc/sysctl.d/10-haproxy.conf and paste the following line:
net.ipv4.ip_nonlocal_bind=1
Then, update the configuration:
# sysctl -p
Note1: There is a page dedicated to kernel runtime parameters assignment on this website.
Note2: Additional information about HAProxy boot errors and solutions can be found here.
In some cases, you also need to enable a SELinux boolean to allow HAProxy to bind to non standard ports:
# setsebool -P haproxy_connect_any on
Additional Resources
RedHat documentation provides a guide called RHEL 7 Load Balancer Administration.
Oracle Linux Administrator’s Guide for Release 7 provides a chapter dedicated to HAProxy configuration.
The RedHat CloudForms High Availability Guide provides a chapter about Configuring the HAProxy Load-Balancer.
Note: HAProxy 1.8 is not currently available for RHEL 7 due to a syntax change introduced in this version, breaking the compatibility when parsing the configuration file. Red Hat doesn’t want his customers to experience a production outage after a simple HAProxy upgrade (see details here).
The official HAProxy website offers many interesting articles:
- Smart content switching for news website,
- How to play with maxconn to avoid server slowness or crash,
- Implement HTTP keepalive without killing your apache server,
- Maintain affinity based on SSL session ID,
- Protect your web server against slowloris,
- Send user to the same backend for both HTTP and HTTPS,
- Send users to the same server for imap and smtp,
- Protect Apache against “apache killer” script,
- Benchmarking SSL performance,
- HAProxy load-balancer as a reverse proxy,
- What’s new in HAProxy 1.5-dev7,
- Microsoft Terminal Server / remoteapp load-balancing,
- Fight spam with early talking detection,
- Web traffic limitation,
- How to use a load-balancer as a first row of defense against DDOS,
- Load balancing, affinity, persistence, sticky sessions: what you need to know,
- Enhanced SSL load-balancing with Server Name Indication (SNI) TLS extension,
- Preserve source IP address despite reverse proxies,
- Efficient SMTP relay infrastructure with Postfix and load-balancers
- Use GeoIP database within HAProxy
- HTTP request flood mitigation,
- HAProxy and Varnish comparison,
- HAProxy, Varnish and the single hostname website,
- How to get SSL with HAProxy getting rid of stunnel, stud, nginx or pound,
- How to deal with ecommerce websites,
- What’s New in HAProxy 1.8.
For HAProxy it’s nice to say that it supports a Active-Backup mode.
For example you can have 1 front-end and 1 back-end (multiple front-, back-ends are possible) listening on specific port and to define 1 (or more servers) as primary and 1 (or more for backup) connection. When all primary servers fall down, HAPRoxy will use the backup servers.
Also HAProxy has a Web statistics page to keep an eye on the usage of every interface.
Yes, I plan to bring additional information to this tutorial.