HAProxy as Single Point of Failure Node With GlusterFS and MariaDB MaxScale Cluster


HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard open-source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. Since it does not advertise itself, we only know it's used when the admins report it 🙂

This tutorial needs you to install

We need 4 servers:

server1.domain.com (Centminmod Installed) (Galera Cluster)

server2.domain.com (Centminmod Installed) (Galera Cluster)

server3.domain.com (Centminmod Installed) (Galera Cluster)

server4.domain.com (HAProxy Installed) (MaxScale)

Let's proceed with the HAProxy setup on the fourth server (the HAProxy/MaxScale node).

wget http://www.haproxy.org/download/2.1/src/haproxy-2.1.7.tar.gz
tar zxvf haproxy-2.1.7.tar.gz
cd haproxy-2.1.7
yum install epel-release -y
yum install -y make gcc perl pcre-devel zlib-devel openssl-devel systemd-devel
# HAProxy 2.x refuses to build without a TARGET; linux-glibc is the one for CentOS
make TARGET=linux-glibc \
    USE_OPENSSL=1 USE_SYSTEMD=1 SSL_INC=/usr/include SSL_LIB=/usr/lib ADDLIB=-ldl \
    CFLAGS="-O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18"
make install
cp /usr/local/sbin/haproxy /usr/sbin/haproxy
useradd --system haproxy
mkdir -p /run/haproxy
mkdir -p /etc/haproxy
cd /etc/haproxy

Create haproxy service

cat > /usr/lib/systemd/system/haproxy.service <<'EOF'
[Unit]
Description=HAProxy Load Balancer
After=network-online.target
Wants=network-online.target

[Service]
EnvironmentFile=-/etc/sysconfig/haproxy
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
# /run is tmpfs, so let systemd recreate /run/haproxy on every boot
RuntimeDirectory=haproxy
ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS
ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS
ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
# -Ws (master-worker with sd_notify) needs Type=notify
Type=notify

[Install]
WantedBy=multi-user.target
EOF

The here-document delimiter is quoted ('EOF') so that $CONFIG, $PIDFILE and $MAINPID are written into the unit file literally instead of being expanded by the shell.

cat > /etc/sysconfig/haproxy <<'EOF'
# Add extra options to the haproxy daemon here. This can be useful for
# specifying multiple configuration files with multiple -f options.
# See haproxy(1) for a complete list of options.
OPTIONS=""
EOF

Start the HAProxy service. Note that ExecStartPre validates /etc/haproxy/haproxy.cfg, so the start only succeeds once the configuration created in the next step exists.

systemctl daemon-reload
systemctl start haproxy

Create Haproxy configuration

vi haproxy.cfg

In the example below, replace the certificate in "bind *:443 ssl crt /etc/letsencrypt/live/web.bullten.work/web.bullten.work.pem alpn h2,http/1.1" with your own Let's Encrypt certificate. How to generate that certificate is shown further down.

global
    log /dev/log local0
#    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
#    user haproxy
#    group haproxy

    # Tuning
    maxconn 4096 # max connections, should match or exceed your nginx servers
    nbproc  4    # number of CPUs
    # CPU Affinity
    #cpu-map 1 0 # first number is 1-indexed process, second is 0-indexed core

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# FrontEnd Configuration
frontend main
    bind *:80
    mode http
    option http-server-close

    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    http-request redirect scheme https code 301 if ! letsencrypt-acl

frontend https
    mode http
    bind *:443 ssl crt /etc/letsencrypt/live/web.bullten.work/web.bullten.work.pem alpn h2,http/1.1

    option forwardfor

#    http-request track-sc0 src table per_ip_rates
#    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }

#    acl from_cf    src -f /etc/haproxy/cloudflare_ips.lst
#    http-request set-src req.hdr(CF-Connecting-IP) if from_cf

    default_backend app-main

# backend per_ip_rates
# stick-table type ip size 1m expire 10m store http_req_rate(60s)

# LE Backend: forwards ACME HTTP-01 challenges to the port certbot --standalone listens on
backend letsencrypt-backend
    mode http
    server letsencrypt 127.0.0.1:8888   # placeholder address (not given on the page); match certbot's --http-01-port

# BackEnd roundrobin as balance algorithm
backend app-main
    mode http
    balance roundrobin                                     #Balance algorithm
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost    #Check the server application is up and healthy - 200 status code
    #timeout queue 10s
    # SERVERn_IP are placeholders for the addresses of server1-3.domain.com (not given on the page).
    # "verify none" skips certificate checks on the backend leg; use "verify required" with a ca-file
    # unless the backends are reached over a trusted network.
    server nginx1 SERVER1_IP:443 check ssl verify none          #Nginx1
    server nginx2 SERVER2_IP:443 check ssl verify none          #Nginx2
    server nginx3 SERVER3_IP:443 check ssl verify none backup   #Nginx3

listen stats
## HAProxy stats web gui.
    bind      :9000               # listens on every interface: firewall this port or bind it to a management address
    mode http
    stats enable
    stats uri /haproxy_stats
    stats realm HAProxy Statistics
    stats auth haproxy:haproxy    # default credentials from this tutorial: change them
    stats admin if TRUE           # anyone who can log in may disable or drain backend servers
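As an added example that is not part of the original page, the script below reads the CSV that the admin socket declared in the global section returns for "show stat" and lists every backend server that is not UP, which is the quickest way to notice that one of the nginx nodes has dropped out of rotation. It assumes socat is installed for the live query; the embedded sample CSV is constructed.

```shell
#!/bin/sh
# Added example: list backend servers that are not UP, using the "show stat"
# CSV from the admin socket declared above (stats socket /run/haproxy/admin.sock).
# The CSV has a fixed column layout; the columns used here are
# 1 = pxname (backend name), 2 = svname (server name), 18 = status.

# report_not_up: read "show stat" CSV on stdin, print "backend/server status"
# for each real server whose status is not exactly UP. FRONTEND/BACKEND
# aggregate rows are skipped; transitional states such as "UP 1/3" (about to
# go down) and "DOWN 2/3" (coming back) are reported, as are MAINT and DOWN.
report_not_up() {
    awk -F, '
        /^#/ { next }                                 # header row
        $2 == "FRONTEND" || $2 == "BACKEND" { next }  # aggregate rows
        $18 != "UP" { printf "%s/%s %s\n", $1, $2, $18 }
    '
}

# fetch_stats: query the live socket (needs socat; the socket is mode 660,
# so run as root). Usage: fetch_stats | report_not_up
fetch_stats() {
    printf 'show stat\n' | socat stdio UNIX-CONNECT:/run/haproxy/admin.sock
}

# Constructed sample in the real "show stat" layout, cut after the status
# column: the three servers of the app-main backend, with the backup nginx3 DOWN.
SAMPLE='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,
app-main,nginx1,0,0,1,5,,120,1000,5000,0,0,0,0,0,0,0,UP,
app-main,nginx2,0,0,0,4,,100,900,4000,0,0,0,0,0,0,0,UP,
app-main,nginx3,0,0,0,0,,0,0,0,0,0,0,0,0,0,0,DOWN,
app-main,BACKEND,0,0,1,5,400,220,1900,9000,0,0,,0,0,0,0,UP,'

# "live" queries the running HAProxy; anything else runs against the sample.
if [ "${1:-}" = "live" ]; then
    fetch_stats | report_not_up
else
    printf '%s\n' "$SAMPLE" | report_not_up    # prints: app-main/nginx3 DOWN
fi
```

Run it as "sh check_backends.sh live" from cron or a monitoring agent and alert on any output.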

How to generate a Let's Encrypt certificate for HAProxy. Replace web.bullten.work with your domain and point the bind line in the config above at the generated certificate.

yum install epel-release -y
yum install certbot -y

sudo certbot certonly --standalone -d web.bullten.work \
    --non-interactive --agree-tos --email [email protected]

Two things to keep in mind: HAProxy already owns port 80, so certbot's standalone listener has to run on the port that the letsencrypt-backend above forwards to (certbot's --http-01-port option), and certbot writes fullchain.pem and privkey.pem as separate files whereas HAProxy's crt directive expects one file containing both, so the chain and the key must be concatenated (chain first, key last) into the web.bullten.work.pem path used in the bind line, with that file readable by root only.
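The following deploy hook, an added example rather than something from the original page, builds that combined PEM with root-only permissions and reloads HAProxy only after the configuration still passes haproxy -c. It assumes certbot's /etc/letsencrypt/live/<domain>/ layout and the haproxy and systemctl binaries from this tutorial.

```shell
#!/bin/sh
# Added example: build the single PEM that "bind ... ssl crt" above expects
# from certbot's fullchain.pem + privkey.pem, keep it root-readable only, and
# reload HAProxy only if the configuration still passes "haproxy -c".
# Assumes certbot's /etc/letsencrypt/live/<domain>/ layout and the page's paths.

# build_bundle CHAIN KEY OUT: write CHAIN followed by KEY to OUT (HAProxy reads
# the certificate chain first and the private key last). Returns 1 and writes
# nothing when either input is missing or empty.
build_bundle() {
    chain="$1"; key="$2"; out="$3"
    [ -s "$chain" ] && [ -s "$key" ] || return 1
    # The bundle holds the private key: create it 0600 (umask only in a subshell),
    # then move it into place atomically so HAProxy never reads a half-written file.
    ( umask 077; cat "$chain" "$key" > "$out.tmp" ) && mv "$out.tmp" "$out"
}

# deploy: what certbot runs as --deploy-hook. Certbot exports RENEWED_LINEAGE;
# otherwise fall back to the domain used on this page.
deploy() {
    lineage="${RENEWED_LINEAGE:-/etc/letsencrypt/live/web.bullten.work}"
    name="$(basename "$lineage")"
    build_bundle "$lineage/fullchain.pem" "$lineage/privkey.pem" "$lineage/$name.pem" || return 1
    # Never reload onto a broken configuration: validate first, then reload.
    haproxy -c -q -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy
}

# Run the deployment only when invoked as "deploy"; sourcing the file is harmless.
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

Pass it to certbot as --deploy-hook "/path/to/this-script.sh deploy" so every renewal rebuilds the bundle before HAProxy is reloaded.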

Restart haproxy

systemctl restart haproxy

To check the HAProxy stats GUI, browse to http://<haproxy-host>:9000/haproxy_stats (the bind and stats uri from the listen stats section) and log in with:
user: haproxy
pass: haproxy

These are the defaults from the config above; change them and restrict port 9000 to your management network, because the stats admin directive lets anyone who can log in disable or drain backend servers.