HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites and powers quite a number of the world's most visited ones. Over the years it has become the de-facto standard open-source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. Since it does not advertise itself, we only know it's used when the admins report it 🙂
This tutorial needs you to install
We need 4 servers:
server1.domain.com 192.168.1.1 (Centminmod installed) (Galera Cluster)
server2.domain.com 192.168.1.2 (Centminmod installed) (Galera Cluster)
server3.domain.com 192.168.1.3 (Centminmod installed) (Galera Cluster)
server4.domain.com 192.168.1.4 (HAProxy installed) (MaxScale)
Let's proceed with the HAProxy setup on 192.168.1.4:
wget http://www.haproxy.org/download/2.1/src/haproxy-2.1.7.tar.gz
tar zxvf haproxy-2.1.7.tar.gz
cd haproxy-2.1.7
yum install epel-release -y
yum install -y make gcc perl pcre-devel zlib-devel openssl-devel systemd-devel
make \
TARGET=linux-glibc USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_PCRE=1 USE_PCRE_JIT=1 \
USE_OPENSSL=1 USE_SYSTEMD=1 SSL_INC=/usr/include SSL_LIB=/usr/lib ADDLIB=-ldl \
CFLAGS="-O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18"
make install
cp /usr/local/sbin/haproxy /usr/sbin/haproxy
useradd --system haproxy
mkdir /run/haproxy
mkdir /etc/haproxy
cd /etc/haproxy
Create the HAProxy service unit. The heredoc delimiter is quoted so the shell does not expand $CONFIG, $PIDFILE and $MAINPID before systemd sees them:
cat > /usr/lib/systemd/system/haproxy.service <<'EOF'
[Unit]
Description=HAProxy Load Balancer
After=network.target

[Service]
# Extra daemon options (OPTIONS=...) come from the sysconfig file created below
EnvironmentFile=-/etc/sysconfig/haproxy
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid"
# /run is a tmpfs; let systemd recreate /run/haproxy (the stats socket directory) on every boot
RuntimeDirectory=haproxy
ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS
ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $OPTIONS
ExecReload=/usr/sbin/haproxy -f $CONFIG -c -q $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=notify

[Install]
WantedBy=multi-user.target
EOF
cat > /etc/sysconfig/haproxy <<'EOF'
# Add extra options to the haproxy daemon here. This can be useful for
# specifying multiple configuration files with multiple -f options.
# See haproxy(1) for a complete list of options.
OPTIONS=""
EOF
Start the HAProxy service:
systemctl daemon-reload
systemctl start haproxy
Create the HAProxy configuration (we are still in /etc/haproxy):
vi haproxy.cfg
In the example below, change bind *:443 ssl crt /etc/letsencrypt/live/web.bullten.work/web.bullten.work.pem alpn h2,http/1.1 to point at your own Let's Encrypt certificate. How to generate that certificate is shown further down.
global
    log 127.0.0.1:514 local0
    # chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    # user haproxy
    # group haproxy
    daemon
    # Tuning
    maxconn 4096 # max connections, should match or exceed your nginx servers
    nbproc 4 # number of CPUs
    # CPU Affinity
    #cpu-map 1 0 # first number is 1-indexed process, second is 0-indexed core
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client 50s
    timeout server 50s

#---------------------------------------------------------------------
# FrontEnd Configuration
#---------------------------------------------------------------------
frontend main
    bind *:80
    mode http
    option http-server-close
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    http-request redirect scheme https code 301 if ! letsencrypt-acl

frontend https
    mode http
    bind *:443 ssl crt /etc/letsencrypt/live/web.bullten.work/web.bullten.work.pem alpn h2,http/1.1
    option forwardfor
    # http-request track-sc0 src table per_ip_rates
    # http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }
    # acl from_cf src -f /etc/haproxy/cloudflare_ips.lst
    # http-request set-src req.hdr(CF-Connecting-IP) if from_cf
    default_backend app-main

# backend per_ip_rates
#     stick-table type ip size 1m expire 10m store http_req_rate(60s)

# LE Backend
backend letsencrypt-backend
    mode http
    server letsencrypt 127.0.0.1:8888

#---------------------------------------------------------------------
# BackEnd roundrobin as balance algorithm
#---------------------------------------------------------------------
backend app-main
    mode http
    balance roundrobin # Balance algorithm
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost # Check the server application is up and healthy - 200 status code
    #timeout queue 10s
    server nginx1 192.168.1.1:443 check ssl verify none # Nginx1
    server nginx2 192.168.1.2:443 check ssl verify none # Nginx2
    server nginx3 192.168.1.3:443 check ssl verify none backup # Nginx3

listen stats
    ## HAProxy stats web gui.
    bind :9000
    mode http
    stats enable
    stats uri /haproxy_stats
    stats realm HAProxy\ Statistics
    stats auth haproxy:haproxy
    stats admin if TRUE
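The stats socket in the global section and the check flags on the backend servers give you a machine-readable view of backend health; the stats web GUI is only one consumer of it. The following POSIX shell script is an added example and not part of the original tutorial: it sends "show stat" to the admin socket (via socat, which is assumed to be installed and is not mentioned on the page) and lists every server whose status is not UP. It finds the status column from the CSV header instead of hard-coding its position, and falls back to a constructed sample of the CSV when no socket is present, so it can be run offline.

```shell
#!/bin/sh
# Added example: report backend servers that are not UP, using HAProxy's
# "show stat" CSV from the admin socket configured in haproxy.cfg.

# Constructed sample of "show stat" output (real output has many more columns;
# only the header and the per-server 'status' column are used below).
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,
main,FRONTEND,,,0,1,4096,3,300,900,0,0,0,,,,,OPEN,
app-main,nginx1,0,0,0,2,,10,1000,5000,,0,,0,0,0,0,UP,
app-main,nginx2,0,0,0,1,,9,900,4800,,0,,1,0,0,0,DOWN,
app-main,nginx3,0,0,0,0,,0,0,0,,0,,0,0,0,0,MAINT,
app-main,BACKEND,0,0,0,2,410,19,1900,9800,0,0,,1,0,0,0,UP,'

# Fetch the CSV from the admin socket; needs socat (assumed, not from the page).
# Falls back to the constructed sample so the script also runs without HAProxy.
haproxy_show_stat() {
    sock="${1:-/run/haproxy/admin.sock}"
    if [ -S "$sock" ] && command -v socat >/dev/null 2>&1; then
        printf 'show stat\n' | socat stdio "$sock"
    else
        printf '%s\n' "$SAMPLE_STAT"
    fi
}

# Read the CSV on stdin and print "backend/server status" for each real server
# (the FRONTEND/BACKEND summary rows are skipped) whose status is anything but UP.
unhealthy_servers() {
    awk -F',' '
        /^# / { sub(/^# /, ""); for (i = 1; i <= NF; i++) if ($i == "status") col = i; next }
        col && NF >= col && $1 != "" && $2 != "FRONTEND" && $2 != "BACKEND" && $col != "UP" {
            print $1 "/" $2 " " $col
        }
    '
}

# Exit non-zero when any server is unhealthy, so this can sit in cron or a monitor.
check_backends() {
    bad=$(haproxy_show_stat "$1" | unhealthy_servers)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Print the report when run directly (optional first argument: socket path).
haproxy_show_stat "${1:-}" | unhealthy_servers
```

Against the constructed sample the report reads "app-main/nginx2 DOWN" and "app-main/nginx3 MAINT"; on the real box run it as sh haproxy-health.sh /run/haproxy/admin.sock. Because the socket is mode 660 and HAProxy runs as root with the user/group lines commented out, the script has to run as root or as a member of the socket's group.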
How to generate a Let's Encrypt certificate for HAProxy. Replace web.bullten.work with your domain and reference the generated certificate in the config above. Certbot's standalone HTTP-01 challenge listens on port 8888 here, which is where the letsencrypt-backend in the config forwards /.well-known/acme-challenge/ requests.
yum install epel-release -y
yum install certbot -y
sudo certbot certonly --standalone -d web.bullten.work \
--non-interactive --agree-tos --email [email protected] \
--http-01-port=8888
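certbot certonly stores fullchain.pem and privkey.pem as separate files under /etc/letsencrypt/live/<domain>/, while the crt directive in the config above names a single file, because HAProxy expects the certificate chain and the private key in one pem. The script below is an added example, not part of the original tutorial: it builds that combined file with owner-only permissions, sanity-checks it, and shows the command sequence for validating and reloading HAProxy afterwards. It assumes certbot's standard directory layout; the constructed live directory it can create for offline testing holds placeholder text, not real key material.

```shell
#!/bin/sh
# Added example: join certbot's fullchain.pem and privkey.pem into the single
# file referenced by 'bind *:443 ssl crt' in haproxy.cfg, without ever leaving
# the private key world-readable.

# Domain and live directory from the tutorial; override via the environment.
DOMAIN="${DOMAIN:-web.bullten.work}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"

# Write <live>/<name>.pem via a temp file in a subshell with umask 077, so the
# key is owner-readable only from the moment the file exists. Prints the path.
build_haproxy_pem() {
    live="$1"
    out="$live/$(basename "$live").pem"
    [ -r "$live/fullchain.pem" ] && [ -r "$live/privkey.pem" ] || return 1
    ( umask 077 && cat "$live/fullchain.pem" "$live/privkey.pem" > "$out.tmp" ) || return 1
    mv "$out.tmp" "$out" && chmod 600 "$out" || return 1
    printf '%s\n' "$out"
}

# Cheap structural check: a usable HAProxy pem carries at least one certificate
# block and one private-key block.
pem_looks_complete() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# Stronger check when openssl is present: the key must belong to the leaf
# certificate (first block in the file). Skipped when openssl is unavailable.
pem_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed stand-in for certbot's live/<domain>/ tree so the functions above
# can be exercised offline; the PEM bodies are placeholders, not key material.
make_constructed_live_dir() {
    d="$(mktemp -d)/web.example.test"
    mkdir -p "$d"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT-BODY' '-----END CERTIFICATE-----' > "$d/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY-BODY' '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    printf '%s\n' "$d"
}

# Real deployment, run as root after certbot has issued the certificate:
#   pem=$(build_haproxy_pem "$LIVE_DIR") && pem_looks_complete "$pem" \
#     && pem_key_matches_cert "$pem" \
#     && haproxy -c -f /etc/haproxy/haproxy.cfg && systemctl reload haproxy
```

The same sequence works as a renewal hook (certbot renew --deploy-hook /path/to/this-script.sh, a real certbot option that the tutorial does not use), which keeps the combined pem current after each automatic renewal; the haproxy -c step is what stops a broken file from taking the listener down on reload.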
Restart HAProxy:
systemctl restart haproxy
To open the HAProxy stats GUI:
http://192.168.1.4:9000/haproxy_stats
user: haproxy
pass: haproxy