HAProxy

• Check repository for your OS: https://haproxy.debian.net/
• Documentation: http://www.haproxy.org/download/1.7/doc/configuration.txt

Add header if ssl:

http-request add-header X-Forwarded-Proto https if { ssl_fc }

Check config:

haproxy -c -f /etc/haproxy/haproxy.cfg

Log rotation config /etc/logrotate.d/haproxy:

/var/log/haproxy.log {
    daily
    rotate 52
    missingok
    notifempty
    compress
    delaycompress
    postrotate
        invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
    endscript
}

haproxy.cfg:

frontend fe

# HTTP log format format, which is the most advanced for HTTP proxying.
# It provides the same information as the TCP format with some HTTP-specific fields such as the request, the status code, and captures of headers and cookies.
# This format is recommended for HTTP proxies.
   option httplog

backend be

    stick-table type string len 32 size 1M peers haproxy-peers
    # type string len 32 - String 32 characters
    # size 1M - maximum number of entries that can fit in the table. Count approximately 50 bytes per entry, plus the size of a string if any.
    # The size supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.

    # Define a request pattern to associate a user to a server
    stick on req.cook(SERVERID)

    # Define a request pattern matching condition to stick a user to a server
    stick match <pattern> [table <table>] [{if | unless} <cond>]

Proxy to backend depending on hostname. Only https. If hostname rule is not exist - proxy to default backend:

frontend https-front-session
        bind *:443 ssl crt /etc/ssl/key.pem
        bind *:80
        redirect scheme https if !{ ssl_fc }

        default_backend back-session

        acl is_old hdr_end(host) -i old.example.com
        use_backend old_example if is_old

        acl is_new hdr_end(host) -i new.example.com
        use_backend new_example if is_new

SSL backend:

backend be
    balance roundrobin
    server s1 example.com:443 check ssl verify none
# ssl verify none - without ssl verification

HATop

HATop is an interactive ncurses client and real-time monitoring, statistics displaying tool for the HAProxy TCP/HTTP load balancer.

http://feurix.org/projects/hatop/

First of all, make sure you have the stats socket enabled in the haproxy config:

global
  stats socket /run/haproxy/admin.sock mode 0600 level admin

That’s all you need to use HATop:

sudo hatop -s /run/haproxy/admin.sock

HAProxy + LetsEncrypt

sudo apt install letsencrypt

haproxy.cfg:

frontend https-front-session
        bind *:443 ssl crt /etc/ssl/le/one.example.com.pem crt /etc/ssl/le/two.example.com.pem
        bind *:80

        redirect scheme https if !{ ssl_fc }

        default_backend back-session

        acl is_le path_beg /.well-known/acme-challenge/
        acl is_old hdr_end(host) -i one.example.com
        acl is_new hdr_end(host) -i two.example.com

        # Order is important
        use_backend le if is_le
        use_backend b1 if is_old
        use_backend b2 if is_new

backend le
        server letsencrypt 127.0.0.1:54321

Get cert:

sudo letsencrypt certonly --agree-tos --renew-by-default --standalone-supported-challenges http-01 --http-01-port 54321 -d <one.example.com>

renewal.sh:

#!/bin/sh

letsencrypt renew --agree-tos --standalone-supported-challenges http-01 --http-01-port 54321

DOMAIN=<one.example.com>
cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/ssl/le/$DOMAIN.pem

DOMAIN=<two.example.com>
cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/ssl/le/$DOMAIN.pem

service haproxy reload

Geolocation

• http://agiletesting.blogspot.com/2014/01/geolocation-detection-with-haproxy.html
• http://blog.haproxy.com/2012/07/02/use-geoip-database-within-haproxy/

Sticky session

• http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
• https://docs.oracle.com/cd/E37670_01/E41138/html/section_jyh_zhz_4r.html