HAProxy¶
- Check repository for your OS: https://haproxy.debian.net/
- Documentation: http://www.haproxy.org/download/1.7/doc/configuration.txt
Add header if ssl:
http-request add-header X-Forwarded-Proto https if { ssl_fc }
Check config:
haproxy -c -f /etc/haproxy/haproxy.cfg
Log rotation config /etc/logrotate.d/haproxy
:
/var/log/haproxy.log {
daily
rotate 52
missingok
notifempty
compress
delaycompress
postrotate
invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
endscript
}
haproxy.cfg:
frontend fe
# HTTP log format format, which is the most advanced for HTTP proxying.
# It provides the same information as the TCP format with some HTTP-specific fields such as the request, the status code, and captures of headers and cookies.
# This format is recommended for HTTP proxies.
option httplog
backend be
stick-table type string len 32 size 1M peers haproxy-peers
# type string len 32 - String 32 characters
# size 1M - maximum number of entries that can fit in the table. Count approximately 50 bytes per entry, plus the size of a string if any.
# The size supports suffixes "k", "m", "g" for 2^10, 2^20 and 2^30 factors.
# Define a request pattern to associate a user to a server
stick on req.cook(SERVERID)
# Define a request pattern matching condition to stick a user to a server
stick match <pattern> [table <table>] [{if | unless} <cond>]
Proxy to backend depending on hostname. Only https. If hostname rule is not exist - proxy to default backend:
frontend https-front-session
bind *:443 ssl crt /etc/ssl/key.pem
bind *:80
redirect scheme https if !{ ssl_fc }
default_backend back-session
acl is_old hdr_end(host) -i old.example.com
use_backend old_example if is_old
acl is_new hdr_end(host) -i new.example.com
use_backend new_example if is_new
SSL backend:
backend be
balance roundrobin
server s1 example.com:443 check ssl verify none
# ssl verify none - without ssl verification
HATop¶
HATop is an interactive ncurses client and real-time monitoring, statistics displaying tool for the HAProxy TCP/HTTP load balancer.
http://feurix.org/projects/hatop/
First of all, make sure you have the stats socket enabled in the haproxy config:
global
stats socket /run/haproxy/admin.sock mode 0600 level admin
That’s all you need to use HATop:
sudo hatop -s /run/haproxy/admin.sock
HAProxy + LetsEncrypt¶
sudo apt install letsencrypt
haproxy.cfg
:
frontend https-front-session
bind *:443 ssl crt /etc/ssl/le/one.example.com.pem crt /etc/ssl/le/two.example.com.pem
bind *:80
redirect scheme https if !{ ssl_fc }
default_backend back-session
acl is_le path_beg /.well-known/acme-challenge/
acl is_old hdr_end(host) -i one.example.com
acl is_new hdr_end(host) -i two.example.com
# Order is important
use_backend le if is_le
use_backend b1 if is_old
use_backend b2 if is_new
backend le
server letsencrypt 127.0.0.1:54321
Get cert:
sudo letsencrypt certonly --agree-tos --renew-by-default --standalone-supported-challenges http-01 --http-01-port 54321 -d <one.example.com>
renewal.sh
:
#!/bin/sh
letsencrypt renew --agree-tos --standalone-supported-challenges http-01 --http-01-port 54321
DOMAIN=<one.example.com>
cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/ssl/le/$DOMAIN.pem
DOMAIN=<two.example.com>
cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/ssl/le/$DOMAIN.pem
service haproxy reload