From HoerupWiki

Haproxy as content switch

global
        log   local0
        log   local1 notice
        #log loghost    local0 info
        maxconn 4096
        #chroot /usr/share/haproxy
        user haproxy
        group haproxy
        #uid 80
        #gid 80

defaults
        log     global
        mode    http
        option  httplog
        option  forwardfor
        option  dontlognull
        retries 3
        option redispatch
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000

frontend test-1
    # pick a backend by the Host header of the request
    acl glassfish hdr_beg(host) app.t-hoerup.dk
    acl transmission hdr_beg(host) t.t-hoerup.dk
    acl donkey hdr_beg(host) donkey.t-hoerup.dk
    acl glassfish-dev hdr_beg(host) app2.t-hoerup.dk

    use_backend be_donkey if donkey
    use_backend be_transmission if transmission
    use_backend be_glassfish_dev if glassfish-dev
    use_backend be_glassfish if glassfish
    default_backend be_apache
#    use_backend be_apache unless glassfish

# if this was a listen section instead of a frontend section we could use the dispatch statement instead
#    dispatch if transmission
#    dispatch if donkey
#    dispatch if glassfish-pumba
#    dispatch

backend be_donkey
    # server <name> <address:port>

backend be_transmission
    # server <name> <address:port>

backend be_glassfish_dev
    # server <name> <address:port>

backend be_glassfish
    # if you want http-check you must use a load-balancing setup like this
    option httpchk /
    balance roundrobin
    server <name> <address:port> check inter 2000

backend be_apache
    # server <name> <address:port>
    stats enable
    stats uri /haproxy


Since haproxy issues new HTTP requests towards the servers, the backend systems see haproxy as the client. To work around this, put these options in haproxy (e.g. under defaults):

        reqidel X-Forwarded-For #delete any X-Forwarded-For header the client sent before option forwardfor injects its own
        option forwardfor #send the X-Forwarded-For HTTP header (the client's address as seen by haproxy) to the servers
        option httpclose

You also need to make the backend servers understand the X-Forwarded-For header:

Apache: you can either use a module that makes Apache interpret the X-Forwarded-For header as the real remote IP (for Apache 2.2 use mod_rpaf, Apache 2.3+ can use mod_remoteip), or you can rewrite the LogFormat directives and replace "%h" (remote host) with "%{X-Forwarded-For}i".

GlassFish: Configuration -> http service -> access logging -> Format: replace %client.name% with %header.x-forwarded-for%

Tomcat users may want to look into RemoteIpValve.
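As an added illustration (not from the wiki page) of why the reqidel line matters, the following Python model shows what the backend receives with and without it, and how a backend such as mod_remoteip or RemoteIpValve should recover the client address: only trust X-Forwarded-For when the direct peer is the proxy, and take the rightmost entry, which is the one the proxy appended. Header lists, addresses and function names are constructed for this example.

```python
from typing import List, Set, Tuple

Header = Tuple[str, str]
XFF = "x-forwarded-for"


def haproxy_forward(client_ip: str, headers: List[Header], reqidel: bool) -> List[Header]:
    """Headers as the backend receives them from haproxy (constructed model).

    reqidel=True mirrors "reqidel X-Forwarded-For": copies supplied by the
    client are dropped. "option forwardfor" then adds one header carrying
    the TCP peer address haproxy actually saw.
    """
    out = [(n, v) for n, v in headers if not (reqidel and n.lower() == XFF)]
    out.append(("X-Forwarded-For", client_ip))
    return out


def xff_chain(headers: List[Header]) -> List[str]:
    """Flatten every X-Forwarded-For header into one ordered address list."""
    chain: List[str] = []
    for n, v in headers:
        if n.lower() == XFF:
            chain.extend(p.strip() for p in v.split(",") if p.strip())
    return chain


def client_ip(peer_ip: str, headers: List[Header], trusted_proxies: Set[str]) -> str:
    """Address a backend should log: honour X-Forwarded-For only when the
    request arrived from one of our proxies, and use the rightmost entry."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    chain = xff_chain(headers)
    return chain[-1] if chain else peer_ip


def naive_client_ip(peer_ip: str, headers: List[Header]) -> str:
    """Common mistake: take the first address, whoever supplied it."""
    chain = xff_chain(headers)
    return chain[0] if chain else peer_ip
```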


Haproxy can not decrypt SSL connections, so if you need HTTPS you can set up an stunnel service in front of haproxy which decrypts the SSL and forwards the requests to haproxy. If you use the "proxy" protocol included in stunnel 4.45 and haproxy 1.5, stunnel can forward the client's IP address to haproxy.