Difference between revisions of "Haproxy"

From HoerupWiki
Latest revision as of 08:41, 4 November 2011

Haproxy as content switch

global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        #log loghost    local0 info
        maxconn 4096
        #chroot /usr/share/haproxy
        user haproxy
        group haproxy
        #uid 80
        #gid 80
        daemon
        #debug
        #quiet

defaults
        log     global
        mode    http
        option  httplog
        option  forwardfor
        option  dontlognull
        retries 3
        option  redispatch
        timeout connect 5000    # written "contimeout 5000" in older configs; that keyword is deprecated
        timeout client  50000   # was "clitimeout 50000"
        timeout server  50000   # was "srvtimeout 50000"


frontend test-1
    bind 0.0.0.0:88
    acl glassfish hdr_beg(host) app.t-hoerup.dk
    acl transmission hdr_beg(host) t.t-hoerup.dk
    acl donkey hdr_beg(host) donkey.t-hoerup.dk
    acl glassfish-dev hdr_beg(host) app2.t-hoerup.dk

    use_backend be_donkey if donkey
    use_backend be_transmission if transmission
    use_backend be_glassfish_dev if glassfish-dev
    use_backend be_glassfish if glassfish
    default_backend be_apache
#    use_backend be_apache unless glassfish

#if this were a "listen" section instead of a frontend section, the dispatch statement could be used directly here:
#    dispatch 192.168.10.5:9091 if transmission
#    dispatch 192.168.10.5:4080 if donkey
#    dispatch 192.168.10.10:8080 if glassfish-pumba
#    dispatch 192.168.10.5:80

backend be_donkey
    dispatch 192.168.10.5:4080

backend be_transmission
    dispatch 192.168.10.5:9091

backend be_glassfish_dev
    dispatch 192.168.10.10:8080

backend be_glassfish #if you want http-check you must use a loadbalancing setup like this
    option httpchk /
    balance roundrobin
    server glassfish1 192.168.10.5:8080 check inter 2000   # "server" needs a name before the address

backend be_apache
    stats enable
    stats uri /haproxy
    dispatch 192.168.10.5:80


logging

Since haproxy issues new HTTP requests to the backends, the backend systems see haproxy as the client. To circumvent this, put these options in haproxy (e.g. under defaults):

        reqidel ^X-Forwarded-For:.*   #delete any client-supplied X-Forwarded-For header (it cannot be trusted) before option forwardfor adds its own; haproxy 2.1+ dropped reqidel, use "http-request del-header X-Forwarded-For" there
        option forwardfor             #add an X-Forwarded-For header carrying the client address for the servers
        option httpclose              #close after each request so the header is added to every request, not only to the first one on a keep-alive connection
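As an added illustration (not from the wiki), the Python below models what the backend receives in X-Forwarded-For with and without the reqidel line, and shows how a backend should pick the client address: start from the TCP peer and walk the list from the right, skipping the proxies it trusts. The haproxy address 192.168.10.5 comes from the config above; the trusted 192.168.10.0/24 range and the 10.0.0.1 / 203.0.113.7 addresses are constructed for the example.

```python
import ipaddress

# Constructed for this example: the network the backend treats as trusted
# proxies (the haproxy host 192.168.10.5 from the config lives in it).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.10.0/24")]


def haproxy_xff(client_supplied, peer_ip, delete_existing):
    """X-Forwarded-For value the backend receives from haproxy.

    client_supplied: header value the client sent (None if none).
    peer_ip: address haproxy accepted the TCP connection from.
    delete_existing: True models "reqidel ^X-Forwarded-For:.*" running before
    "option forwardfor". forwardfor adds its own header line; HTTP folds
    repeated header lines into one comma-separated list, so without the
    delete the client-supplied value survives at the front of the list.
    """
    hops = [client_supplied] if client_supplied and not delete_existing else []
    return ", ".join(hops + [peer_ip])


def naive_client_ip(xff):
    """A backend that blindly takes the first entry is fooled by a spoofed header."""
    return xff.split(",")[0].strip()


def client_ip(xff, remote_addr, trusted=TRUSTED_PROXIES):
    """Pick the client address safely: start from the TCP peer and walk the
    list right to left, skipping hops we trust. The first untrusted hop is the
    client; anything left of it was written by an untrusted party."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was a trusted proxy


if __name__ == "__main__":
    spoofed, real = "10.0.0.1", "203.0.113.7"  # constructed addresses
    without = haproxy_xff(spoofed, real, delete_existing=False)
    print(without, "->", naive_client_ip(without))           # fooled by the spoofed entry
    print(without, "->", client_ip(without, "192.168.10.5"))  # real client
    print(haproxy_xff(spoofed, real, delete_existing=True))   # what reqidel leaves
```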

You also need to make the backend servers understand the X-Forwarded-For header:

apache

You can either use a module that makes Apache interpret the X-Forwarded-For header as the real remote IP (Apache 2.2: mod_rpaf; Apache 2.3+: mod_remoteip), or rewrite the LogFormat directives and replace "%h" (remote host) with "%{X-Forwarded-For}i".

glassfish

Configuration -> HTTP Service -> Access Logging -> Format: replace %client.name% with %header.x-forwarded-for%

Tomcat users may want to look into RemoteIpValve (http://blog.techstacks.com/2010/01/tomcat-6-remoteipvalve.html).


SSL

Haproxy can not decrypt SSL connections, so if you need HTTPS you can set up a stunnel (http://www.stunnel.org/) service in front of haproxy, which decrypts the SSL and forwards the requests to haproxy. If you use the "proxy" protocol included in stunnel 4.45 and haproxy 1.5, stunnel can forward the client's IP address to haproxy.