I wanted to have a deeper understanding of load balancing.
I tested with several different open source products, but the most recent release of HAProxy (1.5.21) was the easiest to get running.
I wanted to test the following on RHEL 6 with JBOSS backend application servers:
Browser –> load balancer –> web application server
Functionally, I wanted the following:
1) load balancer to maintain session persistence by means of an application server cookie
2) terminate HTTPS (SSL/TLS) traffic from the browser on the load balancer
3) Run SSL on the backend application server, so traffic is encrypted on each hop above (it’s the internal users you worry about 🙂 )
As such, HAProxy needs a certificate and private key on the load balancer to terminate SSL traffic from the browser. The session cookie travels inside that encrypted stream, so HAProxy has to terminate SSL before it can read JSESSIONID and pick the right backend; it then opens a new SSL connection to that backend, so the traffic is encrypted again for the second hop.
I installed openssl from the RPM repository:
yum install openssl
yum install openssl-devel
I created a key as follows:
openssl genrsa -out /etc/ssl/certs/private.key 2048   # 2048-bit RSA private key
openssl req -new -x509 -key /etc/ssl/certs/private.key -out /etc/ssl/certs/cert.pem -days 432   # self-signed certificate, valid for 432 days
cat /etc/ssl/certs/private.key /etc/ssl/certs/cert.pem > /etc/haproxy.pem   # HAProxy's crt file is the key and the certificate concatenated into one PEM
For our simple testing you can take all the defaults (even the "empty" ones) when prompted, but set the Common Name to the hostname users will type, because that is the name the browser compares against the certificate (it will still warn, since the certificate is self-signed). Also note that /etc/ssl/certs is a world-readable directory: make sure private.key and /etc/haproxy.pem end up readable only by root (mode 0600). HAProxy reads the bundle while it is still root, before it drops to the unprivileged user set in the config, so root-only permissions do not get in its way.
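The same key-and-bundle steps, as an added example that is not taken from the original post, with the two checks a practitioner does before handing the file to HAProxy: the files are created owner-only, and the key in the bundle really belongs to the certificate. The directory and Common Name are parameters here instead of the fixed /etc/ssl/certs paths above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build the HAProxy PEM bundle with
# restrictive permissions and verify that the key and certificate belong together.
# Directory and CN are parameters (the post itself uses /etc/ssl/certs and /etc/haproxy.pem).

make_bundle() {
    # $1 = directory to write into, $2 = hostname to put in the certificate's CN
    (
        umask 077    # every file created below is 0600, owner-only
        openssl genrsa -out "$1/private.key" 2048 2>/dev/null
        # -subj makes this non-interactive instead of "take the defaults"
        openssl req -new -x509 -key "$1/private.key" -out "$1/cert.pem" \
            -days 432 -subj "/CN=$2" 2>/dev/null
        # HAProxy's 'crt' file is the private key followed by the certificate
        cat "$1/private.key" "$1/cert.pem" > "$1/haproxy.pem"
    )
}

key_matches_cert() {
    # $1 = private key, $2 = certificate: compare the RSA modulus of both,
    # which is identical only when they are the same key pair
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

bundle_mode() {
    # print the permission bits of a file, e.g. 600
    stat -c %a "$1"
}

bundle_cn() {
    # print the subject CN carried by a certificate (works with the openssl 1.0 and 1.1+ output formats)
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# usage (as root):
#   make_bundle /etc/haproxy lb.example.com \
#     && key_matches_cert /etc/haproxy/private.key /etc/haproxy/cert.pem \
#     && echo "bundle OK, mode $(bundle_mode /etc/haproxy/haproxy.pem)"
```

The modulus comparison is the check that catches the most common bundle mistake, concatenating a key with a certificate that was issued for a different key; HAProxy would refuse to load such a file, but the error it prints is less direct than this one.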
I then compiled haproxy from source.
make TARGET=linux2628 CPU=native USE_OPENSSL=1 USE_ZLIB=1   # linux2628 = Linux 2.6.28 or newer, which covers the RHEL 6 (2.6.32) kernel; USE_OPENSSL=1 needs the openssl-devel headers installed above
make install
For an HAProxy configuration file, I used what is below, which worked absolutely flawlessly for both session persistence and SSL forward to the backend servers.
global
    daemon #daemonize the process in the background
    log /dev/log local0 info #traffic lines (option httplog) go to local0
    log /dev/log local1 notice #start/stop and server up/down events go to local1, which the rsyslog rule below also catches
    user somelowprivuser #setuid() after start-up, as we don't want to run as root; the certificate is already loaded by then

defaults
    option forwardfor #add X-Forwarded-For so the backend sees the "real" client IP (same idea as Akamai's True-Client-IP)
    option http-server-close #close the server side after each response, keep the client side alive
    option httplog #log detail similar to the standard Apache HTTP log format
    log global
    timeout client 10s #max client inactivity; too low and clients get HTTP 408 (cR in the log)
    timeout connect 10s #max time to connect to a backend; too low and clients get HTTP 503 (sC in the log)
    timeout server 10s #max time for the backend to respond; too low and clients get HTTP 504 (sH in the log)

frontend ft_web
    bind 0.0.0.0:80
    mode http
    default_backend bk_web

frontend ft_webssl
    bind *:443 ssl crt /etc/haproxy.pem #SSL termination with the key+cert bundle built above
    mode http
    default_backend bk_webssl

backend bk_web
    mode http
    balance roundrobin
    cookie JSESSIONID prefix #persistence: HAProxy prefixes the application's JSESSIONID with the server's cookie value ("a1~...") on the way out and strips it again on the way in
    server serv01 1.28.38.148:10180 cookie a1 check #in F5 terms, a pool member (node and service)
    server serv02 1.28.38.153:10180 cookie b1 check

backend bk_webssl
    mode http
    balance roundrobin
    cookie JSESSIONID prefix
    server serv01 1.28.38.148:10543 cookie a1 check ssl #ssl: re-encrypt to the backend; add "verify required ca-file <ca.pem>" to also authenticate it, or an explicit "verify none" if you accept an encrypted but unauthenticated hop
    server serv02 1.28.38.153:10543 cookie b1 check ssl
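Here is a hardened variant of the same layout, added here as an example and not taken from the original post. It keeps the 1.5 syntax, the backend addresses and the JSESSIONID prefix scheme, but sends plain-HTTP clients to HTTPS instead of serving both, disables SSLv3, pins a 2048-bit DH group and a modern cipher list, verifies the backend servers' certificates against a CA file, and runs HAProxy chrooted under its own account. The paths /etc/haproxy/haproxy.pem, /etc/haproxy/backend-ca.pem and /var/lib/haproxy, and the haproxy user and group, are assumptions: create them before using this.

```haproxy
# Added example (not the original post's config): HAProxy 1.5, hardened variant.
# Assumed paths and account: /etc/haproxy/haproxy.pem (key+cert, mode 0600),
# /etc/haproxy/backend-ca.pem (CA that signed the JBoss certificates),
# /var/lib/haproxy (empty chroot directory), user/group haproxy.
global
    daemon
    log 127.0.0.1 local0 info        # UDP to the local rsyslog; /dev/log is unreachable once chrooted
    log 127.0.0.1 local1 notice
    chroot /var/lib/haproxy          # empty directory, owned by root, mode 0755
    user haproxy
    group haproxy
    stats socket /var/run/haproxy.sock mode 600 level admin   # root-only control socket
    tune.ssl.default-dh-param 2048   # otherwise 1.5 warns and falls back to 1024-bit DH
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!MD5:!RC4
    ssl-default-server-options no-sslv3

defaults
    mode http
    log global
    option httplog
    option forwardfor
    option http-server-close
    timeout client 10s
    timeout connect 5s
    timeout server 30s

frontend ft_web
    bind *:80
    redirect scheme https code 301   # plain HTTP only exists to bounce clients to HTTPS

frontend ft_webssl
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    http-request set-header X-Forwarded-Proto https   # lets JBoss build https:// redirects and secure cookies
    rspadd Strict-Transport-Security:\ max-age=15768000
    default_backend bk_webssl

backend bk_webssl
    balance roundrobin
    cookie JSESSIONID prefix
    # re-encrypt to the backend AND check that we are talking to the server we expect
    server serv01 1.28.38.148:10543 cookie a1 check ssl verify required ca-file /etc/haproxy/backend-ca.pem
    server serv02 1.28.38.153:10543 cookie b1 check ssl verify required ca-file /etc/haproxy/backend-ca.pem
```

Because the process is chrooted, logging goes over UDP to the local rsyslog, which needs $ModLoad imudp, $UDPServerAddress 127.0.0.1 and $UDPServerRun 514 added to /etc/rsyslog.conf. With verify required the backend hop is authenticated, not just encrypted, which is the part that actually addresses the "internal users" concern above; without it, anyone who can redirect traffic on the server network can present any certificate. Run haproxy -c -f on the file before starting it.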
I also added the following lines to /etc/rsyslog.conf (RHEL 6)
# traffic lines (local0) and HAProxy start/stop and server state changes (local1) go to one file
local0.* /var/log/haproxy.log
local1.* /var/log/haproxy.log
# optional: append ;local0.none;local1.none to the *.info selector for /var/log/messages so these lines are not also written there
…then restarted rsyslog…
[root@box01 etc]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@box01 etc]#
After this, I started haproxy with the following command line…
haproxy -f /etc/hap2.cfg   # haproxy -c -f /etc/hap2.cfg first only checks the config and reports errors without starting anything
…and all was well with the world.
The log lines in /var/log/haproxy.log look much like Apache access logs, with HAProxy's extra fields (frontend, backend/server, the five timers and the termination state) telling you which hop handled each request and why it ended.
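Since the termination-state field is what tells you which of the timeouts in the defaults section actually fired, here is a small added example (not from the original post) that tallies it over a few constructed httplog lines. The lines are in the format HAProxy writes with option httplog and no header captures configured, where the termination state is the 15th whitespace-separated field; the sample hosts, addresses and paths are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: pick the termination-state field out of
# HAProxy httplog lines and tally it, so timeout problems show up as cR/sC/sH counts.
# SAMPLE_LOG is constructed for the example: one normal request, one server timeout (sH),
# one client timeout (cR) and one connect timeout (sC), in rsyslog's /var/log/haproxy.log format.
SAMPLE_LOG=$(cat <<'EOF'
Jan 14 10:22:01 box01 haproxy[2119]: 10.10.5.17:51234 [14/Jan/2014:10:22:01.113] ft_webssl~ bk_webssl/serv01 3/0/1/87/91 200 5120 - - ---- 4/4/0/1/0 0/0 "GET /app/ HTTP/1.1"
Jan 14 10:22:09 box01 haproxy[2119]: 10.10.5.17:51240 [14/Jan/2014:10:22:09.402] ft_webssl~ bk_webssl/serv01 2/0/1/10004/10007 504 194 - - sH-- 5/5/0/1/0 0/0 "GET /app/report HTTP/1.1"
Jan 14 10:22:31 box01 haproxy[2119]: 10.10.5.22:60011 [14/Jan/2014:10:22:21.010] ft_webssl~ ft_webssl/<NOSRV> -1/-1/-1/-1/10001 408 212 - - cR-- 3/3/0/0/0 0/0 "<BADREQ>"
Jan 14 10:22:40 box01 haproxy[2119]: 10.10.5.31:44120 [14/Jan/2014:10:22:40.800] ft_webssl~ bk_webssl/serv02 1/0/10003/-1/10005 503 212 - - sC-- 4/4/0/1/0 0/0 "GET /app/ HTTP/1.1"
EOF
)

# Read log lines on stdin; print "<2-char termination code> <count>", one code per line.
# The first two characters say who ended the session (c=client, s=server, -=nobody) and why
# (R=waiting for request, C=connecting, H=waiting for headers, -=normal).
termination_counts() {
    awk '{ c = substr($15, 1, 2); n[c]++ } END { for (c in n) print c, n[c] }'
}

# Read log lines on stdin; print how many have a termination state starting with $1.
count_termination() {
    awk -v code="$1" 'substr($15, 1, 2) == code { n++ } END { print n + 0 }'
}

# Map the common codes to the defaults-section timeout that controls them.
explain_termination() {
    case $1 in
        cR) echo "client timeout while waiting for the request (timeout client, HTTP 408)" ;;
        sC) echo "connect timeout or refused connection to the server (timeout connect, HTTP 503)" ;;
        sH) echo "server timeout while waiting for response headers (timeout server, HTTP 504)" ;;
        --) echo "normal completion" ;;
        *)  echo "other: see the Logging section of the HAProxy configuration manual" ;;
    esac
}

# Read log lines on stdin; print one line per code with its count and meaning.
report() {
    termination_counts | while read -r code count; do
        printf '%-4s %4s  %s\n' "$code" "$count" "$(explain_termination "$code")"
    done
}

# usage on a real box: report < /var/log/haproxy.log
printf '%s\n' "$SAMPLE_LOG" | report
```

A run that shows cR lines means clients (or a slow upstream proxy) are not finishing requests within timeout client; sH lines mean JBoss took longer than timeout server, which is the value to raise for the report-style requests rather than the client or connect timeouts.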