{"id":3417,"date":"2014-01-10T16:19:03","date_gmt":"2014-01-10T21:19:03","guid":{"rendered":"http:\/\/appcrawler.com\/wordpress\/?p=3417"},"modified":"2014-10-31T09:21:55","modified_gmt":"2014-10-31T14:21:55","slug":"haproxy-setup","status":"publish","type":"post","link":"http:\/\/appcrawler.com\/wordpress\/2014\/01\/10\/haproxy-setup\/","title":{"rendered":"HAProxy setup"},"content":{"rendered":"<p>I wanted to have a deeper understanding of load balancing.<\/p>\n<p>I tested with several different open source products, but the most recent release of HAProxy (1.5.21) was the easiest to get running.<\/p>\n<p>I wanted to test the following on RHEL 6 with JBOSS backend application servers:<\/p>\n<p>Browser &#8211;> load balancer &#8211;> web application server<\/p>\n<p>Functionally, I wanted the following:<\/p>\n<p>1) load balancer to maintain session persistence by means of an application server cookie<br \/>\n2) terminate HTTP SSL traffic on the load balancer<br \/>\n3) Run SSL on the backend application server, so traffic is encrypted on each hop above (it&#8217;s the internal users you worry about \ud83d\ude42 )<\/p>\n<p>As such, HAProxy needs a certificate on the load balancer to terminate SSL traffic from the browser.  
It also needs to decrypt the traffic so it can read the cookie used for session persistence, then forward the request as SSL to the web server.<\/p>\n<p>I installed openssl from the RPM repository:<\/p>\n<pre lang=\"text\">\r\nyum install openssl\r\nyum install openssl-devel\r\n<\/pre>\n<p>I created a key as follows:<\/p>\n<pre lang=\"text\">\r\nopenssl genrsa -out \/etc\/ssl\/certs\/private.key 2048\r\nopenssl req -new -x509 -key \/etc\/ssl\/certs\/private.key -out \/etc\/ssl\/certs\/cert.pem -days 432\r\ncat \/etc\/ssl\/certs\/private.key \/etc\/ssl\/certs\/cert.pem > \/etc\/haproxy.pem\r\n<\/pre>\n<p>For our simple testing, you can take all defaults (even the &#8220;empty&#8221; ones) when prompted above.<\/p>\n<p>I then compiled haproxy from source.<\/p>\n<pre lang=\"text\">\r\nmake TARGET=linux2628 CPU=native USE_OPENSSL=1 USE_ZLIB=1\r\nmake install\r\n<\/pre>\n<p>For an HAProxy configuration file, I used what is below, which worked absolutely flawlessly for both session persistence and SSL forwarding to the backend servers.<\/p>\n<pre lang=\"text\">\r\nglobal\r\n  daemon #daemonize process in the background\r\n  log \/dev\/log local0 info\r\n  log \/dev\/log local0 notice\r\n  user            somelowprivuser #setuid() call, as we don't want to run as root\r\n\r\ndefaults\r\n  option forwardfor #send X-Forwarded-For in header, to represent \"real\" client IP (True-Client-IP in Akamai)\r\n  option http-server-close\r\n  option httplog #log detail similar to standard HTTP log format in Apache\r\n  log             global\r\n  timeout client 10s #HTTP 504 if set too low\r\n  timeout connect 10s #HTTP 408 if set too low\r\n  timeout server 10s #HTTP 504 if set too low\r\n\r\nfrontend ft_web\r\n  bind 0.0.0.0:80\r\n  mode http\r\n  default_backend bk_web\r\n\r\nfrontend ft_webssl\r\n  bind *:443 ssl crt \/etc\/haproxy.pem\r\n  mode http\r\n  default_backend bk_webssl\r\n\r\nbackend bk_web\r\n  mode http\r\n  balance roundrobin\r\n  cookie JSESSIONID prefix\r\n  server serv01 1.28.38.148:10180 cookie a1 check 
#in F5, this is similar to a pool member (node and service)\r\n  server serv02 1.28.38.153:10180 cookie b1 check #in F5, this is similar to a pool member (node and service)\r\n\r\nbackend bk_webssl\r\n  mode http\r\n  balance roundrobin\r\n  cookie JSESSIONID prefix\r\n  server serv01 1.28.38.148:10543 cookie a1 check ssl #in F5, this is similar to a pool member (node and service)\r\n  server serv02 1.28.38.153:10543 cookie b1 check ssl #in F5, this is similar to a pool member (node and service)\r\n<\/pre>\n<p>I also added the following lines to \/etc\/rsyslog.conf (RHAT 6)<\/p>\n<pre lang=\"text\">\r\nlocal0.*                                                \/var\/log\/haproxy.log\r\nlocal1.*                                                \/var\/log\/haproxy.log\r\n<\/pre>\n<p>&#8230;then restarted rsyslog&#8230;<\/p>\n<pre lang=\"text\">\r\n[root@box01 etc]# service rsyslog restart\r\nShutting down system logger:                               [  OK  ]\r\nStarting system logger:                                    [  OK  ]\r\n[root@box01 etc]#\r\n<\/pre>\n<p>After this, I started haproxy with the following command line&#8230;<\/p>\n<pre lang=\"text\">\r\nhaproxy -f \/etc\/hap2.cfg\r\n<\/pre>\n<p>&#8230;and all was well with the world.<\/p>\n<p>You can view the log data, which will be similar to Apache style logging, by reading \/var\/log\/haproxy.log.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I wanted to have a deeper understanding of load balancing. I tested with several different open source products, but the most recent release of HAProxy (1.5.21) was the easiest to get running. 
I wanted to test the following on RHEL&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"http:\/\/appcrawler.com\/wordpress\/2014\/01\/10\/haproxy-setup\/\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[51,13],"tags":[],"_links":{"self":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/3417"}],"collection":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/comments?post=3417"}],"version-history":[{"count":24,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/3417\/revisions"}],"predecessor-version":[{"id":4508,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/posts\/3417\/revisions\/4508"}],"wp:attachment":[{"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/media?parent=3417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/categories?post=3417"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/appcrawler.com\/wordpress\/wp-json\/wp\/v2\/tags?post=3417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}