Setup HAProxy

This guide will show you how to use the Garcinia HAProxy package to get HAProxy working with your web server. We are going to show how one can turn two virtual machines into a load balanced HA set.

In this How To, we will be primarily concerned with simple HTTP traffic but HTTPS offload is on our list of to-dos as well.

Warning

The Transparent SSL/HTTPS proxy mode uses a technique also called man-in-the-middle, only configure and use this if your know what you are doing. When configured wrong you may end up in lessing your security defenses significantly instead of enhancing them. Using a transparent https proxy can be a dangerous practice and may not be allowed by the services you use, for instance e-banking.

Step 1 - Setup a virtual IP address that is accessible on the WAN

The first step in the process is to have the WAN interface listen for the IP we want to setup. To do this we go to Firewall -> Virtual IPs and then click the + symbol to add a new record. Here we select IP Alias, WAN, we add our 2.1.1.2/32 test IP and then give it a name.

Step 2 - Setup a HAProxy front end to link to the virtual IP (WAN)

Once we have the address to listen for, we can then setup a frontend for HAProxy to listen for requests on that WAN IP address. Here we want to give it a name set the status to active then set the Listen address to the same 2.1.1.2 IP address as our Virtual IP. We then use port 80 which is the basic. If we were setting up a HTTPS site we would most likely want to setup a port 443 entry in this screen as well. You can see we have the backend server pool setup (which is the next step.) We also have Type HTTP/ HTTPS (offloading). We now have HAProxy setup to listen on an IP address, the next step is to tell HAProxy what to do when it receives a request.

Step 3 - Setup a HAProxy back end to link to point to our HA VMs

We created a LVweb backend to tell HAProxy where it should direct traffic. Here we direct HAProxy’s requests to two virtual machines on our HA cluster. We use Forwardto Address+Port on our two entries and use our internal network IP addresses 10.0.0.2 and 10.0.0.3 both on port 80 to forward traffic. We give them equal weights which should split requests. We use Balane Round robin to distribute traffic.

This is a very simple setup. We can add hundreds of VMs or servers. We can redirect requests and etc. Overall, there are an absolute ton of options to work with here but we are getting this setup with the minimal install. One other note is that we are using basic Health checking. Oftentimes when fairly installations do not work the reason is that health checks are failing. Keep this setting in mind as the package has many options that can be useful for troubleshooting.

One other option we will want later is to setup a stats Uri. Here we just used the example Uri. We do this so we can see what is going on later.

Step 4 - Enable HAProxy

At this point, we have Garcinia and HAProxy installed. We have HAProxy listening on a virtual IP address and we have told HAProxy what to do with those requests. The next step is to enable HAProxy so we can see if it is working. Go to Services -> HAProxy -> Settings and enable HAProxy. You may also want to set a number of connections.

It also may be worth setting an internal stats port so we can monitor what is going on with the proxy.

Step 5 - Setup Stats to ensure everything is working properly

One can see how HAProxy is working using Services -> HAProxy -> Stats or Stats FS (full screen). One can also navigate to Status -> HAProxy Stats for the full screen view.

HAProxy has a nice function to see how the proxy is performing. It can also tell you if health checks are failing. If they are, check Step 3 to fix. You can set your DNS record to the Virtual IP (in our case this was 2.1.1.2) and then access the site via a web browser. You should also be able to see server logs on the VMs to see the traffic get routed to each VM.

Step 6 - Conclusion

This is certainly not the hardest example, but it is slick because one can simply rsync from one server to another and have the site update across hosts and even datacenters. With Jekyll you can very easily keep sites in sync using Git which is also fun. At the end of the day this is a very simple setup for one looking to enable HAProxy on the same machine using Garcinia. Our Garcinia appliances have enough power to easily run some SSL offloading with HAProxy along with VPN and firewall duties. Hopefully with this guide you can get at least started with HAProxy and Garcinia and then have the ability to tune and use advanced features atop this architecture.

DONE