In an older post I showed how to create a highly available HAProxy load balancer and front-end it with Pound for SSL termination. With the release of HAProxy 1.5, SSL termination is now built in, along with a nice set of new features, such as stick tables.
In this post I'll set up HAProxy with SSL offloading and load balance HTTP, MySQL and RabbitMQ in an active/passive mode.
First, let's install HAProxy from source (you can of course use a package, but I'll be using Debian Squeeze for this deployment):
Since we are installing from source, we'll need an init script in /etc/init.d and the default options file in /etc/default. You can get one from an older package and make sure that the paths match the installation, or just use the one below:
Time to configure HAProxy for 4 different services - plain HTTP, HTTPS terminated by the load balancer, and MySQL and RabbitMQ in active/passive mode:
All of the options are documented [1], but the most interesting one is the "stats socket", which lets you connect to a socket, perform simple operations on HAProxy and gather statistics without needing to restart the server. You can do this in either interactive or non-interactive mode using the socat utility:
To enable the static HTTP status page, add the following to the config file:
For a real-time view of what's going on, you can use the ncurses-based hatop; just install and run it:
SSL termination is configured on line 34 by specifying the "ssl" option and providing a PEM file containing the certificate and the private key.
To set up MySQL and RabbitMQ in active/passive mode, where only one of the servers accepts connections and the connections still stick to the backup server after the main server comes back up from a failure, specify the "backup" option and define a stick-table (line 87 and line 83).
One more option worth mentioning is the MySQL health check specified on line 82. The check consists of sending two MySQL packets, one Client Authentication packet and one QUIT packet, to correctly close the MySQL session, using the specified user - in this case haproxy_check - so make sure you create it first:
Another useful option is the tcp-check. With this it's easy to send and receive certain messages to the back-ends and act on them. This is particularly useful in managing Redis master and slave instances controlled by Sentinel:
In the example above HAProxy queries the Redis nodes about their role, and it fails over only when a back-end has become the new master. If Sentinel is controlling the cluster and a new master is elected, HAProxy will fail over traffic to it.
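A Redis back-end of the kind described above, as an added example rather than the configuration from the original post. The listener name, server names and 192.0.2.x addresses are constructed placeholders, and a defaults section with timeouts is assumed:

```haproxy
listen redis
    bind *:6379
    mode tcp
    option tcp-check
    # If Redis has requirepass set, authenticate first. The password then
    # lives in this file, so keep haproxy.cfg readable by root only.
    # tcp-check send AUTH\ <redis-password>\r\n
    # tcp-check expect string +OK
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    # Spaces inside a send string are escaped with a backslash.
    tcp-check send info\ replication\r\n
    # Only the node reporting role:master passes; slaves are marked down.
    tcp-check expect string role:master
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server redis1 192.0.2.11:6379 check inter 1s
    server redis2 192.0.2.12:6379 check inter 1s
    server redis3 192.0.2.13:6379 check inter 1s
```

During a network partition two nodes can both report role:master for a short time, in which case both pass the check and HAProxy sends connections to both until Sentinel demotes one.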
To allow HAProxy to send separate logs to rsyslog you can use a file similar to this:
And finally start the service:
Resources:
[1]. http://cbonte.github.io/haproxy-dconv/configuration-1.5.html