HAProxy Load Balancing: Part Three

HAProxy

Editing the HAProxy pool under pfSense 2.1.5.

In the previous two articles in this series, we introduced HAProxy and began looking at configuration of HAProxy under pfSense. In this article, we conclude our look at HAProxy configuration.

In the HAProxy Listener configuration tab, we had gotten as far as “Balance“. The next setting is “Stats Enabled“, which simply enables the saving of HAProxy statistics. If this check box is checked, 4 additional settings will appear: “Stats Realm“, “Stats Uri“, “Stats Username“, and “Stats Password“. “Stats Realm” is simply the authentication realm. It can be set to anything, although you need to escape space characters with a backslash. “Stats Uri” is the virtual URL to access the stats page. “Username” and “Password” are simply the username/password you want to use.


Moving along to the remaining advanced settings, “Max connections” is the maximum number of allowed connections. “Client timeout” is the time (in milliseconds) HA Proxy will wait for data from the client, or for the client to accept data (default is 30000). The next option is the “Use ‘forwardfor’ option“. This option creates an HTTP ‘X-Forwarded-For’ header which contains the client’s IP address. This is useful to let the final web server know what the client address was. The “Use ‘httpclose’ option” removes any ‘Connection’ header both ways, and adds a ‘Connection: close’ header in each direction. This makes it easier to disable HTTP keep-alive than the previous 4-rules block. Finally, the “Advanced pass thru” text box is for pasting text you would like to pass through.

The final tab is the “Server Pool” tab. Press the “plus” button on the right to add a server. In the “Name” field you can enter any name. For “Cookie“, you need to enter a cookie value, which will be checked in incoming requests. The first operational pool possessing the same value will be selected. In return, in cookie insertion or rewrite modes, this value will be assigned to the cookie sent to the client. At “Server list“, you can enter a list of servers, press the “plus” button under “Server list” to add a server. At “Check freq“, you can enter the interval at which HAProxy checks the server pool (default is 1000 milliseconds). “Health check URI” allows you to specify the virtual URL to check the health of the server pool (default is “/”). Finally, there is an “Advanced pass thru” text box for text you would like to pass through.


External Links:

The official HAProxy site

HAProxy on Wikipedia

HAProxy Load Balancing: Part Two

HAProxy

Listener configuration in HAProxy under pfSense 2.1.5.

In the previous article, we introduced HAProxy as a load balancing solution for TCP and HTTP-based applications. In this article, we will continue our look at HAProxy configuration.

The next setting in the “Settings” tab is “Global Advanced pass thru“, which is for text that you would like to pass through to the global settings area. The next section is “Configuration synchronization“. The first check box allows you to synchronize the HAProxy configuration to back up CARP members via XML-RPC, a remote procedure call which uses XML to encode its calls and uses HTTP as a transport mechanism. The next two fields are for the username and password that will be used during configuration synchronization. The username is general “admin” or an admin-level privileged account on the target system, and the password is generally the remote web configurator password. The next three fields are for sync hosts 1, 2, and 3. HAProxy will synchronize settings to the host’s IP address, if it is specified here. Finally, there are two buttons at the bottom. “Save” will just save the configuration, whereas “Save and Check Config” will parse the automatically generated config file and check for errors.


HAProxy: Configuring Listener Settings

The next tab is “Listener“. By pressing the “plus” button on the right side, you can specify a server to which HAProxy will listen. “Name” is the IP address of the interface to listen to. You can also specify an option “Description“. “Status” indicates whether the server pool is active or disabled. In the next field, “External address“, if you want the rule to apply to an IP address other than the IP address of the interface chosen here, you can select it here. You need to define virtual IP addresses for it first. If you are trying to redirect connections on the LAN, select the “any” option. You can also specify the port to listen to at “External port“, a backend server pool, the default server port, and the protocol at “Type” (HTTP, HTTPS, TCP, or a check for health). You can specifyy an ACL at “Access Control lists“.

Under “Advanced settings“, you can specify several other paramters. “Connection timout” allows you to specify the amount of time in milliseconds HAProxy will wait for a connection to complete, while “Server timeout” indicates the amount of time to wait for data from the server. “Retries” indicates the number of retry attempts. “Balance” indicates what method is used to load balance. If “Round robin” is selected, each server is used in turns, according to their weights. The algorithm is dynamic, which means that server weights may be adjusted on the fly for slow starts. If “Source” is selected, the source IP address will be hashed and divided by the total weight of the running servers to designate which server will receive the request. As a result, the same client IP address will always reach the same server as long as no server goes up or down. If the hash result changes due to the number of running servers changing, many clients will be directed to a different server.

In the next article, we we conclude our look at HAProxy configuration.


External Links:

The official HAProxy site

HAProxy on Wikipedia

HAProxy Load Balancing: Part One

HAProxy

Configuring HAProxy in pfSense 2.1.5.

HAProxy is an application offering high-availability, load balancing and proxying for TCP and HTTP-based applications. It is particularly suited for high traffic web sites, and is used by a number of high-profile websites including GitHub, Stack Overflow, Reddit, Tumblr, and Twitter. Over the years, it has become the de facto standard open source load balancer, is shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. It is written in C and has a reputation for being fast, efficient and stable. HAProxy is free and open source software licensed under the GPL.

HAProxy: Installation and Configuration

To install HAProxy in pfSense, navigate to System -> Packages, scroll down to HAProxy on the list of packages, and press the “plus” button on the right. On the next page, press “Confirm” to confirm installation. It should take about three minutes for installation to complete.

Once HAProxy is installed, there will be a new entry on the “Services” menu called “HAProxy“. From there, you can configure settings. There are three tabs: “Settings“, “Listener“, and “Server Pool“. Under “General Settings“, the “Enable HAProxy” check box allows you to enable the load balancer. “Maximum connections” allows you to set the maximum per-process number of concurrent connections to X. Setting this value too high will result in HAProxy not being able to allocate enough memory. “Number of processes to start” indicates the number of HAProxy processes to start. The default is the number of cores/processors installed. “Remote syslog host” allows you to enter an IP address for the syslog host if there is a remote one.


The next setting, the “Syslog facility” dropdown box, allows you to indicate what type of connection HAProxy will make to syslog. The default is “local0“. By default, your syslog configuration probably does not accept socket connections, and doesn’t have a local0 facility, so if you leave it this way, you will have no HAProxy log. If you want it, configure suslog to accept TCP connections by adding -r to syslogd paramters. You can do this by editing the value of SYSLOGD in /etc/default/syslogd. Then follow these steps:

  1. Set up syslog facility local0 and direct it to file /var/log/haproxy.log by adding this line to /etc/syslog.conf:local0* /var/log/haproxy.log
  2. Restart the syslog service by entering the following command:service syslog restart

The next setting, “Syslog level“, allows you to determine what information is logged. “emerg” only logs emergency notifications, “debug” includes debugging information, “warning” includes warnings, and so on. Finally “Carp monitor” allows you to monitor the CARP interface and only run haproxy on the firewall which is the master. [A CARP, or Common Address Redundancy Protocol, firewall setup involves having a group of redundant firewalls. One firewall is designated as the master, and the others are designated as slaves. If the main firewall breaks down or is disconnected from the network, the virtual IP address allocated for the firewall will be taken by one of the firewall slaves and the service availability will not be interrupted.]

In the next article, we will continue our look at HAProxy configuration.


External Links:

The official HAProxy site

HAProxy on Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy