HAProxy Load Balancing: Part One


Configuring HAProxy in pfSense 2.1.5.

HAProxy is an application offering high-availability, load balancing and proxying for TCP and HTTP-based applications. It is particularly suited for high traffic web sites, and is used by a number of high-profile websites including GitHub, Stack Overflow, Reddit, Tumblr, and Twitter. Over the years, it has become the de facto standard open source load balancer, is shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms. It is written in C and has a reputation for being fast, efficient and stable. HAProxy is free and open source software licensed under the GPL.

HAProxy: Installation and Configuration

To install HAProxy in pfSense, navigate to System -> Packages, scroll down to HAProxy on the list of packages, and press the “plus” button on the right. On the next page, press “Confirm” to confirm installation. It should take about three minutes for installation to complete.

Once HAProxy is installed, there will be a new entry on the “Services” menu called “HAProxy“. From there, you can configure settings. There are three tabs: “Settings“, “Listener“, and “Server Pool“. Under “General Settings“, the “Enable HAProxy” check box allows you to enable the load balancer. “Maximum connections” allows you to set the maximum per-process number of concurrent connections to X. Setting this value too high will result in HAProxy not being able to allocate enough memory. “Number of processes to start” indicates the number of HAProxy processes to start. The default is the number of cores/processors installed. “Remote syslog host” allows you to enter an IP address for the syslog host if there is a remote one.

The next setting, the “Syslog facility” dropdown box, allows you to indicate what type of connection HAProxy will make to syslog. The default is “local0“. By default, your syslog configuration probably does not accept socket connections, and doesn’t have a local0 facility, so if you leave it this way, you will have no HAProxy log. If you want it, configure suslog to accept TCP connections by adding -r to syslogd paramters. You can do this by editing the value of SYSLOGD in /etc/default/syslogd. Then follow these steps:

  1. Set up syslog facility local0 and direct it to file /var/log/haproxy.log by adding this line to /etc/syslog.conf:local0* /var/log/haproxy.log
  2. Restart the syslog service by entering the following command:service syslog restart

The next setting, “Syslog level“, allows you to determine what information is logged. “emerg” only logs emergency notifications, “debug” includes debugging information, “warning” includes warnings, and so on. Finally “Carp monitor” allows you to monitor the CARP interface and only run haproxy on the firewall which is the master. [A CARP, or Common Address Redundancy Protocol, firewall setup involves having a group of redundant firewalls. One firewall is designated as the master, and the others are designated as slaves. If the main firewall breaks down or is disconnected from the network, the virtual IP address allocated for the firewall will be taken by one of the firewall slaves and the service availability will not be interrupted.]

In the next article, we will continue our look at HAProxy configuration.

External Links:

The official HAProxy site

HAProxy on Wikipedia

Syslog Configuration in pfSense

Introducing Syslog

Syslog is a standard for computer data logging. It separates the software that generates messages from the system that stores them and the software that reports and analyzes them. It was developed in the 1980s by Eric Allman as part of the Sendmail project, and proved so valuable that other applications began using it as well. Since then, Syslog has become the standard logging solution on Unix and Unix-like systems, and there have been a variety of syslog implementations on other operating systems.

Syslog initially functioned as a de facto standard, without any authoritative published specification, and many implementations existed; some of them were incompatible with each other. Eventually the Internet Engineering Task Force documented the standard in RFC 3164. It was made obsolete by subsequent additions in RFC 5424.

Centralized logging to a specific logging host can reduce some of the administrative burden of log file administration. Log file aggregation, merging and rotation acan be configured in one location using syslog. In syslog, messages are labeled with a facility code indicating what type of program is logging the message. The codes are as follows:

Facility Levels
Facility Number Keyword Facility Description
0 kem kernel messages
1 user user-level messages
2 mail mail system
3 daemon system daemons
4 auth security/authorization messages
5 syslog messages generated internally by syslog
6 lpr line printer subsystem
7 news network news subsystem
8 uucp UUCP subsystem
9 clock daemon
10 authpriv security/authorization messages
11 ftp FTP daemon
12 network news subsystem
13 log audit
14 log alert
15 cron clock daemon
16 local0 local use 0 (local0)
17 local1 local use 1 (local1)
18 local2 local use 2 (local2)
19 local3 local use 3 (local3)
20 local4 local use 4 (local4)
21 local5 local use 5 (local5)
22 local6 local use 6 (local6)
23 local7 local use 7 (local7)

For cron either 9 or 15 may be used. With auth/authpriv, 4 and 10 are commonly used but 13 and 14 can be used too.

Finally, here are the eight security levels:

Severity Levels
Code Severity Keyword Description
0 Emergency emerg (panic) System is unstable
1 Alert alert Action must be taken immediately
2 Critical crit Critical conditions
3 Error err (error) Error conditions
4 Warning warning (warn) Warning conditions
5 Notice notice Normal but significant condition
6 Informational info Informational messages
7 Debug debug Debug-level messages

A mnemonic used to remember these levels is: “Do I Notice When Evenings Come Around Early”.

Configuring Syslong in pfSense


Configuring Syslog for remote logging under pfSense 2.0.

To configure syslog, first navigate to Status -> System Logs. From there, click the “Settings” tab. Check the “Enable syslog’ing to remote syslog server” check box to send syslog messages to a remote server. At “Remote syslog servers“, enter the IP addresses of up to three remote syslog servers. Below that, there are nine check boxes. Eight check boxes are for logging different events (system, firewall, DHCP service, portal authorization, VPN, gateway monitor, server load balancer, and wireless); the ninth check box is labeled “Everything” and will cause syslog to record all messages. Check whichever items you wish to monitor, or check “Everything” to monitor record everything. Then press the “Save” button to save the changes.

Now that we have enabled remote syslog logging, we have removed a considerable burden from the resources of the pfSense machine, which should have a positive effect. This will especially be the case if the machine is light on memory and hard disk space (or for that matter, if we are running it from the live CD and the log entries are being made to a floppy disk).

There are several other settings worth noting, which are applicable to a scenario where remote logging is not enabled. At the top of the Settings page, checking “Show log entries in reverse order” will cause the newest entries to appear on top. Checking “Log packets blocked by the default rule” (checked by default) will cause syslog to log packets blocked by the implicit default block rule. Checking “Show raw filter logs” will result in filter logs being show as generated by the packet filter, without any formatting. This will reveal more detailed information. Finally, checking “Disable writing log files to the local RAM disk” will cause syslog to stop writing logs to the RAM disk, thereby freeing up memory.

External Links:

Syslog on Wikipedia

Copying Logs to a Remote Host with Syslog at doc.pfsense.org

Custom pfSense Firewall Log Analyzer – step-by-step instructions on how to set up a custom pfSense log analyzer using shell scripts and Python code

pfSense Remote Logging to Kiwi Syslog Server – shows how to send pfSense logs to a Kiwi server running under Windows

© 2013 David Zientara. All rights reserved. Privacy Policy