How to Set Up HAProxy
HAProxy is a reliable, high-performance TCP/HTTP load balancer that works well in front of a Helix TeamHub HA setup.
Preparation
Make sure the SSH host keys in /etc/ssh are synchronized across all cluster nodes (see the Synchronizing SSH host keys section). Otherwise, because the hth-sshd frontend below balances connections between nodes, clients will intermittently see a "SSH RSA host key has changed" error depending on which node they land on.
Follow these steps to install and configure HAProxy according to the host operating system:
RHEL and CentOS
Install HAProxy:
cd /tmp
# zlib-devel is required for USE_ZLIB=1 below
yum install wget openssl-devel pcre-devel zlib-devel make gcc
# Fetch over HTTPS and verify the tarball against the checksum file that haproxy.org
# publishes next to it (.sha256 here; some older releases only have .md5). Because the
# checksum comes from the same host, this catches corruption or a bad mirror, not a
# compromised origin. 1.5.3 is used to match the rest of this page; the 1.5 branch is
# no longer maintained, so prefer a currently supported release where possible.
wget https://www.haproxy.org/download/1.5/src/haproxy-1.5.3.tar.gz
wget https://www.haproxy.org/download/1.5/src/haproxy-1.5.3.tar.gz.sha256
sha256sum -c haproxy-1.5.3.tar.gz.sha256
tar -zxvf haproxy-1.5.3.tar.gz && cd haproxy-1.5.3
make TARGET=linux2628 CPU=x86_64 USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1
make install
Create the init script:
ln -sf /usr/local/sbin/haproxy /usr/sbin/haproxy
cp /tmp/haproxy-1.5.3/examples/haproxy.init /etc/init.d/haproxy
chmod 755 /etc/init.d/haproxy
Add default configuration and user:
mkdir /etc/haproxy
cp /tmp/haproxy-1.5.3/examples/examples.cfg /etc/haproxy/haproxy.cfg
mkdir /var/lib/haproxy
touch /var/lib/haproxy/stats
# system account without a login shell; HAProxy drops to it after binding its ports
useradd -r -s /sbin/nologin -d /var/lib/haproxy haproxy
Start the service and enable on boot:
service haproxy check
service haproxy start
chkconfig haproxy on
Sample configuration
Below is an example configuration for Helix TeamHub with two web application servers. Replace every __PLACEHOLDER__ value with your own data before starting the service.
Use at least a 2048-bit Diffie-Hellman group. Generate a DH parameter file with OpenSSL (openssl dhparam -out dhparams.pem 2048) and append it to the certificate PEM file referenced by crt. That file should contain the server certificate first, followed by any intermediate certificates, the private key and the DH parameters. If no DH parameters are present in the file, HAProxy 1.5 falls back to a 1024-bit group (and warns at startup) unless tune.ssl.default-dh-param is raised in the global section.
global
log 127.0.0.1 local0 notice
# Confine the process to the directory created during preparation. Certificates
# are loaded before the chroot, so absolute crt paths below still work.
chroot /var/lib/haproxy
maxconn 2000
user haproxy
group haproxy
# Strongest suites first. The tail (AES:CAMELLIA:DES-CBC3-SHA) keeps non-forward-secret
# RSA and 3DES suites for legacy clients; remove it once such clients are gone.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
log global
option dontlognull
retries 3
# Values are milliseconds. client/server are inactivity timeouts, so an SSH session
# proxied by hth-sshd that stays idle for 10 s is closed; raise them in that
# frontend/backend if long-running or interactive SSH sessions need it.
timeout connect 5000
timeout client 10000
timeout server 10000
# SSH connections to Helix TeamHub
frontend hth-sshd
bind *:22
mode tcp
default_backend hth-scm
# HTTP -> HTTPS redirection
frontend hth-http
bind *:80
mode http
redirect scheme https code 301 if !{ ssl_fc }
# HTTPS connections to Helix TeamHub
frontend hth-https
bind *:443 ssl crt __PATH_TO_CERTIFICATE_PEM_FILE__ no-sslv3
mode http
option http-server-close
option forwardfor
reqadd X-Forwarded-Proto:\ https
rspirep ^(set-cookie:.*) \1;\ Secure
default_backend hth-web
# LDAP connections to Helix TeamHub
# TLS for LDAPS terminates here; the hop from HAProxy to the nodes on port 389 is cleartext.
frontend ldaps-in
bind *:636 ssl crt __PATH_TO_CERTIFICATE_PEM_FILE__ no-sslv3
mode tcp
maxconn 10000
default_backend hth-ldap
# Plain LDAP; credentials are only protected if clients use STARTTLS end to end.
frontend ldap-in
bind *:389
mode tcp
maxconn 10000
default_backend hth-ldap
backend hth-ldap
mode tcp
balance leastconn
server web1 __IP_ADDRESS_OF_FIRST_NODE__:389 check
server web2 __IP_ADDRESS_OF_SECOND_NODE__:389 check
backend hth-scm
mode tcp
option tcplog
balance roundrobin
server scm1 __IP_ADDRESS_OF_FIRST_NODE__:22 check
server scm2 __IP_ADDRESS_OF_SECOND_NODE__:22 check
backend hth-web
mode http
option httplog
# The stats page reveals node addresses and health. It is only reachable through the
# HTTPS frontend here; add a source-address ACL if it should not be Internet-facing.
stats enable
stats uri /haproxy?stats
stats realm Strictly\ Private
stats auth __WEBADMIN_USERNAME__:__WEBADMIN_PASSWORD__
balance roundrobin
# Stickiness cookie, flagged httponly and secure (supported since HAProxy 1.5)
cookie HTHSTICKY insert indirect nocache httponly secure
server web1 __IP_ADDRESS_OF_FIRST_NODE__:80 check cookie web1
server web2 __IP_ADDRESS_OF_SECOND_NODE__:80 check cookie web2
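The two manual steps in this section, replacing the __PLACEHOLDER__ values and building a crt bundle with a large enough DH group, are easy to get subtly wrong, and `service haproxy check` does not catch a 1024-bit DH group. The script below is an added example, not part of Helix TeamHub or HAProxy: it reports unresolved placeholders and non ip:port server addresses in haproxy.cfg, and checks that the PEM bundle has the server certificate first, a private key, and a DH PARAMETERS block whose prime is at least 2048 bits (decoding the PKCS#3 DER directly, no OpenSSL needed). The configuration excerpt and PEM blocks embedded in it are constructed test input; the DH block wraps a non-prime value of the right size purely to exercise the size check, and the file paths in the usage line are hypothetical.

```python
"""Pre-flight checks for the HAProxy sample configuration and its crt PEM bundle.
Added example, not Helix TeamHub or HAProxy code."""
import base64
import ipaddress
import re
import sys

PLACEHOLDER_RE = re.compile(r"__[A-Z0-9_]+__")
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def unresolved_placeholders(cfg_text):
    """Sorted list of __NAME__ tokens still present in the config."""
    return sorted(set(PLACEHOLDER_RE.findall(cfg_text)))


def invalid_server_addresses(cfg_text):
    """Names of 'server' lines whose address is not <ip>:<port>."""
    bad = []
    for line in cfg_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "server":
            continue
        host, _, port = parts[2].rpartition(":")
        try:
            ipaddress.ip_address(host.strip("[]"))
            if not 0 < int(port) < 65536:
                raise ValueError(port)
        except ValueError:
            bad.append(parts[1])
    return bad


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dh_prime_bits(der):
    """PKCS#3 DHParameter is SEQUENCE { INTEGER p, INTEGER g, ... }; return bits of p."""
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters: expected SEQUENCE")
    tag, p, _ = _der_read(seq, 0)
    if tag != 0x02:
        raise ValueError("DH parameters: expected INTEGER p")
    return int.from_bytes(p, "big").bit_length()


def check_pem_bundle(pem_text, min_dh_bits=2048):
    """Return a list of problems with the crt bundle; [] means it looks usable."""
    blocks = [(label, base64.b64decode(body)) for label, body in PEM_BLOCK_RE.findall(pem_text)]
    labels = [label for label, _ in blocks]
    problems = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("server certificate must be the first PEM block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key block")
    dh = [der for label, der in blocks if label == "DH PARAMETERS"]
    if not dh:
        problems.append("no DH PARAMETERS block (append output of openssl dhparam)")
    elif dh_prime_bits(dh[0]) < min_dh_bits:
        problems.append(f"DH prime is {dh_prime_bits(dh[0])} bits; need >= {min_dh_bits}")
    return problems


# --- constructed sample inputs (not real keys, certificates or DH groups) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # spare byte keeps the sign positive
    return b"\x02" + _der_len(len(body)) + body


def fake_dh_pem(bits):
    """DH PARAMETERS block around a NON-prime p of `bits` bits: size-check input only."""
    body = _der_int((1 << (bits - 1)) | 1) + _der_int(2)
    der = b"\x30" + _der_len(len(body)) + body
    return "-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode() + "-----END DH PARAMETERS-----\n"


def fake_block(label):
    """PEM block with the given label; the payload is never parsed."""
    data = base64.encodebytes(f"constructed {label}".encode()).decode()
    return f"-----BEGIN {label}-----\n{data}-----END {label}-----\n"


SAMPLE_CFG = """backend hth-web
mode http
server web1 10.0.0.11:80 check cookie web1
server web2 __IP_ADDRESS_OF_SECOND_NODE__:80 check cookie web2
"""
GOOD_BUNDLE = fake_block("CERTIFICATE") + fake_block("RSA PRIVATE KEY") + fake_dh_pem(2048)

if __name__ == "__main__":
    if len(sys.argv) != 3:  # hypothetical paths: preflight.py /etc/haproxy/haproxy.cfg /etc/haproxy/site.pem
        sys.exit("usage: preflight.py haproxy.cfg bundle.pem")
    with open(sys.argv[1]) as f:
        cfg = f.read()
    with open(sys.argv[2]) as f:
        pem = f.read()
    issues = ([f"unresolved placeholder {p}" for p in unresolved_placeholders(cfg)]
              + [f"server {s}: address is not ip:port" for s in invalid_server_addresses(cfg)]
              + check_pem_bundle(pem))
    print("\n".join(issues) if issues else "ok")
    sys.exit(1 if issues else 0)
```

Run it against the real haproxy.cfg and PEM file before `service haproxy check`; a non-zero exit means something on the list above still needs attention. The DH check only measures the size of p, so a bundle that passes it still needs to have come from a genuine `openssl dhparam` run.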