We have 2 HTTP load balancers with HAProxy and Heartbeat. There are 4 Apache nodes in this cluster. It's doing round-robin load balancing. The HTTP cluster is working fine. We are having a problem with our portal because it uses SSO. We need sticky connection support in our HAProxy. Also we need load balancing for HTTPS traffic. Here's our HAProxy conf file.
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.* /var/log/haproxy.log
    #
    log         127.0.0.1 local0
    log         127.0.0.1 local1 notice
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  forwardfor except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main *:5000
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend app

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    balance roundrobin
    server static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app

listen ha-http 10.190.1.28:80
    mode http
    stats enable
    stats auth admin:xxxxxx
    balance roundrobin
    cookie JSESSIONID prefix
    option httpclose
    option forwardfor
    option httpchk HEAD /haproxy.txt HTTP/1.0
    server apache1 portal-04:80 cookie A check
    server apache2 im-01:80 cookie B check
    server apache3 im-02:80 cookie B check
    server apache4 im-03:80 cookie B check
Please advise. Thanks for your help in advance.
Your config is already setting a persistent cookie, but I believe you need to define a different cookie per backend server to always send a visitor to the same backend.
Does your SSO have its own cookie that it sets? Or are you happy with sticking with whichever box HAProxy chooses to send the traffic to? If you do have a cookie which your application sets, there is a configuration option to tell HAProxy to load balance based on pre-existing cookies rather than setting one itself. (Check the "appsession" option.)
Regarding SSL, there is plenty of documentation out there which describes why HAProxy doesn't handle SSL itself. Instead, if you want to do SSL + layer 7 (cookies etc.) load balancing you have to terminate the HTTPS connection on the load balancer (i.e. have the SSL reside on the LB rather than the backend server). I've done this before by running nginx on the same box and it worked well.
However, if you are happy with layer 4 load balancing (no cookies etc.), HAProxy can just route the encrypted traffic without looking inside its contents.
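Added example config, not the poster's file or the answerer's: it applies the per-server cookie advice above and adds the layer 4 HTTPS listener the answer describes. The hostnames and 10.190.1.28 address are taken from the question, the cookie letters C and D are assumed, and note that the "appsession" keyword named above was removed in HAProxy 1.6.

```haproxy
# Example only (not the original config). Layer 7 HTTP listener with a
# distinct cookie value per server, so HAProxy can route a returning
# client back to the box that holds its SSO session.
listen ha-http 10.190.1.28:80
    mode http
    balance roundrobin
    # "prefix" prepends HAProxy's marker to the app's own JSESSIONID.
    # Every server needs a different value; reusing "B" makes the
    # three im-0x servers indistinguishable and breaks stickiness.
    cookie JSESSIONID prefix
    option httpclose
    option forwardfor
    option httpchk HEAD /haproxy.txt HTTP/1.0
    server apache1 portal-04:80 cookie A check
    server apache2 im-01:80 cookie B check
    server apache3 im-02:80 cookie C check   # assumed value
    server apache4 im-03:80 cookie D check   # assumed value

# Layer 4 HTTPS listener: the TLS stream is passed through untouched, so
# cookies cannot be read and the backends must terminate TLS themselves.
# Stickiness can only come from the client address (balance source).
listen ha-https 10.190.1.28:443
    mode tcp
    option tcplog
    balance source
    server apache1 portal-04:443 check
    server apache2 im-01:443 check
    server apache3 im-02:443 check
    server apache4 im-03:443 check
```

With "balance source", clients behind one NAT address all land on the same backend; if that is unacceptable, terminate TLS on the LB (nginx or stunnel in front of HAProxy) so the cookie-based HTTP listener can be reused.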
If you are using SPNEGO/Kerberos for user auth you need to keep the connection alive between both client and backend. That's an SPNEGO protocol "feature": it wants to resolve the challenge over the same connection.
Please remember that keeping connections alive will probably cause connection persistence issues since HAProxy only checks the headers of the first HTTP verb.
For SSL, I would also choose nginx; another option is stunnel with X-FORWARDED-FOR support.