Reading Time: 3 mins

Overview

HAProxy is an open-source High availability proxy and load balancer that is popularly known for its efficiency and speed. Works for TCP and HTTP protocols, it is used to enhance the performance of a website by splitting up the load across multiple servers and to simplify the request processing tasks. 

The HAProxy can be separately used for a proxy and load balancing purposes and also used as both proxy and load balancer at a time on your system. 

Installing HAProxy on Ubuntu 18.04

Step 1: Preconditions

  • It is to be noted that the given instructions are strictly applied to installing HAProxy on Ubuntu 18.04.
  • Presuming that you are logged in as a non-root user with sudo privileges. 

Step 2: Updating the default packages

In order to install HAProxy on your Ubuntu system, it is important for you to have some of the necessary packages. To update the required packages to install HAProxy, use the command:

sudo apt-get update

Step 3: Installing HAProxy

Now, start installing HAProxy using the command:

sudo apt-get install haproxy

On the other hand, if you want to install a specific version of HAProxy, you need to install via add-apt repositories. To get HAProxy started on system start-ups, you need to enable it via init script.

sudo nano /etc/default/haproxy

In the above, you need to set the value as ENABLED=1

Step 4: Configuring HAProxy

HAProxy configuration is done in order to set, in which port the server needs to listen and to where the requests must be forwarded. Further, before start configuring HAProxy, it is essential for you to understand the four major section of HAProxy configuration file. 

Global

The very top-section of the HAProxy file is the global section which is once configured for all, need not be changed. Some of the aspects which are supported by the ‘global’ section include; process-wide security, performance tuning and debugging.

Default

Configuring in this section comes handy as whatever changes done in this section will be ultimately reflected in both the front end and back end sections (as it comes next to the default section). You can also set subsequent defaults and decide which default to contain what settings on what order. The default configuration file of HAProxy, /etc/haproxy/haproxy.cfg is what controls every function of HAProxy.

This is how the default configuration file of HAProxy looks like:

global
log /dev/log    local0
log /dev/log    local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 2048

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log     global
mode    http
option  httplog
option  dontlognull

timeout connect 5000
timeout client  50000
timeout server  50000

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

Front-end

This section helps you to identify which IP address and port, the client can connect and listen to. You can include several front-end sections (to maintain various websites) as much as you need but at the same time, need to differentiate one front-end from the other via labelling. 

Now, in the front-end section, add your IP address.

frontend haproxynode
bind ip_address:443 ssl crt
mode http
default_backend backendnodes

Back-end

Here where the group of servers handles the forwarded requests and load balancing. As mentioned in the front-end case, you can label the different servers of yours in order to distinguish one from the other. 

You need to add your server’s IP address along with port. The name you provided to define the back-end section (default_backend backendnodes) at the end of the front-end section is what must be included in the back-end section too (as backend forwarded by backendnodes).

backend backendnodes
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server vpsieprod 127.0.0.1:80
option httpchk HEAD / HTTP/1.1\r\nHost:localhost

Enabling Stats

To enable the HAProxy statistics, add the following in the HAProxy configuration file. In case, if you need to secure your stats page from third-party viewing, you can set a username and password.

listen stats
bind ip_address:1935
stats enable
stats hide-version
stats refresh 30s
stats show-node
stats auth username:password
stats uri /stats

Note: Here, stats refers to the landing page on the browser which opens once you run the above code.

Soon after you complete configuring the file, this is how it looks like:

global

log /dev/log    local0
log /dev/log    local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 2048

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
#  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log     global
mode    http
option  httplog
option  dontlognull

timeout connect 5000
timeout client  50000
timeout server  50000

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend haproxynode
bind ip_address:443 ssl crt
mode http
default_backend backendnodes

backend backendnodes
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server vpsieprod 127.0.0.1:80
option httpchk HEAD / HTTP/1.1\r\nHost:localhost

listen stats
bind ip_address:1935
stats enable
stats hide-version
stats refresh 30s
stats show-node
stats auth username:password
stats uri /stats

Step 4: Verifying HAProxy

To check for syntax errors, run the following command:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

To restart HAProxy, run the following command:

sudo service haproxy restart

To verify in terminal, use the command:

sudo service haproxy status

To confirm and verify your website stats via browser using the below command,

http://ip_address/stats

The above steps explains the procedure involved in installing, configuring and verifying HAProxy on Ubuntu 18.04 system. If you want to use HAProxy as a Load Balancer, visit our blog post, How to Set Up HAProxy as a Load Balancer on Ubuntu 18.04  Here, HAProxy is used only as a reverse proxy and thus, the above-mentioned code is applicable only for setting a reverse proxy.