Overview
HAProxy is an open-source high-availability proxy and load balancer, widely known for its efficiency and speed. It works with the TCP and HTTP protocols and is used to improve a website's performance by splitting the load across multiple servers and to simplify request processing.
HAProxy can be used as a proxy only, as a load balancer only, or as both at the same time on your system.
Installing HAProxy on Ubuntu 18.04
Step 1: Preconditions
- These instructions apply strictly to installing HAProxy on Ubuntu 18.04.
- You are assumed to be logged in as a non-root user with sudo privileges.
Step 2: Updating the default packages
Before installing HAProxy on your Ubuntu system, update the package lists so that the required packages can be found. Use the command:
sudo apt-get update
Step 3: Installing HAProxy
Now, start installing HAProxy using the command:
sudo apt-get install haproxy
If you want to install a specific version of HAProxy instead, you need to install it from a repository added with add-apt-repository. To have HAProxy start at system start-up, you need to enable it via the init script:
sudo nano /etc/default/haproxy
In that file, set the value ENABLED=1.
Step 4: Configuring HAProxy
The HAProxy configuration sets which port the server listens on and where requests are forwarded. Before you start configuring HAProxy, it is essential to understand the four major sections of the HAProxy configuration file.
Global
The topmost section of the HAProxy configuration file is the global section. Once configured, it does not need to be changed. The aspects covered by the global section include process-wide security, performance tuning and debugging.
Default
Settings in this section are handy because whatever you set here is applied to both the front-end and back-end sections that come after it. You can also add further defaults sections and decide which one holds which settings and in what order. HAProxy's configuration file, /etc/haproxy/haproxy.cfg, controls every function of HAProxy.
This is what the default configuration file of HAProxy looks like:
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
Front-end
This section defines the IP address and port that HAProxy listens on and that clients connect to. You can include as many front-end sections as you need (to serve various websites), but each front-end must be given its own label to distinguish it from the others.
Now, in the front-end section, add your IP address.

    frontend haproxynode
        # replace ip_address and the certificate placeholder after "crt" with your own values
        bind ip_address:443 ssl crt <path_to_certificate.pem>
        mode http
        default_backend backendnodes
Back-end
This is where you define the group of servers that handles the forwarded requests and across which the load is balanced. As in the front-end case, you can label your different servers in order to distinguish one from the other.
You need to add your server's IP address along with the port. The name given at the end of the front-end section (default_backend backendnodes) must be the name of the back-end section too (backend backendnodes).
    backend backendnodes
        balance roundrobin
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        server vpsieprod 127.0.0.1:80
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost
Enabling Stats
To enable the HAProxy statistics page, add the following to the HAProxy configuration file. If you need to protect your stats page from third-party viewing, you can set a username and password.
    listen stats
        bind ip_address:1935
        stats enable
        stats hide-version
        stats refresh 30s
        stats show-node
        stats auth username:password
        stats uri /stats
Note: Here, stats refers to the landing page that opens in the browser once the above configuration is in effect.
Once you have finished configuring the file, this is what it looks like:
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend haproxynode
        # replace ip_address and the certificate placeholder after "crt" with your own values
        bind ip_address:443 ssl crt <path_to_certificate.pem>
        mode http
        default_backend backendnodes

    backend backendnodes
        balance roundrobin
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        server vpsieprod 127.0.0.1:80
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost

    listen stats
        bind ip_address:1935
        stats enable
        stats hide-version
        stats refresh 30s
        stats show-node
        stats auth username:password
        stats uri /stats
Step 5: Verifying HAProxy
To check for syntax errors, run the following command:
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
To restart HAProxy, run the following command:
sudo service haproxy restart
To verify in the terminal, use the command:
sudo service haproxy status
To confirm and view your website stats in a browser, open the following URL, which uses the port the stats listener is bound to (1935 in the configuration above):
http://ip_address:1935/stats
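As an added check to run alongside haproxy -c (this script is not part of the original tutorial or of HAProxy), the audit below reads a configuration and flags three things visible in the file above: stats auth on a listener whose bind has no ssl, option httpchk in a backend whose server lines lack check, and ssl-default-bind-options without a minimum TLS version. The function names, the finding labels and the sample values 192.0.2.10 and /etc/ssl/private/site.pem are assumptions made for this example.

```shell
#!/bin/sh
# audit_haproxy_cfg [FILE]: print one finding per line; reads stdin when FILE is omitted.
audit_haproxy_cfg() {
    awk '
    # has(w): true when word w appears as an argument on the current line
    function has(w,   i) { for (i = 2; i <= NF; i++) if ($i == w) return 1; return 0 }
    # report(): emit findings for the section just closed, then reset its state
    function report() {
        if (auth && plain)   # basic-auth credentials would cross the network unencrypted
            print "stats-auth-cleartext: " sect " " name " has stats auth on a bind without ssl"
        if (httpchk && nocheck != "")   # health checks only run for servers marked check
            print "httpchk-unused: " sect " " name " sets option httpchk, no check on:" nocheck
        auth = plain = httpchk = 0; nocheck = ""
    }
    { sub(/#.*/, "") }          # strip comments
    NF == 0 { next }            # skip blank lines
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
        report(); sect = $1; name = $2; next
    }
    $1 == "bind" && !has("ssl")        { plain = 1 }
    $1 == "stats" && $2 == "auth"      { auth = 1 }
    $1 == "option" && $2 == "httpchk"  { httpchk = 1 }
    $1 == "server" && !has("check")    { nocheck = nocheck " " $2 }
    $1 == "ssl-default-bind-options"   { opts = 1
        if (has("ssl-min-ver") || has("no-tlsv10")) tlsmin = 1 }
    END {
        report()
        if (opts && !tlsmin)    # no-sslv3 alone does not set a TLS floor
            print "tls-min-unset: ssl-default-bind-options sets no minimum TLS version"
    }' "${1:--}"
}

# Constructed sample: the relevant lines of the tutorial's final configuration,
# with placeholder address and certificate path filled in for the example.
sample_cfg() {
    cat <<'EOF'
global
    ssl-default-bind-options no-sslv3
frontend haproxynode
    bind 192.0.2.10:443 ssl crt /etc/ssl/private/site.pem
backend backendnodes
    server vpsieprod 127.0.0.1:80
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
listen stats
    bind 192.0.2.10:1935
    stats auth username:password
EOF
}

sample_cfg | audit_haproxy_cfg
```

With the function loaded in your shell, run audit_haproxy_cfg /etc/haproxy/haproxy.cfg before restarting HAProxy; empty output means none of the three patterns was found.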
The above steps explain the procedure for installing, configuring and verifying HAProxy on an Ubuntu 18.04 system. If you want to use HAProxy as a load balancer, visit our blog post, How to Set Up HAProxy as a Load Balancer on Ubuntu 18.04. Here, HAProxy is used only as a reverse proxy, and thus the above configuration is applicable only for setting up a reverse proxy.