Hello all.
I discovered haproxy a few weeks ago and I want to thank Willy for his
very good product.
I'm planning to integrate haproxy into our DMZ.
I want to use haproxy for load balancing heavy secure PHP/AJAX
applications with cookie persistence: a collaborative scheduler and an
image consult extranet.
A stunnel service will handle HTTPS connections and forward decrypted
requests to haproxy on port 88. Then haproxy will forward connections
to the web server on ports 10088, 100089 (and so on...) in a mass
virtual host configuration of Apache (see below).
In /var/www/vhost-SSL/ on the web server, there are some symbolic links
to the PHP sources. Some domains are not linked to the same path because
they don't provide the same application. So I don't want to have to
delete/rename the "running.ok" file in every path when I want to
shut down the web server.
I want to use the httpcheck on port 10081 and the file "running.ok".
But I want a soft stop of the service. I want haproxy to stop forwarding
new connections if it doesn't find the "running.ok" file, but continue
to forward connections if the cookie is initialised. So I will configure
a backup server with the same cookies (as described in the haproxy
documentation).
So now my questions:
- Is it possible to check only the header, like this: HEAD / HTTP/1.0,
for the backup server?
- As said in Willy's article (http://1wt.eu/articles/2006_lb/), it is
good to load balance the encryption/decryption flow too. So a haproxy
instance in TCP mode (layer 4) seems to be a good solution. But our
applications have to know the client IP for security reasons. I read
that a recompiled kernel with tproxy support will forward connections
keeping the real client IP. Is that true?
- I want to manage a multi-site configuration keeping the session
persistence. How can I manage to do so?
haproxy configuration: (it's a test configuration file. I think some
variables do not have good values)
defaults
    log global
    mode http
    option httplog
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000
    stats enable
    option forwardfor
    balance roundrobin
    option httpchk HEAD /running.ok HTTP/1.0
    option http-server-close

listen private-admin_stats 192.168.1.60:8088
    mode http
    stats uri /admin?stats
    stats realm Global\ statistics
    stats auth stats:stats84

frontend public-http-app
    bind 192.168.1.62:88
    reqadd sce_proxy:\ lbl0101
    reqadd sceproxy_secure:\ https
    capture request header Location len 80
    capture response header Location len 80
    capture response header Server len 20
    default_backend webfarm-http-app

backend webfarm-http-app
    cookie SERVERID prefix nocache
    server lbl0101-app1 192.168.1.62:10088 check port 10081 inter 2000 rise 2 fall 5 weight 8 cookie lbl0101-app
    server lbl0101-app1-bck 192.168.1.62:10088 check inter 2000 rise 2 fall 5 cookie lbl0101-app backup
    server lbl0101-app2 192.168.1.62:10089 check port 10081 inter 2000 rise 2 fall 5 cookie lbl0101-app2
    server lbl0101-app2-bck 192.168.1.62:10089 check inter 2000 rise 2 fall 5 cookie lbl0101-app2 backup

Apache NameVirtualHost configuration:

NameVirtualHost 192.168.1.62:10081
<VirtualHost 192.168.1.62:10081>
    UseCanonicalName Off
    ServerName *
    VirtualDocumentRoot /var/www/vhosts-SSL/%0
    VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
    DirectoryIndex index.html index.htm index.shtml index.php
    HostNameLookups off
    #CustomLog logs/ssl_access_log vcommon
    #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

NameVirtualHost 192.168.1.62:10088
<VirtualHost 192.168.1.62:10088>
    UseCanonicalName Off
    ServerName *
    VirtualDocumentRoot /var/www/vhosts-SSL/%0
    VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
    DirectoryIndex index.html index.htm index.shtml index.php
    HostNameLookups off
    #CustomLog logs/ssl_access_log vcommon
    #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

NameVirtualHost 192.168.1.62:10089
<VirtualHost 192.168.1.62:10089>
    UseCanonicalName Off
    ServerName *
    VirtualDocumentRoot /var/www/vhosts-SSL/%0
    VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
    DirectoryIndex index.html index.htm index.shtml index.php
    HostNameLookups off
    #CustomLog logs/ssl_access_log vcommon
    #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

Some examples of the links in /var/www/vhosts-SSL:

192.168.1.62 -> /var/www/check (=> is where the file "running.ok" will be)
secure.myfirstdomain.com -> /var/www/html/myfirstdomain.com
secure1.myfirstdomain.com -> /var/www/html/myfirstdomain.com
secure.myseconddomain.com -> /var/www/html/myfseconddomain.com
secure.myfthirddomain.com -> /var/www/html/myfirstdomain.com

Some other configuration in httpd.conf:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
SetEnvIf Request_URI "^/running\.ok$" dontlog
CustomLog /var/log/httpd/access.log combined env=!dontlog

NB: sorry for my very bad English.
NICOLE Emerik
Newbie french user of haproxy
eni-urge...@scan-eco.com
www.scan-eco.com
www.quickmed.fr
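
Added example, not part of the original message and not haproxy code: a simplified Python model of the soft stop described above, showing which server entry a request reaches once the main entry fails its check while the backup entry with the same cookie stays up. Server names and cookie values come from the posted backend; the function names, the health-state flags and the assumption that the backup entry's check still passes are illustrative.

```python
from dataclasses import dataclass

@dataclass
class Server:
    name: str
    cookie: str           # value set with "cookie <value>" on the server line
    backup: bool = False  # "backup" keyword present on the server line
    up: bool = True       # result of the last health check (assumed state)

def make_farm():
    # Names and cookie values taken from the posted backend section.
    return [
        Server("lbl0101-app1", "lbl0101-app"),
        Server("lbl0101-app1-bck", "lbl0101-app", backup=True),
        Server("lbl0101-app2", "lbl0101-app2"),
        Server("lbl0101-app2-bck", "lbl0101-app2", backup=True),
    ]

def set_state(servers, name, up):
    # Record a health-check result for one server entry.
    for s in servers:
        if s.name == name:
            s.up = up

def pick(servers, cookie, rr):
    """Choose the server entry for one request.

    cookie: server part of the SERVERID cookie, or None for a new visitor.
    rr: request counter used for round robin.
    """
    usable = [s for s in servers if s.up]
    # Persistence: a usable entry with the same cookie wins, active before backup.
    for s in sorted(usable, key=lambda s: s.backup):
        if cookie is not None and s.cookie == cookie:
            return s
    # New visitor, or every entry for that cookie is down (option redispatch):
    # balance over active entries, else fall back to the first backup only.
    active = [s for s in usable if not s.backup]
    pool = active or usable[:1]
    return pool[rr % len(pool)] if pool else None

if __name__ == "__main__":
    farm = make_farm()
    set_state(farm, "lbl0101-app1", False)   # running.ok removed: main entry down
    print(pick(farm, "lbl0101-app", 0).name)             # existing session
    print({pick(farm, None, i).name for i in range(4)})  # new visitors
```

The model only covers selection; it does not reproduce how the checks themselves are sent.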