Hello all.

I discovered haproxy a few weeks ago and I want to thank Willy for his very good product.
I'm planning to integrate haproxy into our DMZ.
I want to use haproxy for load balancing heavy secure PHP/AJAX applications with cookie persistence: a collaborative scheduler and an image consult extranet.

The stunnel service will handle the HTTPS connections and forward the decrypted requests to haproxy on port 88. Then haproxy will forward the connections to the web server on ports 10088, 10089 (and so on) of a mass virtual host configuration of Apache (see below). In /var/www/vhosts-SSL/ on the web server, there are some symbolic links to the PHP sources. Some domains are not linked to the same path because they don't provide the same application. So I don't want to have to delete/rename the "running.ok" file in every path when I want to shut down the web server. I want to use the httpchk on port 10081 and the file "running.ok". But I want a soft stop of the service: I want haproxy to stop forwarding new connections if it doesn't find the "running.ok" file, but to continue forwarding connections if the cookie is initialised. So I will configure a backup server with the same cookies (as said in the HAProxy documentation).

So now my questions:
- Is it possible to check only the headers, like HEAD / HTTP/1.0, for the backup server?
- As said in Willy's article (http://1wt.eu/articles/2006_lb/), it is good to load balance the encryption/decryption flow too. So a haproxy instance in TCP mode (layer 4) seems to be a good solution. But our applications have to know the client IP for security reasons. I read that a recompiled kernel with tproxy support will forward connections keeping the real client IP. Is that true?
- I want to manage a multi-site configuration keeping the session persistence. How can I manage to do so?

haproxy configuration (it's a test configuration file; I think some variables don't have the right values):

defaults
       log     global
       mode    http
       option  httplog
       retries 3
       option redispatch
       maxconn 2000
       contimeout      5000
       clitimeout      50000
       srvtimeout      50000
       stats enable
       option forwardfor
       balance roundrobin
       option httpchk HEAD /running.ok HTTP/1.0
       option http-server-close

listen private-admin_stats 192.168.1.60:8088
       mode http
       stats uri    /admin?stats
       stats realm     Global\ statistics
       stats auth  stats:stats84

frontend public-http-app
       bind 192.168.1.62:88
       reqadd   sce_proxy:\ lbl0101
       reqadd   sceproxy_secure:\ https
       capture request header Location len 80
       capture response header Location len 80
       capture response header Server len 20
       default_backend webfarm-http-app

backend webfarm-http-app
       cookie SERVERID prefix nocache
       # primaries are checked on the dedicated check vhost (port 10081, /running.ok);
       # the backups share the primary's cookie value so existing sessions survive a drain
       server lbl0101-app1     192.168.1.62:10088 check port 10081 inter 2000 rise 2 fall 5 weight 8 cookie lbl0101-app
       server lbl0101-app1-bck 192.168.1.62:10088 check inter 2000 rise 2 fall 5 cookie lbl0101-app backup
       server lbl0101-app2     192.168.1.62:10089 check port 10081 inter 2000 rise 2 fall 5 cookie lbl0101-app2
       server lbl0101-app2-bck 192.168.1.62:10089 check inter 2000 rise 2 fall 5 cookie lbl0101-app2 backup



NameVirtualHost Apache configuration:

NameVirtualHost 192.168.1.62:10081
<VirtualHost 192.168.1.62:10081>
       UseCanonicalName Off
       ServerName *
       VirtualDocumentRoot /var/www/vhosts-SSL/%0
       VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
       DirectoryIndex index.html index.htm index.shtml index.php
       HostNameLookups off
       #CustomLog logs/ssl_access_log vcommon
       #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

NameVirtualHost 192.168.1.62:10088
<VirtualHost 192.168.1.62:10088>
       UseCanonicalName Off
       ServerName *
       VirtualDocumentRoot /var/www/vhosts-SSL/%0
       VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
       DirectoryIndex index.html index.htm index.shtml index.php
       HostNameLookups off
       #CustomLog logs/ssl_access_log vcommon
       #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

NameVirtualHost 192.168.1.62:10089
<VirtualHost 192.168.1.62:10089>
       UseCanonicalName Off
       ServerName *
       VirtualDocumentRoot /var/www/vhosts-SSL/%0
       VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
       DirectoryIndex index.html index.htm index.shtml index.php
       HostNameLookups off
       #CustomLog logs/ssl_access_log vcommon
       #CustomLog /var/log/httpd/access_log cawstats
</VirtualHost>

Some examples of the links in /var/www/vhosts-SSL:

192.168.1.62 -> /var/www/check (=> this is where the file "running.ok" will be)
secure.myfirstdomain.com -> /var/www/html/myfirstdomain.com
secure1.myfirstdomain.com -> /var/www/html/myfirstdomain.com
secure.myseconddomain.com -> /var/www/html/myseconddomain.com
secure.mythirddomain.com -> /var/www/html/myfirstdomain.com

Some other configuration in httpd.conf:

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
SetEnvIf Request_URI "^/running\.ok$" dontlog
CustomLog /var/log/httpd/access.log combined env=!dontlog

NB: sorry for my very bad English.

NICOLE Emerik
Newbie french user of haproxy
eni-urge...@scan-eco.com
www.scan-eco.com
www.quickmed.fr
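An added illustration (not HAProxy's code and not part of the original post) of the soft-stop behaviour the posted backend relies on: a small Python model of cookie-prefix persistence in which the first operational server sharing a cookie value, backup included, keeps an existing session, while a new session never lands on a server whose /running.ok check has failed. The server names and cookie values mirror the posted configuration; the cookie value "PHPSESSID42" and the plain round-robin scheduling are constructed simplifications.

```python
from dataclasses import dataclass
from itertools import count

PREFIX_DELIM = "~"  # delimiter HAProxy uses in "cookie ... prefix" mode

@dataclass
class Server:
    name: str
    cookie: str          # value given with "cookie" on the server line
    backup: bool = False
    up: bool = True      # outcome of the httpchk (HEAD /running.ok)

def pick_server(servers, cookie_header, rr):
    """Return (chosen server, Cookie header to forward to the application)."""
    # Persistence: the first operational server carrying the cookie value,
    # primary or backup, wins; the server-id prefix is stripped for the app.
    if cookie_header and cookie_header.startswith("SERVERID="):
        sid, _, rest = cookie_header[len("SERVERID="):].partition(PREFIX_DELIM)
        for s in servers:
            if s.cookie == sid and s.up:
                return s, "SERVERID=" + rest
    # No usable cookie (or every server with that value is down): round robin
    # over UP primaries; backups are used only when no primary is left.
    active = [s for s in servers if s.up and not s.backup]
    if not active:
        active = [s for s in servers if s.up and s.backup]
    if not active:
        return None, cookie_header
    return active[next(rr) % len(active)], cookie_header

def prefix_set_cookie(server, set_cookie):
    """Rewrite the app's Set-Cookie so the client carries the server id."""
    name, _, value = set_cookie.partition("=")
    return f"{name}={server.cookie}{PREFIX_DELIM}{value}"

def soft_stop_scenario():
    """Constructed run: app1 is drained by removing its running.ok file."""
    farm = [
        Server("lbl0101-app1", "lbl0101-app"),
        Server("lbl0101-app1-bck", "lbl0101-app", backup=True),
        Server("lbl0101-app2", "lbl0101-app2"),
        Server("lbl0101-app2-bck", "lbl0101-app2", backup=True),
    ]
    rr = count()
    first, _ = pick_server(farm, None, rr)          # new visitor, everything UP
    farm[0].up = False                              # running.ok removed on app1
    sticky, fwd = pick_server(farm, "SERVERID=lbl0101-app~PHPSESSID42", rr)
    fresh, _ = pick_server(farm, None, rr)          # new visitor after the drain
    return first.name, sticky.name, fwd, fresh.name
```

The drained primary stops receiving new sessions as soon as its check fails, while requests already carrying its cookie value fall through to the backup entry that shares it, which is what keeps the running.ok file in one place per check vhost instead of one per application path.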
