rodolfo.io

<< All Posts

Configuring HAProxy with ssl and two webservers behind

Jul 13, 2015

LoadBalancing with HAProxy

In this post I’ll teach you how to set up 3 ubuntu servers in order to create the follow architecture:

1 LoadBalancer Server;
2 Web Application Servers;

Ok, what’s load balancer? What’s the idea behind it? So, if you wanna create a web application the most basic idea is buy a domain name, point this domain name to the server IP and set up

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    option forwardfor
    option http-server-close
        stats uri /haproxy?stats
        stats auth haproxy:YourPassowordHere
        timeout connect 5000
        timeout client  50000
        timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


frontend http-in
        bind *:80
        reqadd X-Forwarded-Proto:\ http
        default_backend application-backend

frontend https-in
        bind *:443 ssl crt /etc/haproxy/sslpem/your.server.pem.file.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend application-backend

backend application-backend
        redirect scheme https if !{ ssl_fc }
        balance leastconn
        option httpclose
        option forwardfor

        #enter the IP of your application here
        server SERVER-1 10.10.10.1:8080 check
        server SERVER-2 10.10.10.2:8080 check

<< All Posts

Previous post:
Getting rid of my Wordpress and start using GoHugo

Next post:
Nice ZSH configuration for your Mac OS