Configuring HAProxy as a Load Balancer

Installation

HAProxy IP - 192.168.101.160

webserver node1 - 192.168.101.161

webserver node2 - 192.168.101.162


HAProxy is included in the package management systems of most Linux distributions. Use the command below to install it on Ubuntu 16.04 LTS:

sudo apt-get install haproxy

Below is the HAProxy configuration file (/etc/haproxy/haproxy.cfg) used in this setup:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    tune.ssl.default-dh-param 2048
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Plain-HTTP listener: its only job is to redirect every request to HTTPS.
listen filecloud-http
    bind 192.168.101.160:80
    mode http
    redirect scheme https if !{ ssl_fc }

# HTTPS front end: TLS terminates here, the backend nodes are reached over plain HTTP.
listen filecloud
    bind 192.168.101.160:443 ssl crt /etc/ssl/private/cloud.pem
    mode http
    balance roundrobin
    option http-server-close
    timeout http-keep-alive 3000

    # Pass the original client address, port and scheme to the backends.
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    # (the older "reqadd X-Forwarded-Proto:\ https" form would add the same
    #  header a second time, so it is not repeated here)
    # "check" enables periodic health checks so a failed node leaves the rotation.
    server node1 192.168.101.161:80 check
    server node2 192.168.101.162:80 check

# Statistics page on a separate TLS port, protected by HTTP basic auth.
listen stats
    bind 192.168.101.160:32700 ssl crt /etc/ssl/private/cloud.pem
    stats enable
    stats uri /
    stats hide-version
    stats auth filecloud:password!@


The above configuration is also set up to terminate SSL on the load balancer, so a certificate must be installed there.

You will need to combine the SSL certificate, the intermediate certificates and the private key into a single PEM file in the order shown below, and reference its path with the crt option as in the sample haproxy.cfg above:

cat certificate.crt intermediates.crt private.key > cloud.pem
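The following script is an added example, not part of the original page: it performs the concatenation step above, creates the bundle with restrictive permissions (the file contains the private key), and checks that the resulting PEM blocks are in the order HAProxy expects before the file is referenced from haproxy.cfg. The file names and the temporary directory used in the demo are assumptions; the demo files contain placeholder text, not real key material.

```shell
#!/bin/sh
# Added example (not the original page's code): build and sanity-check the PEM
# bundle referenced by HAProxy's "crt" directive.

# build_pem_bundle CERT CHAIN KEY OUT
# Order matters: HAProxy reads the leaf certificate first, then the chain, then the key.
build_pem_bundle() {
    # umask 077 makes the bundle unreadable to other users from the moment it is created.
    ( umask 077 && cat "$1" "$2" "$3" > "$4" ) || return 1
    chmod 600 "$4"
}

# pem_block_order FILE
# Print the PEM block types found in FILE, in order, space separated,
# e.g. "CERTIFICATE CERTIFICATE PRIVATE KEY".
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# check_pem_bundle FILE
# Succeed only when the bundle starts with a certificate and ends with a private key,
# which is what "cat certificate.crt intermediates.crt private.key" produces.
check_pem_bundle() {
    case "$(pem_block_order "$1")" in
        CERTIFICATE*"PRIVATE KEY") return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with constructed placeholder files (no real certificates or keys):
# write three PEM-shaped files, bundle them and print the resulting block order.
demo_bundle() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' > "$dir/certificate.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' > "$dir/intermediates.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$dir/private.key"
    build_pem_bundle "$dir/certificate.crt" "$dir/intermediates.crt" "$dir/private.key" "$dir/cloud.pem" || return 1
    check_pem_bundle "$dir/cloud.pem" || { echo "unexpected block order"; rm -rf "$dir"; return 1; }
    pem_block_order "$dir/cloud.pem"
    rm -rf "$dir"
}

# Demo of the failure case: a bundle with the key first is rejected.
demo_wrong_order() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'X' '-----END PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'X' '-----END CERTIFICATE-----' > "$dir/wrong.pem"
    if check_pem_bundle "$dir/wrong.pem"; then rm -rf "$dir"; return 1; fi
    rm -rf "$dir"
    return 0
}

demo_bundle
```

On a real host, run build_pem_bundle against the actual certificate.crt, intermediates.crt and private.key, then validate the whole configuration with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading.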

Configuring the web servers to log public IP addresses behind a load balancer


Enable mod_remoteip on all the web server nodes.

sudo a2enmod remoteip


Activate the configuration by restarting Apache2.

sudo service apache2 restart


Edit the Apache configuration located at /etc/apache2/apache2.conf for Ubuntu as follows:

sudo vim /etc/apache2/apache2.conf


Add this line to the configuration file.

RemoteIPHeader X-Forwarded-For


Find the matching section that begins with LogFormat. Change this line:

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined


To this (replace %h with %a, so the log records the client address determined by mod_remoteip instead of the connecting peer):

LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined


To apply the changes, save the configuration file and then restart Apache2 on your Ubuntu instance.

sudo systemctl restart apache2.service
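The script below is an added example, not part of the original page. Apache's mod_remoteip decides which address %a records by walking X-Forwarded-For from right to left and only trusting the header while the current hop is a configured proxy; with RemoteIPHeader alone and no proxy list, every peer is trusted. The script goes beyond the page by adding RemoteIPInternalProxy for the HAProxy address, so that only requests arriving through the balancer can supply a client address, and it models the documented selection rule on constructed inputs so the two configurations can be compared. The conf-available path is an assumption; the page edits apache2.conf directly.

```shell
#!/bin/sh
# Added example (not the original page's code): mod_remoteip configuration for the
# web nodes, plus a small model of how mod_remoteip picks the client address.

# remoteip_conf PROXY_IP
# Print the directives for the web nodes. Assumed location: /etc/apache2/conf-available/remoteip.conf
# (enable with "a2enconf remoteip"); the page puts RemoteIPHeader in apache2.conf instead.
remoteip_conf() {
    printf '%s\n' \
        "RemoteIPHeader X-Forwarded-For" \
        "RemoteIPInternalProxy $1"
}

# effective_client_ip PEER XFF TRUSTED_PROXIES
# PEER is the TCP peer address Apache sees (%h), XFF is the X-Forwarded-For header
# value (may be empty) and TRUSTED_PROXIES is a space-separated list of
# RemoteIPInternalProxy/RemoteIPTrustedProxy addresses. An empty list reproduces
# the page's configuration, where mod_remoteip trusts the header from any peer.
# Prints the address mod_remoteip would record as %a.
effective_client_ip() {
    printf '%s\n' "$2" | awk -v peer="$1" -v list="$3" '
    function trusted(ip) { return list == "" || index(" " list " ", " " ip " ") > 0 }
    {
        n = split($0, xff, /[ ,]+/)
        client = peer
        # Walk the header from right to left while the current hop is a trusted proxy;
        # the first untrusted address becomes the client.
        for (i = n; i >= 1; i--) {
            if (!trusted(client) || xff[i] == "") break
            client = xff[i]
        }
        print client
    }'
}

# Demo on constructed addresses (192.168.101.160 is the HAProxy node from this page,
# 203.0.113.7 and 10.0.0.1 are made-up client and forged addresses).
demo_remoteip() {
    lb=192.168.101.160
    echo "--- directives for the web nodes"
    remoteip_conf "$lb"
    echo "--- request via HAProxy, proxy list set:     $(effective_client_ip "$lb" 203.0.113.7 "$lb")"
    echo "--- direct request with forged header, list: $(effective_client_ip 203.0.113.7 10.0.0.1 "$lb")"
    echo "--- direct request with forged header, none: $(effective_client_ip 203.0.113.7 10.0.0.1 "")"
}

demo_remoteip
```

The third demo line is the one to watch: with RemoteIPHeader alone, a client that reaches a web node directly (bypassing 192.168.101.160) can choose what appears in the access log, whereas with RemoteIPInternalProxy set the node records the real peer address. The web nodes should also only accept connections from the balancer at the network level; the directive is a second layer, not a substitute.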

Verify that the client IP is being logged by running this command on your Ubuntu instance while making a request from another instance: