Configuring HAProxy as a Load Balancer

Installation

HAProxy IP - 192.168.101.160

webserver node1 - 192.168.101.161

webserver node2 - 192.168.101.162


HAProxy is included in the package management systems of most Linux distributions. Use the commands below to install HAProxy on RHEL 9.2.

yum update -y 
yum install haproxy -y

Below is the HAProxy config file (/etc/haproxy/haproxy.cfg) that we used in this setup:

global
  log 127.0.0.1 local2
  chroot /var/lib/haproxy 
  pidfile /var/run/haproxy.pid 
  maxconn 4000 
  user haproxy 
  group haproxy 
  daemon 
  stats socket /var/lib/haproxy/stats 
  ssl-default-bind-ciphers PROFILE=SYSTEM 
  ssl-default-server-ciphers PROFILE=SYSTEM 


defaults 
  mode http 
  log global 
  option httplog 
  option dontlognull 
  option http-server-close 
  option forwardfor except 127.0.0.0/8 
  option redispatch 
  retries 3 
  timeout http-request 10s 
  timeout queue 1m 
  timeout connect 10s 
  timeout client 1m
  timeout server 1m 
  timeout http-keep-alive 10s 
  timeout check 10s 
  maxconn 3000 


frontend filecloud-http 
  bind 192.168.101.164:80 
  redirect scheme https if !{ ssl_fc } 
  default_backend webservers 


frontend filecloud-https 
  bind 192.168.101.164:443 ssl crt /etc/ssl/private/cloud3.pem 
  option http-server-close
  option forwardfor
  # stats uri enables the statistics page on this frontend; no stats auth is set here
  stats uri /haproxy?stats
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  default_backend webservers


frontend stats 
  bind 192.168.101.164:32700 ssl crt /etc/ssl/private/cloud3.pem 
  stats enable 
  stats uri / 
  stats hide-version 
  stats auth filecloud:password!@ 


backend webservers 
  balance roundrobin 
  mode http 
  stats enable 
  server webserver01 192.168.101.161:80 check 
  server webserver02 192.168.101.162:80 check

The configuration above is set up for use with an SSL certificate installed.

Combine the SSL certificate, the intermediate certificates and the private key into a single PEM file, and specify its path as in the sample haproxy.cfg above:

cat certificate.crt intermediates.crt private.key > cloud3.pem

Configuring webserver to log public IP addresses behind a load balancer

The mod_remoteip module is already enabled by default in RHEL.

  1. Edit the Apache configuration located at /etc/httpd/conf/httpd.conf for RHEL as follows:

    vi /etc/httpd/conf/httpd.conf
  2. Add this line to the configuration file.

    RemoteIPHeader X-Forwarded-For
  3. Find the matching section that begins with LogFormat. Change this line:

    LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

    to this (replace %h with %a in the configuration file):

    LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined


  4. To apply the changes, save the configuration file, and then restart Apache on your RHEL instance.

    systemctl restart httpd  
  5. Verify that the client IP is getting logged using this command on your RHEL instance and make a request from another instance.
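
One way to audit the access log after step 5, as an added example that is not part of the original page: it parses lines in the `%a ... combined` format shown above and separates real client addresses from requests still attributed to the load balancer. The function name, the sample log lines and the choice to treat both 192.168.101.160 and 192.168.101.164 as load balancer addresses are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Both addresses the page gives for the load balancer; which one HAProxy uses
# as its source address towards the web servers is an assumption here.
LB_ADDRS = {ipaddress.ip_address(a) for a in ("192.168.101.160", "192.168.101.164")}

# The page's "combined" LogFormat with %a first. Quoted fields may contain
# backslash-escaped quotes, which Apache writes as \" inside the field.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + '$'
)


def audit_access_log(lines, lb_addrs=LB_ADDRS):
    """Return (client Counter, requests still logged as the LB, unparsed lines)."""
    clients, lb_hits, unparsed = Counter(), [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            addr = None
        if addr is None:
            unparsed.append(line)          # wrong format or not an IP address
        elif addr in lb_addrs:
            lb_hits.append(m.group(2))     # RemoteIPHeader did not take effect
        else:
            clients[str(addr)] += 1
    return clients, lb_hits, unparsed


# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    r'203.0.113.25 - - [12/Mar/2024:10:15:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.0"',
    r'203.0.113.25 - - [12/Mar/2024:10:15:03 +0000] "GET /a?q=\"x\" HTTP/1.1" 404 196 "-" "curl/8.0"',
    r'192.168.101.160 - - [12/Mar/2024:10:15:09 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    r'2001:db8::7 - - [12/Mar/2024:10:15:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    r'truncated line without the expected fields',
]

if __name__ == "__main__":
    print(audit_access_log(SAMPLE_LOG))
```

Any entry in the second returned list means a request was logged with the load balancer's address instead of the client's, so mod_remoteip was not applied to it. To audit a real server, pass an open log file to `audit_access_log`.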