Configuring HAProxy as a Load Balancer
Installation
HAProxy is included in the package management systems of most Linux distributions. Use the command below to install HAProxy on Ubuntu 16.04 LTS:
sudo apt-get install haproxy
Below is the HAProxy configuration file (located at /etc/haproxy/haproxy.cfg) that we used in this setup:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    tune.ssl.default-dh-param 2048

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

listen filecloud-http
    bind 192.168.101.160:80
    mode http
    redirect scheme https if !{ ssl_fc }

listen filecloud
    bind 192.168.101.160:443 ssl crt /etc/ssl/private/cloud.pem
    mode http
    balance roundrobin
    option http-server-close
    timeout http-keep-alive 3000
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    reqadd X-Forwarded-Proto:\ https
    server node1 192.168.101.161:80 check
    server node2 192.168.101.162:80 check

listen stats
    bind 192.168.101.160:32700 ssl crt /etc/ssl/private/cloud.pem
    stats enable
    stats uri /
    stats hide-version
    stats auth filecloud:password!@
The above configuration is also set up to work with SSL installed.
You will need to combine the SSL certificate, the intermediate certificates and the private key into a single PEM file in the order shown below, and specify its path as in the sample haproxy.cfg above:
cat certificate.crt intermediates.crt private.key > cloud.pem
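The script below is an added example, not part of the original page. It builds the bundle in the same order as the command above and checks the result before HAProxy is pointed at it. The file names are the page's; the function names are invented here, and key_matches_cert assumes openssl is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): build cloud.pem in the page's
# order and sanity-check it. Function names are invented for this sketch.

# Print the label of every PEM block in file order, e.g. "CERTIFICATE".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Succeed only if a certificate comes first and the single private key is last.
check_bundle() {
    local labels n
    # A BEGIN marker in mid-line means two inputs were glued together because
    # the first one did not end with a newline; HAProxy may fail to load it.
    if grep -q '.-----BEGIN ' "$1"; then
        echo "$1: PEM blocks run together (missing newline)" >&2; return 1
    fi
    labels=$(pem_labels "$1")
    n=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY$' || true)
    [ "$n" -eq 1 ] || { echo "$1: expected 1 private key, found $n" >&2; return 1; }
    [ "$(printf '%s\n' "$labels" | head -n 1)" = "CERTIFICATE" ] ||
        { echo "$1: first block is not a certificate" >&2; return 1; }
    printf '%s\n' "$labels" | tail -n 1 | grep -q 'PRIVATE KEY$' ||
        { echo "$1: private key is not the last block" >&2; return 1; }
}

# Concatenate certificate, intermediates and key (the page's order) into $4,
# adding a newline where an input lacks one; the output is owner-only (0600).
build_bundle() {
    local out="$4" f
    (
        umask 077
        rm -f "$out"
        for f in "$1" "$2" "$3"; do
            cat "$f" || exit 1
            [ -z "$(tail -c 1 "$f")" ] || echo
        done > "$out"
    ) && check_bundle "$out"
}

# Succeed if private key $2 belongs to leaf certificate $1 (requires openssl).
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

After sourcing the script, run key_matches_cert certificate.crt private.key and then build_bundle certificate.crt intermediates.crt private.key cloud.pem. Because the bundle contains the private key, it is created readable only by its owner.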
Configuring webserver to log public IP addresses behind a load balancer
Install mod_remoteip on all the webserver nodes.
sudo a2enmod remoteip
Activate the configuration by restarting Apache2.
sudo service apache2 restart
Edit the Apache configuration located at /etc/apache2/apache2.conf for Ubuntu as follows:
sudo vim /etc/apache2/apache2.conf
Add this line to the configuration file.
Find the matching section that begins with LogFormat. Change this line:
To this: (Replace %h with %a in the configuration file)
To apply the changes, save the configuration file and then restart Apache2 on your Ubuntu instance.
sudo systemctl restart apache2.service
Verify that the client IP is getting logged using this command on your Ubuntu instance and make a request from another instance: