How to Set Up HAProxy

HAProxy is a reliable, high-performance TCP/HTTP load balancer, and it works well in front of a Helix TeamHub HA setup.

Preparation

Make sure the SSH host keys in /etc/ssh are synchronized across all cluster nodes (see the Synchronizing SSH host keys section). The TCP frontend below hands SSH connections to the nodes round-robin, so a client that has cached one node's key in known_hosts will be refused when it lands on a node with a different key and will see a seemingly random "SSH RSA host key has changed" error.
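The check below is an added example, not part of the Helix TeamHub documentation or its tooling: it scans every node's public host keys with ssh-keyscan (no credentials needed) and fails if any node presents a key set different from the first, which is exactly the condition that produces the host-key error above. The node names passed to check_cluster are hypothetical; OpenSSH client tools are assumed to be installed on the machine running it.

```shell
#!/usr/bin/env bash
# Added example (not from the Helix TeamHub docs): verify that all cluster nodes
# behind the HAProxy SSH frontend present identical SSH host keys.

# normalize_keys: read ssh-keyscan output ("host type base64 [comment]", plus
# "# host:port ..." comment lines) from stdin and emit "type base64" sorted, so
# two key sets compare independently of the host name each scan was run against.
normalize_keys() {
  awk '$1 !~ /^#/ && NF >= 3 { print $2, $3 }' | sort
}

# keys_match FILE_A FILE_B: return 0 only when both files hold the same,
# non-empty set of host keys (an empty scan must never count as a match).
keys_match() {
  local a b
  a=$(normalize_keys < "$1")
  b=$(normalize_keys < "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# fingerprint FILE: SHA256 fingerprints of every key in a keyscan file, for the report.
fingerprint() {
  ssh-keygen -l -E sha256 -f "$1" 2>/dev/null
}

# scan_node HOST OUTFILE: fetch HOST's public host keys over the network.
scan_node() {
  ssh-keyscan -T 5 -t rsa,ecdsa,ed25519 "$1" > "$2" 2>/dev/null
}

# check_cluster HOST...: scan every host and compare each against the first.
# Returns 0 only if all key sets match; prints fingerprints for any mismatch.
check_cluster() {
  local first ref node cur rc
  first=$1
  shift
  rc=0
  ref=$(mktemp) || return 2
  scan_node "$first" "$ref"
  for node in "$@"; do
    cur=$(mktemp) || return 2
    scan_node "$node" "$cur"
    if keys_match "$ref" "$cur"; then
      echo "OK   $node matches $first"
    else
      echo "FAIL $node differs from $first"
      fingerprint "$ref" | sed "s/^/  $first: /"
      fingerprint "$cur" | sed "s/^/  $node: /"
      rc=1
    fi
    rm -f "$cur"
  done
  rm -f "$ref"
  return $rc
}

# Usage (hypothetical node names):
#   check_cluster node1.teamhub.internal node2.teamhub.internal
```

Run it from a host that can reach the nodes directly (not through the load balancer, which would hide which node answered); a non-zero exit means the Synchronizing SSH host keys step is still incomplete on at least one node.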

Follow these steps to install and configure HAProxy from source on the load balancer host (RHEL and CentOS are covered here):

RHEL and CentOS

Install HAProxy. HAProxy 1.5 is no longer maintained, so substitute the current stable release and adjust the paths below accordingly; verify the tarball against the .sha256 checksum file published next to it on haproxy.org before building. USE_ZLIB=1 needs zlib-devel in addition to the OpenSSL and PCRE headers:

cd /tmp
yum install wget openssl-devel zlib-devel pcre-devel make gcc
wget http://www.haproxy.org/download/1.5/src/haproxy-1.5.3.tar.gz
tar -zxvf haproxy-1.5.3.tar.gz && cd haproxy-1.5.3
make TARGET=linux2628 CPU=x86_64 USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1
make install

Create the init script:

ln -sf /usr/local/sbin/haproxy /usr/sbin/haproxy
cp /tmp/haproxy-1.5.3/examples/haproxy.init /etc/init.d/haproxy
chmod  755 /etc/init.d/haproxy

Create the configuration directory with a placeholder configuration (it is replaced by the sample configuration below), the runtime directory, and an unprivileged system account with no login shell for the process to drop to:

mkdir /etc/haproxy
cp /tmp/haproxy-1.5.3/examples/examples.cfg /etc/haproxy/haproxy.cfg
mkdir /var/lib/haproxy
touch /var/lib/haproxy/stats
useradd -r -s /sbin/nologin -d /var/lib/haproxy haproxy

Validate the configuration file (check runs haproxy -c against it), then start the service and enable it on boot:

service haproxy check
service haproxy start
chkconfig haproxy on

Sample configuration

Below is an example configuration for Helix TeamHub with two web application nodes. Save it as /etc/haproxy/haproxy.cfg, replacing each __PLACEHOLDER__ with your own value, and run service haproxy check before starting. Three things to verify on the load balancer host: HAProxy binds port 22 for Git over SSH, so the host's own sshd must listen on another port or address; the defaults timeouts (10 seconds idle) also apply to the TCP SSH proxy, so raise timeout client and timeout server in the hth-sshd and hth-scm sections if long pushes or idle sessions get cut; and traffic from HAProxy to the nodes is forwarded as received (plaintext HTTP on port 80 in the web backend), so keep the load balancer and the nodes on a trusted network. Note also that the stats page enabled in hth-web is reachable from the public HTTPS frontend, protected only by HTTP basic authentication.

Use at least a 2048-bit Diffie-Hellman group for the DHE cipher suites. HAProxy 1.5 reads DH parameters from the certificate PEM file: generate them with OpenSSL (openssl dhparam -out dhparams.pem 2048) and append the output to the PEM file that already holds the certificate, any intermediates and the private key (tune.ssl.default-dh-param 2048 in the global section is the equivalent for files without DH parameters). Because that file contains the private key, keep it owned by root with mode 600. The cipher list below matches the Mozilla intermediate profile of that era; it still permits 3DES (DES-CBC3-SHA) and non-forward-secret RSA key exchange, so trim it if your clients do not need them, and add no-tlsv10 no-tlsv11 to the bind line where legacy clients are not a concern. reqadd was removed in HAProxy 2.1; on current releases use http-request set-header X-Forwarded-Proto https instead.

global
    log 127.0.0.1 local0 notice
    maxconn 2000
    user haproxy
    group haproxy
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
    log     global
    option  dontlognull
    retries 3
    timeout connect  5000
    timeout client  10000
    timeout server  10000
# SSH connections to Helix TeamHub
frontend hth-sshd
    bind *:22
    mode tcp
    default_backend hth-scm
# HTTP -> HTTPS redirection
frontend hth-http
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }
# HTTPS connections to Helix TeamHub
frontend hth-https
    bind *:443 ssl crt __PATH_TO_CERTIFICATE_PEM_FILE__ no-sslv3
    mode http
    option http-server-close
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    default_backend hth-web
backend hth-scm
    mode tcp
    option tcplog
    balance roundrobin
    server scm1 __IP_ADDRESS_OF_FIRST_NODE__:22 check
    server scm2 __IP_ADDRESS_OF_SECOND_NODE__:22 check
backend hth-web
    mode http
    option httplog
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth __WEBADMIN_USERNAME__:__WEBADMIN_PASSWORD__
    balance roundrobin
    cookie HTHSTICKY insert indirect nocache
    server web1 __IP_ADDRESS_OF_FIRST_NODE__:80 check cookie web1
    server web2 __IP_ADDRESS_OF_SECOND_NODE__:80 check cookie web2
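As an added example, not from the Helix TeamHub documentation, the same two-node topology with several hardening changes: the process is chrooted, runtime control moves to a root-only admin socket, the DH group is set globally, the cipher list is reduced to forward-secret AEAD suites with SSLv3/TLS 1.0/1.1 disabled, the sticky cookie is marked httponly and secure, the SSH proxy gets idle timeouts long enough for real sessions, the stats page is bound to loopback instead of the public HTTPS frontend, and http-request set-header replaces reqadd. All directives are standard HAProxy (available from 1.5 onward); the certificate path, the stats port and the one-hour SSH timeouts are assumptions to adjust.

```haproxy
global
    log 127.0.0.1 local0 notice
    maxconn 2000
    user haproxy
    group haproxy
    # Confine the process; logging to 127.0.0.1 over UDP keeps working inside the chroot
    chroot /var/lib/haproxy
    # Local admin socket for runtime control instead of a stats page on the public frontend
    stats socket /var/run/haproxy.sock mode 600 level admin
    # 2048-bit DH group for certificates whose PEM file carries no DH parameters
    tune.ssl.default-dh-param 2048
    # Forward-secret AEAD suites only: no 3DES, no static-RSA key exchange, no CBC
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log     global
    option  dontlognull
    retries 3
    timeout connect  5000
    timeout client  10000
    timeout server  10000

# SSH connections to Helix TeamHub; the defaults 10 s idle timeouts would cut
# slow pushes and idle sessions, so override them here (1h is an assumed value)
frontend hth-sshd
    bind *:22
    mode tcp
    option tcplog
    timeout client 1h
    default_backend hth-scm

# HTTP -> HTTPS redirection
frontend hth-http
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

# HTTPS connections to Helix TeamHub (certificate path is an assumption;
# the PEM file holds certificate, chain and private key, mode 600)
frontend hth-https
    bind *:443 ssl crt /etc/haproxy/certs/teamhub.pem
    mode http
    option httplog
    option http-server-close
    option forwardfor
    # set-header replaces reqadd, which HAProxy 2.1 removed
    http-request set-header X-Forwarded-Proto https
    default_backend hth-web

# Statistics on the loopback interface only; reach it over an SSH port forward
listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /
    stats refresh 10s

backend hth-scm
    mode tcp
    balance roundrobin
    timeout server 1h
    server scm1 __IP_ADDRESS_OF_FIRST_NODE__:22 check
    server scm2 __IP_ADDRESS_OF_SECOND_NODE__:22 check

backend hth-web
    mode http
    balance roundrobin
    # Sticky cookie is never sent over plain HTTP or exposed to page scripts
    cookie HTHSTICKY insert indirect nocache httponly secure
    server web1 __IP_ADDRESS_OF_FIRST_NODE__:80 check cookie web1
    server web2 __IP_ADDRESS_OF_SECOND_NODE__:80 check cookie web2
```

Validate with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading. The admin socket accepts runtime commands such as draining a node before maintenance (echo "disable server hth-web/web1" | socat stdio /var/run/haproxy.sock), which is why it is restricted to root with mode 600.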
Updated on: 17 November 2017