Setting up HAProxy

HAProxy is a reliable, high-performance TCP/HTTP load balancer that works well in front of a Helix TeamHub High Availability deployment.

Preparation

Make sure the SSH host keys in /etc/ssh are synchronized across all cluster nodes; see Synchronizing SSH Host Keys.

Important

If the host keys in /etc/ssh are not synchronized across all cluster nodes, users will intermittently see SSH "host key has changed" errors (the REMOTE HOST IDENTIFICATION HAS CHANGED warning): the load balancer sends successive connections to different nodes, and each node then presents a different key under the same address. Clients with strict host key checking will refuse to connect.
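To verify that precondition before putting the nodes behind the proxy, the following script (an added example, not part of the Helix TeamHub documentation) compares the host keys each node presents. It reads the output of ssh-keyscan -t rsa,ecdsa,ed25519 node1 node2 ... (the node names are placeholders) and prints one digest per host over its sorted public keys; any host whose digest differs from the others is out of sync. The embedded sample data is constructed, with fake key material.

```shell
#!/bin/sh
# Added example: check that every cluster node presents the same SSH host keys.
# Real input comes from, e.g.:
#   ssh-keyscan -t rsa,ecdsa,ed25519 node1 node2 node3 > /tmp/hostkeys.txt
# Node names below are placeholders, not taken from the TeamHub documentation.

# hostkey_digest FILE HOST: short SHA-256 over HOST's sorted "keytype key" pairs,
# so the order in which ssh-keyscan listed the keys does not matter.
hostkey_digest() {
    awk -v h="$2" '$1 == h { print $2, $3 }' "$1" | sort | sha256sum | cut -c1-16
}

# hostkeys_synced FILE: print "host digest" for every host in FILE.
# Returns 0 when all digests match, 1 when at least one node differs.
hostkeys_synced() {
    file=$1; ref=""; rc=0
    for h in $(awk '{ print $1 }' "$file" | sort -u); do
        d=$(hostkey_digest "$file" "$h")
        printf '%s %s\n' "$h" "$d"
        if [ -z "$ref" ]; then
            ref=$d
        elif [ "$d" != "$ref" ]; then
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data (fake, shortened key material) standing in for
# ssh-keyscan output. node1 and node2 agree; node3 has a different ed25519 key.
SAMPLE_OK='node1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYone
node1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKERSAone
node2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKERSAone
node2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYone'
SAMPLE_BAD="$SAMPLE_OK
node3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKERSAone
node3 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYtwo"

# check_sample ok|bad: run the check on one constructed sample; returns its status.
check_sample() {
    tmp=$(mktemp)
    if [ "$1" = ok ]; then printf '%s\n' "$SAMPLE_OK"; else printf '%s\n' "$SAMPLE_BAD"; fi > "$tmp"
    rc=0; hostkeys_synced "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "${1:-}" = demo ]; then
    check_sample ok  && echo "sample ok: host keys match on every node"
    check_sample bad || echo "sample bad: host key mismatch detected"
fi
```

Run it with demo to see both cases, or call hostkeys_synced on a real ssh-keyscan capture; a non-zero exit means at least one node must be re-synchronized before it is added to the backend.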

RHEL and CentOS

Follow these steps to install and configure HAProxy on a RHEL or CentOS host:

  1. Install HAProxy (download over HTTPS and compare the tarball with the checksum published beside it before building; you are about to compile and run this code as a network-facing service):

    cd /tmp
    yum install wget openssl-devel pcre-devel make gcc
    wget https://www.haproxy.org/download/2.4/src/haproxy-2.4.0.tar.gz
    tar -zxvf haproxy-2.4.0.tar.gz && cd haproxy-2.4.0
    make TARGET=linux-glibc CPU=x86_64 USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1
    make install
    
  2. Create the init script:

    ln -sf /usr/local/sbin/haproxy /usr/sbin/haproxy
    cp /tmp/haproxy-2.4.0/examples/haproxy.init /etc/init.d/haproxy
    chmod 755 /etc/init.d/haproxy
    
  3. Add a placeholder configuration and the service user (replace the placeholder with the sample configuration below before starting the service; the account gets no login shell because HAProxy only switches to it after binding its ports):

    mkdir /etc/haproxy
    cp /tmp/haproxy-2.4.0/examples/option-http_proxy.cfg /etc/haproxy/haproxy.cfg
    mkdir /var/lib/haproxy
    touch /var/lib/haproxy/stats
    useradd -r -s /sbin/nologin -d /var/lib/haproxy haproxy
    
  4. Validate the configuration file, then start the service and enable it on boot (check must pass before start, otherwise a bad file takes the proxy down):

    service haproxy check
    service haproxy start
    chkconfig haproxy on
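The same procedure as one script, written here as an added example rather than taken from the TeamHub documentation: it fetches the tarball over HTTPS, verifies it against the .sha256 file that haproxy.org publishes beside each release (that URL layout is an assumption), creates haproxy as a system account without a login shell, and refuses to start the service until haproxy -c accepts the configuration. CPU= is left at the Makefile default. Run it as root with install as the argument; without the argument it only defines its functions.

```shell
#!/bin/sh
# Added example, not from the Helix TeamHub documentation or the HAProxy project.
# Build HAProxy 2.4.0 from source on RHEL/CentOS with a verified download and a
# locked-down service account.  Usage (as root): sh install-haproxy.sh install
set -eu

VERSION=2.4.0
BASE_URL="https://www.haproxy.org/download/2.4/src"   # assumed: the .sha256 sits beside the tarball
TARBALL="haproxy-$VERSION.tar.gz"

# verify_sha256 FILE SUMFILE: succeed only if FILE's SHA-256 equals the first digest in
# SUMFILE (sha256sum format, "<hex>  <name>"). An empty SUMFILE or a mismatch fails.
verify_sha256() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

install_haproxy() {
    yum install -y wget openssl-devel pcre-devel zlib-devel make gcc
    cd /tmp
    wget -q "$BASE_URL/$TARBALL" "$BASE_URL/$TARBALL.sha256"
    # A digest fetched from the same site only catches corruption or a tampered mirror;
    # once you have checked the value out of band, pin it in this script instead.
    verify_sha256 "$TARBALL" "$TARBALL.sha256" || { echo "checksum mismatch: $TARBALL" >&2; exit 1; }
    tar -zxf "$TARBALL"
    cd "haproxy-$VERSION"
    make TARGET=linux-glibc USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1
    make install
    ln -sf /usr/local/sbin/haproxy /usr/sbin/haproxy
    cp examples/haproxy.init /etc/init.d/haproxy
    chmod 755 /etc/init.d/haproxy

    # System account with no shell and no password; HAProxy drops to it after binding its ports.
    id haproxy >/dev/null 2>&1 || useradd -r -s /sbin/nologin -d /var/lib/haproxy haproxy
    mkdir -p /etc/haproxy /var/lib/haproxy

    # Never start on an unparsed configuration: a bad file would take the whole VIP down.
    if [ ! -f /etc/haproxy/haproxy.cfg ]; then
        echo "write /etc/haproxy/haproxy.cfg (see the sample configuration) and rerun" >&2
        exit 1
    fi
    haproxy -c -f /etc/haproxy/haproxy.cfg
    service haproxy start
    chkconfig haproxy on
}

case "${1:-}" in
    install) install_haproxy ;;
    *) echo "usage: $0 install   (run as root)" ;;
esac
```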
    

Sample configuration

This sample configuration file can be used for a TeamHub system with two web application servers. Replace the __PLACEHOLDER__ values in the sample configuration file with values appropriate for your system. The proxy binds port 22 for Git over SSH, so the proxy host's own sshd must not listen on port 22 on the same address; move it to another port or bind it to a management address before starting HAProxy.

We recommend you use, at minimum, a 2048-bit Diffie-Hellman group. Generate a DH parameter file with OpenSSL (openssl dhparam -out dhparams.pem 2048) and append it to your certificate file. The file referenced by crt must contain the server certificate, any intermediate certificates, the private key and the DH parameters in one PEM bundle; because it holds the private key, keep it owned by root with mode 600 (HAProxy reads it at startup, before dropping to the haproxy user).

global
    log 127.0.0.1 local0 notice
    maxconn 2000
    user haproxy
    group haproxy
    # TLS 1.2 cipher list: forward-secret AEAD suites first; RC4, NULL, export, 3DES and MD5 suites excluded
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
defaults
    log     global
    option  dontlognull
    retries 3
    # inactivity timeouts in milliseconds; long-running Git operations over SSH may need larger client/server values
    timeout connect  5000
    timeout client  10000
    timeout server  10000
# SSH connections to Helix TeamHub
frontend hth-sshd
    bind *:22
    mode tcp
    default_backend hth-scm
# HTTP -> HTTPS redirection
frontend hth-http
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }
# HTTPS connections to Helix TeamHub (TLS 1.2 and later only; no-sslv3 alone would still allow TLS 1.0/1.1)
frontend hth-https
    bind *:443 ssl crt __PATH_TO_CERTIFICATE_PEM_FILE__ ssl-min-ver TLSv1.2
    mode http
    option http-server-close
    option forwardfor
    # set-header overwrites any X-Forwarded-Proto a client sends; add-header would append to it
    http-request set-header X-Forwarded-Proto https
    http-response replace-header Set-Cookie (.*) \1;\ Secure
    default_backend hth-web
# LDAP connections to Helix TeamHub
frontend ldaps-in
    bind *:636 ssl crt __PATH_TO_CERTIFICATE_PEM_FILE__ ssl-min-ver TLSv1.2
    maxconn 10000
    default_backend hth-ldap
# Plain LDAP on 389 is passed through in cleartext, bind credentials included;
# remove this frontend if all clients can use LDAPS on 636.
frontend ldap-in
    bind *:389
    maxconn 10000
    default_backend hth-ldap
backend hth-ldap
    mode tcp
    balance leastconn
    server web1 __IP_ADDRESS_OF_FIRST_NODE__:389 check
    server web2 __IP_ADDRESS_OF_SECOND_NODE__:389 check
backend hth-scm
    mode tcp
    option tcplog
    balance roundrobin
    server scm1 __IP_ADDRESS_OF_FIRST_NODE__:22 check
    server scm2 __IP_ADDRESS_OF_SECOND_NODE__:22 check
backend hth-web
    mode http
    option httplog
    # The stats page is served from the user-facing backend, guarded only by basic auth
    # (sent over TLS, since only the HTTPS frontend reaches this backend). Prefer a separate
    # listen section bound to a management address, or restrict it with a source-address ACL.
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth __WEBADMIN_USERNAME__:__WEBADMIN_PASSWORD__
    balance roundrobin
    cookie HTHSTICKY insert indirect nocache
    server web1 __IP_ADDRESS_OF_FIRST_NODE__:80 check cookie web1
    server web2 __IP_ADDRESS_OF_SECOND_NODE__:80 check cookie web2
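As an added example (not from the TeamHub documentation or the HAProxy project), the script below carries a small audit that flags the weak settings a reviewer would look for in a configuration like the sample above, and shows the corrected form of the same parts: TLS listeners with no minimum protocol version, an RC4 entry in the cipher list, add-header for X-Forwarded-Proto (a client-supplied copy would reach the backend; set-header overwrites it), cleartext LDAP on 389, a global section without chroot, and the stats page served from a user-facing section. The corrected excerpt goes slightly beyond the page's configuration with a dedicated stats listener on a loopback address and an HSTS header. Addresses (192.0.2.x), paths and the stats password are placeholders; both excerpts are constructed and incomplete on purpose.

```shell
#!/bin/sh
# Added example, not from the Helix TeamHub documentation or the HAProxy project.
# Flags weak settings in an HAProxy configuration and shows the corrected form.

# count AWK_PATTERN FILE: number of matching lines (always succeeds, so it is set -e safe).
count() { awk "$1" "$2" | wc -l | tr -d ' '; }

# audit_haproxy_cfg FILE: print one "FINDING:" line per weak setting; return the count (0 = clean).
audit_haproxy_cfg() {
    cfg=$1; n=0
    note() { echo "FINDING: $1"; n=$((n + 1)); }
    # 1. TLS listeners with no protocol floor: "no-sslv3" alone still accepts TLS 1.0/1.1,
    #    unless the global ssl-default-bind-options already sets ssl-min-ver.
    if [ "$(count '/ssl-default-bind-options/ && /ssl-min-ver/' "$cfg")" = 0 ]; then
        [ "$(count '/^[[:space:]]*bind / && / ssl / && !/ssl-min-ver/' "$cfg")" = 0 ] \
            || note "bind ... ssl without ssl-min-ver TLSv1.2"
    fi
    # 2. An entry that enables RC4; a later !RC4 only makes it dead weight.
    [ "$(count '/ssl-default-bind-ciphers/ && /[+]RC4/' "$cfg")" = 0 ] \
        || note "RC4 entry in ssl-default-bind-ciphers"
    # 3. add-header appends, so a client-supplied X-Forwarded-Proto reaches the backend.
    [ "$(count '/http-request add-header X-Forwarded-Proto/' "$cfg")" = 0 ] \
        || note "X-Forwarded-Proto set with add-header instead of set-header"
    # 4. Cleartext LDAP: bind credentials pass unencrypted.
    [ "$(count '/^[[:space:]]*bind .*:389/ && !/ ssl /' "$cfg")" = 0 ] \
        || note "cleartext LDAP listener on :389"
    # 5. No chroot in the global section.
    [ "$(count '/^[[:space:]]*chroot /' "$cfg")" != 0 ] \
        || note "global section has no chroot"
    # 6. stats enabled in a section that serves users instead of a dedicated listen section.
    [ "$(count '/^(frontend|backend|listen|global|defaults)/ { s = $1 } /^[[:space:]]*stats enable/ && s != "listen"' "$cfg")" = 0 ] \
        || note "stats page served from a user-facing section"
    return $n
}

# Constructed excerpt reproducing the weak settings (192.0.2.0/24 is a documentation range).
WEAK_CFG='global
    maxconn 2000
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+aRSA+RC4:HIGH:!RC4:!aNULL
frontend hth-https
    bind *:443 ssl crt /etc/haproxy/hth.pem no-sslv3
    mode http
    http-request add-header X-Forwarded-Proto https
    default_backend hth-web
frontend ldap-in
    bind *:389
    default_backend hth-ldap
backend hth-web
    mode http
    stats enable
    stats uri /haproxy?stats
    server web1 192.0.2.11:80 check'

# The same parts, corrected. The stats password is a placeholder to change.
HARDENED_CFG='global
    maxconn 2000
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    ssl-default-bind-options ssl-min-ver TLSv1.2
frontend hth-https
    bind *:443 ssl crt /etc/haproxy/hth.pem
    mode http
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security max-age=31536000
    default_backend hth-web
frontend ldaps-in
    bind *:636 ssl crt /etc/haproxy/hth.pem
    mode tcp
    default_backend hth-ldap
listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /
    stats auth admin:change-me
backend hth-web
    mode http
    server web1 192.0.2.11:80 check'

# audit_sample weak|hardened: write the excerpt to a temp file, audit it, return the finding count.
audit_sample() {
    tmp=$(mktemp)
    if [ "$1" = weak ]; then printf '%s\n' "$WEAK_CFG"; else printf '%s\n' "$HARDENED_CFG"; fi > "$tmp"
    rc=0; audit_haproxy_cfg "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

if [ "${1:-}" = demo ]; then
    echo "== weak =="; audit_sample weak || echo "$? finding(s)"
    echo "== hardened =="; audit_sample hardened && echo "clean"
fi
```

Point audit_haproxy_cfg at /etc/haproxy/haproxy.cfg before each service haproxy check; the weak excerpt yields six findings and the corrected one none. The audit is a pattern check, not a parser, so a clean result still needs haproxy -c to confirm the file loads.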