Skip to main content

HaProxy

haproxy.cfg

 

global
        log /dev/log local0
        log /dev/log local1 notice
        chroot  /var/lib/haproxy
        user    haproxy
        group   haproxy
        maxconn 10000
        daemon
        tune.ssl.default-dh-param 2048
        ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

defaults
        log global
        maxconn 10000
        mode http
        option dontlognull
        option httpclose
        option httpchk
        option redispatch
        retries 3
        timeout check 10000
        timeout client 150000
        timeout connect 4000
        timeout server 30000

frontend www
        bind public_IP:80
        option forwardfor
        default_backend web

frontend www_ssl
        bind pubic_IP:80 # You can replace the * with the public IP
        bind public_IP:443 ssl crt /etc/haproxy/ssl/wildcard.domain.pem no-sslv3
        reqadd X-Forwarded-Proto:\ https
        redirect scheme https code 301 if !{ ssl_fc }
        option forwardfor
        default_backend web

 frontend frontend666
        bind public_IP:666
        mode tcp
        default_backend backend_666

backend web
        mode http
        option forwardfor
        http-request add-header X-CLIENT-IP %[src]
        balance roundrobin
        server web1 192.168.1.100:8080
        server web2 192.168.1.101:8080

 backend backend_666
        server web1 192.168.1.100:666
        server web2 192.168.1.101:666

The  LB will be listen on public_IP:80 named "www" - and will send the traffic to the backend named "web".

Enable xforward on httpd.conf

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " combine
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined-forwarded

SSL Offloading

SSL pem file need to be in the folowing format: (.crt - .key - ca bundle).

reqadd X-Forwarded-Proto:\ https: Adds a HTTP header to the request, indicating to the back-end
application that the original request was over TLS, even though the proxy is connecting to the servers over
plain TCP on port 80.

For SNI-enabled frontends, simply add multiple crt entries, for example:
bind PUBLIC_IP:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem no-sslv3 
--
Test config file:
haproxy -c -V -f /etc/haproxy/haproxy.cfg