HAProxy
/etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
maxconn 10000
daemon
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
log global
maxconn 10000
mode http
option dontlognull
option httpclose
option httpchk
option redispatch
retries 3
timeout check 10000
timeout client 150000
timeout connect 4000
timeout server 30000
frontend www
bind public_IP:80
option forwardfor   # appends the client address to any X-Forwarded-For the client itself sent; backends must trust only the last entry
default_backend web
frontend www_ssl
bind public_IP:80   # frontend www above also binds public_IP:80; keep that port in one frontend only (the redirect below needs the plain-HTTP listener)
bind public_IP:443 ssl crt /etc/haproxy/ssl/wildcard.domain.pem no-sslv3
reqadd X-Forwarded-Proto:\ https   # reqadd was removed in HAProxy 2.1; the equivalent is: http-request add-header X-Forwarded-Proto https
redirect scheme https code 301 if !{ ssl_fc }
option forwardfor
default_backend web
frontend frontend666
bind public_IP:666
mode tcp
default_backend backend_666
backend web
mode http
option forwardfor
http-request add-header X-CLIENT-IP %[src]   # add-header appends; use set-header so a client-supplied X-CLIENT-IP is replaced rather than kept alongside ours
balance roundrobin
server web1 10.1.2.100:8080
server web2 10.1.2.101:8080
backend backend_666
cookie ASP.NET_SessionId insert indirect nocache
server web1 10.1.2.100:80 weight 1 check cookie srv1 inter 1000 rise 5 fall 1
server web2 10.1.2.101:80 weight 1 check cookie srv2 inter 1000 rise 5 fall 1
The LB listens on public_IP:80 in the frontend named "www" and sends the traffic to the backend named "web".
Log the forwarded client address on the web servers by adding one of these LogFormat lines to httpd.conf (Apache):
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined-forwarded
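With option forwardfor the web server receives X-Forwarded-For as HAProxy left it: the real client address appended after whatever the client itself sent, so a log consumer has to decide which entry to believe. The following is an added example, not HAProxy or httpd code: it parses lines in the combined-forwarded format above and attributes each request to a client, trusting only the entry appended by the LB. The LB address 10.1.2.1 and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Field order of the LogFormat above: XFF %h %l %u [%t] "%r" %>s %b "Referer" "User-Agent".
# XFF is logged verbatim, so a multi-hop value "a, b" contains a space; the non-greedy
# group plus the three tokens before "[" pin down where that field ends.
LOG_RE = re.compile(
    r'^(?P<xff>.+?) (?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Constructed assumption: the HAProxy host's address on the backend network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.2.1/32")]

def _is_trusted(addr: str) -> bool:
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:  # "-", a hostname or garbage: never a trusted proxy
        return False

def client_ip(xff: str, remote_addr: str) -> str:
    """%h is the TCP peer httpd saw; XFF counts only if that peer is our proxy,
    and is walked from the right, since HAProxy (option forwardfor) appended the
    real client last and anything left of it came from the client or earlier hops."""
    if xff == "-" or not _is_trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:  # malformed hop: attribute to the peer instead
                return remote_addr
    return remote_addr  # every hop was one of our own proxies

def parse_line(line: str) -> dict:
    """Split one log line into its fields and add the attributed 'client'."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("line does not match combined-forwarded: " + line)
    fields = m.groupdict()
    fields["client"] = client_ip(fields["xff"], fields["host"])
    return fields

# Constructed samples: a direct hit bypassing the LB, a clean proxied request, and one where the client sent its own XFF value ahead of the entry HAProxy added.
SAMPLE_LOG = [
    '- 10.1.2.50 - - [10/Oct/2023:13:55:36 +0000] "GET /b HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.7 10.1.2.1 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9, 203.0.113.7 10.1.2.1 - - [10/Oct/2023:13:55:38 +0000] "GET /a HTTP/1.1" 200 12 "-" "x"',
]
```

For the third sample line parse_line(...)["client"] returns "203.0.113.7", the address HAProxy appended, not the client-supplied 198.51.100.9.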
SSL Offloading
The PEM file referenced by crt must contain, concatenated in this order: the certificate (.crt), the private key (.key) and the CA bundle.
reqadd X-Forwarded-Proto:\ https: adds an HTTP header to the request telling the back-end
application that the original request arrived over TLS, even though the proxy connects to the servers over
plain TCP on port 80.
For SNI-enabled frontends, simply add multiple crt entries, for example:
bind PUBLIC_IP:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem no-sslv3
Cookie
It is also possible to use the session cookie provided by the backend server.
Edit the backend section of /etc/haproxy/haproxy.cfg:
backend bk_apache
balance roundrobin
mode http
cookie PHPSESSID prefix indirect nocache
server apache1 10.1.2.100:80 check cookie srv1
server apache2 10.1.2.101:80 check cookie srv2
In this example HAProxy intercepts the PHP session cookie and inserts or removes the reference to the backend server.
The prefix keyword reuses the application's own cookie: HAProxy prefixes the cookie value with the server identifier in the response,
and strips that prefix again from the following requests before they reach the server.
Default session cookie names by backend application type:
Java : JSESSIONID
ASP.Net : ASP.NET_SessionId
ASP : ASPSESSIONID
PHP : PHPSESSID
httpchk
backend https_relay
mode tcp
option httpchk HEAD * HTTP/1.1\r\nHost:\ domain.com   # HAProxy 2.2+ deprecates the escaped-header form in favour of: option httpchk HEAD * HTTP/1.1 / http-check send hdr Host domain.com
server apache1 192.168.1.1:443 check port 80
--
Test config file:
haproxy -c -V -f /etc/haproxy/haproxy.cfg
Doc
https://cbonte.github.io/haproxy-dconv/