
HAProxy

/etc/haproxy/haproxy.cfg

global
        log /dev/log local0
        log /dev/log local1 notice
        chroot  /var/lib/haproxy
        user    haproxy
        group   haproxy
        maxconn 10000
        daemon
        tune.ssl.default-dh-param 2048
        # Caveat: this list still allows non-PFS RSA key exchange (AES128-SHA,
        # AES256-GCM-SHA384, ...), CAMELLIA and 3DES (DES-CBC3-SHA). Keep only the
        # ECDHE/DHE AES-GCM suites unless legacy clients really need the rest.
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

defaults
        log global
        maxconn 10000
        mode http
        option dontlognull
        option httpclose
        option httpchk
        option redispatch
        retries 3
        timeout check 10000
        timeout client 150000
        timeout connect 4000
        timeout server 30000


frontend www
        bind public_IP:80
        option forwardfor
        default_backend web

frontend www_ssl
        # TLS-offloading alternative to frontend "www": it binds :80 as well so
        # that plain-HTTP requests can be redirected to https. Two frontends must
        # not bind the same public_IP:80, so keep either "www" or this :80 line.
        bind public_IP:80
        bind public_IP:443 ssl crt /etc/haproxy/ssl/wildcard.domain.pem no-sslv3
        redirect scheme https code 301 if !{ ssl_fc }
        # Older configs used "reqadd X-Forwarded-Proto:\ https"; reqadd was removed
        # in HAProxy 2.1. set-header also overwrites any value the client sent.
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
        option forwardfor
        default_backend web

frontend frontend666
        bind public_IP:666
        mode tcp
        default_backend backend_666

backend web
        mode http
        option forwardfor
        # set-header, not add-header: a client-supplied X-CLIENT-IP must be
        # replaced by the real source address, not kept alongside it
        http-request set-header X-CLIENT-IP %[src]
        balance roundrobin
        server web1 10.1.2.100:8080
        server web2 10.1.2.101:8080

backend backend_666
        # plain TCP pass-through used by frontend666 (mode tcp, no cookie handling)
        mode tcp
        server web1 10.1.2.100:8080 check
        server web2 10.1.2.101:8080 check

backend web_sticky
        # HTTP alternative to "web" with session persistence on the application's
        # ASP.NET session cookie (backend name chosen here; the original page
        # defined "backend_666" twice). Use prefix rather than insert: insert would
        # replace the application's cookie value with HAProxy's server id, while
        # prefix prepends "srvN~" and strips it again before the request reaches
        # the server.
        mode http
        cookie  ASP.NET_SessionId prefix indirect nocache
        server  web1 10.1.2.100:80 weight 1 check cookie srv1 inter 1000 rise 5 fall 1
        server  web2 10.1.2.101:80 weight 1 check cookie srv2 inter 1000 rise 5 fall 1

The load balancer listens on public_IP:80 in the frontend named "www" and sends the traffic to the backend named "web".

Log the original client address on the Apache side. With HAProxy adding X-Forwarded-For, %h in the Apache log is the HAProxy address, so define a LogFormat in httpd.conf that records the header in front of the usual combined fields, then reference that format name from CustomLog instead of "combined":

LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined-forwarded
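Because option forwardfor appends HAProxy's value after anything the client already sent, the logged X-Forwarded-For can contain attacker-chosen entries; only the rightmost one was written by the load balancer. The following shell/awk helper, added here as an example and not part of the original page, reads lines in the combined-forwarded format above, recovers the address HAProxy vouches for, and counts the client-supplied entries so they can be alerted on. It assumes a single trusted proxy in front of Apache; the log lines are constructed.

```sh
#!/bin/sh
# Added example: recover the trustworthy client IP from Apache log lines
# written with the combined-forwarded LogFormat
#   "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# Assumption: exactly one trusted proxy (HAProxy with "option forwardfor")
# sits in front of Apache. forwardfor APPENDS its value, and Apache merges
# duplicate headers with ", ", so the rightmost entry is HAProxy's.

_xff_awk='
{
    # find the "[dd/Mon/yyyy:HH:MM:SS zone]" field (%t)
    for (i = 1; i <= NF; i++) if ($i ~ /^\[/) break
    if (i > NF || i < 5) { print "-"; next }      # not a combined-forwarded line
    # fields 1 .. i-4 are the X-Forwarded-For value, possibly split on ", "
    xff = $1
    for (j = 2; j <= i - 4; j++) xff = xff " " $j
    peer = $(i - 3)                               # %h: the host that connected to Apache
    n = (xff == "-") ? 0 : split(xff, hop, /[ \t]*,[ \t]*/)
    if (mode == "ip")  out = (n == 0) ? peer : hop[n]  # rightmost entry was added by HAProxy
    else               out = (n == 0) ? 0 : n - 1      # everything left of it came from the client
    print out
}'

# trusted_client_ip LOGLINE
# Prints the client address HAProxy recorded. A line without an XFF header
# did not come through the proxy, so %h itself is the client (and a sign the
# backend is reachable directly).
trusted_client_ip()     { printf '%s\n' "$1" | awk -v mode=ip    "$_xff_awk"; }

# untrusted_xff_entries LOGLINE
# Prints how many XFF entries arrived from the client side; with a single
# trusted proxy anything above 0 is a forged header worth alerting on.
untrusted_xff_entries() { printf '%s\n' "$1" | awk -v mode=count "$_xff_awk"; }

# Constructed sample lines (not real traffic):
SAMPLE_DIRECT='203.0.113.7 10.1.2.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"'
SAMPLE_SPOOFED='127.0.0.1, 203.0.113.7 10.1.2.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/8.4.0"'
SAMPLE_BYPASS='- 198.51.100.9 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.4.0"'

for line in "$SAMPLE_DIRECT" "$SAMPLE_SPOOFED" "$SAMPLE_BYPASS"; do
    printf 'client=%s forged_entries=%s\n' \
        "$(trusted_client_ip "$line")" "$(untrusted_xff_entries "$line")"
done
```

Better than parsing around the problem is to stop it at the source: have HAProxy overwrite the header with http-request set-header X-Forwarded-For %[src] instead of relying on option forwardfor, or let Apache's mod_remoteip (RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy for the HAProxy address) rewrite %h so the application and its logs only ever see the vetted value.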

SSL Offloading

The PEM file given to "crt" is a single file holding, in this order, the server certificate (.crt), its private key (.key) and the CA bundle with the intermediate certificates. Because it contains the private key it must not be world-readable; root-owned with mode 0600 is fine, since HAProxy loads it while still running as root, before the chroot and the user/group switch.
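As an added example (not from the original page), the following shell functions build the bundle in the order given above and check it before HAProxy is pointed at it: that the certificate and private key actually belong together (a mismatch makes HAProxy refuse the file), that the certificate is not about to expire, and that the file is readable only by its owner. They rely on the openssl command-line tool; all file names are placeholders supplied by the caller.

```sh
#!/bin/sh
# Added example: assemble and sanity-check a HAProxy PEM bundle
# (certificate, private key, CA bundle) with the openssl CLI.
# All paths are placeholders passed in by the caller.

# build_pem CERT KEY CA_BUNDLE OUT
# Concatenates the three inputs in the order HAProxy expects and creates
# the output with mode 0600 (umask 077 in a subshell): it holds the key.
build_pem() {
    ( umask 077; cat "$1" "$2" "$3" > "$4" )
}

# pem_key_matches BUNDLE
# Succeeds only if the public key inside the first certificate equals the
# public key derived from the private key found in the same file.
pem_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pem_valid_for BUNDLE SECONDS
# Succeeds if the certificate is still valid SECONDS from now
# (openssl -checkend exits 1 when it would expire within that window).
pem_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# pem_mode_is_private BUNDLE
# Succeeds if no group/other permission bits are set on the bundle.
pem_mode_is_private() {
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_bundle BUNDLE [SECONDS]
# Runs all checks (expiry window defaults to 30 days), prints the first
# failure and returns 1, or prints "<bundle>: ok".
check_bundle() {
    window=${2:-2592000}
    pem_key_matches "$1"          || { echo "$1: certificate and private key do not match"; return 1; }
    pem_valid_for "$1" "$window"  || { echo "$1: certificate expires within $window seconds"; return 1; }
    pem_mode_is_private "$1"      || { echo "$1: bundle is readable by group/other"; return 1; }
    echo "$1: ok"
}
```

Run check_bundle against the file named on the bind line before a reload, or from the deployment step that renews certificates; the key-match test is the one that catches the classic mistake of concatenating a freshly generated key with last year's certificate.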

reqadd X-Forwarded-Proto:\ https (on HAProxy 2.1 and later, where reqadd no longer exists: http-request set-header X-Forwarded-Proto https) adds an HTTP header telling the back-end application that the original request arrived over TLS, even though the proxy connects to the servers over plain HTTP on port 80. Prefer set-header over add-header/reqadd, so that a value supplied by the client is replaced rather than kept alongside the proxy's.

For SNI-enabled frontends, add multiple crt entries (crt also accepts a directory of PEM files); the first certificate is the one served to clients that send no SNI. For example:
bind public_IP:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem no-sslv3

It is also possible to persist sessions on the cookie the backend application already sets.
In the backend section of /etc/haproxy/haproxy.cfg:

backend bk_apachewww
        balance roundrobin
        mode http
        cookie PHPSESSID prefix indirect nocache
        server apache1web1 10.1.2.100:80 check cookie srv1
        server apache2web2 10.1.2.101:80 check cookie srv2

In this example HAProxy intercepts the PHP session cookie, adds the backend server reference to it on the way out and removes it again on the way back in.

The prefix keyword reuses an application cookie: in responses HAProxy prepends the server identifier and a tilde to the cookie value (srv1~<original value>), and on the following requests it strips that prefix before the cookie reaches the server, so the application never sees it.

Default session cookie names by application platform:
Java : JSESSIONID
ASP.Net : ASP.NET_SessionId
ASP : ASPSESSIONID
PHP : PHPSESSID

httpchk

backend https_relay
    # TCP relay to the servers' TLS port, health-checked over plain HTTP on
    # port 80 ("check port 80"), so the check exercises the :80 vhost, not the
    # TLS listener being relayed. The asterisk request-target is only valid with
    # OPTIONS, so HEAD needs a path; the Host header matters with name-based
    # vhosts. HAProxy 2.2+ spells this:
    #   http-check send meth HEAD uri / hdr Host domain.com
    mode tcp
    option httpchk HEAD / HTTP/1.1\r\nHost:\ domain.com
    server apache1 192.168.1.1:443 check port 80
--
Validate the configuration before reloading:
haproxy -c -V -f /etc/haproxy/haproxy.cfg

Doc

https://cbonte.github.io/haproxy-dconv/