HaProxy
/etc/haproxy/haproxy.cfg
global
log /dev/log local0 notice
user haproxy
group haproxy
maxconn 10000
daemon
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
log global
maxconn 10000
mode http
option dontlognull
option httpclose
option httpchk
option redispatch
retries 3
timeout check 10000
timeout client 150000
timeout connect 4000
timeout server 30000
frontend www_ssl
bind IP-ADDR:80
bind IP-ADDR:443 ssl crt /etc/haproxy/ssl/wildcard.domain.pem no-sslv3
reqadd X-Forwarded-Proto:\ https
redirect scheme https code 301 if !{ ssl_fc }
option forwardfor
default_backend web
frontend frontend666
bind IP-ADDR:666
mode tcp
default_backend backend_666
backend web
mode http
option forwardfor
http-request add-header X-CLIENT-IP %[src]
balance roundrobin
cookie ASP.NET_SessionId insert indirect nocache
server web1 10.1.2.100:80 weight 1 check cookie srv1 inter 1000 rise 5 fall 1
server web2 10.1.2.101:80 weight 1 check cookie srv2 inter 1000 rise 5 fall 1
backend backend_666
server web1 10.1.2.100:8080
server web2 10.1.2.101:8080The LB will be listen on public_IP:80 named "www" - and will send the traffic to the backend named "web".
Enable xforward on httpd.conf
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\ " combine
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined-forwardedSSL Offloading
SSL pem file need to be in the folowing format: (.crt - .key - ca bundle).
reqadd X-Forwarded-Proto:\ https: Adds a HTTP header to the request, indicating to the back-end
application that the original request was over TLS, even though the proxy is connecting to the servers over
plain TCP on port 80.
For SNI-enabled frontends, simply add multiple crt entries, for example:
bind IP-ADDR:443 ssl crt /etc/haproxy/ssl/firstdomain.pem crt /etc/haproxy/ssl/seconddomain.pem no-sslv3 Cookie
It is also possible to use the session cookie provided by the backend server.
Editing the backend part of /etc.haproxy/haproxy.conf :
backend www
balance roundrobin
mode http
cookie PHPSESSID prefix indirect nocache
server web1 10.1.2.100:80 check cookie srv1
server web2 10.1.2.101:80 check cookie srv2In this example we will intercept the PHP session cookie and add / remove the reference of the backend server.
The prefix keyword allows you to reuse an application cookie and prefix the server identifier,
then delete it in the following queries.
Default name of cookies by type of feeder backend:
Java : JSESSIONID
ASP.Net : ASP.NET_SessionId
ASP : ASPSESSIONID
PHP : PHPSESSID
httpchk
backend https_relay
mode tcp
option httpchk HEAD * HTTP/1.1\r\nHost:\ domain.com
server apache1 192.168.1.1:443 check port 80--
Test config file:
haproxy -c -V -f /etc/haproxy/haproxy.cfgDoc
https://cbonte.github.io/haproxy-dconv/