HAProxy on CentOS 7

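#!/usr/bin/env bash
# Install HAProxy 1.8 from the Software Collections (SCL) repo on CentOS 7,
# open the firewall for http/https, work around the missing /run/haproxy
# directory and the SELinux denial, then back up and open the config.
# Must run as root (every step below writes system state).
# Fixes vs the original paste: the blog rendering turned "--" into en-dashes
# ("–zone=public"), which firewall-cmd rejects; "crontab -e" is interactive
# and the @reboot line below it was not a shell command.
set -euo pipefail

readonly haproxy_cfg=/etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg

# Install HAProxy 1.8 using SCL repo (-y so the script does not stop at a prompt)
yum install -y centos-release-scl
yum install -y rh-haproxy18-haproxy rh-haproxy18-haproxy-syspaths

# Start HAProxy now and on every boot; status fails loudly (set -e) if the
# unit did not come up, e.g. because /run/haproxy is missing (see below).
systemctl enable rh-haproxy18-haproxy
systemctl restart rh-haproxy18-haproxy
systemctl status --no-pager rh-haproxy18-haproxy

# Set firewall. Only 80/443 are opened; 9000 is the Portainer backend that the
# sample config reaches on 127.0.0.1, so it stays closed to the outside.
#firewall-cmd --zone=public --permanent --add-port=9000/tcp
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload

# /run is tmpfs, so /run/haproxy (home of the admin stats socket) is gone after
# a reboot and the unit fails with "cannot bind UNIX socket
# [/run/haproxy/admin.sock]". Recreate it from a @reboot job, appended
# non-interactively and only once so re-running this script stays idempotent.
# A cleaner alternative is a systemd-tmpfiles entry such as
#   d /run/haproxy 0755 root root -
# in /etc/tmpfiles.d/<NAME>.conf, which recreates the directory before any unit starts.
reboot_job='@reboot mkdir -p /run/haproxy && systemctl start rh-haproxy18-haproxy'
if ! crontab -l 2>/dev/null | grep -qxF -- "$reboot_job"; then
  { crontab -l 2>/dev/null || true; printf '%s\n' "$reboot_job"; } | crontab -
fi

# SELinux (enforcing): the 503s come, presumably, from haproxy being denied
# connect() to the non-standard backend ports (8080/8081/8082/9000/3000 in the
# sample config). haproxy_connect_any is the broad fix; a narrower one is to
# label only the ports actually used (semanage port -a -t http_port_t -p tcp <PORT>)
# if the local policy allows haproxy to reach http_port_t — confirm before relying on it.
setsebool -P haproxy_connect_any 1

# Edit config file: keep a backup (-p preserves mode/owner) before editing.
cp -p -- "$haproxy_cfg" "${haproxy_cfg}.bak"
"${EDITOR:-vim}" -- "$haproxy_cfg"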
 
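################################## Sample Config ######################
# HAProxy 1.8 (SCL) config: a plaintext frontend that only redirects to
# HTTPS, a TLS frontend that routes by Host header to loopback backends,
# a password-gated shell backend and a stats listener.
# Fixes vs the original paste: the ssl-default-bind-ciphers line had prose
# mixed into the directive (it would not parse) and RC4 removed as that
# prose asked; curly quotes / en-dashes from the blog rendering replaced
# with ASCII; reqadd replaced by http-request set-header; the blog rule
# used path_dom (tests the URL path, not the Host) and sat after the rule
# that shadowed it; unauthenticated "stats enable" dropped from the public
# backends. Validate with: scl enable rh-haproxy18 'haproxy -c -f <CFG>'.
global
        # NOTE(review): with chroot below, the /dev/log path is resolved inside
        # /var/lib/haproxy once the process has chrooted; if no log lines arrive,
        # provide a socket there (rsyslog imuxsock AddUnixListenSocket) or log to
        # 127.0.0.1:514 instead — confirm on the host.
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        # Runtime API socket. "level admin" allows changing state at runtime
        # (disabling servers, etc.), so keep mode 660 and group membership tight.
        # /run/haproxy must exist before start (see the @reboot cron job).
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
#        ca-base "/etc/certs/dragoncoin.com"
#       crt-base "/etc/certs/dragoncoin.com"

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        # RC4-SHA removed (weak). kRSA suites have no forward secrecy; drop
        # "kRSA+AES" as well unless a legacy client still needs it.
        ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        # Refuse SSLv3 and TLS 1.0/1.1 on every "bind ... ssl" line.
        ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
#       timeout connect 5000
#       timeout client  50000
#       timeout server  50000
#       errorfile 400 /etc/haproxy/errors/400.http
#       errorfile 403 /etc/haproxy/errors/403.http
#       errorfile 408 /etc/haproxy/errors/408.http
#       errorfile 500 /etc/haproxy/errors/500.http
#       errorfile 502 /etc/haproxy/errors/502.http
#       errorfile 503 /etc/haproxy/errors/503.http
#       errorfile 504 /etc/haproxy/errors/504.http
        # X-Forwarded-For for the backends; loopback clients are skipped.
        option forwardfor       except 127.0.0.1/8
        option http-server-close
        # Day-long client/server timeouts let one idle or slow peer hold a
        # connection (and a maxconn slot) for 24h, and 300s for the request
        # headers is generous against slow-header clients; 30 retries with
        # redispatch amplify load on a failing backend. Shorten these unless
        # the sites behind the proxy really need day-long streams.
        timeout client 1d
        timeout server 1d
        option redispatch
        retries 30
        timeout http-request 300s
        timeout queue 1m
        timeout connect 10s
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 10000

listen stats
        # BUG in the original: 999999 is not a valid TCP port (max 65535), so
        # the config check should reject it. Set the real admin port and bind
        # it to a management address (e.g. 127.0.0.1:<STATS_PORT>) rather than
        # "*": this listener is plain HTTP, so the Basic-auth password travels
        # in clear text; add "ssl crt <PEM>" to the bind if it must be remote.
        bind *:999999
#       balance
        mode http
        stats enable
        maxconn 10
        timeout client 10s
        timeout server 10s
        timeout connect 10s
        timeout queue 10s
        # Replace PASSWORD. The original's curly quotes were rendering
        # artifacts that would have become part of the password.
        stats auth kimconnect:PASSWORD
        stats hide-version
        stats refresh 30s
        stats show-node
        stats realm Haproxy \ Statistics
        stats uri /
        # Unconditional admin mode: anyone who passes "stats auth" can
        # enable/disable/drain servers from the page. Keep only while the
        # listener is reachable solely from the management network.
        stats admin if TRUE

frontend http_in
        bind *:80
        mode http
        # Everything on :80 is bounced to HTTPS (ssl_fc is always false here).
        redirect scheme https code 301 if !{ ssl_fc }

frontend https_in
        bind *:443 ssl crt /etc/certs/dragoncoin.com/dragoncoin.com.pem
        # set-header replaces any client-supplied X-Forwarded-Proto; the
        # original "reqadd" appended ours after the client's, so a spoofed
        # value still reached the backend. reqadd is deprecated from 2.0.
        http-request set-header X-Forwarded-Proto https
#       acl letsencrypt-acl path_beg /.well-known/acme-challenge/
#       use_backend letsencrypt-backend if letsencrypt-acl

        # Define Sites: the first matching use_backend wins, so order matters.
        # A Host that matches none of the rules gets a 503 (no default_backend).
        acl host_docker hdr(host) -i docker.dragoncoin.com
        use_backend docker if host_docker

        # special URI to define blogs. Must precede the bare-domain rule,
        # which otherwise captures every dragoncoin.com request first; the
        # original also used path_dom, which matches the URL path, not the
        # Host header, so the rule could never fire.
        acl host_dragoncoin hdr(host) -i dragoncoin.com
        acl blog_in_url path_beg /blog/
        use_backend dragoncoin_blog if host_dragoncoin blog_in_url
        use_backend dragoncoin if host_dragoncoin
#       acl host_dragoncoin hdr(host) -i dragoncoin.com
#       use_backend dragoncoin_blog if host_dragoncoin

#       acl host_project hdr(host) -i project.dragoncoin.com
#       use_backend project if host_project

        acl host_shell hdr(host) -i shell.dragoncoin.com
        use_backend shell if host_shell

#       acl host_proxy hdr(host) -h proxy.dragoncoin.com
#       use_backend proxy if host_proxy

userlist shell-users
        # insecure-password keeps the credential in clear text in this file.
        # Prefer "user kim password <CRYPT_HASH>" with a crypt(3) SHA-512 hash
        # (e.g. from mkpasswd -m sha-512) and keep this file mode 0600.
        user kim insecure-password PASSWORD

backend shell
        # HTTP Basic auth gate in front of the shell; credentials only arrive
        # over the TLS frontend because :80 is redirect-only.
        acl devops-auth http_auth(shell-users)
        http-request auth realm devops if !devops-auth
#       http-request realm auth kim:'PASSWORD'
        mode http
        option forwardfor
        option http-keep-alive
        server web01 127.0.0.1:8080

#backend project
#       mode http
#       option forwardfor
#       option http-keep-alive
#       stats enable
#       server web01 127.0.0.1:3000

backend docker
        mode http
        # Dropped: "stats enable" in a backend reached through the public
        # HTTPS frontend serves the stats page at the default /haproxy?stats
        # URI with no "stats auth" (that is only set in "listen stats").
        # Same in "backend dragoncoin".
#       stats enable
        option forwardfor
        option http-keep-alive
        server web01 127.0.0.1:9000

backend dragoncoin
        mode http
        option forwardfor
        option http-keep-alive
        # Dropped for the same reason as in "backend docker".
#       stats enable
        server dragoncoin.com 127.0.0.1:8082

backend dragoncoin_blog
        mode http
        option forwardfor
        option http-keep-alive
        server blog 127.0.0.1:8081
####################################################################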
 
 
 

 
Troubleshooting
 
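# Check backend connections using SSL. </dev/null ends the session right after
# the handshake instead of leaving s_client waiting for typed input.
# NOTE(review): the sample config reaches 127.0.0.1:3000 without "ssl" on the
# server line; if this handshake succeeds the backend terminates TLS itself and
# the server line would need "ssl" (plus verify/ca-file) — confirm which it is.
openssl s_client -connect 127.0.0.1:3000 </dev/null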

 
WEB02 HAProxy Config
# Open the second host's HAProxy config and append the sections below.
vim -- /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
#### Add these at the end ####
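# Second host (WEB02): HTTPS termination and Host-based routing to three
# loopback backends. Fixes vs the original paste: the shell server line had
# an extra word that shifted the address, reqadd replaced by http-request
# set-header, curly quotes replaced with ASCII, and unauthenticated
# "stats enable" dropped from the docker backend.
frontend http_in
        bind *:80
        mode http
        # Plain HTTP is only ever redirected; ssl_fc is always false on :80.
        redirect scheme https code 301 if !{ ssl_fc }


frontend https_in
        bind *:443 ssl crt /etc/certs/dragoncoin.com/dragoncoin.com.pem
        # set-header replaces a client-supplied X-Forwarded-Proto instead of
        # appending to it as the original "reqadd" did (reqadd is also
        # deprecated from HAProxy 2.0).
        http-request set-header X-Forwarded-Proto https

        # Host-based routing; the first matching use_backend wins. A Host
        # that matches none of these gets a 503 because no default_backend
        # is set.
        # ShellInABox
        acl host_shell hdr(host) -i shell.dragoncoin.com
        use_backend shell if host_shell

        # Portainer
        acl host_docker hdr(host) -i docker.dragoncoin.com
        use_backend docker if host_docker

        # Project
        acl host_project hdr(host) -i project.dragoncoin.com
        use_backend project if host_project

#-----------------------------------------------------------------------
# simple passwords to protect certain backends
#-----------------------------------------------------------------------

userlist shell-users
        # insecure-password keeps the credential in clear text in this file;
        # prefer "user kimconnect password <CRYPT_HASH>" (crypt(3) SHA-512,
        # e.g. from mkpasswd -m sha-512) and keep the file mode 0600.
        user kimconnect insecure-password PASSWORD

#-----------------------------------------------------------------------
# backends
#-----------------------------------------------------------------------
backend shell
        # HTTP Basic auth gate; credentials only arrive over the TLS
        # frontend because :80 is redirect-only.
        acl devops-auth http_auth(shell-users)
        http-request auth realm devops if !devops-auth
        mode http
        option forwardfor
        option http-keep-alive
        # BUG in the original: "server static web01 127.0.0.1:8080 check"
        # made "static" the server name and "web01" its address, leaving
        # "127.0.0.1:8080" as an unknown keyword.
        server web01 127.0.0.1:8080 check

backend project
        mode http
        option forwardfor
        option http-keep-alive
        server web01 127.0.0.1:3000

backend docker
        mode http
        # Dropped: "stats enable" here would serve the stats page at the
        # default /haproxy?stats URI through the public HTTPS frontend with
        # no "stats auth" configured anywhere in this file.
#       stats enable
        option forwardfor
        option http-keep-alive
        server web01 127.0.0.1:9000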
 
