Last active
September 13, 2023 19:04
-
-
Save kishba/569e207c320d8d09f499 to your computer and use it in GitHub Desktop.
Sample HAProxy HTTPS configuration for Moodle and Ellucian Colleague web apps -- anonymized from Mid Michigan Community College
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # Default SSL material locations | |
| ca-base /etc/ssl/certs | |
| crt-base /etc/ssl/private | |
| # Default ciphers to use on SSL-enabled listening sockets. | |
| # For more information, see ciphers(1SSL). | |
| ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:aRSA+3DES:!RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL | |
| ssl-default-bind-options no-sslv3 | |
| defaults | |
| log global | |
| mode http | |
| option httplog | |
| option log-separate-errors # Separate error logs from access logs | |
| balance roundrobin | |
| option dontlognull | |
| option redispatch # Redirect the first dropped HTTP request if another server is in the pool | |
| timeout connect 5000 | |
| timeout client 50000 | |
| timeout server 50000 | |
| timeout http-request 10m # Brandon has used this to import Moodle courses with large question banks | |
| timeout client 10m | |
| timeout server 10m | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| frontend load_balancers | |
| ## Binding to both test (192.) and production (67.) IP addresses | |
| #HTTP | |
| bind 192.168.1.90:80 | |
| bind 67.209.249.176:80 | |
| #HTTPS | |
| bind 192.168.1.90:443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem | |
| bind 67.209.249.176:443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem | |
| ######################## | |
| # Mitigate HTTPoxy | |
| http-request del-header Proxy | |
| # Figure out where to send traffic | |
| # analogous to Apache/Nginx Virtual host directives | |
| ## Moodle ############# | |
| acl dest_moodle_prod hdr(host) -i moodle.midmich.edu | |
| use_backend moodle_prod_nodes if dest_moodle_prod | |
| ######################## | |
| ## Colleague Web API ## | |
| acl dest_webapi hdr(host) -i webapi.midmich.edu | |
| use_backend webapi_nodes if dest_webapi | |
| ######################## | |
| ## Self Service ######## | |
| acl dest_selfservice hdr(host) -i selfservice.midmich.edu | |
| use_backend selfservice_nodes if dest_selfservice | |
| ######################## | |
| ## Payment Gateway ##### | |
| acl dest_payment hdr(host) -i payment.midmich.edu | |
| use_backend payment_nodes if dest_payment | |
| ######################## | |
| ## WebAdvisor ########## | |
| acl dest_webadvisor hdr(host) -i midweb.midmich.edu | |
| use_backend webadvisor_nodes if dest_webadvisor | |
| ######################## | |
| ## Colleague Web UI ## | |
| acl dest_webui hdr(host) -i webui.midmich.edu | |
| acl dest_webui5 hdr(host) -i webui5.midmich.edu | |
| use_backend webui_nodes if dest_webui | |
| use_backend webui5_nodes if dest_webui5 | |
| ######################## | |
| backend moodle_prod_nodes | |
| option forwardfor | |
| option http-server-close | |
| http-request set-header X-Forwarded-Port %[dst_port] | |
| http-request set-header X-Forwarded-Proto https if { ssl_fc } | |
| # Rather than use the front page, use a custom health check URL: https://github.com/brendanheywood/moodle-tool_heartbeat | |
| option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ | |
| # Redirect all traffic to HTTPS | |
| redirect scheme https if !{ ssl_fc } | |
| # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server | |
| cookie MAPPSERVER indirect nocache preserve | |
| server mapp1 192.168.1.71:80 check inter 2000 cookie mapp1 | |
| server mapp2 192.168.1.72:80 check inter 2000 cookie mapp2 | |
| server mapp3 192.168.1.73:80 check inter 2000 cookie mapp3 backup | |
| backend webapi_nodes | |
| option forwardfor | |
| option http-server-close | |
| http-request set-header X-Forwarded-Port %[dst_port] | |
| http-request set-header X-Forwarded-Proto https if { ssl_fc } | |
| option httpchk HEAD /ColleagueApi HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ webapi.midmich.edu | |
| # Redirect all traffic to HTTPS | |
| redirect scheme https if !{ ssl_fc } | |
| server webapi-prod 192.168.1.75:8084 check inter 2000 | |
| backend selfservice_nodes | |
| option forwardfor | |
| option http-server-close | |
| http-request set-header X-Forwarded-Port %[dst_port] | |
| http-request set-header X-Forwarded-Proto https if { ssl_fc } | |
| option httpchk HEAD /Student HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ selfservice.midmich.edu | |
| # Redirect all traffic to HTTPS | |
| redirect scheme https if !{ ssl_fc } | |
| # Redirect / to /Student where Self Service is running via IIS | |
| redirect location /Student code 302 if { path -i / } | |
| # The Self Service modules sometimes issue redirects to itself so we changed IIS to run on 80 so it will be possible for HAProxy to respond to these requests and redirect to 443 | |
| #server selfservice-prod 192.168.1.88:8073 check inter 2000 | |
| server selfservice-prod 192.168.1.88:80 check inter 2000 | |
| backend payment_nodes | |
| option forwardfor | |
| option http-server-close | |
| http-request set-header X-Forwarded-Port %[dst_port] | |
| http-request set-header X-Forwarded-Proto https if { ssl_fc } | |
| option httpchk HEAD /PaymentGateway/css/SiteStyle.css HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ payment.midmich.edu | |
| # Redirect all traffic to HTTPS | |
| redirect scheme https if !{ ssl_fc } | |
| server paygate 67.209.249.173:443 check inter 2000 ssl verify none | |
| backend webadvisor_nodes | |
| option forwardfor | |
| option http-server-close | |
| http-request set-header X-Forwarded-Port %[dst_port] | |
| http-request set-header X-Forwarded-Proto https if { ssl_fc } | |
| option httpchk HEAD /mw/mw HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ midweb.midmich.edu | |
| # Redirect all traffic to HTTPS | |
| redirect scheme https if !{ ssl_fc } | |
| # Redirect / to the web advisor root path | |
| redirect location /mw/mw code 302 if { path -i / } | |
| server 2012mweb 192.168.1.54:443 check inter 2000 ssl verify none | |
| backend webui_nodes | |
| option forwardfor | |
| option http-server-close | |
| http-request set-header X-Forwarded-Port %[dst_port] | |
| http-request set-header X-Forwarded-Proto https if { ssl_fc } | |
| option httpchk HEAD /UIProduction46/index.htm HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ webui.midmich.edu | |
| # Redirect all traffic to HTTPS | |
| redirect scheme https if !{ ssl_fc } | |
| # Redirect / and old 4.4 bookmarks to the new installation | |
| redirect location /UIProduction46/index.htm code 302 if { path -i / } | |
| redirect location /UIProduction46/index.htm code 302 if { path -i /UIProduction } | |
| redirect location /UIProduction46/index.htm code 302 if { path -i /UIProduction/ } | |
| redirect location /UIProduction46/index.htm code 302 if { path -i /UIProduction/index.htm } | |
| redirect location /UIProduction46/launch.htm code 302 if { path -i /UIProduction/launch.htm } | |
| server 2012webui 192.168.1.77:7405 check inter 2000 ssl verify none | |
| backend webui5_nodes | |
| option forwardfor | |
| option http-server-close | |
| http-request set-header X-Forwarded-Port %[dst_port] | |
| http-request set-header X-Forwarded-Proto https if { ssl_fc } | |
| option httpchk HEAD /ui/index.html HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\ webui5.midmich.edu | |
| # Redirect all traffic to HTTPS | |
| redirect scheme https if !{ ssl_fc } | |
| # Redirect / to the WebUI launcher page | |
| redirect location /ui/index.html code 302 if { path -i / } | |
| server ui5prod1 192.168.1.78:7319 check inter 2000 ssl verify none |
@hkeyland Is this when uploading a large file or importing a course? We adjusted our timeout lengths to allow for these cases:
timeout http-request 10m # Brandon has used this to import Moodle courses with large question banks
timeout client 10m
timeout server 10m
However, if you're talking about just browsing Moodle normally, I would suspect that your users are being pushed to different servers and the sessions aren't being stored in a centralized system such as the database. See this for more information:
@kishba, the sessions are stored in moodledata via NFS, so i test store in the database and the problem continues. I'm using Centos 7, what linux uses with this config file ??? version of haproxy ???
Search in other sites similar configurations and all works in mi proxy, but all disconect at 3 o4 minutes. So i help me if yoou share you version of linux and the version of haproxy to replicate this in another server
Thank you
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi
Im try to use, works but in 3 or 4 minuts the session in moodle is closed and need to login again every 3 or 4 minuts. Moodle version 2.9. Do you configure another thing on Apache or Moodle to works??