Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Prerequisite Concepts -
- Hosts file in Linux :
- Web Server : Apache & Nginx, IIS
:: Steps to deploy a package in Linux:
1. Install it --> # yum install httpd
2. Configure it --> checking the config file
3. Start the service.
:: Installing Apache in CentOS 7 ::
The Apache web server is one of the most popular and powerful web servers in the world, due to its ease of administration and flexibility.
# yum -y install httpd
# systemctl start httpd
# systemctl enable httpd
-Config file: /etc/httpd/httpd.conf
-Common config parameters-
Listen 80
DocumentRoot "/var/www/html"
DirectoryIndex index.html index.php home.html
-Installing SSL Module:
# yum install mod_ssl
- Putting HTML content for Webpage in Apache:
Location of document root - /var/www/html/
Inside it put the file 'index.html'
- Content of index.html at server 1
<!DOCTYPE html>
body {
background-color: #93B874;
h1 {
background-color: orange;
- Content of index.html at server 2
<!DOCTYPE html>
body {
background-color: #93B874;
h1 {
background-color: yellow;
-Check Port if apache is 'listening' or not:
#netstat -tulpn
- Hardware LB -- Cisco LB, CITRIX, BIG5
- Software LB -- HaProxy, Redhat_Heartbeat (IPV) - defunct, Nginx(Reverse Proxy)
:: Algorithm's
Balance Algorithm
This is the algorithm that is used by HAProxy to select the server when doing the load balancing. The following modes are available:
. Roundrobin
This is the most simple balance algorithm. For each new connection, it will be handled by the next backend server. If the last backend server in the list is reached, it will start again from the top of backend list.
. Leastconn
The new connection will be handled by the backend server with least amount of connections. This is useful when the time and load of the requests vary a lot.
. Source
This is for sticky sessions, the client IP will be hashed to determine the backend server that received the last request from this IP. So an IP A will always be handled by backend1, and IP B will always be handled by backend2 to not interrupt sessions
# yum -y install haproxy
# cd /etc/haproxy/
# mv haproxy.cfg haproxy.cfg.orig
# vi haproxy.cfg
Paste the configuration below:
# Global settings
log local2 #Log configuration
chroot /var/lib/haproxy
pidfile /var/run/
maxconn 4000
user haproxy #Haproxy running under user and group "haproxy"
group haproxy
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#HAProxy Monitoring Config
listen haproxy3-monitoring *:8080 #Haproxy Monitoring run on port 8080
mode http
option forwardfor
option httpclose
stats enable
stats show-legends
stats refresh 5s
stats uri /stats #URL for HAProxy monitoring
stats realm Haproxy\ Statistics
stats auth admin:intellipaat #User and Password for monitoring dashboard
stats admin if TRUE
default_backend app-main #This is optionally for monitoring backend
# FrontEnd Configuration
frontend main
bind *:80
option http-server-close
option forwardfor
default_backend app-main
# BackEnd roundrobin as balance algorithm
backend app-main
balance roundrobin #Balance algorithm
option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost #Check health
server server1 check #server1
server server2 check #server2
systemctl start haproxy
systemctl enable haproxy
Concepts Covered:::
_Haproxy non standard port forward
-HAProxy Multi Port Config:
Disable SELinux or Add SELinux context-
setsebool -P haproxy_connect_any=1
Then change port for frontend in haproxy.cfg
-HAProxy SSL Setup Configs- (443/https)
To install SSL Module in Apache:
yum install mod_ssl
Check SSL config file for listening ports and certificates:
vi /etc/httpd/conf.d/ssl.conf
Please follow below steps:
a-You have to run the following commands in any one of the webservers:
cat /etc/pki/tls/certs/localhost.crt > /etc/pki/tls/certs/localhost.pem
cat /etc/pki/tls/private/localhost.key >> /etc/pki/tls/certs/localhost.pem
b- The above commands will create a "localhost.pem" certificate file. Copy that file to /etc/pki/tls/certs/ location in the haproxy server. (You can keep it in any other path as well, but I have used that path for this lab)
c- Now below is the haproxy config section for https, I have tested it works fine:
frontend https_frontend
bind *:443 ssl crt /etc/pki/tls/certs/localhost.pem
mode http
option httpclose
option forwardfor
reqadd X-Forwarded-Proto:\ https
default_backend web_server
backend web_server
mode http
balance roundrobin
cookie SERVERID insert indirect nocache
server server1 check cookie server1
server server2 check cookie server2
d- After adding the above in haproxy.cfg you can restart the haproxy service. This config is working because we are using the SSL certificate in haproxy server instead of apache server and port forwarding backend to 80 port but frontend remains as 443. So that resolves the problem of "SSL received a record that exceeded the maximum permissible length."
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment