Load balancer HAPROXY STUNNEL
HAProxy Software Load Balancer
HAProxy is a bit more bare-metal, as it targets a very specific set of scenarios focused on TCP/IP more than HTTP. You can use cookie-based injection with HAProxy to do round-robin and stick users to a specific server. However, you cannot do this if your site is running SSL traffic: HAProxy cannot decrypt the SSL traffic. This is more the author's steadfast belief that SSL should not be terminated on the load balancer, because the CPU load would prevent scaling — you would need to scale the load balancers at some point (we’re talking millions of requests, Facebook style).
On all nodes: copy the following files to every server/node.
lb1
vi /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
##### Load balancers
192.168.60.11 lb1.rmohan.com lb1
192.168.60.12 lb2.rmohan.com lb2
### web servers
192.168.60.14 web1.rmohan.com web1
192.168.60.15 web2.rmohan.com web2
### database servers
192.168.60.17 db1.rmohan.com db1
192.168.60.18 db2.rmohan.com db2
##############VIPS
192.168.60.10 load.rmohan.com load
192.168.60.6 db.rmohan.com db
Now generate the SSH keys:
ssh-keygen -t rsa
ssh-keygen -t dsa
cd /root/.ssh
cat *.pub > authorized_keys
ls
authorized_keys id_dsa id_dsa.pub id_rsa id_rsa.pub known_hosts
scp -r .ssh/ lb2:root/
scp -r .ssh/ web1:root/
scp -r .ssh/ web2:root/
scp -r .ssh/ db1:root/
scp -r .ssh/ db2:root/
ssh-keyscan -t rsa lb1 lb2 www1 www2 db1 db2
ssh-keyscan -t dsa lb1 lb2 www1 www2 db1 db2
scp -r /etc/hosts lb2:/etc/
scp -r /etc/hosts web1:/etc/
scp -r /etc/hosts web2:/etc/
Stop unwanted services.
NTP SETUP ON THE SERVER
LB1
ntp services
rpm -qa | grep ntp
vi /etc/ntp.conf
# restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
#restrict -6 ::1
# server 0.centos.pool.ntp.org
# server 1.centos.pool.ntp.org
# server 2.centos.pool.ntp.org
server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
/etc/init.d/ntpd start
chkconfig ntpd on
watch ntpq -p -n
ntpdate -u 192.168.1.10
Note: it needs some time to sync.
LB2
ntp services
rpm -qa | grep ntp
vi /etc/ntp.conf
# restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
#restrict 127.0.0.1
#restrict -6 ::1
server 192.168.1.10
# server 0.centos.pool.ntp.org
# server 1.centos.pool.ntp.org
# server 2.centos.pool.ntp.org
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
/etc/init.d/ntpd start
chkconfig ntpd on
watch ntpq -p -n
ntpdate -u 192.168.1.10
Note: it needs some time to sync.
yum install mod_ssl
yum install openssl
yum install stunnel
wget http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
yum install haproxy
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.19.tar.gz
tar -zxvf haproxy-1.4.19.tar.gz
yum install gcc
make TARGET=linux26 ARCH=i386
make TARGET=linux26 CPU=i686
make install
mkdir /etc/haproxy
wget http://layer1.rack911.com/haproxy/haproxy-standard.cfg
wget http://layer1.rack911.com/haproxy/haproxy.init
cp haproxy-standard.cfg /etc/haproxy.cfg
cp haproxy.init /etc/init.d/haproxy
chmod +x /etc/init.d/haproxy
cp haproxy.init /etc/init.d/haproxy
haproxy is installed at /usr/local/sbin/haproxy; copy it to /usr/sbin so the init script finds it:
cp /usr/local/sbin/haproxy /usr/sbin/haproxy
chkconfig --add haproxy
chkconfig haproxy on
useradd haproxy
chown haproxy:haproxy /etc/haproxy.cfg
mkdir haproxy
touch stats
chown -R haproxy:haproxy /var/lib/haproxy
# Global settings
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 2000
contimeout 5000
clitimeout 50000
srvtimeout 50000
# round robin balancing between the various backends
listen HTTP-80 192.168.60.11:80
mode http
stats enable
balance roundrobin
cookie SERVERID insert nocache indirect
cookie JSESSIONID prefix
option httpclose
option forwardfor
option dontlognull
option httpchk HEAD /check.txt HTTP/1.0
server web1 192.168.60.14:80 weight 1 maxconn 512 check
server web2 192.168.60.15:80 weight 1 maxconn 512 check
option persist
option redispatch
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects
Change the log format in /etc/httpd/conf/httpd.conf so the real client address from X-Forwarded-For is logged instead of the load balancer's address:
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined env=!dontlog
SetEnvIf Request_URI "^/check\.txt$" dontlog
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html
SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog logs/access_log combined env=!dontlog
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
vim /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind = 1
sysctl -p
Monitor URL (HAProxy statistics page):
http://192.168.60.11/haproxy?stats
wget ftp://ftp.nluug.nl/pub/networking/stunnel/stunnel-4.50.tar.gz
tar -zxvf stunnel-4.50.tar.gz
/usr/local/etc/stunnel
cd stunnel-4.50
./configure
make
install
make install
/usr/local/etc/stunnel
wget http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
rpm -ivh epel-release-6-5.noarch.rpm
yum install stunnel
cp /etc/pki/tls/private/localhost.key ca.key
cp /etc/pki/tls/certs/localhost.crt stunnel.pem
Or, generate a self-signed certificate and key instead:
cd /etc/pki/tls/certs
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/pound.pem -out /etc/pki/tls/certs/pound.pem
chmod 600 /etc/pki/tls/certs/pound.pem
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[root@lb1 stunnel]# cat stunnel.conf
cert=/etc/stunnel/stunnel.pem
key=/etc/stunnel/ca.key
setuid=root
setgid=root
pid = /var/run/stunnel.pid
output = /var/log/stunnel.log
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
# HTTPS
[https]
accept=192.168.60.11:443
connect=192.168.60.11:80
TIMEOUTclose = 0
#cert=/etc/stunnel/stunnel.pem
#key=/etc/stunnel/ca.key
setuid=root
setgid=root
pid = /var/run/stunnel.pid
output = /var/log/stunnel.log
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
# HTTPS
[https]
cert=/etc/stunnel/server.crt
key=/etc/stunnel/server.key
accept=192.168.60.11:443
connect=192.168.60.11:80
TIMEOUTclose = 0
~
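#!/bin/bash
# SysV init wrapper for stunnel: start/stop/restart, tracking state with a
# lock file under /var/lock/subsys so chkconfig/service can see it.
#
# Paths to external tools. GREP and EGREP are not referenced anywhere in this
# script; they are kept only so anything that sources this file still sees them.
GREP="/bin/grep"
EGREP="/bin/egrep"
PROG="stunnel"
KILLALL="/usr/bin/killall"
# Quietly do nothing when the stunnel binary is missing or not executable.
# NOTE(review): this assumes the packaged binary in /usr/bin; a source build
# with the default prefix lands under /usr/local instead — confirm which one
# is installed on the node.
test -x /usr/bin/stunnel || exit 0
# Exit status of the last start/stop action; returned by every action function.
RETVAL=0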
########## START ##########
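start() {
  # Start stunnel unless the lock file says it is already running.
  # Globals: PROG (read), RETVAL (written)
  # Returns: RETVAL (0 on success); exits 1 if stunnel fails to start.
  local lock=/var/lock/subsys/stunnel
  if [ ! -f "$lock" ]; then
    /usr/bin/stunnel
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
      touch "$lock"
      echo "Starting $PROG: OK"
    else
      # Say why we are aborting instead of exiting silently.
      echo "Starting $PROG: FAILED (exit $RETVAL)" >&2
      exit 1
    fi
  fi
  return "$RETVAL"
}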
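stop() {
  # Stop stunnel if the lock file says it is running.
  # Globals: KILLALL, PROG (read), RETVAL (written)
  # Returns: RETVAL (0 on success); exits 1 if the processes could not be signalled.
  local lock=/var/lock/subsys/stunnel
  if [ -e "$lock" ]; then
    "$KILLALL" /usr/bin/stunnel
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
      # The lock is a plain file: -f is enough, -r is needlessly destructive.
      rm -f -- "$lock"
      echo "Stop $PROG: OK"
    else
      echo "Stop $PROG: FAILED (exit $RETVAL)" >&2
      exit 1
    fi
  fi
  return "$RETVAL"
}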
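restart() {
  # Equivalent to "stop" followed by "start". Both helpers exit 1 on
  # failure, so a failed stop never reaches the start step, matching the
  # previous inlined behaviour without duplicating their bodies.
  # Globals: RETVAL (written by stop/start)
  # Returns: RETVAL of the last step that ran.
  stop
  start
  return "$RETVAL"
}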
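# Dispatch on the requested action; exit with the action's return status.
# Unknown actions print the usage line to stderr and exit 2 (LSB "invalid argument").
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  *)
    echo "ESCOLHA UM ITEM AO LADO: $0 {start|stop|restart}" >&2
    exit 2
    ;;
esac
exit $?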