{"id":328,"date":"2012-06-18T18:41:46","date_gmt":"2012-06-18T10:41:46","guid":{"rendered":"http:\/\/rmohan.com\/?p=328"},"modified":"2012-09-16T00:16:55","modified_gmt":"2012-09-15T16:16:55","slug":"load-balancer-haproxy-stunnel","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=328","title":{"rendered":"Load balancer HAPROXY STUNNEL"},"content":{"rendered":"

Load balancer HAPROXY STUNNEL<\/strong><\/p>\n

HAProxy Software Load Balancer<\/p>\n

HAProxy is a bit more bare metal as it targets a very specific set of scenarios focused on TCPIP more than HTTP. You can use cookie based injection with HAProxy to do round robin and stick users to a specific server. However, you can not do this if your site is running SSL traffic. HAProxy can not decrypt the SSL traffic. This is more of the authors dead-fast belief that SSL should not be terminated because of CPU load on the load balancer preventing scaling as you would need to scale the load balancers at some point (we\u2019re talking millions of requests, facebook style).<\/p>\n

on all nodes please copy the files on all server \/ nodes<\/p>\n

lb1<\/p>\n

vi \/etc\/hosts<\/p>\n

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6<\/p>\n

##### Load balancers<\/p>\n

192.168.60.11 lb1.rmohan.com lb1
192.168.60.12 lb2.rmohan.com lb2<\/p>\n

### web servers<\/p>\n

192.168.60.14 web1.rmohan.com web1
192.168.60.15 web2.rmohan.com web2<\/p>\n

### database servers<\/p>\n

192.168.60.17 db1.rmohan.com db1
192.168.60.18 db2.rmohan.com db2<\/p>\n

##############VIPS<\/p>\n

192.168.60.10 load.rmohan.com load
192.168.60.6 db.rmohan.com db<\/p>\n

Now generate ssh keys<\/p>\n

ssh-keygen -t rsa<\/p>\n

ssh-keygen -t dsa<\/p>\n

cd \/root\/.ssh<\/p>\n

cat *.pub > authorized_keys<\/p>\n

ls<\/p>\n

authorized_keys id_das id_dsa.pub id_rsa id_rsa.pub known_hosts<\/p>\n

scp -r .ssh\/ lb2:root\/<\/p>\n

scp -r .ssh\/ web1:root\/<\/p>\n

scp -r .ssh\/ web2:root\/<\/p>\n

scp -r .ssh\/ db1:root\/<\/p>\n

scp -r .ssh\/ db2:root\/<\/p>\n

ssh-keyscan -t rsa lb1 lb2 www1 www2 db1 db2<\/p>\n

ssh-keyscan -t dsa lb1 lb2 www1 www2 db1 db2<\/p>\n

scp -r \/etc\/hosts lb2:\/etc\/
scp -r \/etc\/hosts web1:\/etc\/
scp -r \/etc\/hosts web2:\/etc\/<\/p>\n

Stop unwanted services<\/p>\n

NTP SETUP ON THE SERVER<\/p>\n

LB1<\/p>\n

ntp services<\/p>\n

rpm -qa | grep ntp<\/p>\n

vi \/etc\/ntp.conf<\/p>\n

# restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery<\/p>\n

restrict 127.0.0.1
#restrict -6 ::1<\/p>\n

# server 0.centos.pool.ntp.org
# server 1.centos.pool.ntp.org
# server 2.centos.pool.ntp.org<\/p>\n

server 127.127.1.0 # local clock<\/p>\n

#fudge 127.127.1.0 stratum 10<\/p>\n

\/etc\/init.d\/ntpd start<\/p>\n

chkconfig ntpd on<\/p>\n

watch ntpq -p -n<\/p>\n

ntpdate -u 192.168.1.10<\/p>\n

Note : It NEED SOME TIME TO SYNC<\/p>\n

LB2<\/p>\n

ntp services<\/p>\n

rpm -qa | grep ntp<\/p>\n

vi \/etc\/ntp.conf<\/p>\n

# restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery<\/p>\n

#restrict 127.0.0.1
#restrict -6 ::1<\/p>\n

server 192.168.1.10<\/p>\n

# server 0.centos.pool.ntp.org
# server 1.centos.pool.ntp.org
# server 2.centos.pool.ntp.org<\/p>\n

#server 127.127.1.0 # local clock<\/p>\n

#fudge 127.127.1.0 stratum 10<\/p>\n

\/etc\/init.d\/ntpd start<\/p>\n

chkconfig ntpd on<\/p>\n

watch ntpq -p -n<\/p>\n

ntpdate -u 192.168.1.10<\/p>\n

Note : It NEED SOME TIME TO SYNC<\/p>\n

yum install mod_ssl<\/p>\n

yum install openssl<\/p>\n

yum install stunnel<\/p>\n

wget http:\/\/download.fedora.redhat.com\/pub\/epel\/6\/i386\/epel-release-6-5.noarch.rpm<\/p>\n

yum install haproxy<\/p>\n

wget http:\/\/haproxy.1wt.eu\/download\/1.4\/src\/haproxy-1.4.19.tar.gz<\/p>\n

tar -zxvf haproxy-1.4.19.tar.gz<\/p>\n

yum install gcc<\/p>\n

make TARGET=linux26 ARCH=i386<\/p>\n

make TARGET=linux26 CPU=i686<\/p>\n

make install<\/p>\n

mkdir \/etc\/haproxy<\/p>\n

wget http:\/\/layer1.rack911.com\/haproxy\/haproxy-standard.cfg<\/p>\n

wget http:\/\/layer1.rack911.com\/haproxy\/haproxy.init<\/p>\n

cp haproxy-standard.cfg \/etc\/haproxy.cfg<\/p>\n

cp haproxy.init \/etc\/init.d\/haproxy<\/p>\n

chmod +x \/etc\/init.d\/haproxy<\/p>\n

cp haproxy.init \/etc\/init.d\/haproxy<\/p>\n

\/usr\/local\/sbin\/haproxy location<\/p>\n

cp \/usr\/local\/sbin\/haproxy \/usr\/sbin\/haproxy<\/p>\n

chkconfig –add haproxy<\/p>\n

chkconfig haproxy on<\/p>\n

useradd haproxy<\/p>\n

chown haproxy:haproxy \/etc\/haproxy.cfg<\/p>\n

mkdir haproxy
touch stats<\/p>\n

chown -R haproxy:haproxy \/var\/lib\/haproxy<\/p>\n

# Global settings
global
log 127.0.0.1 local2<\/p>\n

chroot \/var\/lib\/haproxy
pidfile \/var\/run\/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket \/var\/lib\/haproxy\/stats<\/p>\n

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0\/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 2000
contimeout 5000
clitimeout 50000
srvtimeout 50000<\/p>\n

# round robin balancing between the various backends
listen HTTP-80 192.168.60.11:80
mode http
stats enable
balance roundrobin
cookie SERVERID insert nocache indirect
cookie JSESSIONID prefix
option httpclose
option forwardfor
option dontlognull
option httpchk HEAD \/check.txt HTTP\/1.0
server web1 192.168.60.14:80 weight 1 maxconn 512 check
server web2 192.168.60.15:80 weight 1 maxconn 512 check
option persist
option redispatch<\/p>\n

echo 1 > \/proc\/sys\/net\/ipv4\/conf\/all\/forwarding
echo 1 > \/proc\/sys\/net\/ipv4\/conf\/all\/send_redirects
echo 1 > \/proc\/sys\/net\/ipv4\/conf\/eth0\/send_redirects<\/p>\n

change the log format<\/p>\n

\/etc\/httpd\/conf\/httpd.conf<\/p>\n

#LogFormat “%h %l %u %t \\”%r\\” %>s %b \\”%{Referer}i\\” \\”%{User-Agent}i\\”” combined<\/p>\n

LogFormat “%{X-Forwarded-For}i %h %l %u %t \\”%r\\” %>s %b \\”%{Referer}i\\” \\”%{User-Agent}i\\”” combined<\/p>\n

CustomLog logs\/access_log combined env=!dontlog
SetEnvIf Request_URI “^\/check\\.txt$” dontlog<\/p>\n

LogFormat “%h %l %u %t \\”%r\\” %>s %b” common
LogFormat “%{Referer}i -> %U” referer
LogFormat “%{User-agent}i” agent<\/p>\n

ServerAdmin webmaster@dummy-host.example.com
DocumentRoot \/var\/www\/html
SetEnvIf Request_URI “^\/check\\.txt$” dontlog
CustomLog logs\/access_log combined env=!dontlog
# ServerName dummy-host.example.com
# ErrorLog logs\/dummy-host.example.com-error_log
# CustomLog logs\/dummy-host.example.com-access_log common<\/p>\n

vim \/etc\/sysctl.conf<\/p>\n

net.ipv4.ip_nonlocal_bind = 1<\/p>\n

sysctl -p<\/p>\n

Monitor url<\/strong><\/p>\n

http:\/\/192.168.60.11\/haproxy?stats<\/p>\n

wget ftp:\/\/ftp.nluug.nl\/pub\/networking\/stunnel\/stunnel-4.50.tar.gz<\/p>\n

tar -zxvf stunnel-4.50.tar.gz<\/p>\n

\/usr\/local\/etc\/stunnel<\/p>\n

cd stunnel-4.50<\/p>\n

.\/configure
make
install
make install<\/p>\n

\/usr\/local\/etc\/stunnel<\/p>\n

wget http:\/\/download.fedora.redhat.com\/pub\/epel\/6\/i386\/epel-release-6-5.noarch.rpm<\/p>\n

rpm -ivh epel-release-6-5.noarch.rpm<\/p>\n

yum install stunnel<\/p>\n

cp \/etc\/pki\/tls\/private\/localhost.key ca.key
cp \/etc\/pki\/tls\/certs\/localhost.crt stunnel.pem<\/p>\n

OR<\/p>\n

cd \/etc\/pki\/tls\/certs<\/p>\n

openssl req -x509 -nodes -newkey rsa:1024 -keyout \/etc\/pki\/tls\/certs\/pound.pem -out \/etc\/pki\/tls\/certs\/pound.pem<\/p>\n

chmod 600 \/etc\/pki\/tls\/certs\/pound.pem<\/p>\n

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
cp server.key server.key.org<\/p>\n

openssl rsa -in server.key.org -out server.key<\/p>\n

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt<\/p>\n

[root@lb1 stunnel]# cat stunnel.conf
cert=\/etc\/stunnel\/stunnel.pem
key=\/etc\/stunnel\/ca.key
setuid=root
setgid=root
pid = \/var\/run\/stunnel.pid
output = \/var\/log\/stunnel.log<\/p>\n

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1<\/p>\n

# HTTPS
[https]
accept=192.168.60.11:443
connect=192.168.60.11:80
TIMEOUTclose = 0<\/p>\n

#cert=\/etc\/stunnel\/stunnel.pem
#key=\/etc\/stunnel\/ca.key
setuid=root
setgid=root
pid = \/var\/run\/stunnel.pid
output = \/var\/log\/stunnel.log<\/p>\n

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1<\/p>\n

# HTTPS
[https]
cert=\/etc\/stunnel\/server.crt
key=\/etc\/stunnel\/server.key
accept=192.168.60.11:443
connect=192.168.60.11:80<\/p>\n

TIMEOUTclose = 0
~<\/p>\n

#!\/bin\/bash<\/p>\n

# VARIAVEIS
GREP=”\/bin\/grep”
EGREP=”\/bin\/egrep”
PROG=”stunnel”
KILLALL=”\/usr\/bin\/killall”<\/p>\n

# TESTANDO SE EXISTE O ARQUIVO
test -x \/usr\/bin\/stunnel || exit 0
RETVAL=0<\/p>\n

########## START ##########
start() {
if [ ! -f \/var\/lock\/subsys\/stunnel ]; then
\/usr\/bin\/stunnel
RETVAL=$?
if [ $RETVAL = 0 ]; then
touch \/var\/lock\/subsys\/stunnel
echo $”Starting $PROG: OK”
else
exit 1
fi
fi
return $RETVAL
}
stop() {
if [ -e \/var\/lock\/subsys\/stunnel ]; then
$KILLALL \/usr\/bin\/stunnel
RETVAL=$?
if [ $RETVAL = 0 ]; then
rm -rf \/var\/lock\/subsys\/stunnel
echo $”Stop $PROG: OK”
else
exit 1
fi
fi
return $RETVAL
}
restart(){
if [ -e \/var\/lock\/subsys\/stunnel ]; then
$KILLALL \/usr\/bin\/stunnel
RETVAL=$?
if [ $RETVAL = 0 ]; then
rm -rf \/var\/lock\/subsys\/stunnel
echo $”Stop $PROG: OK”
else
exit 1
fi
fi<\/p>\n

if [ ! -f \/var\/lock\/subsys\/stunnel ]; then
\/usr\/bin\/stunnel
RETVAL=$?
if [ $RETVAL = 0 ]; then
touch \/var\/lock\/subsys\/stunnel
echo $”Starting $PROG: OK”
else
exit 1
fi
fi<\/p>\n

return $RETVAL
}
case “$1” in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
*)
echo $”ESCOLHA UM ITEM AO LADO: $0 {start|stop|restart}”
exit 2
esac<\/p>\n

exit $?<\/p>\n","protected":false},"excerpt":{"rendered":"

Load balancer HAPROXY STUNNEL<\/p>\n

HAProxy Software Load Balancer<\/p>\n

HAProxy is a bit more bare metal as it targets a very specific set of scenarios focused on TCPIP more than HTTP. You can use cookie based injection with HAProxy to do round robin and stick users to a specific server. However, you can not do this […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/328"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=328"}],"version-history":[{"count":7,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/328\/revisions"}],"predecessor-version":[{"id":1447,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/328\/revisions\/1447"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}