HAProxy is an open source TCP/HTTP load balancer, commonly used to improve the performance of web sites and services by spreading requests across multiple servers. Its name stands for High Availability Proxy. It is written in C and has a reputation for being fast, efficient (in terms of processor and memory usage) and stable.
HAProxy is used by a number of high-profile websites including Stack Overflow, Reddit, Tumblr, and Twitter and is used in the OpsWorks product from Amazon Web Services.
Installation
HAProxy is unfortunately not present in Debian 7, so you need to activate backports:
Several kinds of configuration are possible: although HAProxy specializes in the HTTP and TCP protocols, it also knows how to health-check specific services such as MySQL.
HTTP
Here is a good configuration for HTTP pages with sticky sessions:
    global
        # log redirection (syslog)
        log /dev/log local0
        log /dev/log local1 notice
        # maximum number of connections for haproxy
        maxconn 4096
        # chroot for security reasons
        chroot /var/lib/haproxy
        # user/group for haproxy process
        user haproxy
        group haproxy
        # act as a daemon
        daemon

    defaults
        # use global log declaration
        log global
        # default check type
        mode http
        # logs which servers requests go to, plus current connections and a whole lot of other stuff
        option httplog
        # only log failed connections
        # retry 3 times before setting node as failed
        # redispatch traffic to other servers
        option dontlognull
        retries 3
        option redispatch
        # maximum connections for the backend
        maxconn 2000
        # timeouts
        contimeout 5000
        clitimeout 50000
        srvtimeout 50000
        # check webservers for health, taking them out of the queue as necessary
        option httpchk

    # haproxy frontend
    frontend http-in
        bind *:80
        # acl for each backend
        acl is_deimosfr hdr_end(host) -i deimos.fr
        acl is_mavrofr hdr_end(host) -i mavro.fr
        use_backend deimosfr if is_deimosfr
        use_backend mavrofr if is_mavrofr
        default_backend deimosfr

    # backend1
    backend deimosfr
        # use sticky session to stick clients on the same server
        cookie SERVERID insert indirect
        balance roundrobin
        # cookie SERVERID is "www1"
        server www1 192.168.0.1:8080 cookie www1 check
        # cookie SERVERID is "www2"
        server www2 192.168.0.2:8080 cookie www2 check

    # backend2
    backend mavrofr
        cookie SERVERID insert indirect
        balance roundrobin
        server www1 192.168.0.1:8080 cookie www1 check
        server www2 192.168.0.2:8080 cookie www2 check
MySQL/MariaDB
Here is a load balancing version for 2 MySQL nodes:
    global
        # log redirection (syslog)
        log /dev/log local0
        log /dev/log local1 notice
        # maximum number of connections for haproxy
        maxconn 4096
        # chroot for security reasons
        chroot /var/lib/haproxy
        # user/group for haproxy process
        user haproxy
        group haproxy
        # act as a daemon
        daemon

    defaults
        # use global log declaration
        log global
        # default check type
        mode http
        # only log when closing session
        option tcplog
        # only log failed connections
        # retry 3 times before setting node as failed
        # redispatch traffic to other servers
        option dontlognull
        retries 3
        option redispatch
        # maximum connections for the backend
        maxconn 1024
        # timeouts
        contimeout 5000
        clitimeout 50000
        srvtimeout 50000

    # enable web check health interface on port 80
    listen haproxy 0.0.0.0:80
        mode http
        stats enable
        # set credentials
        stats auth user:password

    # loadbalance on slaves
    listen mariadb-read-slaves 0.0.0.0:3306
        # use tcp method
        mode tcp
        # round robin mechanism
        balance roundrobin
        # tcp keepalive (pipelining) on both sides (clt/srv)
        option tcpka
        # perform mariadb connection with haproxy user
        option mysql-check user haproxy
        # set all read only nodes
        # inter: interval of check in milliseconds
        server slave1 10.0.0.2:3306 check inter 1000
        server slave2 10.0.0.3:3306 check inter 1000
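The configurations above drop privileges with chroot/user/group but publish the stats page on 0.0.0.0:80 with the sample credential user:password. The following check for both points is an added example, not code from the original page or from the HAProxy project; the function names, the placeholder-credential list and the 127.0.0.1:8404 address are assumptions.

```python
import re

# Constructed sample: the global and stats sections of the MySQL example above.
SAMPLE_CFG = """
global
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
listen haproxy 0.0.0.0:80
    stats enable
    stats auth user:password
"""
# Hardened variant; the loopback address, port and credential are placeholders.
HARDENED_CFG = (SAMPLE_CFG.replace("0.0.0.0:80", "127.0.0.1:8404")
                .replace("user:password", "ops:REPLACE_WITH_GENERATED_SECRET"))
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
WILDCARD = re.compile(r"^(\*|0\.0\.0\.0|::)?:\d+$")
PLACEHOLDERS = {"user:password", "admin:admin", "admin:password"}

def parse_sections(text):
    """Split a config into (header_tokens, [directive_tokens, ...]) per section."""
    sections = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()  # naive: ignores quoted or escaped '#'
        if tokens and tokens[0] in SECTIONS:
            sections.append((tokens, []))
        elif tokens and sections:
            sections[-1][1].append(tokens)
    return sections

def audit(text):
    """Return findings on privilege dropping and stats-page exposure."""
    findings = []
    for header, directives in parse_sections(text):
        if header[0] == "global":
            present = {d[0] for d in directives}
            findings += [f"global: missing '{k}'" for k in ("chroot", "user", "group") if k not in present]
        if ["stats", "enable"] not in directives:
            continue
        name = " ".join(header[:2])
        # Addresses come from the legacy 'listen <name> <addr:port>' form or 'bind'.
        addrs = header[2:] + [d[1] for d in directives if d[0] == "bind" and len(d) > 1]
        if any(WILDCARD.match(a) for a in addrs):
            findings.append(f"{name}: stats page listens on a wildcard address")
        creds = [d[2] for d in directives if d[:2] == ["stats", "auth"] and len(d) > 2]
        if not creds:
            findings.append(f"{name}: stats page has no 'stats auth'")
        findings += [f"{name}: placeholder credential '{c}'" for c in creds if c in PLACEHOLDERS]
    return findings
```

`audit(SAMPLE_CFG)` reports the wildcard listener and the placeholder credential, while `audit(HARDENED_CFG)` returns an empty list.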
Offloading SSL
SSL offloading lets HAProxy decrypt SSL and forward the traffic to a web server without SSL. This can be very useful in front of a caching server like Varnish (you can also do it with Nginx).
To start, create an SSL folder and concatenate all your certificates into one: