====== Learnexa QA server Loadbalancer Setup ======
Before making any changes, make sure that the following services are running, in the order given, if the load balancer is going to reside on the same machine as your application server:
==== Make sure that you change the following files first ====
Apache - TCP port - 81 (/opt/apache2/conf/httpd.conf)
## Listen section
Listen 81
## VirtualHost Section
&lt;VirtualHost 192.168.2.x:81&gt;
## ServerName section
ServerName qa01.learnexa.com:81
Chat - TCP port - 8018 (/home/expdev01/bin/chat_sss.sh - node command)
## Change the following line;
nohup node server.js --port 8018 > /var/log/chat.log &
===== STEP 1: Install load-balancer on the server with SSL support; =====
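# Build a static OpenSSL under $STATICLIBSSL, then build HAProxy 1.5.x against it.
# STATICLIBSSL is the OpenSSL *install prefix*: the HAProxy make line below
# expects headers in $STATICLIBSSL/include and libraries in $STATICLIBSSL/lib.
export STATICLIBSSL=/path/to/openssl/lib/headers
# Compile with the latest version of OpenSSL 1.0.2d or above.
# Run these three commands from the unpacked OpenSSL source directory
# (its path is not given on this page). "no-shared" yields static libraries
# so the resulting haproxy binary does not depend on the system OpenSSL.
./config --prefix="$STATICLIBSSL" no-shared
make
make install_sw
# Compile HAProxy 1.5.x. (The previous version of this listing repeated the
# OpenSSL "./config && make install_sw" step here; it was a copy-paste error
# and is removed -- OpenSSL is already installed at this point.)
cd /src/haproxy || exit 1
make clean
make TARGET=linux2628 CPU=x86_64 USE_OPENSSL=1 \
  SSL_INC="$STATICLIBSSL/include" SSL_LIB="$STATICLIBSSL/lib" \
  ADDLIB=-ldl USE_ZLIB=1 USE_PCRE=1
make install
# For validation use (the output must list OpenSSL support and the version
# that was just built):
haproxy -vv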
==== STEP 2: Add the following files; ====
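# Directory layout used by the configuration and by the cert scripts below:
#   src           - scratch/source area
#   disable_certs - per-domain .pem files not currently served
#   certs.d       - .pem files loaded by the "ssl crt" binds
#   errors        - custom error pages referenced by "errorfile"
mkdir -p /opt/haproxy/src
mkdir -p /opt/haproxy/ssl/disable_certs
mkdir -p /opt/haproxy/ssl/certs.d
# Download a 503.http file into this directory or create one; the config
# references /opt/haproxy/errors/503.http. (The note used to sit on the
# command line itself, which broke the command when pasted.)
mkdir -p /opt/haproxy/errors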
The following configuration file is for HTTP setup;
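# Process-wide settings.
global
# Single worker process.  The "debug" directive that used to follow here is
# removed: it dumps every exchange to stdout and disables forking into the
# background, i.e. it cancels "daemon" below and must only be used for
# interactive troubleshooting.
nbproc 1
daemon
maxconn 35000
# NOTE(review): with user/group commented out the process keeps whatever
# privileges it was started with; enabling them (ideally with a chroot)
# limits the impact of a compromise.
#user haproxy
#group haproxy
# Admin-level runtime socket; mode 0600 restricts it to the owning user.
stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin
spread-checks 5
# Log to the local syslog relay, facility local1.
log 127.0.0.1 local1
# DH parameter size for DHE key exchange on "ssl" binds.
tune.ssl.default-dh-param 2048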
# Settings inherited by every frontend/backend below unless overridden there.
defaults
log global
mode http
option tcp-smart-accept
option tcp-smart-connect
# TCP keepalive on client-side and server-side sockets.
option tcpka
option srvtcpka
option httplog
# Do not log connections that carried no data (e.g. port probes).
option dontlognull
retries 3
# On retry, allow a cookie-pinned request to be sent to another server.
option redispatch
no option log-health-checks
# Values without a unit are milliseconds: connect 10 s, client 300 s.
timeout connect 10000
timeout client 300000
timeout queue 5s
# Bounds how long a client may take to send the complete request headers,
# which limits how long a slow or stalled client can hold resources.
timeout http-request 28s
timeout tunnel 1h
timeout server 8m
# Plain-HTTP entry point.  Despite the name, the HTTPS redirect is commented
# out in this HTTP-only variant, so requests are proxied as-is.
frontend sub_site_to_ssl_redirection
mode http
option forwardfor
option http-server-close
bind 192.168.225.214:80
# redirect scheme https if !{ ssl_fc }
# default_backend common_www_backend
# errorfile 503 /opt/haproxy/errors/503.http
# frontend multi_tenant
# bind 192.168.2.222:80
# mode http
option httplog
# NOTE(review): "httpclose" and "http-server-close" are both set in this
# section; HAProxy resolves them by a fixed precedence, so one of the two is
# redundant -- confirm which connection-close behaviour is intended.
option httpclose
# option forwardfor
option http-server-close
# "reqadd" appends a header; it does not remove one the client already sent.
# If the application trusts the first X-Forwarded-Proto value, strip the
# client copy first (e.g. "reqidel ^X-Forwarded-Proto:" before this line).
reqadd X-Forwarded-Proto:\ http
# reqadd X-Multi-tenant:\ true
# Paths starting with /chatlist go to the chat-list backend.
acl chatreq url_beg /chatlist
################################ ADD REDIRECTION MT ########################################################
############################################################################################################
use_backend chatlistURI if chatreq
default_backend common_www_backend
errorfile 503 /opt/haproxy/errors/503.http
# frontend multi_tenant_secure
# bind 192.168.2.222:443 ssl crt /opt/haproxy/ssl/certs.d/
# mode http
# option httplog
# option httpclose
# option forwardfor
# reqadd X-Forwarded-Proto:\ https
# acl chatreq url_beg /chatlist
# use_backend chatlistURI if chatreq
# default_backend common_www_backend
# errorfile 503 /opt/haproxy/errors/503.http
# frontend sub_site_secured
# bind 192.168.225.214:443 ssl crt /opt/haproxy/ssl/certs.d/exphosted.pem
# mode http
# option httplog
# option httpclose
# option forwardfor
# reqadd X-Forwarded-Proto:\ https
# rspadd Strict-Transport-Security:\ max-age=31536000
# acl chatreq url_beg /chatlist
# use_backend chatlistURI if chatreq
# default_backend common_www_backend
# errorfile 503 /opt/haproxy/errors/503.http
#
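# Main web backend: the local Apache on port 81 (see the port notes at the
# top of this page).
backend common_www_backend
mode http
option httplog
# Pass the client address to Apache in X-Forwarded-For.  Set once here; the
# duplicate "option forwardfor" that used to follow the cookie line is dropped.
option forwardfor
# Health check: HEAD /about with an explicit Host header so the name-based
# vhost answers; HAProxy treats 2xx/3xx as "up".
option httpchk HEAD /about HTTP/1.1\r\nHost:\ na3.learnexa.com\r\nUser-Agent:\ HaProxy
# Statistics page.  Enabled inside this backend, it is reachable at
# /learnexalb through every frontend that routes here and is protected only
# by HTTP basic auth.
stats enable
stats hide-version
stats uri /learnexalb
stats realm Learnexa\ LB
# NOTE(review): the credential below is stored in clear text in this file
# and on the wiki page that carries it.  Rotate it, keep it out of shared
# documents, and consider serving stats from a dedicated "listen" section
# bound to a management address instead of the public frontends.
stats auth admin:Expertus2091
balance roundrobin
# Sticky sessions via an inserted SERVERID cookie.  "indirect": the cookie is
# stripped from requests before they reach the server and not re-sent to a
# client that already has it; "nocache": responses that get the cookie are
# marked non-cacheable.
cookie SERVERID insert indirect nocache
# server prodapp1 10.229.94.13:80 cookie server1 weight 1 maxconn 1024 check cookie app1
# maxconn 31 caps concurrent connections to Apache at 31 -- verify this is
# intended and not a typo for a larger value.  Checks run every 5 s; two
# successes mark the server up, three failures mark it down.
server cbdevapp01 192.168.225.214:81 check port 81 cookie app1 maxconn 31 inter 5000 rise 2 fall 3
# server prodapp2 10.166.152.19:80 check port 80 cookie app2 maxconn 31 inter 5000 rise 2 fall 3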
# Raw TCP entry point for the chat (node) service; no HTTP parsing, so the
# only routing key is the port.
frontend chat-ingress
option tcplog
mode tcp
# Plain TCP on 8090; the TLS form of this bind is kept commented below.
bind 192.168.225.214:8090
# bind 192.168.225.214:8090 ssl crt /opt/haproxy/ssl/certs.d/exphosted.pem
# bind 192.168.2.222:8090
default_backend prodchatrole
# Chat upstream: the node process on 8018 (see the chat_sss.sh note above).
backend prodchatrole
mode tcp
option forceclose
# No httpchk here, so "check" is a plain TCP connect to 8018; maxconn bounds
# concurrent chat sessions forwarded to the process.
server prodchatrole 192.168.225.214:8018 check port 8018 maxconn 200
# Backend for /chatlist* requests (selected by the "chatreq" ACL).
backend chatlistURI
mode http
# NOTE(review): 192.168.225.214:80 is also the address this proxy's own HTTP
# frontend binds, so a /chatlist request appears to be handed back to HAProxy
# itself and would loop.  Verify the intended upstream (Apache listens on 81
# per the notes above) -- TODO confirm.
server chatlistURI 192.168.225.214:80 check port 80 maxconn 200
The following configuration file is for HTTPS/SSL setup;
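# Process-wide settings.
global
# Single worker process.  The "debug" directive that used to follow here is
# removed: it dumps every exchange to stdout and disables forking into the
# background, i.e. it cancels "daemon" below and must only be used for
# interactive troubleshooting.
nbproc 1
daemon
maxconn 35000
# NOTE(review): with user/group commented out the process keeps whatever
# privileges it was started with; enabling them (ideally with a chroot)
# limits the impact of a compromise.
#user haproxy
#group haproxy
# Admin-level runtime socket; mode 0600 restricts it to the owning user.
stats socket /var/run/haproxy/haproxy.sock mode 0600 level admin
spread-checks 5
# Log to the local syslog relay, facility local1.
log 127.0.0.1 local1
# DH parameter size for DHE key exchange on "ssl" binds.
# NOTE(review): no "ssl-default-bind-options" / "ssl-default-bind-ciphers"
# are set, so the TLS binds below use the build's defaults (which on 1.5.x
# may still include SSLv3 unless "no-sslv3" is given) -- confirm and harden.
tune.ssl.default-dh-param 2048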
# Settings inherited by every frontend/backend below unless overridden there.
defaults
log global
mode http
option tcp-smart-accept
option tcp-smart-connect
# TCP keepalive on client-side and server-side sockets.
option tcpka
option srvtcpka
option httplog
# Do not log connections that carried no data (e.g. port probes).
option dontlognull
retries 3
# On retry, allow a cookie-pinned request to be sent to another server.
option redispatch
no option log-health-checks
# Values without a unit are milliseconds: connect 10 s, client 300 s.
timeout connect 10000
timeout client 300000
timeout queue 5s
# Bounds how long a client may take to send the complete request headers,
# which limits how long a slow or stalled client can hold resources.
timeout http-request 28s
timeout tunnel 1h
timeout server 8m
# HTTP entry point whose job is to send clients to HTTPS.
frontend sub_site_to_ssl_redirection
mode http
option forwardfor
option http-server-close
bind 192.168.225.214:80
# Nothing on this bind is TLS, so "!{ ssl_fc }" is always true and every
# request is redirected (302 by default) to the same URL over https.  The
# two lines after it are only reached if the redirect is ever disabled.
redirect scheme https if !{ ssl_fc }
default_backend common_www_backend
errorfile 503 /opt/haproxy/errors/503.http
# frontend multi_tenant
# bind 192.168.2.222:80
# bind 192.168.225.214:80
# mode http
# option httplog
# option httpclose
# option forwardfor
# option http-server-close
# reqadd X-Forwarded-Proto:\ http
# reqadd X-Multi-tenant:\ true
# acl chatreq url_beg /chatlist
################################ ADD REDIRECTION MT ########################################################
############################################################################################################
# use_backend chatlistURI if chatreq
# default_backend common_www_backend
# errorfile 503 /opt/haproxy/errors/503.http
# frontend multi_tenant_secure
# bind 192.168.2.222:443 ssl crt /opt/haproxy/ssl/certs.d/
# bind 192.168.225.214:443 ssl crt /opt/haproxy/ssl/certs.d/
# mode http
# option httplog
# option httpclose
# option forwardfor
# reqadd X-Forwarded-Proto:\ https
# acl chatreq url_beg /chatlist
# use_backend chatlistURI if chatreq
# default_backend common_www_backend
# errorfile 503 /opt/haproxy/errors/503.http
# TLS entry point.  The "crt" directory form loads every .pem in certs.d,
# which is what lets rlhaproxy.sh add and remove per-domain certificates.
frontend sub_site_secured
# NOTE(review): protocol versions and cipher suites are not pinned anywhere
# (no ssl-default-bind-options / -ciphers in global), so this bind accepts
# the build's defaults -- confirm and harden.
bind 192.168.225.214:443 ssl crt /opt/haproxy/ssl/certs.d/
mode http
option httplog
option httpclose
option forwardfor
# "reqadd" appends a header; it does not remove one the client already sent.
# If the application trusts the first X-Forwarded-Proto value, strip the
# client copy first (e.g. "reqidel ^X-Forwarded-Proto:" before this line).
reqadd X-Forwarded-Proto:\ https
# HSTS is currently off; enabling the line below pins browsers to HTTPS for
# one year, which also defeats the downgrade that the :80 redirect leaves open.
# rspadd Strict-Transport-Security:\ max-age=31536000
# Paths starting with /chatlist go to the chat-list backend.
acl chatreq url_beg /chatlist
use_backend chatlistURI if chatreq
default_backend common_www_backend
errorfile 503 /opt/haproxy/errors/503.http
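# Main web backend: the local Apache on port 81 (see the port notes at the
# top of this page).
backend common_www_backend
mode http
option httplog
# Pass the client address to Apache in X-Forwarded-For.  Set once here; the
# duplicate "option forwardfor" that used to follow the cookie line is dropped.
option forwardfor
# Health check: HEAD /about with an explicit Host header so the name-based
# vhost answers; HAProxy treats 2xx/3xx as "up".
option httpchk HEAD /about HTTP/1.1\r\nHost:\ na3.learnexa.com\r\nUser-Agent:\ HaProxy
# Statistics page.  Enabled inside this backend, it is reachable at
# /learnexalb through every frontend that routes here and is protected only
# by HTTP basic auth.
stats enable
stats hide-version
stats uri /learnexalb
stats realm Learnexa\ LB
# NOTE(review): the credential below is stored in clear text in this file
# and on the wiki page that carries it.  Rotate it, keep it out of shared
# documents, and consider serving stats from a dedicated "listen" section
# bound to a management address instead of the public frontends.
stats auth admin:Expertus2091
balance roundrobin
# Sticky sessions via an inserted SERVERID cookie.  "indirect": the cookie is
# stripped from requests before they reach the server and not re-sent to a
# client that already has it; "nocache": responses that get the cookie are
# marked non-cacheable.  NOTE(review): since this backend is reached over
# TLS, consider adding the "secure" and "httponly" cookie attributes if the
# installed HAProxy build supports them -- confirm.
cookie SERVERID insert indirect nocache
# server prodapp1 10.229.94.13:80 cookie server1 weight 1 maxconn 1024 check cookie app1
# maxconn 31 caps concurrent connections to Apache at 31 -- verify this is
# intended and not a typo for a larger value.  Checks run every 5 s; two
# successes mark the server up, three failures mark it down.
server cbdevapp01 192.168.225.214:81 check port 81 cookie app1 maxconn 31 inter 5000 rise 2 fall 3
# server prodapp2 10.166.152.19:80 check port 80 cookie app2 maxconn 31 inter 5000 rise 2 fall 3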
# TLS-terminated TCP entry point for chat: HAProxy terminates TLS on 8090 and
# forwards plain TCP to the node service (backend prodchatrole, port 8018).
frontend chat-ingress
option tcplog
mode tcp
# Same certificate directory as the HTTPS web frontend.
bind 192.168.225.214:8090 ssl crt /opt/haproxy/ssl/certs.d/
# bind 192.168.2.222:8090
default_backend prodchatrole
# Chat upstream: the node process on 8018 (see the chat_sss.sh note above).
backend prodchatrole
mode tcp
option forceclose
# No httpchk here, so "check" is a plain TCP connect to 8018; maxconn bounds
# concurrent chat sessions forwarded to the process.
server prodchatrole 192.168.225.214:8018 check port 8018 maxconn 200
# Backend for /chatlist* requests (selected by the "chatreq" ACL).
backend chatlistURI
mode http
# NOTE(review): 192.168.225.214:80 is the address of this proxy's own
# sub_site_to_ssl_redirection frontend, which redirects everything to https;
# a /chatlist request sent here appears to bounce between the two frontends.
# Verify the intended upstream (Apache listens on 81 per the notes above)
# -- TODO confirm.
server chatlistURI 192.168.225.214:80 check port 80 maxconn 200
=== STEP 3: copy the following scripts and place them in the app user's home directory (cphaproxy.sh runs rlhaproxy.sh from ~/bin on the HAProxy host); ===
cphaproxy.sh
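#!/bin/bash
#################################
# cphaproxy.sh -- upload a certificate to the HAProxy host and ask
# rlhaproxy.sh there (run via sudo) to enable or disable its domain.
#
# Usage: cphaproxy.sh /path/to/<domain>.pem enable|disable
#   $1  local PEM file; its basename without the ".pem" suffix is the
#       domain handed to rlhaproxy.sh
#   $2  "enable" or "disable"
# Exit status 1 on bad arguments, a missing file, an invalid domain name or
# a failed upload; otherwise the status of the remote ssh command.
#################################
BASE=/opt/haproxy
DIS_CERT=$BASE/ssl/disable_certs
APP_USER=expdev01
HAPROXY=localhost
#################################
printhelp()
{
  clear
  printf '\n\e[32;1mUsage : %s /path/to/.pem enable|disable\e[0m\n\n' "$0"
  exit 1
}
# Exactly two arguments are required.
if (( $# != 2 )); then
  printhelp
fi
if [[ -z $1 || ! -e $1 ]]; then
  printf '\n\e[31;1mFile was not found in the specified directory\e[0m\n\n' >&2
  exit 1
fi
case $2 in
  enable|disable) ;;
  *) printhelp ;;
esac
# Basename of the PEM path and the domain it names.  Only a trailing ".pem"
# is stripped; the previous "sed s/.pem//" treated "." as a regex wildcard
# and removed the first "<any char>pem" anywhere in the name.
pemfile=${1##*/}
domain=${pemfile%.pem}
# The domain is interpolated into a remote shell command here and into a sed
# expression by rlhaproxy.sh, so restrict it to hostname characters.
if [[ ! $domain =~ ^[A-Za-z0-9.-]+$ ]]; then
  printf '\n\e[31;1mInvalid domain name derived from %s\e[0m\n\n' "$pemfile" >&2
  exit 1
fi
if ! scp -- "$1" "$APP_USER@$HAPROXY:$DIS_CERT/" >/dev/null; then
  printf '\e[31;1mUnable to upload the file, due to network issue\e[0m\n\n' >&2
  exit 1
fi
# %q shell-quotes both words for the remote shell.
printf -v remote_cmd 'cd ~/bin && sudo ./rlhaproxy.sh %q %q' "$2" "$domain"
ssh "$APP_USER@$HAPROXY" -t "$remote_cmd" >/dev/null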
rlhaproxy.sh
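#!/bin/bash
#THIS SCRIPT IS FREE TO USE
#AUTHOR : Syed A. Bahmani
#DESIGNATION : DevOps Engineer
#
# rlhaproxy.sh -- enable or disable the HTTPS redirect and certificate of one
# domain in the HAProxy configuration, then reload HAProxy.
#
# Usage: rlhaproxy.sh enable|disable <domain>
#   enable   insert "redirect prefix https://<domain> code 301 if { hdr(host) -i <domain> }"
#            before line $INSERT_LINE of $CONF and move <domain>.pem from
#            $DIS_CERT into $CERT.  If the domain is already configured, a
#            changed certificate waiting in $DIS_CERT is moved into place.
#   disable  delete that redirect line and move <domain>.pem back to $DIS_CERT.
# Must run as root.  Exit status 1 on bad usage, a missing config file, an
# invalid domain, a failed config check or reload, or (disable) an unknown
# domain.
# (The first line used to read "#/bin/bash" -- without the "!" it is not a
# shebang, so the script ran under whatever shell happened to execute it.)
BASE=/opt/haproxy
CERT=$BASE/ssl/certs.d
DIS_CERT=$BASE/ssl/disable_certs
CONF=$BASE/haproxy.cfg
# Line of $CONF before which the redirect rule is inserted (was hard-coded as
# "51i").  It must fall inside the frontend that should carry the redirects;
# override it from the environment if the config layout changes.
INSERT_LINE=${INSERT_LINE:-51}

if [ "$(whoami)" != 'root' ]; then
  echo -e "\n\e[31m\e[1mWARNING!!\e[0m Please run $0 as root or use sudo\n" >&2
  exit 1
fi
if [ ! -e "$CONF" ]; then
  echo -e "\e[31m\e[1mThe file was not found : $CONF \nPlease configure right path in CONF variable!\e[0m" >&2
  exit 1
fi

# Print the host of every "redirect prefix https://<host> ..." rule in $CONF.
# The host is the token after "https://" rather than a fixed space-separated
# field, so the rule's indentation does not matter.
list_domains()
{
  awk 'tolower($0) ~ /redirect prefix/ {
         for (i = 1; i <= NF; i++) {
           if (tolower($i) ~ /^https?:\/\//) {
             sub(/^[^:]*:\/\//, "", $i)
             print $i
             break
           }
         }
       }' "$CONF"
}

# Banner plus domain list, shown after every change and in the usage text.
print_domains()
{
  echo -e "\n++++++++ HERE IS THE LIST OF DOMAINS ++++++++\n"
  list_domains
  echo -e "\n"
}

printhelp()
{
  echo -e "\n\e[32m\e[1mUSEAGE : ./$(basename "$0") enable|disable \e[0m\n"
  print_domains
  exit 1
}

# True when domain $1 already has a redirect rule in $CONF.  Fixed-string
# match on "https://<domain> ": the old "grep -i $2" treated the domain as a
# regex and matched any line merely containing it (e.g. the httpchk Host).
domain_configured()
{
  grep -qiF -- "redirect prefix https://$1 " "$CONF"
}

# Delete every redirect rule of domain $1 from $CONF by line number, last
# line first so the remaining numbers stay valid.  (The old code deleted the
# first line that matched the domain anywhere, and broke when it matched
# more than one line.)
remove_redirect()
{
  local n
  local -a nums=()
  mapfile -t nums < <(grep -niF -- "redirect prefix https://$1 " "$CONF" | cut -d: -f1)
  for (( n = ${#nums[@]} - 1; n >= 0; n-- )); do
    sed -i "${nums[n]}d" "$CONF"
  done
}

# Subject-hash of the certificate in file $1 (empty when unreadable).
cert_hash()
{
  openssl x509 -noout -hash -in "$1" 2>/dev/null
}

# Check the edited config, then reload.  Errors are no longer hidden with
# "2>/dev/null": a failed reload leaves the old process serving the old
# certificates, and the operator must see that.  "sudo" is dropped because
# the script already requires root.
reload_haproxy()
{
  echo -e "Reloading haproxy configuration\n"
  if ! haproxy -c -q -f "$CONF"; then
    echo -e "\e[31m\e[1mConfiguration check failed; haproxy was not reloaded\e[0m\n" >&2
    exit 1
  fi
  if ! service haproxy reload; then
    echo -e "\e[31m\e[1mhaproxy reload failed\e[0m\n" >&2
    exit 1
  fi
  sleep 2
  echo -e "\e[32m\e[1mDone...\e[0m\n"
}

action=$1
domain=$2
case $action in
  enable|disable) ;;
  *) printhelp ;;
esac
if [ -z "$domain" ]; then
  printhelp
fi
# The domain is written into a sed expression and into the config file.
if [[ ! $domain =~ ^[A-Za-z0-9.-]+$ ]]; then
  echo -e "\n\e[31m\e[1mInvalid domain name: $domain\e[0m\n" >&2
  exit 1
fi

if [[ $action == "enable" ]]; then
  if ! domain_configured "$domain"; then
    # Do not add a redirect to HTTPS for a domain that has no certificate.
    if [ ! -e "$DIS_CERT/$domain.pem" ] && [ ! -e "$CERT/$domain.pem" ]; then
      echo -e "\n\e[31m\e[1mNo certificate $domain.pem found in $DIS_CERT or $CERT\e[0m\n" >&2
      exit 1
    fi
    sed -i "${INSERT_LINE}i redirect prefix https://$domain code 301 if { hdr(host) -i $domain }" "$CONF"
    if [ -e "$DIS_CERT/$domain.pem" ]; then
      mv -f -- "$DIS_CERT/$domain.pem" "$CERT/"
    fi
    print_domains
    reload_haproxy
  elif [ "$(cert_hash "$CERT/$domain.pem")" != "$(cert_hash "$DIS_CERT/$domain.pem")" ]; then
    # Already configured, but a different certificate was uploaded: swap it
    # in and reload -- HAProxy only reads certificates at (re)start, so the
    # old code's move without a reload left the old certificate in service.
    mv -f -- "$DIS_CERT/$domain.pem" "$CERT/" 2>/dev/null
    reload_haproxy
  else
    echo "Domain Already exist"
  fi
else
  if ! domain_configured "$domain"; then
    echo -e "\nDomain mentioned does not exist in the configuration file!\n"
    exit 1
  fi
  remove_redirect "$domain"
  # Was "2>1", which sent errors to a file literally named "1" in the
  # current directory instead of discarding them.
  mv -f -- "$CERT/$domain.pem" "$DIS_CERT/" 2>/dev/null
  print_domains
  reload_haproxy
fi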