Prerequisites

Installing HAProxy is quite simple.

budi@lab:~$ sudo apt update

and

budi@lab:~$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done

To install HAProxy, run the command below:

budi@lab:~$ sudo apt install haproxy

The HAProxy configuration is simple for this setup: there is only one backend server, so there is no load-balancing mechanism to consider.

Here’s what the general configuration looks like:

budi@lab:~$ cat /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

You may adjust these settings to meet your needs.

HAProxy Setup

So, let’s see how HAProxy handles HTTP and HTTPS requests.

Remember the topology to be achieved: the backend / real server will be 10.8.0.2 (a Raspberry Pi).

frontend http_front
bind *:80
default_backend http_back

backend http_back
server web01 10.8.0.2:80 check

For forwarding HTTPS requests I have two options:

  • SSL terminated at HAProxy

This option is suitable if you purchase an SSL certificate: you configure the certificate on HAProxy and have the flexibility to run a plain HTTP backend server (no HTTPS).

  • SSL passed to backend server

This option is suitable for my case: I am using an SSL certificate signed by Let's Encrypt, where the certificate is only valid for 3 months and there’s a cron job that renews it.

The whole process happens on the backend server. HAProxy just forwards port 443 to the backend server.

Here’s the HTTPS (port 443) forwarding configuration:

frontend http_ssl
bind 0.0.0.0:443
mode tcp
timeout client 1m
log global
option tcplog
default_backend bk_http_ssl

backend bk_http_ssl
mode tcp
log global
option tcplog
timeout server 1m
timeout connect 5s
server ssl-01 10.8.0.2:443 check
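A small linter for the two configuration blocks above, added here as an example and not part of the original post. It parses haproxy.cfg sections and checks that each frontend points at a defined backend, that frontend and backend modes agree (the 443 passthrough needs tcp on both sides), that every server line carries a health check, and that the global TLS floor is TLSv1.2 or higher. The embedded sample is a constructed condensation of the post's own snippets.

```python
import re
# Constructed sample: the post's haproxy.cfg condensed to the directives the checks read.
SAMPLE_CFG = """global
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
    mode http
frontend http_front
    bind *:80
    default_backend http_back
backend http_back
    server web01 10.8.0.2:80 check
frontend http_ssl
    bind 0.0.0.0:443
    mode tcp
    default_backend bk_http_ssl
backend bk_http_ssl
    mode tcp
    server ssl-01 10.8.0.2:443 check"""

def parse(cfg):
    """Map 'frontend http_front' -> {keyword: [values...]}; comments are stripped."""
    sections, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(global|defaults|frontend|backend)\s*(\S*)$", line)
        if m:
            cur = sections.setdefault(" ".join(m.groups()).strip(), {})
        elif line and cur is not None:
            kw, _, rest = line.partition(" ")
            cur.setdefault(kw, []).append(rest.strip())
    return sections

def lint(cfg):
    """Return a list of findings; an empty list means every check passed."""
    s, out = parse(cfg), []
    mode = lambda sec: sec.get("mode", s.get("defaults", {}).get("mode", ["tcp"]))[0]
    backends = {k[8:]: v for k, v in s.items() if k.startswith("backend ")}
    for key, sec in s.items():
        target = sec.get("default_backend", [None])[0]
        if key.startswith("frontend ") and target not in backends:
            out.append(f"{key}: default_backend {target!r} is not defined")
        elif key.startswith("frontend ") and mode(sec) != mode(backends[target]):
            out.append(f"{key}: mode {mode(sec)} does not match backend {target} (mode {mode(backends[target])})")
    for name, sec in backends.items():
        for srv in sec.get("server", []):  # 'check' enables health checks on that server
            if "check" not in srv.split()[2:]:
                out.append(f"backend {name}: server {srv.split()[0]} has no health check")
    tls = re.search(r"ssl-min-ver TLSv(1\.\d)", " ".join(s.get("global", {}).get("ssl-default-bind-options", [])))
    if not tls or float(tls.group(1)) < 1.2:
        out.append("global: ssl-default-bind-options should set ssl-min-ver TLSv1.2 or higher")
    return out
```

Run `lint(open("/etc/haproxy/haproxy.cfg").read())` before reloading HAProxy; a non-empty list is the set of things to fix.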

Next question: which web server is installed in the home network?

It’s nginx, quite a new web server for me, since I have used Apache for more than 10 years.

I will explain the nginx installation in more detail.
