haproxy question about check

From: eni-urgence <eni-urgence#scan-eco.com>
Date: Fri, 21 May 2010 15:15:54 +0200

Hello all.

I discover haproxy few weeks ago and I want to thanks willy for his very good product.
I'm planing to integrate haproxy to our dmz. I want to use haproxy for loadbalancing heavy secure php/ajax applications with cookie persitence: a collaborate scheduler and a image consult extranet.

stunnel service will handle https connections and forward decrypted requests to haproxy on port 88. Then haproxy will forward connections to web server on port 10088, 100089 (and so...) on a mass virtual host configuration of apache (see below).
In /var/www/vhost-SSL/ on web server, there is some symbolic links to the php sources. Some domains are not linked to same path because they don't provide the same application. So i don't want to have to delete/rename the "running.ok" file on every path when I want to shutdown the webserver.
I want to use the httpcheck on port 10081 and the file "running.ok" . But I want a soft stop of service. I want haproxy to stop forwarding new connection if he don't find the "running.ok" file but continue to forward connection if cookie is initialised. so i will configure a backup server with same cookies (like said in Haproxy documentation).  

So now my questions :

• is it possible to check only the header like this /HEAD / HTTP/1.0
  /for backup server ?
  
• Like said in the article of willy (http://1wt.eu/articles/2006_lb/),it is good to load balance the encryption/decryption flow too. So a haproxy instance in tcp mode (layer 4), seems to be a good solution. But our applications have to know the client IP for security reasons. I read that a recompiled kernel with tproxy support will forward connections keeping the real client IP. Is that true ?
  • I want to manage a multi site configuration keeping the session persistence. How can I manage to do so?

haproxy configuration : (it 's a test configuration file. I think some variable are not good valued)

/defaults

        log     global
        mode    http
        option  httplog
        retries 3
        option redispatch
        maxconn 2000
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000
        stats enable
        option forwardfor
        balance roundrobin
        option httpchk HEAD /running.ok HTTP/1.0
        option http-server-close/

/
/

/listen private-admin_stats 192.168.1.60:8088

        mode http
        stats uri    /admin?stats
        stats realm     Global\ statistics
        stats auth  stats:stats84/



/frontend public-http-app

        bind 192.168.1.62:88
        reqadd   sce_proxy:\ lbl0101
        reqadd   sceproxy_secure:\ https
        capture request header Location len 80
        capture response header Location len 80
        capture response header Server len 20
        default_backend webfarm-http-app/



/backend webfarm-http-app

        cookie SERVERID prefix nocache
        server lbl0101-app1 192.168.1.62:10088 check port 100081 inter 
2000 rise 2 fall 5 weight 8 cookie lbl0101-app
        server lbl0101-app1-bck 192.168.1.62:10088 check  inter 2000 
rise 2 fall 5 cookie lbl0101-app backup
        server lbl0101-app2 192.168.1.62:10089 check //port 100081 


//inter 2000 rise 2 fall 5 cookie lbl0101-app2

        server lbl0101-app2-bck 192.168.1.62:10089 check inter 2000 rise 

2 fall 5 cookie lbl0101-app2 backup/

NameVirtualHost apache configuration :

/NameVirtualHost 192.168.1.62:10081

<VirtualHost 192.168.1.62:10081>

        UseCanonicalName Off
        ServerName *
        VirtualDocumentRoot /var/www/vhosts-SSL/%0
        VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
        DirectoryIndex index.html index.htm index.shtml index.php
        HostNameLookups off
        #CustomLog logs/ssl_access_log vcommon
        #CustomLog /var/log/httpd/access_log cawstats

</VirtualHost>/

/NameVirtualHost 192.168.1.62:10088

<VirtualHost 192.168.1.62:10088>

        UseCanonicalName Off
        ServerName *
        VirtualDocumentRoot /var/www/vhosts-SSL/%0
        VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
        DirectoryIndex index.html index.htm index.shtml index.php
        HostNameLookups off
        #CustomLog logs/ssl_access_log vcommon
        #CustomLog /var/log/httpd/access_log cawstats

</VirtualHost>/

/NameVirtualHost 192.168.1.62:10089

<VirtualHost 192.168.1.62:10089>

        UseCanonicalName Off
        ServerName *
        VirtualDocumentRoot /var/www/vhosts-SSL/%0
        VirtualScriptAlias /var/www/vhosts/%0/cgi-bin/
        DirectoryIndex index.html index.htm index.shtml index.php
        HostNameLookups off
        #CustomLog logs/ssl_access_log vcommon
        #CustomLog /var/log/httpd/access_log cawstats

</VirtualHost>/

Some example of the link in /var/www/vhosts-SSL :

/192.168.1.62 -> /var/www/check (=> is where the file "running.ok" will be)
secure.myfirstdomain.com -> /var/www/html/myfirstdomain.com

secure1.myfirstdomain.com -> /var/www/html/myfirstdomain.com
secure.myseconddomain.com -> /var/www/html/myfseconddomain.com
secure.myfthirddomain.com -> /var/www/html/myfirstdomain.com/

Some other configuration in httpd.conf :

/LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" combined
SetEnvIf Request_URI "^/running\.ok$" dontlog CustomLog /var/log/httpd/access.log combined env=!dontlog/

NB : sorry for my very bad english.

NICOLE Emerik
Newbie french user of haproxy
eni-urgence#scan-eco.com
www.scan-eco.com
www.quickmed.fr Received on 2010/05/21 15:15