
We have 2 HTTP load balancers with HAProxy and heartbeat. There are 4 Apache nodes in this cluster. It's doing round-robin load balancing. The HTTP cluster is working fine. We are having a problem with our portal because it uses SSO. We need sticky connection support in our HAProxy. Also we need load balancing for HTTPS traffic. Here's our HAProxy conf file.

global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local0
    log         127.0.0.1 local1 notice
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------
frontend main *:5000
    acl url_static       path_beg       -i /static /images /javascript /stylesheets
    acl url_static       path_end       -i .jpg .gif .png .css .js
    use_backend static          if url_static
    default_backend             app

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    balance     roundrobin
    server      static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app

listen ha-http 10.190.1.28:80
    mode http
    stats enable
    stats auth admin:xxxxxx
    balance roundrobin
    cookie JSESSIONID prefix
    option httpclose
    option forwardfor
    option httpchk HEAD /haproxy.txt HTTP/1.0
    server apache1 portal-04:80 cookie A check
    server apache2 im-01:80 cookie B check
    server apache3 im-02:80 cookie B check
    server apache4 im-03:80 cookie B check

Please advise. Thanks for your help in advance.



Your config is already setting a persistence cookie, but I believe you need to define a different cookie per backend server to always send a visitor to the same backend.

Does your SSO have its own cookie it sets? Or are you happy with sticking with whichever box HAProxy chooses to send the traffic to? If you do have a cookie which your application sets, there is a configuration option to tell HAProxy to load balance based on pre-existing cookies rather than setting one itself (check the "appsession" option).

Regarding SSL, there is plenty of documentation out there which describes why HAProxy doesn't handle SSL itself. Instead, if you want to do SSL + layer 7 (cookies etc.) load balancing you have to terminate the HTTPS connection on the load balancer (i.e. have the SSL reside on the LB rather than the backend server). I've done this before by running nginx on the same box and it worked well.

However, if you are happy with layer 4 load balancing (no cookies etc.), HAProxy can just route the encrypted traffic without looking inside its contents.
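The two points in this answer (one distinct cookie value per server, and terminating TLS in front of the cookie logic) written out as a config fragment. This is an added example, not the answerer's or the question's config. It assumes HAProxy 1.5 or newer, which terminates TLS natively with `bind ... ssl crt` so a separate nginx or stunnel is no longer required for that; the certificate path, the frontend/backend names, the cookie name SERVERID and the values s1 to s4 are placeholders. The hostnames and the health-check URL are the ones from the question.

```haproxy
# Added example (not from the question or the answer). Assumes HAProxy 1.5+
# and a PEM file /etc/haproxy/certs/portal.pem holding the certificate
# chain and the private key; names and paths are placeholders.
frontend portal
    bind 10.190.1.28:80
    # terminate TLS on the LB so the cookie handling below can see the
    # requests; the certificate path is an assumption
    bind 10.190.1.28:443 ssl crt /etc/haproxy/certs/portal.pem
    mode http
    # SSO tokens travel in cookies/headers, so push everything to HTTPS;
    # ssl_fc is true only when the client-side connection is TLS
    http-request redirect scheme https unless { ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend app

backend app
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD /haproxy.txt HTTP/1.0
    # persistence by an HAProxy-owned cookie: "insert" adds it to responses,
    # "indirect" strips it before the request reaches Apache, "nocache" keeps
    # intermediate caches from storing the response that sets it, and
    # "httponly secure" keep it away from scripts and plain HTTP. The value
    # after "cookie" on each server line must be unique; the question's config
    # gives B to three servers, so those three are indistinguishable.
    cookie SERVERID insert indirect nocache httponly secure
    server apache1 portal-04:80 cookie s1 check
    server apache2 im-01:80     cookie s2 check
    server apache3 im-02:80     cookie s3 check
    server apache4 im-03:80     cookie s4 check

# Alternative when the application already issues its own session cookie
# (the answer's "appsession" idea). The appsession directive was removed in
# HAProxy 1.6; a stick-table does the same job. JSESSIONID is the cookie
# name already used in the question's config.
backend app_stick
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD /haproxy.txt HTTP/1.0
    # learn which server issued each JSESSIONID from its response, then
    # route later requests carrying that id back to the same server
    stick-table type string len 64 size 100k expire 30m
    stick store-response res.cook(JSESSIONID)
    stick match req.cook(JSESSIONID)
    server apache1 portal-04:80 check
    server apache2 im-01:80     check
    server apache3 im-02:80     check
    server apache4 im-03:80     check
```

Validate before reloading with `haproxy -c -f /etc/haproxy/haproxy.cfg`. With the first backend, two `curl -kI https://10.190.1.28/` calls should show a `Set-Cookie: SERVERID=...` on the first response and, when that cookie is sent back, the same server answering the second; with the stick-table variant there is no extra cookie to inspect, so check `show table app_stick` on the stats socket instead.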


If you are using SPNEGO/Kerberos for user auth you need to keep the connection alive between both client and backend. That's an SPNEGO protocol "feature": it wants to resolve the challenge over the same connection.

Please remember that keeping connections alive will probably cause connection persistence issues, since HAProxy only checks the headers of the first HTTP verb.

For SSL, I would also choose Nginx; another option is stunnel with X-Forwarded-For support.
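The keep-alive requirement from this answer as a config fragment, added here as an example and not taken from the answer. It assumes HAProxy 1.5 or newer for `option http-keep-alive` and `option prefer-last-server`, and 1.6 or newer for `http-reuse`; the backend name, the cookie name SERVERID and the values s1 to s4 are placeholders, while the hostnames and the two `option` lines commented out are the ones in the question's config.

```haproxy
# Added example (not from the answer). Assumes HAProxy 1.6+; hostnames are
# taken from the question, cookie names and values are placeholders.
defaults
    mode http
    # keep-alive on BOTH sides: the SPNEGO/NTLM challenge-response is bound to
    # the TCP connection, so a fresh server connection per request breaks it
    option http-keep-alive
    # if the client session already has an open connection to a server, send
    # the next request there instead of round-robin picking another server
    option prefer-last-server
    timeout http-keep-alive 10s
    timeout client 1m
    timeout server 1m
    # the question's config sets both of these; each closes the server side
    # after every request, which is exactly what SPNEGO cannot tolerate
    # option httpclose
    # option http-server-close

backend app
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD /haproxy.txt HTTP/1.0
    # never hand one client's authenticated server connection to another
    # client; with SPNEGO the server-side connection carries the identity
    http-reuse never
    # cookie persistence is still needed: keep-alive alone only lasts for the
    # life of one TCP connection, the cookie survives across connections
    cookie SERVERID insert indirect nocache
    server apache1 portal-04:80 cookie s1 check
    server apache2 im-01:80     cookie s2 check
    server apache3 im-02:80     cookie s3 check
    server apache4 im-03:80     cookie s4 check
```

Note that `option http-keep-alive` and `option prefer-last-server` here override the `option http-server-close` set in the question's `defaults` block; if that block is kept, remove `http-server-close` from it, because a later `option httpclose` or `http-server-close` in the `listen` section would re-enable per-request closing and reintroduce the SPNEGO failure.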
