HAProxy TLS Load Balancing using CentOS 7, NGINX, and PHP Cookies

Posted in CentOS, HAProxy

If you made it to this page after watching a YouTube video where someone explained basic HAProxy
HTTP load balancing by highlighting text in Notepad over terrible music, perhaps you're in the right spot.
The point of this post is not to reduce HAProxy to plain round robin across n servers but to provide a sandbox for some of the more
advanced features. In particular I was interested in TLS bridging and TLS termination, and in how each actually appears on the backend servers.

By no means would I consider myself an expert with HAProxy or NGINX (or PHP for that matter), and I wouldn't expect these
templates to be a gold standard for anybody, but they can provide a framework for exploring HAProxy features without starting from scratch. Although if I'm lucky they'll be heavily referenced in some YT videos by 2018.

A few possibilities based on this setup:
1) Use socat to control HAProxy at runtime through its stats socket
2) Connect to https://10.0.0.80:4433 and log in to the stats page as admin:admin (change these credentials before exposing the port anywhere)
3) See the difference between TLS bridging and TLS termination from the backend's point of view, using the request headers PHP receives
4) Request /terminate.php or /bridge.php to steer traffic through a particular HAProxy TLS backend
5) Rename up.html on an individual web server to put it into maintenance mode (its health check fails and HAProxy stops sending it traffic)
6) Examine which HAProxy backend is communicating with your servers via X- headers
7) Use PHP to create a two-minute cookie for validating session stickiness
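The following haproxy.cfg is an added example written to illustrate the list above; it is not the configuration from the original post and it does not reproduce that post's files. It assumes a combined cert+key at /etc/haproxy/haproxy.pem, a header name X-HAProxy-Backend for identifying the backend, and the stats socket path /var/lib/haproxy/stats. It also has HAProxy insert the 120-second stickiness cookie itself, which is a different mechanism from the post's PHP-side cookie.

```haproxy
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    # Admin-level Unix socket (assumed path) so socat can drive HAProxy at runtime:
    #   echo "show stat" | socat stdio /var/lib/haproxy/stats
    #   echo "disable server web_terminate/web1" | socat stdio /var/lib/haproxy/stats
    stats socket /var/lib/haproxy/stats mode 600 level admin
    tune.ssl.default-dh-param 2048

defaults
    mode                    http
    log                     global
    option                  httplog
    # Adds X-Forwarded-For with the real client IP for the backends
    option                  forwardfor
    timeout connect         5s
    timeout client          30s
    timeout server          30s

# Stats page over TLS on its own port. admin:admin matches the post's lab setup;
# "stats admin" lets a logged-in user disable servers, so change the password
# and firewall this port before it leaves the lab.
listen stats
    bind *:4433 ssl crt /etc/haproxy/haproxy.pem
    stats enable
    stats uri /
    stats auth admin:admin
    stats admin if TRUE

frontend https_in
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    # Once HAProxy has terminated TLS the backend cannot tell the client used
    # HTTPS, so say so explicitly. The backend must only trust this header
    # when the request comes from HAProxy's address.
    http-request set-header X-Forwarded-Proto https
    # Route by path so the same two web servers can be reached via either mode
    acl is_bridge path_beg /bridge.php
    use_backend web_bridge if is_bridge
    default_backend web_terminate

# TLS termination: HAProxy decrypts and speaks plain HTTP to NGINX on port 80.
# On the backend PHP sees no HTTPS variable; only X-Forwarded-Proto reveals TLS.
backend web_terminate
    balance roundrobin
    # Maintenance mode: rename up.html on a server and this check fails,
    # so HAProxy takes that server out of rotation.
    option httpchk GET /up.html
    # HAProxy-inserted stickiness cookie, valid for 120 seconds
    cookie SERVERID insert indirect nocache maxage 120
    # Assumed header name so backend PHP can show which backend was used
    http-request set-header X-HAProxy-Backend web_terminate
    server web1 10.0.0.81:80 check cookie web1
    server web2 10.0.0.82:80 check cookie web2

# TLS bridging: HAProxy decrypts, inspects/modifies HTTP, then re-encrypts to
# NGINX on 443. On the backend PHP sees HTTPS=on as well as the X- headers.
backend web_bridge
    balance roundrobin
    option httpchk GET /up.html
    cookie SERVERID insert indirect nocache maxage 120
    http-request set-header X-HAProxy-Backend web_bridge
    # "verify none" skips backend certificate checks; fine for a lab with
    # self-signed certs, but use "verify required ca-file ..." in production
    # or the bridge offers no protection against a spoofed backend.
    server web1 10.0.0.81:443 ssl verify none check cookie web1
    server web2 10.0.0.82:443 ssl verify none check cookie web2
```

Two points worth checking on the web servers when using this: the X-Forwarded-For and X-Forwarded-Proto values are only meaningful if NGINX accepts them solely from 10.0.0.80 (for example with `set_real_ip_from 10.0.0.80;` and `real_ip_header X-Forwarded-For;`), and because the health check inherits the `ssl` setting of the server line, the bridge backend's check of /up.html also runs over TLS.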

Basic Deployment

HA1 = HAProxy Load Balancer (10.0.0.80)
WEB1 = NGINX + PHP (10.0.0.81)
WEB2 = NGINX + PHP (10.0.0.82)

WEBx Base Commands

 

WEBx /etc/nginx/nginx.conf

 

WEBx Contents of /usr/share/nginx/html/index.php|bridge.php|terminate.php

 

HA1 Base Commands

 

HA1 Contents of /etc/haproxy/haproxy.cfg

 

Keepalived Configuration

I deployed a second HAProxy server after the initial post to experiment with Keepalived and a floating IP. I was expecting some hassles, but the only thing I encountered was that the check script you find everywhere uses killall -0 haproxy, and killall (from the psmisc package) was not part of my CentOS minimal install, so I swapped it out for pidof instead.

With this in place you can now stop haproxy on HA1 and HA2 will add 10.0.0.180 as a virtual address. You can verify with ip addr show on HA2, or watch the status updates with tail -f /var/log/messages | grep -i keepalived.
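As an added example of the check-script swap described above (not the post's own keepalived.conf), here is a minimal /etc/keepalived/keepalived.conf for HA1 that tracks haproxy with pidof and hands 10.0.0.180 to HA2 when the check fails. The interface name eth0, virtual_router_id 51, the priorities and the auth_pass value are assumptions for this example.

```conf
vrrp_script chk_haproxy {
    # CentOS 7 minimal ships pidof (sysvinit-tools) but not killall (psmisc).
    # pidof exits non-zero when no haproxy process exists, which is what
    # the check needs.
    script "/usr/sbin/pidof haproxy"
    interval 2
    # Subtracted from priority on failure: 101 - 20 = 81, below HA2's 100,
    # so HA2 wins the next VRRP election and claims the floating IP.
    weight -20
}

vrrp_instance VI_1 {
    state MASTER            # BACKUP on HA2
    interface eth0          # assumed interface name
    virtual_router_id 51    # must match on HA1 and HA2
    priority 101            # 100 on HA2
    advert_int 1
    authentication {
        auth_type PASS
        # VRRP PASS auth is plaintext on the wire and capped at 8 characters;
        # treat it as a misconfiguration guard, not a security control.
        auth_pass changeme
    }
    virtual_ipaddress {
        10.0.0.180/24
    }
    track_script {
        chk_haproxy
    }
}
```

Because VRRP authentication provides no real protection, restrict VRRP advertisements (IP protocol 112, multicast 224.0.0.18) to the two HA nodes at the firewall. On a default CentOS 7 install with firewalld that means allowing the protocol explicitly, for example `firewall-cmd --permanent --add-rich-rule='rule protocol value="vrrp" accept'`, and otherwise the two nodes never see each other and both claim the address.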