How to Set Up HAProxy for Load Balancing on Ubuntu 16.04

HAProxy (High Availability Proxy) is an intelligent software solution that offers load balancing and a high level of uptime performance for TCP- and HTTP-based applications.

It is used by the world's highly trafficked websites, including Twitter, Tumblr, Amazon Web Service, and GoDaddy to spread incoming requests across multiple endpoints.

HAProxy works by distributing concurrent connections to multiple backend servers based on a load balancing algorithm. Written in C, the software has been in use since 2000 and has a solid reputation in regards to memory and CPU usage

In this guide, we will show you how to use HAProxy on your Ubuntu 16.04 Alibaba Cloud Elastic Compute Service (ECS) to prevent unplanned outage caused by software problems, human error, network error, and environmental issues.

Prerequisites

1. A valid Alibaba Cloud account (sign up now for a free trial)
2. 3 ECS instances running Ubuntu 16.04 Operating System
3. A non-root user that can perform sudo privileges on all three instances

We will be using one ECS instance as the frontend and two more as endpoints where the load is going to be distributed. We will use Alibaba Cloud ECS instance private IP addresses for the two endpoints.

We will also require the public IP address for the frontend server for accessing your web application or website. We will still need to connect to all three instances via public IP addresses through SSH to install all required applications.

For the sake of simplicity, we will assume the following IP addresses and hostnames for the instances:

1. haproxy-server : public IP address 198.18.0.1
2. backend-server1 : private IP address 172.16.0.1, public IP address 198.18.0.1
3. backend-server2 : private IP address 172.16.0.2, public IP address 198.18.0.2

Also, you need to create a security group that allows the following ports for the servers:

1. HaProxy-server : Port 80 http and port 32600 for statistics
2. backend-server1 : Port 8080 for http
3. backend-server2 : Port 8080 for http

Step 1: Configuring haproxy-server (Frontend)

SSH to the first ECS instance using its Public IP address. This is where we are going to install HaProxy Server.

Before we do this, we need to update the package information index using the command below:

$ sudo apt-get update

HaProxy is available on the Ubuntu software repository, so we can install it using the package manager by running the command below:

$ sudo apt-get install haproxy

Press Y and hit Enter when you are prompted to confirm the installation.

Step 2: Configuring HaProxy

When HaProxy is installed, a standard configuration file is created at /etc/haproxy/haproxy.cfg. We will need to edit this file to do some changes using a nano editor:

$ sudo nano /etc/haproxy/haproxy.cfg

The file should like this before any edits are done:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM$
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

The global section lists different parameters such as user and the group under which HAproxy runs. The defaults section handles login- and error-related issues. These two sections should work by default.

However, the file does not contain any load balancing information, and we need to create the frontend and backend settings for our servers.

So, towards the end of the file, add the content below:

frontend ourwebsitefrontend
    bind *:80
    mode http
    default_backend ourwebsiteendpoint

The bind parameter tells HaProxy to listen to port 80 for connections. At the end of the text, we have specified ourwebsiteendpoint as the directive where our endpoints are located. We can now go ahead and add the backend configuration details as follows:

backend ourwebsiteendpoint
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server backend-server1 172.16.0.1:8080 check
    server backend-server2 172.16.0.2:8080 check

The roundrobin value specifies the balance algorithm that we want the server to use. The Forwardfor option instructs the load balancer to forward client IP address to the endpoints. Http-request header allows us to forward the port and protocol made by the client.

The option httpchk checks the health of the endpoint before forwarding requests. The last two lines specify the hostname and private IP address of the backend servers. You should obtain the private IP addresses of the backend servers from the Alibaba ECS console.

We will also add stats settings using the below entries:

listen stats
    bind :32600
    stats enable
    stats uri /
    stats hide-version
    stats auth username:password

The bind parameter specifies the port that you want to use when retrieving the stats on your HaProxy server. You should allow access this port under the security group of your ECS instance. At the end of the file, there is an option to enter a username and password for login to the statistics web page. Enter a strong value for the password

At the end, your /etc/haproxy/haproxy.cfg should be as follows:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM$
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend ourwebsitefrontend
        bind *:80
        mode http
        default_backend ourwebsiteendpoint

backend ourwebsiteendpoint
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server backend-server1 172.16.0.1:8080 check
    server backend-server2 172.16.0.2:8080 check

listen stats
    bind :32600
    stats enable
    stats uri /
    stats hide-version
    stats auth username:password

Remember to replace the backend server private IP address with the actual private IP addresses for your Alibaba ECS instances.

Then, restart HaProxy server to reload the changes:

$ sudo service haproxy restart

Step 3: Configuring the First Backend Server (backend-server1)

Next, login to the first backend server and change the hostname to backend-server1 using the command below:

$ sudo nano /etc/hostname

Change the one line to:

backend-server1

Then, edit the hosts file:

$ sudo nano /etc/hosts

Add a second line with the IP address 127.0.1.1 and the name of the new host:

127.0.0.1   localhost
127.0.1.1   backend-server1
 ...     

Press CTRL + X, Y, and Enter to save the file.

Reboot backend-server1:

$ sudo reboot

Wait for a few moments, SSH back to backend-server1, and update the package information list:

$ sudo apt-get update 

Then, install the Apache web server using the command below:

$ sudo apt-get install apache2

Change Apache listening port to port 8080:

$ sudo nano /etc/apache2/ports.conf

Look for the line:

$ Listen 80

And change it to:

$ Listen 8080

Press CTRL + X, Y, and Enter to save the file.

Then, open the default Apache virtual host file and change the port to 8080:

$ sudo nano /etc/apache2/sites-available/000-default.conf

At the beginning of the file, look for the line:

<VirtualHost *:80> 

And change it to:

<VirtualHost *:8080>

Restart Apache:

$ sudo systemctl restart apache2

Next, we need to create a sample website on the root of the website.

We first delete the default index.html that ships with Apache:

$ sudo rm /var/www/html/index.html

We can now create a test web page for our server:

$ sudo nano  /var/www/html/index.html

Copy and paste the content below and save the file :

<html>
  <head>
    <title>Back End Server 1</title>
  </head>
  <body>
    <h1>Success!  The Backend Server 1 is working!</h1>
  </body>
</html>

Step 4: Configuring the Second Backend Server (backend-server2)

We need to configure our second backend server just like we have done for the first server. We start by changing the hostname

$ sudo nano /etc/hostname

Change the one line to:

backend-server2

Then, edit the hosts file:

$ sudo nano /etc/hosts

Add a second line with the IP address 127.0.1.1 and the name of the new host

127.0.0.1   localhost
127.0.1.1   backend-server2
 ...     

Press CTRL + X, Y, and Enter to save the file.

Reboot backend-server2:

$ sudo reboot

Wait for a few moments, SSH back to backend-server2, and update the package information list:

$ sudo apt-get update 

Then, install the Apache web server using the command below:

$ sudo apt-get install apache2

Change Apache listening port to port 8080:

$ sudo nano /etc/apache2/ports.conf

Look for the line:

$ Listen 80

And change it to:

$ Listen 8080

Press CTRL + X, Y, and Enter to save the file.

Then, open the default Apache virtual host file and change the port to 8080.

$ sudo nano /etc/apache2/sites-available/000-default.conf

At the beginning of the file, look for the line:

<VirtualHost *:80> 

And change it to:

<VirtualHost *:8080>

Restart Apache

$ sudo systemctl restart apache2

Next, we need to create a sample website on the root of the website.

First, delete the default index.html that ships with Apache:

$ sudo rm /var/www/html/index.html

We can now create a test web page for our server:

$ sudo nano  /var/www/html/index.html

Copy and paste the content below and save the file

<html>
  <head>
    <title>Back End Server 2</title>
  </head>
  <body>
    <h1>Success!  The Backend Server 2 is working!</h1>
  </body>
</html>

Step 5: Testing the Configuration

We now have the correct environment for High Availability and load balancing on our Alibaba server. We can now visit our HaProxy server to see if the load is going to be distributed to our backend servers in a balanced manner.

On a web browser, type the public IP address of the server where you installed HaProxy:

http://198.18.0.1

You should see the below web page:

Try refreshing the page and see if the load balancer is going to send the request to the second server.

If you see Backend Server 2 is working on the browser, it means the Roundrobin algorithm was able to forward the request to the second server.

Congratulations, you now have a high availability configuration for your website or web application.

Step 6: Reviewing HaProxy Stats

You can visit HaProxy stats page by typing the public IP address of HaProxy server followed by ":32600". That is the port that we specified on the HaProxy configuration file and as indicated above, it must be opened on the security group associated with your ECS instance.

http://198.18.0.1:32600

Log in using the username and password that you specified and you should see the below stats web page:

Conclusion

On this guide, we have taken you through the steps of configuring HAProxy server on your Alibaba Cloud ECS running Ubuntu 16.04. We have set up two web servers and demonstrated that load balancing is working as expected. You can now upload your website or application file and even connect the backend servers to your database to create a fully working load balanced HTTP service for your web application.

To learn more about load balancing on Alibaba Cloud, visit www.alibabacloud.com/product/server-load-balancer