Using HAProxy as a reverse proxy » History » Version 1
Koen Deforche, 11/24/2010 04:24 PM
h1. Using HAProxy as a reverse proxy

HAProxy has a great feature set when used in conjunction with Wt:

* Uses async I/O and thus handles thousands of connections without any problem. Just like Wt!
* Supports reverse proxying of WebSocket connections (as per draft-76).
* Can be configured to use session affinity without needing cookies.

h2. Basic setup

<pre>
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    # timeouts are in milliseconds
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

# "listen" takes a proxy name before the address; "wt" is the name used here
listen wt 0.0.0.0:8181
    server srv1 0.0.0.0:9090 check
</pre>

h2. Using session affinity

All of the built-in mechanisms in HAProxy for session affinity using the @appsession@ option rely on cookies, but cookies are not our preferred method: they do not give an intuitive user experience (e.g. a user cannot open multiple sessions), are not entirely reliable (a user can disable cookies), and are a source of security risks (CSRF).

Luckily there is a workaround: using Wt's ability to generate session IDs that have a prefix which identifies the back-end, we can have HAProxy match on this prefix in the request URL and send the requests to the correct server.

Below is an example configuration for two back-end servers.

<pre>
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

frontend wt
    bind 0.0.0.0:80
    # match the session-id prefix anywhere in the request URL
    acl srv1 url_sub wtd=wt1
    acl srv2 url_sub wtd=wt2
    # true while the back-end still has at least one server up
    acl srv1_up nbsrv(bck1) gt 0
    acl srv2_up nbsrv(bck2) gt 0
    use_backend bck1 if srv1_up srv1
    use_backend bck2 if srv2_up srv2
    # everything else (no known prefix, or its server is down) is load-balanced
    default_backend bck_lb

backend bck_lb
    balance roundrobin
    # "track" reuses the health-check state of the servers checked below
    server srv1 0.0.0.0:9090 track bck1/srv1
    server srv2 0.0.0.0:9091 track bck2/srv2

backend bck1
    balance roundrobin
    server srv1 0.0.0.0:9090 check

backend bck2
    balance roundrobin
    server srv2 0.0.0.0:9091 check
</pre>

And start the two Wt httpd servers using:

<pre>
$ app.wt --session-id-prefix=wt1 --http-port 9090 ...
$ app.wt --session-id-prefix=wt2 --http-port 9091 ...
</pre>
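
The routing decision made by the @frontend wt@ section can be modelled in a few lines of Python. This is an added example, not part of the original page and not HAProxy or Wt code; it also shows that, because @url_sub@ is a substring match, session-id prefixes must not be prefixes of one another. The function names, the sample URLs and the third back-end @bck10@ are assumptions made up for the illustration.

```python
from itertools import cycle

# (url_sub pattern, backend), in the order of the use_backend lines above
RULES = [("wtd=wt1", "bck1"), ("wtd=wt2", "bck2")]


def make_router(rules=RULES):
    """Build a route(url, up) function modelling the 'frontend wt' section."""
    lb = cycle([backend for _, backend in rules])  # bck_lb: balance roundrobin

    def route(url, up):
        """up = set of backends whose nbsrv() is greater than 0."""
        for pattern, backend in rules:
            # url_sub is a plain substring test over the whole URL
            if pattern in url and backend in up:
                return backend
        # default_backend bck_lb; 'track' keeps servers that are down out of rotation
        for _ in rules:
            backend = next(lb)
            if backend in up:
                return backend
        return None  # nothing is up

    return route


def ambiguous_prefixes(prefixes):
    """Pairs (a, b) where a session ID issued under prefix b also matches a's ACL."""
    return [(a, b) for a in prefixes for b in prefixes
            if a != b and b.startswith(a)]


if __name__ == "__main__":
    both = {"bck1", "bck2"}
    route = make_router()
    # Constructed sample URLs; the part after the prefix is made up.
    print(route("/app?wtd=wt2Xk93LmQ", both))      # existing session on srv2
    print(route("/app?wtd=wt1Xk93LmQ", {"bck2"}))  # srv1 down: re-balanced
    print(route("/app", both))                     # new session: round robin
    # A third server started with --session-id-prefix=wt10 would be misrouted:
    loose = make_router(RULES + [("wtd=wt10", "bck10")])
    print(loose("/app?wtd=wt10Xk93LmQ", both | {"bck10"}))
    print(ambiguous_prefixes(["wt1", "wt2", "wt10"]))
```

Running @ambiguous_prefixes@ over the prefixes you plan to pass to @--session-id-prefix@ before adding a back-end catches the collision before it silently breaks affinity.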