Project

General

Profile

Using HAProxy as a reverse proxy » History » Revision 7

Revision 6 (Checheta Yan, 01/08/2016 04:08 PM) → Revision 7/8 (Checheta Yan, 01/08/2016 04:09 PM)

h1. Using HAproxy as a reverse proxy 

 "HAproxy":http://haproxy.1wt.eu/ has a great feature set when used in conjunction with Wt: 
 * Uses async I/O and thus handles thousands of connections without any problem. Just like Wt! 
 * Supports reverse proxying of WebSocket connections (as per draft-76). 
 * Can be configured to use session affinity without needing cookies. 

 You need a fairly recent of haproxy for the options 'http-server-close' and 'http-pretend-keepalive' to work, which is needed for reliable load-balancing. 

 h2. Basic setup 

 <pre> 
 global 
         log 127.0.0.1 local0 
         log 127.0.0.1 local1 notice 
         maxconn 4096 
         user haproxy 
         group haproxy 
         daemon 

 defaults 
         log       global 
         mode      http 
         option    httplog 
         option    dontlognull 
         option    http-server-close 
         option    http-pretend-keepalive 
         option    forwardfor 
         option    originalto 
         retries 3 
         option redispatch 
         maxconn 2000 
         contimeout        5000 
         clitimeout        50000 
         srvtimeout        50000 

 listen 0.0.0.0:8181 
         server srv1 0.0.0.0:9090 check 
 </pre> 

 h2. Using session affinity 

 All of the built-in mechanisms in HAproxy for session affinity using the @appsession@ option rely on cookies, but cookies are not our preferred method since this does not give an intuitive user experience (e.g. a user cannot open multiple sessions), are not entirely reliable (a user can disable cookies) and a source of security risks (CSRF). 

 Luckily there is a work-around: using Wt's ability to generate session-id's that have a prefix which identifies the back-end, we can have HAproxy match on this prefix in the request URL and send the requests to the correct server. 

 Below is an example configuration for two back-end servers. [[http://svtros.ru|!!!]] <a href="http://svtros.ru">!!!</a> 

 <pre> 
 global 
	 log 127.0.0.1 local0  
	 log 127.0.0.1 local1 notice 
	 maxconn 4096 
	 user haproxy 
	 group haproxy 
	 daemon 

 defaults 
	 log 	 global 
	 mode 	 http 
	 option 	 httplog 
	 option 	 dontlognull 
         option    http-server-close 
         option    http-pretend-keepalive 
         option    forwardfor 
         option    originalto 
	 retries 	 3 
	 option redispatch 
	 maxconn 	 2000 
	 contimeout 	 5000 
	 clitimeout 	 50000 
	 srvtimeout 	 50000 

 frontend wt 
         bind 0.0.0.0:80 
         acl srv1 url_sub wtd=wt1 
         acl srv2 url_sub wtd=wt2 
         acl srv1_up nbsrv(bck1) gt 0 
         acl srv2_up nbsrv(bck2) gt 0 
         use_backend bck1 if srv1_up srv1 
         use_backend bck2 if srv2_up srv2 
         default_backend bck_lb 

 backend bck_lb 
         balance roundrobin 
         server srv1 0.0.0.0:9090 track bck1/srv1 
         server srv2 0.0.0.0:9091 track bck2/srv2 

 backend bck1 
         balance roundrobin 
         server srv1 0.0.0.0:9090 check 

 backend bck2 
         balance roundrobin 
         server srv2 0.0.0.0:9091 check 

 </pre> 

 And start the two Wt httpd servers using: 

 <pre> 
 $ app.wt --session-id-prefix=wt1 --http-port 9090 ... 
 $ app.wt --session-id-prefix=wt2 --http-port 9091 ... 
 </pre> 

 h2. Running multiple apps for multiple domains 

 In case you want different apps to be bound to different domains then I have the following configuration for you. 
 In my case it's a virtual Server for testing and development as well. With Apache to test wordpress and other things.  
 To not immediately show changes on the Main Page I have a second instance running, but see for yourself: 

 I hope the comments are self explanatory even for beginners like I have been =) 

 <pre> 
 global 
     maxconn 4096 
     user       haproxy 
     group      haproxy 
     daemon 

 defaults 
     log       global 
     mode       http 
     option      httplog 
     option      dontlognull 

     option      http-pretend-keepalive 
     option      forwardfor 
     option       originalto 
     option       redispatch 

     retries      3 

     timeout      connect      5000 
     timeout      client      50000 
     timeout server       50000 

 frontend http-in 
     bind *:80 

 # Having a .wt Application-Server for development/testing purposes with access regardless of path 
 #      but subdomain is dev: dev.sample.com / dev.example.com 
 #      While having several domains pointing to the same physical server 
     acl is_dev_URL hdr_beg(host) -i dev. 

 # Main-Page to load when connecting to host: should load sample.com/wt1 
     acl is_wt_Main     hdr_end(host) sample.com 

 # Secondary Page shown when connecting from 2nd URL: example.com/wt2 
         acl is_wt_Second hdr_end(host) example.com 

 # Having apache for other reasons, too: testing wordpress / something 
 #       refers to specific path: html 
         acl apache_path path_beg /html 

 # Following a folder architecture within docroot like: 
 #      docroot/wt1/[styles][images][whatever]  
 #      docroot/wtSecondary/[styles][images]  
 #         ->Just giving an example of having another folder name than deployment path 

     acl wt_path       path_beg /wt1 
     acl wt_path       path_beg /wt2 
     acl wt_resource path_beg /resources 
     acl wt_resource path_beg /wt1 
     acl wt_resource path_beg /wtSecondary 

 # Checking whether Servers are up or down 
     acl wt_srv_up nbsrv(wt_hp) gt 0 
     acl wt_dev_up nbsrv(wt_dev) gt 0 

 # The Redirections: 
 #    Redirect to Location /wt1 if Main-Page,    no other app, Server is up, no apache path, no resource path, and no dev-server 
     redirect location /wt1     if is_wt_Main    !wt_path        wt_srv_up       !apache_path      !wt_resource        !is_dev_URL 

 # Redirect Secondary 
     redirect location /wt2     if is_wt_Second !wt_path wt_srv_up !apache_path !wt_resource !is_dev_URL 

 # Choose the Backend 
     use_backend apache      if apache_path !wt_srv_up  

 # HAProxy 1.5.x + : 
     default_backend wt 

 # HAProxy 1.4.x - : 
 #      use_backend wt_live       if is_wt_Main is_wt_Second wt_path !is_dev_URL wt_srv_up 
 #       use_backend wt_dev      if is_dev_URL wt_dev_up 

 # The Backends 
 backend wt 

 # use-server is only available in HAProxy 1.5.x 
         use-server Wt_Live unless is_dev_URL 
     server Wt_Live    0.0.0.0:9050 track wt_hp/Wt_Live 

     use-server Wt_Dev if is_dev_URL 
     server Wt_Dev     0.0.0.0:9020 track wt_dev/Wt_Dev 

 backend wt_hp 
     balance roundrobin   
     server Wt_Live 0.0.0.0:9050 check 

 backend apache 
     balance roundrobin 
     timeout connect 10s 
     timeout server       30s 
     server apache1 0.0.0.0:8050 check 

 backend wt_dev 
     balance roundrobin 
     server Wt_Dev 0.0.0.0:9020 check 
 </pre> 

 This is also updated to exclude deprecated keywords