Tuesday, June 1, 2010

Setting Up A High-Availability HTTPS Load Balancer (With Failover and Session Support) With HAProxy/Keepalived/Stunnel



I/INTRO

In the earlier document http://conheotiensinh.blogspot.com/2010/05/setting-up-high-availability-load_14.html I set up an HTTP load balancer with HAProxy. HAProxy does not support SSL (HTTPS) directly, so this post shows how to configure HAProxy to support SSL by using stunnel (the HAProxy site states that stunnel must be installed for SSL/HTTPS support).

II/INSTALL



2/Install Stunnel

You need to apply the HAProxy patch to the stunnel package. (I built an RPM package with the HAProxy patch applied. If you need it for an easier install, please contact me by email: quan.hoa@conheotiensinh.co.cc)

3/Configure Keepalived as in the document:


4/Configure HAProxy on both load balancers

Edit /etc/haproxy/haproxy.cfg

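# the two stats lines belong in the defaults section or inside the listen block
stats enable
# example credentials for the statistics page; replace with a strong password
stats auth test:123
listen domain_cluster_https 192.168.236.130:80
    mode http
    balance roundrobin
    # session persistence: HAProxy inserts a SERVERID cookie naming the chosen server
    cookie SERVERID insert nocache
    # add X-Forwarded-For, except for requests coming from 192.168.236.130 itself (the local stunnel)
    option forwardfor except 192.168.236.130
    # health check: servers failing this request are taken out of rotation
    option httpchk HEAD /check.txt HTTP/1.0
    server server1 192.168.127.131:80 cookie A check
    server server2 192.168.127.132:80 cookie B check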

5/Configure Stunnel

Edit /etc/stunnel/stunnel.conf

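; the certificate must be installed at this path first
; (stunnel comments must be on their own line; a trailing comment becomes part of the value)
cert = /etc/stunnel/monit.pem
;key = /etc/stunnel/mail.key

; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /var/run/stunnel/
; setuid/setgid = root leaves the daemon running as root; a dedicated unprivileged account limits the damage of a compromise
setuid = root
setgid = root
; PID is created inside chroot jail
;pid = /stunnel.pid
pid = /etc/stunnel/stunnel.pid
;debug = 3
;output = /etc/stunnel/stunnel.log
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; accept HTTPS on port 443 and pass the decrypted traffic to HAProxy on port 80 of the same address
[https]
accept=192.168.236.130:443
connect=192.168.236.130:80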
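
A small audit of the stunnel.conf from step 5, as an added example that is not part of the original post: it parses the file and flags the privilege settings, a trailing comment on an option line, and a `connect` target on another host. The function names and the embedded sample text are constructed for this illustration.

```python
import re

# Constructed sample: the stunnel.conf from step 5 as posted, disabled lines trimmed.
SAMPLE = """\
cert = /etc/stunnel/monit.pem # you need install cert
;chroot = /var/run/stunnel/
setuid = root
setgid = root
pid = /etc/stunnel/stunnel.pid
[https]
accept=192.168.236.130:443
connect=192.168.236.130:80
"""

def parse(text):
    """Split a stunnel.conf into global options and per-service options."""
    glob, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # stunnel only has whole-line comments
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        key, _, value = line.partition("=")
        (glob if current is None else current)[key.strip()] = value.strip()
    return glob, services

def audit(text):
    """Return findings as 'name: problem' strings (hypothetical helper)."""
    glob, services = parse(text)
    findings = []
    for key in ("setuid", "setgid"):
        # Assumption: an absent option means the daemon stays root, as when init starts it.
        if glob.get(key, "root") in ("root", "0"):
            findings.append(f"{key}: daemon keeps root after binding its ports")
    if "chroot" not in glob:
        findings.append("chroot: not set, daemon can reach the whole filesystem")
    for scope in [glob, *services.values()]:
        for key, value in scope.items():
            if re.search(r"\s[#;]", value):
                findings.append(f"{key}: trailing comment is parsed as part of the value")
    host = lambda v: v.rsplit(":", 1)[0] if ":" in v else "localhost"
    for name, opts in services.items():
        local = {host(opts.get("accept", "")), "127.0.0.1", "localhost"}
        if host(opts.get("connect", "")) not in local:
            findings.append(f"{name}: decrypted traffic leaves this host in cleartext")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```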


6/Test: you can access the webmail at the URL:

https://192.168.236.130/mail




Check the HAProxy status at the URL: https://192.168.236.130/haproxy?stats




Besides, you can use another solution for this problem:

Use Pound as the reverse proxy (SSL) and HAProxy as the load balancer.

Thanks