Monday, December 26, 2011

Setting Up A High-Availability Load Balancer With HAProxy/pfSense 2.0.1




I/Overview

II/Intro

In the previous document I showed how to configure HAProxy on pfSense 2.0.1. Now I will show how to set up a high-availability load balancer with HAProxy on pfSense 2.0.1.

III/Setup

1/Install HAProxy on pfSense as described in http://conheotiensinh.blogspot.com/2011/12/config-haproxy-with-pfsense-version-201.html
2/Configure CARP firewall failover

2.1/On both machines, add a firewall rule to allow all traffic on the SYNC interface:

a. Browse to Firewall | Rules.
b. Click the SYNC Interface tab.
c. Click the "plus" button to add a new firewall rule.
d. Set Protocol to any.
e. Save the changes.
f. Apply changes, if necessary.

2.2/On the backup-pfsense machine, we need to enable CARP synchronization and
configure it as a backup only:

a. Browse to Firewall | Virtual IPs.
b. Click the CARP Settings tab.
c. Check Synchronize Enabled.
d. Set Synchronize Interface to SYNC.
e. Save the changes.
f. We have now finished configuring the backup firewall.

2.3/On the primary-pfsense machine, we need to enable CARP synchronization and
configure it to act as the primary firewall:

a. Browse to Firewall | Virtual IPs.
b. Click the CARP Settings tab.
c. Check Synchronize Enabled.
d. Set Synchronize Interface to SYNC.
e. Check Synchronize rules.
f. Check Synchronize NAT.
g. Check Synchronize Virtual IPs.
h. Set Synchronize to IP to the IP address of backup-pfsense.
i. Set Remote System Password to the password of backup-pfsense.
j. Save the changes.

2.4/We must now configure a virtual IP address for the WAN interface on the primary-pfsense machine:

a. Browse to Firewall | Virtual IPs.
b. Click the Virtual IPs tab.
c. Click the "plus" button to add a new virtual IP.
d. Set the Type to CARP.
e. Set the Interface to WAN.
f. Set the IP Address to the single WAN address that will be used throughout your systems, regardless of whether the primary or backup firewall is in effect.
g. Create a Virtual IP Password.
h. Leave the VHID Group set to 1.
i. Leave the Advertising Frequency at 0.
j. Add a Description.
k. Save the changes.
l. Apply changes, if necessary.

3/Configure HAProxy configuration sync

3.1/On the backup-pfsense machine, check the "Sync HAProxy configuration to backup CARP members via XMLRPC" option.

3.2/On the primary-pfsense machine, check the same "Sync HAProxy configuration to backup CARP members via XMLRPC" option and fill in the sync settings for the HAProxy configuration.

Now we can configure HAProxy on primary-pfsense and it is synchronized automatically to backup-pfsense.

Thanks and Best Regards

quan.hoa@conheotiensinh.co.cc

Friday, December 23, 2011

Config HAProxy with pfSense version 2.0.1

Merry Christmas and Happy New Year

I/Intro

In the previous document about HAProxy I explained how to configure it from the command line. pfSense 2.0.1 now supports configuring the latest HAProxy version (1.4.8) through the web interface, which is easier, although the advanced HAProxy features cannot be configured through the web interface.

II/Install

1/Install pfSense 2.0.1
2/Install HAProxy (the package is available from System -> Packages)
3/After the installation is done, configure HAProxy (Services -> HAProxy): click the Settings tab and configure it as in the image
4/The IP addresses used in this configuration: 192.168.44.150 (HAProxy), 192.168.44.130 (Apache), 192.168.44.131 (nginx)

III/Config HAProxy

1/Configure the frontend for HAProxy

2/Configure the backend for HAProxy

a/Configure server A

b/Configure server B

3/Check the HAProxy status page at URL: http://192.168.44.150/haproxy?stats

NOTE: You must add a firewall rule permitting access to the frontend!

Thanks and Best Regards

quan.hoa@conheotiensinh.co.cc

Monday, August 23, 2010

Query recipients directly from Windows Active Directory

I/Intro

In the document http://conheotiensinh.blogspot.com/2010/08/config-iredmail-as-mail-gatewayanti.html I showed how to query recipients with Perl. After discussing it with Zhang Huangbin I promised him a follow-up, so today I will show how to query recipients in real time directly from Windows Active Directory.


II/Config

Step 1: Create /etc/postfix/ldap_user.cf with the following contents (Postfix does not accept a comment after a value on the same line, so the notes are on their own lines):

# 192.168.22.233 is the Active Directory server
server_host = 192.168.22.233
search_base = dc=test, dc=vn
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
bind = yes
# account used to query recipients
bind_dn = test\admin
# password of that account
bind_pw = 123

Step 2: In /etc/postfix/main.cf, change

relay_recipient_maps = hash:/etc/postfix/relay_recipients
to
relay_recipient_maps = ldap:/etc/postfix/ldap_user.cf

Step 3: Restart Postfix

/etc/init.d/postfix restart
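The ldap_user.cf above stores the bind password in cleartext, so before pointing relay_recipient_maps at it a quick sanity check is worthwhile. The following shell script is an added example (not from the original post): it confirms that the keys the lookup needs are present and that the file is not readable by other users. It assumes a POSIX sh with either GNU or BSD stat(1).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Postfix
# ldap: table file such as /etc/postfix/ldap_user.cf before pointing
# relay_recipient_maps at it. Two things are verified: every key the
# recipient lookup on the page relies on is present, and the file is
# not readable by "other", because bind_pw is stored in cleartext.
# Assumption: a POSIX sh with GNU or BSD stat(1).

REQUIRED_KEYS="server_host search_base query_filter result_attribute bind_dn bind_pw"

# Print the octal permission bits of a file (GNU stat first, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when every required key is set and the mode has no "other"
# bits; otherwise print one line per problem and return 1.
check_ldap_map_file() {
    file=$1
    rc=0
    for key in $REQUIRED_KEYS; do
        # "key = value" with optional spaces; lines starting with # never match.
        if ! grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
            echo "missing key: $key"
            rc=1
        fi
    done
    mode=$(file_mode "$file")
    # The last octal digit holds the "other" bits; anything but 0 exposes bind_pw.
    other=$(printf '%s' "$mode" | tail -c 1)
    if [ "$other" -ne 0 ]; then
        echo "mode $mode is readable by others; bind_pw is in cleartext"
        rc=1
    fi
    return $rc
}
```

Run it as `check_ldap_map_file /etc/postfix/ldap_user.cf` after the file is created; a mode such as 640 owned by root with the postfix group passes the permission check.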


Thanks to Zhang Huangbin for the suggestion and contribution.

Please let me know if you have questions.




Friday, August 20, 2010

Config a Linux mail gateway in less than 5 minutes (anti-spam, mail anti-virus, greylisting).

I/Intro

In the previous document I introduced iRedMail as a full-featured mail server on Linux (Postfix/Dovecot/Amavisd/ClamAV/SpamAssassin/RoundCube/iRedAdmin/postfixadmin). In this document I will show how to use iRedMail as a mail gateway, because by default iRedMail configures Amavisd/ClamAV/SpamAssassin/greylisting for anti-spam and mail anti-virus.

II/Install iRedMail

Install iRedMail as normal, but choose only phpMyAdmin (to manage greylisting more easily) and AWStats.

III/Remove some unused services

Because we set up iRedMail as a mail gateway, we do not use some services: dovecot, pysieved.

IV/Change some configuration

1/Edit /etc/postfix/main.cf

mydestination =
local_recipient_maps =
local_transport = error:local mail delivery disabled

relay_recipient_maps = hash:/etc/postfix/relay_recipients

relay_domains = test.vn

transport_maps = hash:/etc/postfix/transport

Comment out all lines containing mysql_* or ldap_*.

2/Edit /etc/postfix/master.cf

Comment out the local delivery line:

#local unix - n n - - local

3/Edit /etc/postfix/transport

# 192.168.22.233 is the backend mail server (Exchange, ...)
test.vn smtp:192.168.22.233

4/Create /etc/postfix/relay_recipients

u1@test.vn OK
u2@test.vn OK
ug@test.vn OK
u3@test.vn OK
u4@test.vn OK

5/Hash the databases

postmap /etc/postfix/transport
postmap /etc/postfix/relay_recipients

V/Populating relay_recipients from Active Directory

Note that the getadsmtp.pl script requires Perl and Net::LDAP (install perl-ldap with yum). However, it does NOT have to run on your email gateway.

Edit the script so that the values below are correct:
$VALID = "/etc/postfix/relay_recipients";
$dc1="dc1.test.vn";
$dc2="dc2.test.vn";
$hqbase="cn=Users,dc=test,dc=vn";
$user="cn=user,cn=Users,dc=test,dc=vn";
$passwd="password";

If you have any problem with the Perl script, please send mail to quan.hoa@conheotiensinh.co.cc and I will edit it for you.

VI/Create a shell script to update relay_recipients from Active Directory automatically

Create the shell script /opt/ad.sh with:

cd /etc/postfix ; ./getadsmtp.pl && /usr/sbin/postmap relay_recipients
/usr/sbin/postfix reload

Run it from crontab on your schedule.
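The one-liner in /opt/ad.sh installs whatever getadsmtp.pl wrote, so a failed Active Directory query that leaves an empty file would make the gateway reject every recipient until the next cron run. The script below is an added example (not from the original post) that only installs a new map when it contains at least one well-formed "address OK" line; the GENERATOR command and its output-path argument are assumptions for illustration, not how getadsmtp.pl itself works.

```shell
#!/bin/sh
# Added example, not from the original post: a safer /opt/ad.sh.
# The page's one-liner postmaps whatever getadsmtp.pl produced; if the
# AD query fails and the file comes out empty, relay_recipient_maps
# rejects mail for every recipient until the next cron run.
# Assumption: GENERATOR is a hypothetical command that writes the new
# map to the path given as its first argument (getadsmtp.pl itself
# writes to the $VALID path set inside the script).
GENERATOR=${GENERATOR:-/etc/postfix/getadsmtp.pl}
POSTMAP=${POSTMAP:-/usr/sbin/postmap}
POSTFIX=${POSTFIX:-/usr/sbin/postfix}
RELAY_MAP=${RELAY_MAP:-/etc/postfix/relay_recipients}

# Print the number of lines of the form "user@domain OK"; comment
# lines, blank lines and anything malformed are not counted.
count_valid_entries() {
    grep -Ec '^[^[:space:]@]+@[^[:space:]@]+[[:space:]]+OK[[:space:]]*$' "$1"
}

# Move the new map $1 into place as $2 and rebuild the hash, but only
# when it holds at least one valid entry; otherwise discard it and
# return 1 so the previous map (and its .db) stays in service.
install_relay_map() {
    new=$1
    dest=$2
    n=$(count_valid_entries "$new")
    if [ "$n" -eq 0 ]; then
        echo "refusing to install $dest: no valid recipient entries" >&2
        rm -f "$new"
        return 1
    fi
    mv "$new" "$dest" && "$POSTMAP" "$dest" && "$POSTFIX" reload
}

# Cron entry point: build into a temp file next to the real map so the
# final mv is atomic on the same filesystem.
update_relay_recipients() {
    tmp=$(mktemp "$RELAY_MAP.XXXXXX") || return 1
    if ! "$GENERATOR" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    install_relay_map "$tmp" "$RELAY_MAP"
}
```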

Besides, you can use iRedMail for multiple domains (relay_recipients can be fetched from multiple Active Directory servers).

Thanks

quan.hoa@conheotiensinh.co.cc



Friday, August 13, 2010

Config a layer 7 load balancer cluster with SSL support using Heartbeat, Nginx and HAProxy

I/INTRO

In the document http://conheotiensinh.blogspot.com/2010/06/setting-up-high-availability-load.html I configured HAProxy to load balance HTTPS with stunnel (very easy to configure and deploy). But with stunnel, HAProxy cannot detect the source IP of the clients, and the performance is not the same as Nginx. So I will show one solution to this problem: Nginx as SSL reverse proxy, Heartbeat as the cluster, and HAProxy as the load balancer.

Nginx [engine x] is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including Rambler (RamblerMedia.com). According to Netcraft, nginx served or proxied 4.70% of the busiest sites in April 2010. Some of its success stories: FastMail.FM, Wordpress.com, sourceforge.net.


II/INSTALL

Step 1: Configure the IP addresses as in the image

Step 2: Install HAProxy from an RPM package (if you need the latest version, 1.4.8, please contact me by email at quan.hoa@conheotiensinh.co.cc and I will give it to you), or download HAProxy from http://rpm.pbone.net/

Step 4: Install Nginx from an RPM package (if you need the latest version, 0.7.67, please contact me by email at quan.hoa@conheotiensinh.co.cc and I will give it to you), or download Nginx from http://rpm.pbone.net/

III/CONFIG

Step 1: Configure HAProxy on both servers as in the image

Step 3: Configure Nginx on both servers as in the image

Step 4: Access the HAProxy status page at URL https://192.168.129.133/haproxy?stats

Step 5: Stop server 1 and access the HAProxy status page again:

If you have questions, please contact me by email at quan.hoa@conheotiensinh.co.cc

Thanks

quan.hoa@conheotiensinh.co.cc

Friday, August 6, 2010

LOAD BALANCING WITH MULTIPLE PPPoE INTERFACES IN PFSENSE 2.0


I/Intro

The current pfSense release is version 1.2.3, which supports only one PPPoE interface. With pfSense 2.0 (Beta 4) you can use multiple PPPoE interfaces, and version 2.0 also changes the outbound load balancing configuration. So I will show how to configure multiple PPPoE interfaces.


II/Install pfSense as in the previous document

III/Configure multiple PPPoE interfaces as in the images

Note: you can create a PPPoE server with pfSense to test this document

IV/Configure load balancing with pfSense

In the previous version (1.2.3) you could configure it as in http://conheotiensinh.blogspot.com/2009/10/multi-wan-load-balancing-outbound-use.html, but with pfSense version 2.0 the outbound load balancing configuration has changed.

Step 1: Configure gateways (System -> Routing): configure two gateways as in the images, with 192.168.127.128 and 192.168.128.129 as the IPs of the PPPoE servers (they are detected automatically when connecting via PPPoE)

Step 2: Configure groups (System -> Routing): switch to the Groups tab and create a group as in the image

Step 3: View the status of the gateways and the group when both lines are connected

Step 4: Disconnect one interface and view the status
Step 5: Create a rule as in the image


Thanks

Conheotiensinh(quan.hoa@conheotiensinh.co.cc)

Tuesday, June 1, 2010

Setting Up A High-Availability Load Balancer HTTPS(With Failover and Session Support) With HAProxy/Keepalived/Stunnel



I/INTRO

In the document http://conheotiensinh.blogspot.com/2010/05/setting-up-high-availability-load_14.html I set up a load balancer for HTTP with HAProxy. But HAProxy does not support SSL (HTTPS) directly, so I will show how to add SSL support to HAProxy with stunnel (as the HAProxy site says, stunnel must be installed for SSL/HTTPS support).

II/INSTALL



2/Install stunnel

You need to apply the HAProxy patch to the stunnel package (I built an RPM package with the HAProxy patch applied; if you need it for an easy install, please contact me by email at quan.hoa@conheotiensinh.co.cc).

3/Configure Keepalived as in the document:

4/Configure HAProxy on both load balancers

Edit /etc/haproxy/haproxy.cfg

listen domain_cluster_https 192.168.236.130:80
    mode http
    balance roundrobin
    # status page, protected by username:password
    stats enable
    stats auth test:123
    # session persistence: insert a SERVERID cookie naming the backend server
    cookie SERVERID insert nocache
    # add X-Forwarded-For, except for connections coming from stunnel on the VIP itself
    option forwardfor except 192.168.236.130
    option httpchk HEAD /check.txt HTTP/1.0
    server server1 192.168.127.131:80 cookie A check
    server server2 192.168.127.132:80 cookie B check

5/Configure stunnel

Edit /etc/stunnel/stunnel.conf

; certificate for the HTTPS listener; you need to install a certificate
cert = /etc/stunnel/monit.pem
;key = /etc/stunnel/mail.key

; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /var/run/stunnel/
; as configured here stunnel keeps root privileges; a dedicated
; unprivileged user and group is the usual hardening
setuid = root
setgid = root
; PID is created inside chroot jail
;pid = /stunnel.pid
pid = /etc/stunnel/stunnel.pid
;debug = 3
;output = /etc/stunnel/stunnel.log
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; accept HTTPS on the VIP and hand the decrypted traffic to HAProxy on port 80
[https]
accept=192.168.236.130:443
connect=192.168.236.130:80


6/Test: you can access webmail at URL:

https://192.168.236.130/mail

Check the HAProxy status page at URL: https://192.168.236.130/haproxy?stats

Besides, you can use another solution for this problem:

Use Pound as the SSL reverse proxy and HAProxy as the load balancer

Thanks