HAProxy¶
Installing and configuring HAProxy on CentOS 7¶
1. Install dependencies¶
2. Download source code¶
Download the sources of HAproxy stable version
3. Build HAproxy¶
Go to the unpacked directory with sources and run make
сd haproxy-*
make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1
make install
4. Create a user named haproxy¶
5. Create a directory named /var/lib/haproxy/¶
6. Create a .pem file from certificates imported to the WCS server¶
cat test.flashphoner.com.crt ca.pem sub.class2.server.ca.pem test.flashphoner.com.key | tee test.flashphoner.com.pem
Where (suppose the certificates are from StartSSL):
- test.flashphoner.com.crt - certificate file
- test.flashphoner.com.key - private key file
- ca.pem - root certificate
- sub.class2.server.ca.pem - intermediate certificate
7. Create the configuration file¶
Create the file /etc/haproxy/haproxy.cfg with the following content:
/etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option tcplog
option http-server-close
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 5s
timeout check 10s
maxconn 3000
http-reuse always
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend secure
bind SET_YOUR_IP:443 ssl crt /path/to/your/certificate/cert.pem
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr(Sec-WebSocket-Key) -m found
use_backend ws_app if is_websocket
use_backend web_app if { req.proto_http }
default_backend static
backend static
server static 127.0.0.1:8888
# websocket
backend ws_app
server app1 127.0.0.1:8080
# web content
backend web_app
server app1 127.0.0.1:8888 ssl verify none
In the line
replace:
- SET_YOUR_IP with the public IP of the WCS server
- /path/to/your/certificate/cert.pem - to the .pem file created from certificates imported to the WCS server
8. Create the init file¶
Create the init file /etc/init.d/haproxy with the following contents:
/etc/init.d/haproxy
#!/bin/bash
#
# chkconfig: - 85 15
# description: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited \
# for high availability environments.
# processname: haproxy
# config: /etc/haproxy/haproxy.cfg
# pidfile: /var/run/haproxy.pid
# Script Author: Simon Matter <simon.matter@invoca.ch>
# Version: 2004060600
# Source function library.
if [ -f /etc/init.d/functions ]; then
. /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
. /etc/rc.d/init.d/functions
else
exit 0
fi
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
# This is our service name
BASENAME=`basename $0`
if [ -L $0 ]; then
BASENAME=`find $0 -name $BASENAME -printf %l`
BASENAME=`basename $BASENAME`
fi
BIN=/usr/local/sbin/$BASENAME
CFG=/etc/$BASENAME/$BASENAME.cfg
[ -f $CFG ] || exit 1
PIDFILE=/var/run/$BASENAME.pid
LOCKFILE=/var/lock/subsys/$BASENAME
RETVAL=0
start() {
quiet_check
if [ $? -ne 0 ]; then
echo "Errors found in configuration file, check it with '$BASENAME check'."
return 1
fi
echo -n "Starting $BASENAME: "
daemon $BIN -D -f $CFG -p $PIDFILE
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch $LOCKFILE
return $RETVAL
}
stop() {
echo -n "Shutting down $BASENAME: "
killproc $BASENAME -USR1
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f $LOCKFILE
[ $RETVAL -eq 0 ] && rm -f $PIDFILE
return $RETVAL
}
restart() {
quiet_check
if [ $? -ne 0 ]; then
echo "Errors found in configuration file, check it with '$BASENAME check'."
return 1
fi
stop
start
}
reload() {
if ! [ -s $PIDFILE ]; then
return 0
fi
quiet_check
if [ $? -ne 0 ]; then
echo "Errors found in configuration file, check it with '$BASENAME check'."
return 1
fi
$BIN -D -f $CFG -p $PIDFILE -sf $(cat $PIDFILE)
}
check() {
$BIN -c -q -V -f $CFG
}
quiet_check() {
$BIN -c -q -f $CFG
}
rhstatus() {
status $BASENAME
}
condrestart() {
[ -e $LOCKFILE ] && restart || :
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
reload)
reload
;;
condrestart)
condrestart
;;
status)
rhstatus
;;
check)
check
;;
*)
echo $"Usage: $BASENAME {start|stop|restart|reload|condrestart|status|check}"
exit 1
esac
exit $?
9. Add haproxy to autostart¶
10. Start haproxy¶
Verifying HAProxy¶
-
Make sure haproxy listens to the port 443
Example of the command execution result: If the port is occupied by another service, terminate the corresponding process and restart haproxy:
-
Make sure the certificates used to create the .pem file specified in
haproxy.cfgare imported to the WCS server
You can read more about certificates for the WCS server here: Websocket SSL -
Open the WCS server control panel via HTTPS
-
Verify operation of the demo example with the port 443
Open Two Way streaming demo example, change the wss port to 443 and start publishing the stream