Good afternoon. I am trying to make Apache Drill highly available using HAProxy. I am stuck with so many doubts. Could you please let me know whether Drill supports high availability using HAProxy?
using HAproxy
frontend apache-drill-ui
    description "Apache Drill UI"
    bind *:8047
    default_backend apache-drill-ui

frontend apache-drill-sql
    description "Apache Drill SQL"
    bind *:31010
    mode tcp
    option tcplog
    default_backend apache-drill-sql

backend apache-drill-ui
    description "Apache Drill UI"
    balance roundrobin
    option httpchk GET /status
    http-check expect string Running
    acl internal_networks src 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1
    http-request deny if ! internal_networks
    server ICCCAPANA204 100.65.xx.xx:8047 check
    server ICCCAPANA205 100.65.xx.xx:8047 check
    # server docker docker:8047 check
    server 100.65.xxx.xx 100.65.xxx.xx:8047 check

backend apache-drill-sql
    description "Apache Drill SQL"
    balance roundrobin
    mode tcp
    option tcplog
    acl internal_networks src 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1
    tcp-request content reject if ! internal_networks
    option httpchk GET /status
    http-check expect string Running
    server ICCCAPANA204 100.65.xxx.xx:31010 check port 8047
    server ICCCAPANA205 100.65.xxx.xx:31010 check port 8047
    # server docker docker:31010 check port 8047
    server 100.65.212.28 100.65.xxx.xx:31010 check port 8047
I am trying to set up HAProxy as a load balancer for Hashicorp Vault using ACLs. Basically, what I am trying to do is satisfy the following conditions. First, go to the server that is initialized, unsealed, and active (status code 200). If that server does not exist, go to the unsealed and standby server (status code 429). Lastly, check if servers are sealed.
I currently have the following configuration. Any advice would be greatly appreciated.
#---------------------------------------------------------------------
# Hashicorp Vault Frontend
#---------------------------------------------------------------------
frontend vault_frontend
    bind xxx.xxx.xxx.xxx:443
    mode tcp
    # ACLs
    acl active_node_absent nbsrv(vault_active_node) lt 1
    use_backend vault_standby_node if active_node_absent
    # Options
    option tcplog
    default_backend vault_active_node
##############
#---------------------------------------------------------------------
# Hashicorp Vault Backend
#---------------------------------------------------------------------
backend vault_active_node
    mode tcp
    balance roundrobin
    # Options
    option httpchk HEAD /v1/sys/health
    http-check expect status 200
    # Servers
    server vault01.xxx.xxx.xxx vault01.xxx.xxx.xxx:8200 check check-ssl verify none
    server vault02.xxx.xxx.xxx vault02.xxx.xxx.xxx:8200 check check-ssl verify none

backend vault_standby_node
    mode tcp
    balance roundrobin
    # Options
    option httpchk HEAD /v1/sys/health
    http-check expect status 429
    # Servers
    server vault01.xxx.xxx.xxx vault01.xxx.xxx.xxx:8200 check check-ssl verify none
    server vault02.xxx.xxx.xxx vault02.xxx.xxx.xxx:8200 check check-ssl verify none

backend vault_sealed_nodes
    mode tcp
    # Options
    option httpchk HEAD /v1/sys/health
    http-check expect status 503
    # Servers
    server vault01.xxx.xxx.xxx vault01.xxx.xxx.xxx:8200 check check-ssl verify none
    server vault02.xxx.xxx.xxx vault02.xxx.xxx.xxx:8200 check check-ssl verify none
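
The backend selection in the Vault configuration above, modeled as an added example (not part of the original post). It compares what the posted frontend rules choose with the three conditions stated in the question, and shows that vault_sealed_nodes is never reachable from the frontend. Node names and health maps are constructed; the function names are hypothetical.

```python
# Each backend marks a server UP only when /v1/sys/health returns the status
# named in its "http-check expect status" line (values taken from the post).
EXPECTED = {
    "vault_active_node": 200,   # initialized, unsealed, active
    "vault_standby_node": 429,  # unsealed, standby
    "vault_sealed_nodes": 503,  # sealed
}


def nbsrv(backend, health):
    """Model of nbsrv(): number of servers passing this backend's check."""
    return sum(1 for code in health.values() if code == EXPECTED[backend])


def posted_selection(health):
    """What the posted frontend does: one ACL, then default_backend."""
    if nbsrv("vault_active_node", health) < 1:   # acl active_node_absent
        return "vault_standby_node"              # use_backend ... if active_node_absent
    return "vault_active_node"                   # default_backend


def ordered_selection(health):
    """The question's three conditions in order; None if no node matches any."""
    for backend in ("vault_active_node", "vault_standby_node", "vault_sealed_nodes"):
        if nbsrv(backend, health) >= 1:
            return backend
    return None


def has_live_server(backend, health):
    """True when the chosen backend has at least one server to send traffic to."""
    return backend is not None and nbsrv(backend, health) >= 1


# Constructed health snapshots: node name -> status code from /v1/sys/health
# (None stands for a node that did not answer the check).
NORMAL = {"vault01": 200, "vault02": 429}
ACTIVE_LOST = {"vault01": None, "vault02": 429}
ALL_SEALED = {"vault01": 503, "vault02": 503}

if __name__ == "__main__":
    for name, snap in (("normal", NORMAL), ("active lost", ACTIVE_LOST), ("all sealed", ALL_SEALED)):
        chosen = posted_selection(snap)
        print(name, "->", chosen, "live:", has_live_server(chosen, snap),
              "| ordered:", ordered_selection(snap))
```

With every node sealed, the posted rules still pick vault_standby_node, which has no server up, while the third backend is defined but unused.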
We have a simple HA Proxy (13.5) and an IIS Server behind it. The IIS Server itself requires parallel services on the same box, all of which require Windows Authentication. But, it appears that while on "server" and trying to route traffic to the HA Proxy, back to the same server doesn't pass authentication.
frontend VipTst-M-TCPMode
    bind 10.5.30.128:80 name http
    bind 10.5.30.128:443 name https
    timeout client 180s
    option tcplog
    mode tcp
    log global
    default_backend M-TcpMode

####### TCP MODE
backend M-TcpMode
    balance roundrobin
    mode tcp
    log global
    timeout server 180s
    timeout connect 3s
    default-server inter 3s rise 2 fall 3
    server ServerA 10.20.30.104 maxconn 1000 weight 10 check port 443 inter 5000
So, from ServerA->HAProxy->ServerA/someservice doesn't seem to work. Ironically, if I go from my desktop like this: Desktop-HAproxy->ServerA/someservice it works fine.
And if I just go ServerA/someservice the page also renders.
In ServerA-HAProxy->ServerA, I'm prompted for credentials.
So what did I miss?
Thanks,
Nick
I'm trying to make HTTP (layer 7) checks to monitor backend state in the HAProxy load balancer. I have 3 backends configured, each having its own name. The current configuration looks like this:
backend apiservers
    balance leastconn
    mode http
    option httpchk GET /healthz HTTP/1.0\r\nAuthorization:\ Bearer\ SOME_TOKEN_HERE
    http-check disable-on-404
    http-check expect rstring ^ok
    server core1 core1.cloud:443 ssl check
    server core2 core2.cloud:443 ssl check
    server core3 core3.cloud:443 ssl check
The problem is I can't switch to HTTP/1.1 because I wasn't able to find a way to pass a real Host header with httpchk requests. Using some random dummy Host string may cause problems in the future, so I need to pass the corresponding backend hostname to the Host header. Options like http-request add-header Host %[src] and http-send-name-header Host in the backend section seem not to affect the httpchk mechanism.
Any ideas?
Updated thanks to borellini.
Per the haproxy docs you can configure the header in the httpchk line. The example from the docs is:
    # check HTTP and HTTPs services on a server.
    # first open port 80 thanks to server line port directive, then
    # tcp-check opens port 443, ciphered and run a request on it:
    option httpchk
    http-check connect
    http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
    http-check expect status 200-399
    http-check connect port 443 ssl sni haproxy.1wt.eu
    http-check send meth GET uri / ver HTTP/1.1 hdr host haproxy.1wt.eu
    http-check expect status 200-399
    server www 10.0.0.1 check port 80
You should then be able to replace the host value with your variable and have it sent.
I am using HAProxy for the first time. This is my HAProxy conf. file and everything works right without FTP connection.
Also, I installed pure-ftp on other guest servers; do I have to make a change in guest machines?
I cannot access the servers via FTP.
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    #log loghost local0 info
    maxconn 4096
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    #debug
    #quiet
    stats socket /var/lib/haproxy/stats

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen stats
    bind *:8080
    mode http
    option forwardfor
    option httpclose
    stats enable
    stats show-legends
    stats refresh 5s
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth hello:world
    stats admin if TRUE

frontend MAIN
    bind *:21
    bind *:80
    bind *:143
    bind *:443
    bind *:993
    mode http
    acl server1_URL hdr_dom(host) -i domain1.com
    acl server2_URL hdr_dom(host) -i domain2.com
    use_backend server1 if server1_URL
    use_backend server2 if server2_URL

backend server1
    mode http
    server web-first 192.168.1.2:80

backend server2
    mode http
    server web-first 192.168.1.3:80
I tried this: it did not work
listen FTP :21,:10000-10250
    mode tcp
    server ftp01 192.168.1.2 check port 21
    server ftp01 192.168.1.3 check port 21
What should I do for it?
Thank you.
You'll need to set the ForcePassiveIP setting in the pure-ftpd configuration file. It should be set to the IP of the frontend proxy. Also, make sure the PassivePortRange setting matches what you have in your HAProxy configuration.
The FTP protocol is not straightforward to proxy as it makes multiple connections, though doing it at the tcp layer ought to be okay.
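
Why both settings matter, as an added example (not part of the original answer): in passive mode the server's 227 reply carries the address and port the client must open for the data connection, so a reply that names the backend's own address or a port outside the proxied range sends the client around the proxy. The checker below parses a 227 reply and validates it against the 10000-10250 range from the question. The proxy address and the sample replies are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Passive port range taken from the question's "listen FTP :21,:10000-10250".
PROXY_PASSIVE_PORTS = range(10000, 10251)
PROXY_IP = "203.0.113.10"  # hypothetical frontend proxy address (documentation range)

# 227 reply format: six decimal fields (h1,h2,h3,h4,p1,p2) in parentheses.
PASV_RE = re.compile(r"^227[ -].*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised by a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(n) for n in m.groups()]
    if any(n > 255 for n in fields):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in fields[:4]))
    return ip, fields[4] * 256 + fields[5]   # port = p1 * 256 + p2


def check_pasv(reply, proxy_ip=PROXY_IP):
    """List the reasons the data connection would not go through the proxy."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != ipaddress.IPv4Address(proxy_ip):
        problems.append("advertises %s instead of the proxy address %s" % (ip, proxy_ip))
    if port not in PROXY_PASSIVE_PORTS:
        problems.append("port %d is outside the proxied range 10000-10250" % port)
    return problems


# Constructed control-channel replies as a client would see them through the proxy.
SAMPLES = [
    "227 Entering Passive Mode (192,168,1,2,117,48)",   # backend address, unproxied port
    "227 Entering Passive Mode (203,0,113,10,39,26)",   # proxy address, port in range
]

if __name__ == "__main__":
    for line in SAMPLES:
        issues = check_pasv(line)
        print(line, "->", "ok" if not issues else "; ".join(issues))
```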
I'm pretty new to load balancing and using HAProxy.
After doing a lot of reading and setting up my own development environment, I am unable to work out the following:
I have a bank of web servers which traffic is being balanced across; how do I soft stop these servers whilst I fail over to a new bank?
My test config looks like this:
frontend front-end-test
    maxconn 2000
    bind 192.168.0.10:8666
    use_backend back-end-test-a

backend back-end-test-a
    mode http
    balance roundrobin
    option forwardfor
    server machine1 10.1.1.92:44410 weight 1 maxconn 2000 check
    server machine2 10.1.1.92:44420 weight 1 maxconn 2000 check

backend back-end-test-b
    mode http
    balance roundrobin
    server machine3 10.1.1.92:44430 weight 1 maxconn 2000 check
    server machine4 10.1.1.92:44440 weight 1 maxconn 2000 check
To change banks the config would be updated and the hot restart used:
frontend front-end-test
    maxconn 2000
    bind 192.168.0.10:8666
    use_backend back-end-test-a
To
frontend front-end-test
    maxconn 2000
    bind 192.168.0.10:8666
    use_backend back-end-test-b
So to recap, I need to update the config so my backend farm changes but any requests for the original servers still need to be served by them.
Is this possible?
Adam
Normally, if I want to change backends, I would switch it right away (as in change to use_backend back-end-test-b) and do a graceful reload by delaying SYN packets (new incoming connections) before restarting the haproxy service. Ex:
    iptables -I INPUT -p tcp --dport 8666 --syn -j DROP
    sleep 1
    service haproxy restart
    iptables -D INPUT -p tcp --dport 8666 --syn -j DROP
The delay should allow running requests to finish before that service restarts and applies the new config.
This may not work for long running transactions though.