blob: 3d3d21d6dd216932095574ed712e5631c104efda [file] [log] [blame]
=====
Usage
=====
The Reliable, High Performance TCP/HTTP Load Balancer.
Sample pillars
==============
Simple admin listener
.. code-block:: yaml
haproxy:
proxy:
enabled: True
listen:
admin_page:
type: admin
binds:
- address: 0.0.0.0
port: 8801
user: fsdfdsfds
password: dsfdsf
Simple stats listener
.. code-block:: yaml
haproxy:
proxy:
enabled: True
listen:
admin_page:
type: stats
binds:
- address: 0.0.0.0
port: 8801
Sample pillar with admin
.. code-block:: yaml
haproxy:
proxy:
enabled: True
maxconn: 1024
timeout:
connect: 5000ms
client: 50000ms
server: 50000ms
listen:
https-in:
binds:
- address: 0.0.0.0
port: 443
servers:
- name: server1
host: 10.0.0.1
port: 8443
- name: server2
host: 10.0.0.2
port: 8443
params: 'maxconn 256'
.. note::
Timeout values are assumed to be defined in 'ms' if no other unit is specifically defined.
Sample pillar with custom logging
.. code-block:: yaml
haproxy:
proxy:
enabled: True
maxconn: 1024
timeout:
connect: 5000ms
client: 50000ms
server: 50000ms
listen:
https-in:
binds:
address: 0.0.0.0
port: 443
servers:
- name: server1
host: 10.0.0.1
port: 8443
- name: server2
host: 10.0.0.2
port: 8443
params: 'maxconn 256'
.. note::
Timeout values are assumed to be defined in 'ms' if no other unit is specifically defined.
.. code-block:: yaml
haproxy:
proxy:
enabled: true
listen:
mysql:
type: mysql
binds:
- address: 10.0.88.70
port: 3306
servers:
- name: node1
host: 10.0.88.13
port: 3306
params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
- name: node2
host: 10.0.88.14
port: 3306
params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
- name: node3
host: 10.0.88.15
port: 3306
params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
rabbitmq:
type: rabbitmq
binds:
- address: 10.0.88.70
port: 5672
servers:
- name: node1
host: 10.0.88.13
port: 5673
params: check inter 5000 rise 2 fall 3
- name: node2
host: 10.0.88.14
port: 5673
params: check inter 5000 rise 2 fall 3 backup
- name: node3
host: 10.0.88.15
port: 5673
params: check inter 5000 rise 2 fall 3 backup
keystone-1:
type: general-service
binds:
- address: 10.0.106.170
port: 5000
servers:
- name: node1
host: 10.0.88.13
port: 5000
params: check
.. code-block:: yaml
haproxy:
proxy:
enabled: true
listen:
mysql:
type: mysql
binds:
- address: 10.0.88.70
port: 3306
servers:
- name: node1
host: 10.0.88.13
port: 3306
params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3
- name: node2
host: 10.0.88.14
port: 3306
params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
- name: node3
host: 10.0.88.15
port: 3306
params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup
rabbitmq:
type: rabbitmq
binds:
- address: 10.0.88.70
port: 5672
servers:
- name: node1
host: 10.0.88.13
port: 5673
params: check inter 5000 rise 2 fall 3
- name: node2
host: 10.0.88.14
port: 5673
params: check inter 5000 rise 2 fall 3 backup
- name: node3
host: 10.0.88.15
port: 5673
params: check inter 5000 rise 2 fall 3 backup
keystone-1:
type: general-service
binds:
- address: 10.0.106.170
port: 5000
servers:
- name: node1
host: 10.0.88.13
port: 5000
params: check
Sample pillar with port range and port offset
This is usefull in listen blocks for definition of multiple servers
that differs only by port number in port range block. This situation
can be result of multiple single-thread servers deployed in multi-core
environment to better utilize the available cores.
For example, five contrail-api workers occupy ports ``9100-9104``.
This can be achieved by using ``port_range_length`` in the pillar,
``port_range_length: 5`` in this case.
For skipping first worker (``worker_id 0``), because it has other
responsibilities and to avoid overloading it by http requests
use the ``port_range_start_offset`` in the pillar,
``port_range_start_offset: 1`` in this case, it will only use ports
9101-9104 (skipping 9100).
- ``port_range_length`` parameter is used to calculate port range end
- ``port_range_start_offset`` will skip first n ports in port range
For backward compatibility, the name of the first server in port range
has no ``pN`` suffix.
The following sample will result in
.. code-block:: text
listen contrail_api
bind 172.16.10.252:8082
balance leastconn
server ntw01p1 172.16.10.95:9101 check inter 2000 rise 2 fall 3
server ntw01p2 172.16.10.95:9102 check inter 2000 rise 2 fall 3
server ntw01p3 172.16.10.95:9103 check inter 2000 rise 2 fall 3
server ntw01p4 172.16.10.95:9104 check inter 2000 rise 2 fall 3
server ntw02 172.16.10.96:9100 check inter 2000 rise 2 fall 3
server ntw02p1 172.16.10.96:9101 check inter 2000 rise 2 fall 3
server ntw02p2 172.16.10.96:9102 check inter 2000 rise 2 fall 3
server ntw02p3 172.16.10.96:9103 check inter 2000 rise 2 fall 3
server ntw02p4 172.16.10.96:9104 check inter 2000 rise 2 fall 3
server ntw03 172.16.10.94:9100 check inter 2000 rise 2 fall 3
server ntw03p1 172.16.10.94:9101 check inter 2000 rise 2 fall 3
server ntw03p2 172.16.10.94:9102 check inter 2000 rise 2 fall 3
server ntw03p3 172.16.10.94:9103 check inter 2000 rise 2 fall 3
server ntw03p4 172.16.10.94:9104 check inter 2000 rise 2 fall 3
.. code-block:: yaml
haproxy:
proxy:
listen:
contrail_api:
type: contrail-api
service_name: contrail
balance: leastconn
binds:
- address: 10.10.10.10
port: 8082
servers:
- name: ntw01
host: 10.10.10.11
port: 9100
port_range_length: 5
port_range_start_offset: 1
params: check inter 2000 rise 2 fall 3
- name: ntw02
host: 10.10.10.12
port: 9100
port_range_length: 5
port_range_start_offset: 0
params: check inter 2000 rise 2 fall 3
- name: ntw03
host: 10.10.10.13
port: 9100
port_range_length: 5
params: check inter 2000 rise 2 fall 3
Custom more complex listener (for Artifactory and subdomains for docker
registries)
.. code-block:: yaml
haproxy:
proxy:
listen:
artifactory:
mode: http
options:
- forwardfor
- forwardfor header X-Real-IP
- httpchk
- httpclose
- httplog
sticks:
- stick on src
- stick-table type ip size 200k expire 2m
acl:
is_docker: "path_reg ^/v[12][/.]*"
http_request:
- action: "set-path /artifactory/api/docker/%[req.hdr(host),lower,field(1,'.')]%[path]"
condition: "if is_docker"
balance: source
binds:
- address: ${_param:cluster_vip_address}
port: 8082
ssl:
enabled: true
# This PEM file needs to contain key, cert, CA and possibly
# intermediate certificates
pem_file: /etc/haproxy/ssl/server.pem
servers:
- name: ${_param:cluster_node01_name}
host: ${_param:cluster_node01_address}
port: 8082
params: check
- name: ${_param:cluster_node02_name}
host: ${_param:cluster_node02_address}
port: 8082
params: backup check
It's also possible to use multiple certificates for one listener (eg. when
it's bind on multiple interfaces):
.. code-block:: yaml
haproxy:
proxy:
listen:
dummy_site:
mode: http
binds:
- address: 127.0.0.1
port: 8080
ssl:
enabled: true
key: |
my super secret key follows
cert: |
certificate
chain: |
CA chain (if any)
- address: 127.0.1.1
port: 8081
ssl:
enabled: true
key: |
my super secret key follows
cert: |
certificate
chain: |
CA chain (if any)
Definition above will result in creation of ``/etc/haproxy/ssl/dummy_site``
directory with files ``1-all.pem`` and ``2-all.pem`` (per binds).
Custom listener with http-check options specified
.. code-block:: yaml
haproxy:
proxy:
enabled: true
forwardfor:
enabled: true
except: 127.0.0.1
header: X-Forwarded-For
if-none: false
listen:
glance_api:
binds:
- address: 192.168.2.11
port: 9292
ssl:
enabled: true
pem_file: /etc/haproxy/ssl/all.pem
http_request:
- action: set-header X-Forwarded-Proto https
mode: http
options:
- httpchk GET /
- httplog
- httpclose
servers:
- host: 127.0.0.1
name: ctl01
params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
port: 9292
Custom listener with tcp-check options specified (for Redis cluster with Sentinel)
.. code-block:: yaml
haproxy:
proxy:
listen:
redis_cluster:
service_name: redis
health-check:
tcp:
enabled: True
options:
- send PING\r\n
- expect string +PONG
- send info\ replication\r\n
- expect string role:master
- send QUIT\r\n
- expect string +OK
binds:
- address: ${_param:cluster_address}
port: 6379
servers:
- name: ${_param:cluster_node01_name}
host: ${_param:cluster_node01_address}
port: 6379
params: check inter 1s
- name: ${_param:cluster_node02_name}
host: ${_param:cluster_node02_address}
port: 6379
params: check inter 1s
- name: ${_param:cluster_node03_name}
host: ${_param:cluster_node03_address}
port: 6379
params: check inter 1s
Frontend for routing between exists listeners via URL with SSL an redirects.
You can use one backend for several URLs.
.. code-block:: yaml
haproxy:
proxy:
listen:
service_proxy:
mode: http
balance: source
format: end
binds:
- address: ${_param:haproxy_bind_address}
port: 80
ssl: ${_param:haproxy_frontend_ssl}
ssl_port: 443
redirects:
- code: 301
location: domain.com/images
conditions:
- type: hdr_dom(host)
condition: images.domain.com
acls:
- name: gerrit
conditions:
- type: hdr_dom(host)
condition: gerrit.domain.com
- name: jenkins
conditions:
- type: hdr_dom(host)
condition: jenkins.domain.com
- name: docker
backend: artifactroy
conditions:
- type: hdr_dom(host)
condition: docker.domain.com
Enable customisable ``forwardfor`` option in ``defaults`` section.
.. code-block:: yaml
haproxy:
proxy:
enabled: true
forwardfor:
enabled: true
except:
header:
if-none: false
.. code-block:: yaml
haproxy:
proxy:
enabled: true
forwardfor:
enabled: true
except: 127.0.0.1
header: X-Real-IP
if-none: false
Sample pillar with multiprocess multicore configuration
.. code-block:: yaml
haproxy:
proxy:
enabled: True
nbproc: 4
cpu_map:
1: 0
2: 1
3: 2
4: 3
stats_bind_process: "1 2"
maxconn: 1024
timeout:
connect: 5000ms
client: 50000ms
server: 50000ms
listen:
https-in:
bind_process: "1 2 3 4"
binds:
- address: 0.0.0.0
port: 443
servers:
- name: server1
host: 10.0.0.1
port: 8443
- name: server2
host: 10.0.0.2
port: 8443
params: 'maxconn 256'
.. note::
Timeout values are assumed to be defined in 'ms' if no other unit is specifically defined.
Implement rate limiting, to prevent excessive requests
This feature only works if using 'format: end'
.. code-block:: yaml
haproxy:
proxy:
...
listen:
nova_metadata_api:
...
format: end
options:
- httpchk
- httpclose
- httplog
rate_limit:
duration: 900s
enabled: true
requests: 125
track: content
servers:
...
type: http
Implement haproxy configuration without specifying certain type or with type='None'.
This approach allows to set all major haproxy parameters manually.
Sample pillar:
.. code-block:: yaml
haproxy:
proxy:
listen:
manila_api:
type: None
mode: tcp
balance: roundrobin
timeout:
check: 10s
client: 20s
http_request:
- action: "add-header X-Forwarded-Proto https"
condition: "if { ssl_fc }"
options: ${_param:haproxy_https_check_options}
capture:
- cookie ASPSESSION len 32
- request header Host len 15
compression:
- algo gzip
- type text/html text/plain
declare_capture: request len 50
email_alert:
- myhostname myserver
- from server@localhost
- level warning
errorfile:
file_500:
code: 500
file: /tmp/error_500.log
file_404:
code: 400
file: /tmp/error_400.log
max_keep_alive_queue: 100
maxconn: 10000
reqadd:
- X-Proto:\ SSL if is-ssl
reqirep:
- ^Host:\ www.mydomain.com Host:\ www
modify_headers:
- reqallow ^Host:\ www\.
- reqdel ^Host:\ .*\.local
- reqdeny ^Host:\ .*\.local
- reqiallow ^Host:\ www\.
- reqidel ^Host:\ .*\.local
- reqideny ^Host:\ .*\.local
- reqipass ^Host:\ .*\.local
- reqpass ^Host:\ .*\.local
- reqitarpit ^Host:\ .*\.local
- reqtarpit ^Host:\ .*\.local
retries: 10
stats:
- enable
- auth admin1:AdMiN123
rate_limit_sessions: 1000
.. note::
Timeout values are assumed to be defined in 'ms' if no other unit is specifically defined.
Implement rate limiting, to prevent excessive requests
using 'format: listen'
.. code-block:: yaml
haproxy:
proxy:
...
listen:
nova_metadata_api:
...
rate_limit:
duration: 3s
enabled: true
requests: 60
track: connection
servers:
...
Implement rate limiting, to prevent excessive requests
using 'format: listen' and acls/request/backend stick list
.. code-block:: yaml
haproxy:
proxy:
listen:
nova_metadata_api:
options:
- httplog
rate_limit:
enabled: true
type: string
len: 36
size: 10m
duration: 60s
acls:
101:
enabled: true
value: acl too_many_requests_3 sc0_gpc0_rate() gt 3
102:
enabled: true
value: acl mark_seen sc0_inc_gpc0 gt 0
110:
enabled: true
value: acl x_instance_id hdr(x-instance-id) -i 4777e8e0-16e8-46ce-a3fe-0a1ad9b3ebdc
111:
enabled: true
value: acl x_instance_id hdr(x-instance-id) -i ca2395dd-f73f-4d43-8fe7-f7078a0920af
201:
enabled: true
value: acl too_many_requests_6 sc0_gpc0_rate() gt 6
202:
enabled: true
value: acl mark_seen sc0_inc_gpc0 gt 0
210:
enabled: true
value: acl x_tenant_id hdr(x-tenant-id) -i 2b76cc56a437404bb8cb6cb20dbb0ea4
tcp_request:
001:
enabled: true
value: tcp-request inspect-delay 5s
101:
enabled: true
value: tcp-request content track-sc0 hdr(x-instance-id) if ! too_many_requests_3
201:
enabled: true
value: tcp-request content track-sc0 hdr(x-tenant-id) if ! too_many_requests_6
use_backend:
101:
enabled: true
value: use_backend nova_metadata_api-rate_limit if mark_seen too_many_requests_3 x_instance_id
201:
enabled: true
value: use_backend nova_metadata_api-rate_limit if mark_seen too_many_requests_6 x_tenant_id
Pillar demostrating all global variables which are parametrized
All values may be defined as a single element or a list of elements with the same keyword
Keyword is added automatically and should not be included in the value
.. code-block:: yaml
haproxy:
proxy:
global:
chroot: /var/lib/haproxy
daemon: true
gid: ''
group: haproxy
cpu-map:
- '0 1'
- '1 2'
log:
- '/dev/log local0'
- '/dev/log local1 notice'
log-send-hostname: ''
nbproc: 5
pidfile: '/var/run/haproxy.pid'
uid: ''
ulimit-n: ''
user: 'haproxy'
stats:
- 'socket /var/run/new.sock mode 660 level admin'
- 'timeout 30s'
- 'bind-process 1 2'
node: ''
description: ''
maxconn: 25000
maxpipes: ''
noepoll: ''
nokqueue: ''
nopoll: ''
nosepoll: ''
nosplice: ''
spread-checks: 4
tune_bufsize: 32768
tune_chksize: ''
tune_maxaccept: ''
tune_maxpollevents: ''
tune_maxrewrite: 1024
tune_rcvbuf_client: ''
tune_rcvbuf_server: ''
tune_sndbuf_client: ''
tune_sndbuf_server: ''
It is possible to setup basic Auth through Haproxy:
.. code-block:: yaml
haproxy:
proxy:
userlist:
sample_userlist:
name: sample_users
groups:
- name: 'g1'
users:
- name: user1
password: r00tme
groups: [ 'g1' ]
You can add users and passwords following three different ways:
#. Put to model insecure password and Haproxy will shadow
it in config file:
.. code-block:: yaml
users:
- name: user1
password: r00tme
#. Put to model insecure password and Haproxy will put it as
insecured in config file:
.. code-block:: yaml
users:
- name: user2
password: r00tme
insecure_password: True
#. Put to model shadowed password and Haproxy will put it in
config file:
.. code-block:: yaml
users:
- name: user3
password: '$6$wf0xxoXj$VqoqozsTPpeKZtw6c7gl2CYyEXfOccdif1ZmJwDT1AMKYp/.JUTZcDiZthai3xN9CzDQex9ZUOf3nFMbCm/Oe.'
shadow_password: False
To enable Auth rules you need to add following data for your
backend/frontend/listen setup, for example for ``listen``:
.. code-block:: yaml
haproxy:
proxy:
listen:
sample_api:
acl:
auth_reg: "http_auth(sample_users)"
http_request:
- action: auth
condition: 'if !auth_reg'
Read more
=========
* https://github.com/jesusaurus/hpcs-salt-state/tree/master/haproxy
* http://www.nineproductions.com/saltstack-ossec-state-using-reactor/
* https://gist.github.com/tomeduarte/6340205 - example on how to use peer
from within a config file (using jinja)
* http://youtu.be/jJJ8cfDjcTc?t=8m58s - from 9:00 on, a good overview
of peer vs mine
* https://github.com/russki/cluster-agents