| ===== |
| Usage |
| ===== |
| |
| The Reliable, High Performance TCP/HTTP Load Balancer. |
| |
| Sample pillars |
| ============== |
| |
| Simple admin listener |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: True |
| listen: |
| admin_page: |
| type: admin |
| binds: |
| - address: 0.0.0.0 |
| port: 8801 |
| user: fsdfdsfds |
| password: dsfdsf |
| |
| Simple stats listener |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: True |
| listen: |
| admin_page: |
| type: stats |
| binds: |
| - address: 0.0.0.0 |
| port: 8801 |
| |
| |
| |
| Sample pillar with admin |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: True |
| mode: http/tcp |
| logging: syslog |
| maxconn: 1024 |
| timeout: |
| connect: 5000 |
| client: 50000 |
| server: 50000 |
| listen: |
| https-in: |
| binds: |
| - address: 0.0.0.0 |
| port: 443 |
| servers: |
| - name: server1 |
| host: 10.0.0.1 |
| port: 8443 |
| - name: server2 |
| host: 10.0.0.2 |
| port: 8443 |
| params: 'maxconn 256' |
| |
| |
| Sample pillar with custom logging |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: True |
| mode: http/tcp |
| logging: syslog |
| maxconn: 1024 |
| timeout: |
| connect: 5000 |
| client: 50000 |
| server: 50000 |
| listen: |
| https-in: |
| binds: |
| address: 0.0.0.0 |
| port: 443 |
| servers: |
| - name: server1 |
| host: 10.0.0.1 |
| port: 8443 |
| - name: server2 |
| host: 10.0.0.2 |
| port: 8443 |
| params: 'maxconn 256' |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: true |
| mode: tcp |
| logging: syslog |
| max_connections: 1024 |
| listen: |
| mysql: |
| type: mysql |
| binds: |
| - address: 10.0.88.70 |
| port: 3306 |
| servers: |
| - name: node1 |
| host: 10.0.88.13 |
| port: 3306 |
| params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 |
| - name: node2 |
| host: 10.0.88.14 |
| port: 3306 |
| params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup |
| - name: node3 |
| host: 10.0.88.15 |
| port: 3306 |
| params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup |
| rabbitmq: |
| type: rabbitmq |
| binds: |
| - address: 10.0.88.70 |
| port: 5672 |
| servers: |
| - name: node1 |
| host: 10.0.88.13 |
| port: 5673 |
| params: check inter 5000 rise 2 fall 3 |
| - name: node2 |
| host: 10.0.88.14 |
| port: 5673 |
| params: check inter 5000 rise 2 fall 3 backup |
| - name: node3 |
| host: 10.0.88.15 |
| port: 5673 |
| params: check inter 5000 rise 2 fall 3 backup |
| keystone-1: |
| type: general-service |
| binds: |
| - address: 10.0.106.170 |
| port: 5000 |
| servers: |
| - name: node1 |
| host: 10.0.88.13 |
| port: 5000 |
| params: check |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: true |
| mode: tcp |
| logging: syslog |
| max_connections: 1024 |
| listen: |
| mysql: |
| type: mysql |
| binds: |
| - address: 10.0.88.70 |
| port: 3306 |
| servers: |
| - name: node1 |
| host: 10.0.88.13 |
| port: 3306 |
| params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 |
| - name: node2 |
| host: 10.0.88.14 |
| port: 3306 |
| params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup |
| - name: node3 |
| host: 10.0.88.15 |
| port: 3306 |
| params: check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup |
| rabbitmq: |
| type: rabbitmq |
| binds: |
| - address: 10.0.88.70 |
| port: 5672 |
| servers: |
| - name: node1 |
| host: 10.0.88.13 |
| port: 5673 |
| params: check inter 5000 rise 2 fall 3 |
| - name: node2 |
| host: 10.0.88.14 |
| port: 5673 |
| params: check inter 5000 rise 2 fall 3 backup |
| - name: node3 |
| host: 10.0.88.15 |
| port: 5673 |
| params: check inter 5000 rise 2 fall 3 backup |
| keystone-1: |
| type: general-service |
| binds: |
| - address: 10.0.106.170 |
| port: 5000 |
| servers: |
| - name: node1 |
| host: 10.0.88.13 |
| port: 5000 |
| params: check |
| |
| Sample pillar with port range and port offset |
| |
| This is usefull in listen blocks for definition of multiple servers |
| that differs only by port number in port range block. This situation |
| can be result of multiple single-thread servers deployed in multi-core |
| environment to better utilize the available cores. |
| |
| For example, five contrail-api workers occupy ports ``9100-9104``. |
| This can be achieved by using ``port_range_length`` in the pillar, |
| ``port_range_length: 5`` in this case. |
| For skipping first worker (``worker_id 0``), because it has other |
| responsibilities and to avoid overloading it by http requests |
| use the ``port_range_start_offset`` in the pillar, |
| ``port_range_start_offset: 1`` in this case, it will only use ports |
| 9101-9104 (skipping 9100). |
| |
| - ``port_range_length`` parameter is used to calculate port range end |
| - ``port_range_start_offset`` will skip first n ports in port range |
| |
| For backward compatibility, the name of the first server in port range |
| has no ``pN`` suffix. |
| |
| The following sample will result in |
| |
| .. code-block:: text |
| |
| listen contrail_api |
| bind 172.16.10.252:8082 |
| option nolinger |
| balance leastconn |
| server ntw01p1 172.16.10.95:9101 check inter 2000 rise 2 fall 3 |
| server ntw01p2 172.16.10.95:9102 check inter 2000 rise 2 fall 3 |
| server ntw01p3 172.16.10.95:9103 check inter 2000 rise 2 fall 3 |
| server ntw01p4 172.16.10.95:9104 check inter 2000 rise 2 fall 3 |
| server ntw02 172.16.10.96:9100 check inter 2000 rise 2 fall 3 |
| server ntw02p1 172.16.10.96:9101 check inter 2000 rise 2 fall 3 |
| server ntw02p2 172.16.10.96:9102 check inter 2000 rise 2 fall 3 |
| server ntw02p3 172.16.10.96:9103 check inter 2000 rise 2 fall 3 |
| server ntw02p4 172.16.10.96:9104 check inter 2000 rise 2 fall 3 |
| server ntw03 172.16.10.94:9100 check inter 2000 rise 2 fall 3 |
| server ntw03p1 172.16.10.94:9101 check inter 2000 rise 2 fall 3 |
| server ntw03p2 172.16.10.94:9102 check inter 2000 rise 2 fall 3 |
| server ntw03p3 172.16.10.94:9103 check inter 2000 rise 2 fall 3 |
| server ntw03p4 172.16.10.94:9104 check inter 2000 rise 2 fall 3 |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| listen: |
| contrail_api: |
| type: contrail-api |
| service_name: contrail |
| balance: leastconn |
| binds: |
| - address: 10.10.10.10 |
| port: 8082 |
| servers: |
| - name: ntw01 |
| host: 10.10.10.11 |
| port: 9100 |
| port_range_length: 5 |
| port_range_start_offset: 1 |
| params: check inter 2000 rise 2 fall 3 |
| - name: ntw02 |
| host: 10.10.10.12 |
| port: 9100 |
| port_range_length: 5 |
| port_range_start_offset: 0 |
| params: check inter 2000 rise 2 fall 3 |
| - name: ntw03 |
| host: 10.10.10.13 |
| port: 9100 |
| port_range_length: 5 |
| params: check inter 2000 rise 2 fall 3 |
| |
| |
| Custom more complex listener (for Artifactory and subdomains for docker |
| registries) |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| listen: |
| artifactory: |
| mode: http |
| options: |
| - forwardfor |
| - forwardfor header X-Real-IP |
| - httpchk |
| - httpclose |
| - httplog |
| sticks: |
| - stick on src |
| - stick-table type ip size 200k expire 2m |
| acl: |
| is_docker: "path_reg ^/v[12][/.]*" |
| http_request: |
| - action: "set-path /artifactory/api/docker/%[req.hdr(host),lower,field(1,'.')]%[path]" |
| condition: "if is_docker" |
| balance: source |
| binds: |
| - address: ${_param:cluster_vip_address} |
| port: 8082 |
| ssl: |
| enabled: true |
| # This PEM file needs to contain key, cert, CA and possibly |
| # intermediate certificates |
| pem_file: /etc/haproxy/ssl/server.pem |
| servers: |
| - name: ${_param:cluster_node01_name} |
| host: ${_param:cluster_node01_address} |
| port: 8082 |
| params: check |
| - name: ${_param:cluster_node02_name} |
| host: ${_param:cluster_node02_address} |
| port: 8082 |
| params: backup check |
| |
| It's also possible to use multiple certificates for one listener (eg. when |
| it's bind on multiple interfaces): |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| listen: |
| dummy_site: |
| mode: http |
| binds: |
| - address: 127.0.0.1 |
| port: 8080 |
| ssl: |
| enabled: true |
| key: | |
| my super secret key follows |
| cert: | |
| certificate |
| chain: | |
| CA chain (if any) |
| - address: 127.0.1.1 |
| port: 8081 |
| ssl: |
| enabled: true |
| key: | |
| my super secret key follows |
| cert: | |
| certificate |
| chain: | |
| CA chain (if any) |
| |
| Definition above will result in creation of ``/etc/haproxy/ssl/dummy_site`` |
| directory with files ``1-all.pem`` and ``2-all.pem`` (per binds). |
| |
| Custom listener with http-check options specified |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: true |
| forwardfor: |
| enabled: true |
| except: 127.0.0.1 |
| header: X-Forwarded-For |
| if-none: false |
| listen: |
| glance_api: |
| binds: |
| - address: 192.168.2.11 |
| port: 9292 |
| ssl: |
| enabled: true |
| pem_file: /etc/haproxy/ssl/all.pem |
| http_request: |
| - action: set-header X-Forwarded-Proto https |
| mode: http |
| options: |
| - httpchk GET / |
| - httplog |
| - httpclose |
| servers: |
| - host: 127.0.0.1 |
| name: ctl01 |
| params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3 |
| port: 9292 |
| |
| Custom listener with tcp-check options specified (for Redis cluster with Sentinel) |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| listen: |
| redis_cluster: |
| service_name: redis |
| health-check: |
| tcp: |
| enabled: True |
| options: |
| - send PING\r\n |
| - expect string +PONG |
| - send info\ replication\r\n |
| - expect string role:master |
| - send QUIT\r\n |
| - expect string +OK |
| binds: |
| - address: ${_param:cluster_address} |
| port: 6379 |
| servers: |
| - name: ${_param:cluster_node01_name} |
| host: ${_param:cluster_node01_address} |
| port: 6379 |
| params: check inter 1s |
| - name: ${_param:cluster_node02_name} |
| host: ${_param:cluster_node02_address} |
| port: 6379 |
| params: check inter 1s |
| - name: ${_param:cluster_node03_name} |
| host: ${_param:cluster_node03_address} |
| port: 6379 |
| params: check inter 1s |
| |
| Frontend for routing between exists listeners via URL with SSL an redirects. |
| You can use one backend for several URLs. |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| listen: |
| service_proxy: |
| mode: http |
| balance: source |
| format: end |
| binds: |
| - address: ${_param:haproxy_bind_address} |
| port: 80 |
| ssl: ${_param:haproxy_frontend_ssl} |
| ssl_port: 443 |
| redirects: |
| - code: 301 |
| location: domain.com/images |
| conditions: |
| - type: hdr_dom(host) |
| condition: images.domain.com |
| acls: |
| - name: gerrit |
| conditions: |
| - type: hdr_dom(host) |
| condition: gerrit.domain.com |
| - name: jenkins |
| conditions: |
| - type: hdr_dom(host) |
| condition: jenkins.domain.com |
| - name: docker |
| backend: artifactroy |
| conditions: |
| - type: hdr_dom(host) |
| condition: docker.domain.com |
| |
| Enable customisable ``forwardfor`` option in ``defaults`` section. |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: true |
| mode: tcp |
| logging: syslog |
| max_connections: 1024 |
| forwardfor: |
| enabled: true |
| except: |
| header: |
| if-none: false |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: true |
| mode: tcp |
| logging: syslog |
| max_connections: 1024 |
| forwardfor: |
| enabled: true |
| except: 127.0.0.1 |
| header: X-Real-IP |
| if-none: false |
| |
| Sample pillar with multiprocess multicore configuration |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| enabled: True |
| nbproc: 4 |
| cpu_map: |
| 1: 0 |
| 2: 1 |
| 3: 2 |
| 4: 3 |
| stats_bind_process: "1 2" |
| mode: http/tcp |
| logging: syslog |
| maxconn: 1024 |
| timeout: |
| connect: 5000 |
| client: 50000 |
| server: 50000 |
| listen: |
| https-in: |
| bind_process: "1 2 3 4" |
| binds: |
| - address: 0.0.0.0 |
| port: 443 |
| servers: |
| - name: server1 |
| host: 10.0.0.1 |
| port: 8443 |
| - name: server2 |
| host: 10.0.0.2 |
| port: 8443 |
| params: 'maxconn 256' |
| |
| Implement rate limiting, to prevent excessive requests |
| This feature only works if using 'format: end' |
| |
| .. code-block:: yaml |
| |
| haproxy: |
| proxy: |
| ... |
| listen: |
| nova_metadata_api: |
| ... |
| format: end |
| options: |
| - httpchk |
| - httpclose |
| - httplog |
| rate_limit: |
| duration: 900s |
| enabled: true |
| requests: 125 |
| track: content |
| servers: |
| ... |
| type: http |
| |
| Read more |
| ========= |
| |
| * https://github.com/jesusaurus/hpcs-salt-state/tree/master/haproxy |
| * http://www.nineproductions.com/saltstack-ossec-state-using-reactor/ |
| * https://gist.github.com/tomeduarte/6340205 - example on how to use peer |
| from within a config file (using jinja) |
| * http://youtu.be/jJJ8cfDjcTc?t=8m58s - from 9:00 on, a good overview |
| of peer vs mine |
| * https://github.com/russki/cluster-agents |
| |
| Documentation and Bugs |
| ====================== |
| |
| * http://salt-formulas.readthedocs.io/ |
| Learn how to install and update salt-formulas |
| |
| * https://github.com/salt-formulas/salt-formula-haproxy/issues |
| In the unfortunate event that bugs are discovered, report the issue to the |
| appropriate issue tracker. Use the Github issue tracker for a specific salt |
| formula |
| |
| * https://launchpad.net/salt-formulas |
| For feature requests, bug reports, or blueprints affecting the entire |
| ecosystem, use the Launchpad salt-formulas project |
| |
| * https://launchpad.net/~salt-formulas-users |
| Join the salt-formulas-users team and subscribe to mailing list if required |
| |
| * https://github.com/salt-formulas/salt-formula-haproxy |
| Develop the salt-formulas projects in the master branch and then submit pull |
| requests against a specific formula |
| |
| * #salt-formulas @ irc.freenode.net |
| Use this IRC channel in case of any questions or feedback which is always |
| welcome |
| |