=====
Usage
=====
Filip Pytloun48d38302015-10-06 16:28:31 +02004
The Reliable, High Performance TCP/HTTP Load Balancer.
Filip Pytloun48d38302015-10-06 16:28:31 +02006
Sample pillars
==============
9
10Simple admin listener
11
12.. code-block:: yaml
13
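haproxy:
  proxy:
    # Canonical lowercase boolean (the original sample used ``True``, which
    # only YAML 1.1 parsers accept as a boolean).
    enabled: true
    listen:
      admin_page:
        type: admin
        binds:
          # 0.0.0.0 exposes the admin page on every interface; bind it to a
          # management address and restrict access with a firewall or ACL.
          # There is no ``ssl`` block on this bind, so the credentials below
          # are sent in cleartext.
          - address: 0.0.0.0
            port: 8801
        # Sample values only. Do not commit real credentials as plaintext
        # pillar data; reference them from an encrypted pillar instead,
        # e.g. ``${_param:<admin_user_param>}`` (placeholder name).
        user: fsdfdsfds
        password: dsfdsf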
25
Simple stats listener
27
28.. code-block:: yaml
29
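haproxy:
  proxy:
    # Canonical lowercase boolean (the original sample used ``True``).
    enabled: true
    listen:
      admin_page:
        type: stats
        binds:
          # The stats page reveals backend names, addresses and health; bind
          # it to a management address rather than 0.0.0.0 and restrict
          # access. No ``ssl`` block is given, so it is served in cleartext.
          - address: 0.0.0.0
            port: 8801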
39
40
41
42Sample pillar with admin
Filip Pytloun48d38302015-10-06 16:28:31 +020043
44.. code-block:: yaml
45
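haproxy:
  proxy:
    # Canonical lowercase boolean (the original sample used ``True``).
    enabled: true
    mode: http/tcp
    logging: syslog
    maxconn: 1024
    # Presumably milliseconds (HAProxy's default unit for unsuffixed
    # timeouts) — confirm in the rendered config.
    timeout:
      connect: 5000
      client: 50000
      server: 50000
    listen:
      https-in:
        binds:
          # No ``ssl`` block on this bind: TLS is not terminated here, so the
          # 8443 backends are expected to handle it themselves.
          - address: 0.0.0.0
            port: 443
        servers:
          - name: server1
            host: 10.0.0.1
            port: 8443
          - name: server2
            host: 10.0.0.2
            port: 8443
            # Extra ``server`` keywords passed through to the backend line.
            params: 'maxconn 256'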
Filip Pytloun48d38302015-10-06 16:28:31 +020069
Jiri Konecny371c6de2016-03-02 11:32:46 +010070
Sample pillar with custom logging
Filip Pytloun48d38302015-10-06 16:28:31 +020072
73.. code-block:: yaml
74
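# NOTE(review): apart from ``binds`` this sample is identical to the previous
# one; it does not show anything "custom" about logging — confirm intent.
haproxy:
  proxy:
    # Canonical lowercase boolean (the original sample used ``True``).
    enabled: true
    mode: http/tcp
    logging: syslog
    maxconn: 1024
    timeout:
      connect: 5000
      client: 50000
      server: 50000
    listen:
      https-in:
        # ``binds`` is a list in every other sample; the original wrote it as
        # a plain mapping here, which the formula would not iterate the same way.
        binds:
          - address: 0.0.0.0
            port: 443
        servers:
          - name: server1
            host: 10.0.0.1
            port: 8443
          - name: server2
            host: 10.0.0.2
            port: 8443
            params: 'maxconn 256'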
Filip Pytloun48d38302015-10-06 16:28:31 +020098
99.. code-block:: yaml
100
haproxy:
  proxy:
    enabled: true
    mode: tcp
    logging: syslog
    # NOTE(review): other samples in this document use ``maxconn`` —
    # confirm which key the formula actually reads.
    max_connections: 1024
    listen:
      mysql:
        type: mysql
        binds:
          - address: 10.0.88.70
            port: 3306
        # ``params`` is extra ``server`` keyword text; ``backup`` is HAProxy's
        # keyword for a node used only when no primary is available.
        servers:
          - name: node1
            host: 10.0.88.13
            port: 3306
            params: 'check inter 15s fastinter 2s downinter 1s rise 5 fall 3'
          - name: node2
            host: 10.0.88.14
            port: 3306
            params: 'check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup'
          - name: node3
            host: 10.0.88.15
            port: 3306
            params: 'check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup'
      rabbitmq:
        type: rabbitmq
        binds:
          - address: 10.0.88.70
            port: 5672
        servers:
          - name: node1
            host: 10.0.88.13
            port: 5673
            params: 'check inter 5000 rise 2 fall 3'
          - name: node2
            host: 10.0.88.14
            port: 5673
            params: 'check inter 5000 rise 2 fall 3 backup'
          - name: node3
            host: 10.0.88.15
            port: 5673
            params: 'check inter 5000 rise 2 fall 3 backup'
      keystone-1:
        type: general-service
        binds:
          - address: 10.0.106.170
            port: 5000
        servers:
          - name: node1
            host: 10.0.88.13
            port: 5000
            params: 'check'
Filip Pytloun48d38302015-10-06 16:28:31 +0200154
155.. code-block:: yaml
156
# NOTE(review): this listing duplicates the previous one verbatim.
haproxy:
  proxy:
    enabled: true
    mode: tcp
    logging: syslog
    # NOTE(review): other samples use ``maxconn`` — confirm which key the
    # formula reads.
    max_connections: 1024
    listen:
      mysql:
        type: mysql
        binds:
          - address: 10.0.88.70
            port: 3306
        servers:
          - name: node1
            host: 10.0.88.13
            port: 3306
            params: 'check inter 15s fastinter 2s downinter 1s rise 5 fall 3'
          - name: node2
            host: 10.0.88.14
            port: 3306
            params: 'check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup'
          - name: node3
            host: 10.0.88.15
            port: 3306
            params: 'check inter 15s fastinter 2s downinter 1s rise 5 fall 3 backup'
      rabbitmq:
        type: rabbitmq
        binds:
          - address: 10.0.88.70
            port: 5672
        servers:
          - name: node1
            host: 10.0.88.13
            port: 5673
            params: 'check inter 5000 rise 2 fall 3'
          - name: node2
            host: 10.0.88.14
            port: 5673
            params: 'check inter 5000 rise 2 fall 3 backup'
          - name: node3
            host: 10.0.88.15
            port: 5673
            params: 'check inter 5000 rise 2 fall 3 backup'
      keystone-1:
        type: general-service
        binds:
          - address: 10.0.106.170
            port: 5000
        servers:
          - name: node1
            host: 10.0.88.13
            port: 5000
            params: 'check'
Filip Pytloun48d38302015-10-06 16:28:31 +0200210
Sample pillar with port range and port offset

This is useful in listen blocks for the definition of multiple servers
that differ only by port number within a port range. This situation
can be the result of multiple single-threaded servers deployed in a
multi-core environment to better utilize the available cores.
217
For example, five contrail-api workers occupy ports ``9100-9104``.
This can be achieved by using ``port_range_length`` in the pillar,
``port_range_length: 5`` in this case.
To skip the first worker (``worker_id 0``), because it has other
responsibilities and should not be overloaded with HTTP requests,
use ``port_range_start_offset`` in the pillar,
``port_range_start_offset: 1`` in this case; it will then only use ports
9101-9104 (skipping 9100).
226
227- ``port_range_length`` parameter is used to calculate port range end
228- ``port_range_start_offset`` will skip first n ports in port range
229
For backward compatibility, the server on the first port of the range
(offset 0) has no ``pN`` suffix in its name.
232
233The following sample will result in
234
235.. code-block:: text
236
237 listen contrail_api
238 bind 172.16.10.252:8082
239 option nolinger
240 balance leastconn
241 server ntw01p1 172.16.10.95:9101 check inter 2000 rise 2 fall 3
242 server ntw01p2 172.16.10.95:9102 check inter 2000 rise 2 fall 3
243 server ntw01p3 172.16.10.95:9103 check inter 2000 rise 2 fall 3
244 server ntw01p4 172.16.10.95:9104 check inter 2000 rise 2 fall 3
245 server ntw02 172.16.10.96:9100 check inter 2000 rise 2 fall 3
246 server ntw02p1 172.16.10.96:9101 check inter 2000 rise 2 fall 3
247 server ntw02p2 172.16.10.96:9102 check inter 2000 rise 2 fall 3
248 server ntw02p3 172.16.10.96:9103 check inter 2000 rise 2 fall 3
249 server ntw02p4 172.16.10.96:9104 check inter 2000 rise 2 fall 3
250 server ntw03 172.16.10.94:9100 check inter 2000 rise 2 fall 3
251 server ntw03p1 172.16.10.94:9101 check inter 2000 rise 2 fall 3
252 server ntw03p2 172.16.10.94:9102 check inter 2000 rise 2 fall 3
253 server ntw03p3 172.16.10.94:9103 check inter 2000 rise 2 fall 3
254 server ntw03p4 172.16.10.94:9104 check inter 2000 rise 2 fall 3
255
256.. code-block:: yaml
257
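haproxy:
  proxy:
    listen:
      contrail_api:
        type: contrail-api
        service_name: contrail
        balance: leastconn
        binds:
          # Addresses aligned with the rendered ``listen contrail_api``
          # output shown above (the original pillar used 10.10.10.x, which
          # did not match that output).
          - address: 172.16.10.252
            port: 8082
        servers:
          # Each entry expands to ``port_range_length`` servers starting at
          # ``port``; ``port_range_start_offset`` skips that many leading
          # ports, and the entry at offset 0 keeps the bare name (no ``pN``).
          - name: ntw01
            host: 172.16.10.95
            port: 9100
            port_range_length: 5
            port_range_start_offset: 1
            params: check inter 2000 rise 2 fall 3
          - name: ntw02
            host: 172.16.10.96
            port: 9100
            port_range_length: 5
            port_range_start_offset: 0
            params: check inter 2000 rise 2 fall 3
          - name: ntw03
            host: 172.16.10.94
            port: 9100
            port_range_length: 5
            # No offset given: the output above shows this behaves like offset 0.
            params: check inter 2000 rise 2 fall 3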
286
287
A more complex custom listener (for Artifactory and subdomains for Docker
registries)
290
291.. code-block:: yaml
292
haproxy:
  proxy:
    listen:
      artifactory:
        mode: http
        balance: source
        binds:
          - address: ${_param:cluster_vip_address}
            port: 8082
            ssl:
              enabled: true
              # This PEM file needs to contain key, cert, CA and possibly
              # intermediate certificates. It holds the private key, so keep
              # it root-owned and unreadable by other users.
              pem_file: /etc/haproxy/ssl/server.pem
        options:
          - forwardfor
          - forwardfor header X-Real-IP
          - httpchk
          - httpclose
          - httplog
        sticks:
          - stick on src
          - stick-table type ip size 200k expire 2m
        # The Host header used by the rewrite below is client-supplied; the
        # ACL only checks the path, so the resulting upstream path should be
        # validated on the Artifactory side.
        acl:
          is_docker: 'path_reg ^/v[12][/.]*'
        http_request:
          - action: "set-path /artifactory/api/docker/%[req.hdr(host),lower,field(1,'.')]%[path]"
            condition: 'if is_docker'
        servers:
          - name: ${_param:cluster_node01_name}
            host: ${_param:cluster_node01_address}
            port: 8082
            params: check
          - name: ${_param:cluster_node02_name}
            host: ${_param:cluster_node02_address}
            port: 8082
            params: backup check
330
It is also possible to use multiple certificates for one listener (e.g. when
it is bound on multiple interfaces):
333
334.. code-block:: yaml
335
haproxy:
  proxy:
    listen:
      dummy_site:
        mode: http
        binds:
          - address: 127.0.0.1
            port: 8080
            # One PEM per bind is written from these parts. The private key
            # is secret material: keep it out of plaintext pillar files and
            # reference it from an encrypted pillar instead.
            ssl:
              enabled: true
              cert: |
                certificate
              chain: |
                CA chain (if any)
              key: |
                my super secret key follows
          - address: 127.0.1.1
            port: 8081
            ssl:
              enabled: true
              cert: |
                certificate
              chain: |
                CA chain (if any)
              key: |
                my super secret key follows
362
The definition above will result in the creation of the ``/etc/haproxy/ssl/dummy_site``
directory with the files ``1-all.pem`` and ``2-all.pem`` (one per bind).
365
Custom listener with http-check options specified
367
368.. code-block:: yaml
369
haproxy:
  proxy:
    enabled: true
    # X-Forwarded-For is client-supplied except for the hop HAProxy appends;
    # backends must only trust the address HAProxy itself adds.
    forwardfor:
      enabled: true
      header: X-Forwarded-For
      except: 127.0.0.1
      if-none: false
    listen:
      glance_api:
        mode: http
        binds:
          - address: 192.168.2.11
            port: 9292
            ssl:
              enabled: true
              # Contains the private key; keep it root-owned and unreadable
              # by other users.
              pem_file: /etc/haproxy/ssl/all.pem
        options:
          - httpchk GET /
          - httplog
          - httpclose
        http_request:
          - action: set-header X-Forwarded-Proto https
        servers:
          - name: ctl01
            host: 127.0.0.1
            port: 9292
            params: check inter 10s fastinter 2s downinter 3s rise 3 fall 3
398
Custom listener with tcp-check options specified (for a Redis cluster with Sentinel)
400
401.. code-block:: yaml
402
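haproxy:
  proxy:
    listen:
      redis_cluster:
        service_name: redis
        health-check:
          tcp:
            # Canonical lowercase boolean (the original sample used ``True``).
            enabled: true
            # Plain scalars keep the backslashes literal; HAProxy's tcp-check
            # interprets ``\r\n`` itself. Only the node answering
            # ``role:master`` passes the check.
            options:
              - send PING\r\n
              - expect string +PONG
              - send info\ replication\r\n
              - expect string role:master
              - send QUIT\r\n
              - expect string +OK
        binds:
          - address: ${_param:cluster_address}
            port: 6379
        servers:
          - name: ${_param:cluster_node01_name}
            host: ${_param:cluster_node01_address}
            port: 6379
            params: check inter 1s
          - name: ${_param:cluster_node02_name}
            host: ${_param:cluster_node02_address}
            port: 6379
            params: check inter 1s
          - name: ${_param:cluster_node03_name}
            host: ${_param:cluster_node03_address}
            port: 6379
            params: check inter 1s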
434
Frontend for routing between existing listeners by URL, with SSL and redirects.
One backend can be used for several URLs.
437
438.. code-block:: yaml
439
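haproxy:
  proxy:
    listen:
      service_proxy:
        mode: http
        balance: source
        format: end
        binds:
          - address: ${_param:haproxy_bind_address}
            port: 80
            # NOTE(review): ``ssl`` is a scalar parameter here but a mapping
            # in the other samples — confirm what the formula expects.
            ssl: ${_param:haproxy_frontend_ssl}
            ssl_port: 443
        redirects:
          # 301 is cached permanently by clients; use a temporary code while
          # the target is still changing.
          - code: 301
            location: domain.com/images
            conditions:
              - type: hdr_dom(host)
                condition: images.domain.com
        # Routing is keyed on the client-supplied Host header; a request for
        # an unmatched host falls through to the default backend.
        acls:
          - name: gerrit
            conditions:
              - type: hdr_dom(host)
                condition: gerrit.domain.com
          - name: jenkins
            conditions:
              - type: hdr_dom(host)
                condition: jenkins.domain.com
          - name: docker
            # Must name an existing listener; the original sample had the
            # typo ``artifactroy``.
            backend: artifactory
            conditions:
              - type: hdr_dom(host)
                condition: docker.domain.com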
472
Enable the customisable ``forwardfor`` option in the ``defaults`` section.
474
475.. code-block:: yaml
476
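haproxy:
  proxy:
    enabled: true
    mode: tcp
    logging: syslog
    max_connections: 1024
    forwardfor:
      enabled: true
      # Explicit ``null`` instead of a bare ``key:`` — same parsed value,
      # but unambiguous. Presumably this leaves the formula's defaults in
      # effect for these two options — confirm.
      except: null
      header: null
      if-none: false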
488
489.. code-block:: yaml
490
haproxy:
  proxy:
    enabled: true
    mode: tcp
    logging: syslog
    max_connections: 1024
    # The forwarded-for header is client-supplied except for the entry
    # HAProxy appends; backends must only trust that last entry. With
    # ``if-none: false`` HAProxy is expected to append its entry even when
    # the client already sent one — confirm in the rendered config.
    forwardfor:
      enabled: true
      header: X-Real-IP
      except: 127.0.0.1
      if-none: false
502
Sample pillar with multiprocess multicore configuration
504
505.. code-block:: yaml
506
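haproxy:
  proxy:
    # Canonical lowercase boolean (the original sample used ``True``).
    enabled: true
    nbproc: 4
    # Process number -> CPU id; keys are YAML integers here.
    cpu_map:
      1: 0
      2: 1
      3: 2
      4: 3
    # Quoted: these are space-separated process lists, not numbers.
    stats_bind_process: "1 2"
    mode: http/tcp
    logging: syslog
    maxconn: 1024
    timeout:
      connect: 5000
      client: 50000
      server: 50000
    listen:
      https-in:
        bind_process: "1 2 3 4"
        binds:
          # No ``ssl`` block: TLS is not terminated on this 443 bind.
          - address: 0.0.0.0
            port: 443
        servers:
          - name: server1
            host: 10.0.0.1
            port: 8443
          - name: server2
            host: 10.0.0.2
            port: 8443
            params: 'maxconn 256'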
538
Implement rate limiting to prevent excessive requests.
This feature only works when using ``format: end``.
541
542.. code-block:: yaml
OlgaGusarenko0a99f8a2018-07-30 18:07:08 +0300543
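haproxy:
  proxy:
    # ... other proxy settings elided ...
    # (The original used bare ``...`` lines, which YAML parses as a scalar
    # and then rejects the following keys; comments keep the sample valid.)
    listen:
      nova_metadata_api:
        # ... other listener settings elided ...
        format: end
        options:
          - httpchk
          - httpclose
          - httplog
        # Allow ``requests`` per ``duration`` per tracked key before
        # rejecting; ``track: content`` tracks at the HTTP-request level.
        rate_limit:
          duration: 900s
          enabled: true
          requests: 125
          track: content
        servers:
          # ... server definitions elided, see the earlier samples ...
        type: http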
563
Implement an HAProxy configuration without specifying a particular type, or with ``type: None``.
This approach allows all major HAProxy parameters to be set manually.
Sample pillar:
567
568.. code-block:: yaml
569
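haproxy:
  proxy:
    listen:
      manila_api:
        # To YAML ``None`` is the string "None" (not null); the formula
        # presumably checks for that literal — confirm.
        type: None
        mode: tcp
        balance: roundrobin
        timeout:
          check: 10
          client: 20
        http_request:
          - action: "add-header X-Forwarded-Proto https"
            condition: "if { ssl_fc }"
        options: ${_param:haproxy_https_check_options}
        # Captured cookie/header values end up in the access log.
        capture:
          - cookie ASPSESSION len 32
          - request header Host len 15
        compression:
          - algo gzip
          - type text/html text/plain
        declare_capture: request len 50
        email_alert:
          - myhostname myserver
          - from server@localhost
          - level warning
        # Error pages are read from disk by HAProxy. /tmp is world-writable,
        # so any local user could replace these files; use a root-owned
        # directory such as the HAProxy config directory instead.
        errorfile:
          file_500:
            code: 500
            file: /tmp/error_500.log
          # Key renamed from ``file_404``: both the code and the file name
          # say 400.
          file_400:
            code: 400
            file: /tmp/error_400.log
        max_keep_alive_queue: 100
        maxconn: 10000
        reqadd:
          - X-Proto:\ SSL if is-ssl
        reqirep:
          - ^Host:\ www.mydomain.com Host:\ www
        modify_headers:
          - reqallow ^Host:\ www\.
          - reqdel ^Host:\ .*\.local
          - reqdeny ^Host:\ .*\.local
          - reqiallow ^Host:\ www\.
          - reqidel ^Host:\ .*\.local
          - reqideny ^Host:\ .*\.local
          - reqipass ^Host:\ .*\.local
          - reqpass ^Host:\ .*\.local
          - reqitarpit ^Host:\ .*\.local
          - reqtarpit ^Host:\ .*\.local
        retries: 10
        stats:
          - enable
          # Sample credential only. Reference it from an encrypted pillar,
          # e.g. ``auth ${_param:<stats_auth_param>}`` (placeholder name),
          # rather than committing a plaintext password.
          - auth admin1:AdMiN123
        rate_limit_sessions: 1000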
624
Implement rate limiting to prevent excessive requests
using ``format: listen``.
627
628.. code-block:: yaml
629
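haproxy:
  proxy:
    # ... other proxy settings elided ...
    # (The original used bare ``...`` lines, which YAML parses as a scalar
    # and then rejects the following keys; comments keep the sample valid.)
    listen:
      nova_metadata_api:
        # ... other listener settings elided ...
        # Allow ``requests`` per ``duration`` per tracked key;
        # ``track: connection`` counts connections rather than HTTP requests.
        rate_limit:
          duration: 3s
          enabled: true
          requests: 60
          track: connection
        servers:
          # ... server definitions elided, see the earlier samples ...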
643
644
Read more
=========
647
648* https://github.com/jesusaurus/hpcs-salt-state/tree/master/haproxy
* http://www.nineproductions.com/saltstack-ossec-state-using-reactor/
650* https://gist.github.com/tomeduarte/6340205 - example on how to use peer
651 from within a config file (using jinja)
652* http://youtu.be/jJJ8cfDjcTc?t=8m58s - from 9:00 on, a good overview
653 of peer vs mine
* https://github.com/russki/cluster-agents