Introduction
HAProxy is free, open source software that provides a highly available load balancer and proxy server for TCP and HTTP-based applications. It is particularly suitable for high-traffic websites and powers a good number of the most visited ones in the world. Configuring HAProxy on CentOS/RHEL (Red Hat Enterprise Linux) can enhance your network infrastructure by improving its performance and reliability.
This guide will walk you through the steps needed to install and configure HAProxy on CentOS/RHEL 9/8.
Prerequisites
- A CentOS/RHEL 9/8 server
- A non-root user with sudo privileges
Step 1: Update your system
Before installing any packages, it is a good idea to update your system's package index. This ensures that you have the latest updates and security patches.
sudo dnf update
Step 2: Install HAProxy
HAProxy is available in the default CentOS/RHEL repositories. Install it using the following command:
sudo dnf install haproxy
Step 3: Configure HAProxy
After installation, the next step is to configure HAProxy according to your needs. The main configuration file for HAProxy is /etc/haproxy/haproxy.cfg. You will need to modify this file with your configuration. Use a text editor like nano or vim to edit the file:
sudo nano /etc/haproxy/haproxy.cfg
Basic configuration
Below is a basic configuration example that sets up HAProxy as a load balancer for two web servers:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Allow only TLS 1.2 and TLS 1.3
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
    bind *:80
    # Enable TLS 1.3 and TLS 1.2 on HTTPS connections
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    # Redirect plain HTTP requests to HTTPS
    redirect scheme https if !{ ssl_fc }
    # Route static assets by path prefix or file extension
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend app

backend static
    balance roundrobin
    server static1 192.168.1.101:80 check
    server static2 192.168.1.102:80 check

backend app
    balance roundrobin
    # Session persistence: pin each client to one server with a cookie
    cookie SERVERID insert indirect nocache
    server app1 192.168.1.103:80 check cookie app1
    server app2 192.168.1.104:80 check cookie app2

listen stats
    bind *:8080
    stats enable
    stats uri /haproxy?stats
    stats hide-version
    # Example credentials: replace with a strong, unique password
    stats auth admin:admin
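This configuration tells HAProxy to listen on port 80 for incoming HTTP traffic and on port 443 for HTTPS (the http-in frontend), redirect HTTP requests to HTTPS, and load balance between two servers in each backend (static and app) using the round-robin algorithm.
The stats uri /haproxy?stats line enables the statistics page at the URL /haproxy?stats, where you can view useful statistics about the HAProxy server. The page is served by the stats listener on port 8080 and protected by the stats auth line; replace the example admin:admin credentials with a strong, unique password before starting the service.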
Save and exit
Once you've configured HAProxy to your liking, save the file and exit the text editor.
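A check worth running on the saved file before starting the service, as an added example that is not part of the original guide: a small awk-based audit that flags a stats page bound to every interface, weak stats auth credentials, and TLS binds without an explicit TLS 1.2 floor. The names audit_haproxy_cfg and sample_cfg and the finding labels are assumptions made here, and the sample input is constructed from the configuration above.

```shell
# Added example: audit_haproxy_cfg and sample_cfg are hypothetical helper names.
# Reads an haproxy.cfg (file argument or stdin) and prints one finding per line.
audit_haproxy_cfg() {
    awk '
    function end_section() {   # report only if the section has stats and a wildcard bind
        if (stats && wild) print "STATS_ON_ALL_INTERFACES: " section
        stats = 0; wild = 0
    }
    { sub(/#.*/, "") }         # strip comments
    NF == 0 { next }
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
        end_section(); section = $1 (NF > 1 ? " " $2 : ""); next
    }
    $1 == "bind" {
        if ($2 ~ /^(\*|0\.0\.0\.0)?:/) wild = 1
        for (i = 3; i <= NF; i++) if ($i == "ssl") tls_bind = 1
    }
    $1 == "stats" && $2 == "enable" { stats = 1 }
    $1 == "stats" && $2 == "auth" {
        p = index($3, ":"); user = substr($3, 1, p - 1); pass = substr($3, p + 1)
        if (pass == user || pass ~ /^(admin|password|changeme|haproxy)$/)
            print "WEAK_STATS_AUTH: user " user " in " section
    }
    $1 == "ssl-default-bind-options" {
        if (/ssl-min-ver TLSv1\.[23]/ || (/no-tlsv10/ && /no-tlsv11/)) tls_floor = 1
    }
    END {
        end_section()
        if (tls_bind && !tls_floor) print "NO_EXPLICIT_TLS_FLOOR: global"
    }
    ' "$@"
}

# Constructed sample: the TLS defaults, frontend binds and stats listener from the guide.
sample_cfg() {
    cat <<'EOF'
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
listen stats
    bind *:8080
    stats enable
    stats auth admin:admin
EOF
}

sample_cfg | audit_haproxy_cfg
```

Run it against the real file with audit_haproxy_cfg /etc/haproxy/haproxy.cfg, then use HAProxy's own check mode, sudo haproxy -c -f /etc/haproxy/haproxy.cfg, to catch syntax errors before the service is started.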
Step 4: Enable and launch HAProxy
With HAProxy configured, the next step is to enable it to start on boot and then start the service immediately:
sudo systemctl enable haproxy
sudo systemctl start haproxy
To ensure HAProxy is running, you can check its status with:
sudo systemctl status haproxy
Step 5: Change your firewall settings
If you have a firewall enabled, you will need to allow traffic through the ports that HAProxy is listening on. For example, to allow traffic on ports 80 and 443, you can use:
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
Conclusion
You have successfully installed and configured HAProxy on your CentOS/RHEL 9/8 server. HAProxy is now configured to distribute incoming network traffic to backend servers, increasing the reliability and performance of your application. Don't forget to check HAProxy's statistics page regularly to monitor its performance and make any necessary adjustments.