Configuration of HaProxy as a reverse proxy

HaProxy is a remarkable tool that notably allows for load balancing or reverse proxying. It’s this latter functionality we will be focusing on.

The goal is to make two different web servers accessible from the same IP address and port via two subdomains.

Diagram depicting a set of Apache servers and HaProxy

Prerequisites:

  • Two web servers, here Apache
  • A functional Linux server, on which we will set up HaProxy
  • A rule on your router redirecting port 80 from the WAN to the HaProxy server (unless local)
  • The DNS configuration at your registrar or from your local DNS server, for your two sites

The server addresses for this lab are:

  • 10.10.10.1 -> a.mysite.com
  • 10.10.10.2 -> b.mysite.com
  • 10.10.10.20 -> haproxy

Connect to your HaProxy server to install the software.

apt-get install haproxy

Usually, a haproxy user is created during installation. If this is not the case, you can create it yourself; the configuration below runs the service as this user and group.

Edit the HaProxy configuration file.

The sections that really interest us are the frontend and the two backends.

This is an HTTP configuration, but it’s entirely possible to use HTTPS from the WAN to the HaProxy and then HTTP from the HaProxy to the Apache servers.

I’m providing a link to an HTTPS configuration file here -> HTTPS-HaProxy

nano /etc/haproxy/haproxy.cfg

global
    maxconn 2048
    user haproxy
    group haproxy
    daemon
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    option  forwardfor
    maxconn 2000
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# The name of my frontend (whatever you want)
frontend http_fe
    # Everything arriving on port 80 of our haproxy
    bind *:80
    # acl_a matches requests whose Host header is a.mysite.com
    acl acl_a hdr(host) a.mysite.com
    # acl_b matches requests whose Host header is b.mysite.com
    acl acl_b hdr(host) b.mysite.com
    # If acl_a matches, use backend a
    use_backend backend_a if acl_a
    # If acl_b matches, use backend b
    use_backend backend_b if acl_b

# Declaration of backend a
backend backend_a
    # Insert a cookie to keep a client on the same server
    cookie cookie_mysite.com insert nocache
    # Our first web server, with health checks and its cookie value
    server a.mysite.com 10.10.10.1:80 check cookie stcookie01

# Declaration of backend b
backend backend_b
    # Insert a cookie to keep a client on the same server
    cookie cookie_mysite.com insert nocache
    # Our second web server, with health checks and its cookie value
    server b.mysite.com 10.10.10.2:80 check cookie stcookie02

It is entirely possible to run HaProxy without the ACLs and with only one backend, but personally, I’ve had a lot of issues with it, so I don’t recommend it.

Once the file is completed, restart the haproxy service.

systemctl restart haproxy.service

Head over to your favorite web browser, and in two different tabs type a.mysite.com and b.mysite.com.

Browser screenshot of address siteA
Browser screenshot of address siteB

If you want to do a local test, don’t forget to modify the hosts file of your operating system.

C:\Windows\System32\drivers\etc\hosts on Windows
/etc/hosts on Linux

10.10.10.20	a.mysite.com
10.10.10.20	b.mysite.com
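
The same test can be scripted without touching the hosts file, by sending the Host header straight to the HaProxy address and reading back the persistence cookie, which names the server that answered. This script is an added example, not part of the original article; it assumes both Apache servers answer GET / with 200, and unknown.mysite.com is a made-up name used to confirm that a Host matching no ACL gets HaProxy's own 503 instead of one of the backends.

```python
"""Smoke test for the Host-based routing in the haproxy.cfg above (added example)."""
import http.client
import sys

PROXY = ("10.10.10.20", 80)        # HaProxy address from this lab
COOKIE_NAME = "cookie_mysite.com"  # name set by the "cookie ... insert" lines
# Host header -> (expected status, expected cookie value from the "server" lines)
EXPECTED = {
    "a.mysite.com": (200, "stcookie01"),  # 200 is an assumption about Apache
    "b.mysite.com": (200, "stcookie02"),
    # Constructed name: it matches no ACL and there is no default_backend,
    # so HaProxy should answer 503 itself instead of picking a server.
    "unknown.mysite.com": (503, None),
}

def probe(proxy, host, timeout=5):
    """GET / through the proxy with an explicit Host header.

    Returns (status, persistence cookie value or None)."""
    conn = http.client.HTTPConnection(proxy[0], proxy[1], timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        cookie = None
        for value in resp.headers.get_all("Set-Cookie") or []:
            name, _, rest = value.partition("=")
            if name.strip() == COOKIE_NAME:
                cookie = rest.split(";", 1)[0].strip()
        return resp.status, cookie
    finally:
        conn.close()

def check_routing(proxy=PROXY, expected=EXPECTED):
    """Return a list of mismatches; an empty list means routing is as configured."""
    problems = []
    for host, (want_status, want_cookie) in expected.items():
        try:
            status, cookie = probe(proxy, host)
        except (OSError, http.client.HTTPException) as exc:
            problems.append(f"{host}: no usable answer from proxy ({exc})")
            continue
        if (status, cookie) != (want_status, want_cookie):
            problems.append(f"{host}: got {status}/{cookie}, want {want_status}/{want_cookie}")
    return problems

if __name__ == "__main__":
    issues = check_routing()
    print("\n".join(issues) or "routing matches haproxy.cfg")
    sys.exit(1 if issues else 0)
```

A non-zero exit code means at least one hostname reached the wrong server, returned an unexpected status, or got no answer.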
