Using HAProxy to load-balance between HTTPS endpoints

in #linux, 5 years ago

Providing high availability for a service that isn't highly available by design often means a few hours of headaches before you solve it. I had the same issue. The situation was a cloud service that is not highly available but can be set up at different server locations. The question is: how do I make the users switch when an outage happens? The application I was facing was an SAP Cloud Platform HTML5 application, which does not offer high availability at this point. Because these applications can proxy data, I needed to make them highly available. A load balancer is a great way to distribute users between these endpoints. I used HAProxy in this case and later used an Azure Front Door service for convenience, because why not, right?

Prepare the endpoints

First of all you need two or more endpoints for your application. I had two endpoints, both located in the EU, so that they can be reached without huge latency or packet loss. Distributing the endpoints across regions is very important for higher availability, because one region can fail for many reasons, while it is very unlikely that two regions fail at the same time.

Configure Server

First of all we need to spin up a Linux machine which will be our HAProxy host. After that we need to install HAProxy:

sudo apt install haproxy

After that we can edit the configuration file:

sudo vim /etc/haproxy/haproxy.cfg

Now the real magic happens: we need to append the following to the end of the file:

frontend haproxynode
    bind *:80
    mode http
    option http-buffer-request
    timeout http-request 10s
    default_backend backendnodes

backend backendnodes
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r
    http-send-name-header Host
    server application-subaccount.dispatcher.hana.ondemand.com application-subaccount.dispatcher.hana.ondemand.com:443 ssl verify none
    server application2-subaccount.dispatcher.eu3.hana.ondemand.com application2-subaccount.dispatcher.eu3.hana.ondemand.com:443 ssl verify none

Now we can restart the service and take a look at the logs to see if our users are distributed correctly:

sudo systemctl restart haproxy
sudo less +G /var/log/haproxy.log

You can change the rules to your needs to provide location-based balancing, if needed.
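
The backend section above connects to both endpoints with "ssl verify none", which encrypts the hop but accepts any certificate, and its server lines carry no "check" keyword, so no health checks run against them. The variant below is an added example, not the author's configuration: the same backend with certificate verification and active health checks. It assumes HAProxy 1.8 or later and the Debian/Ubuntu CA bundle path; the timing values are illustrative.

```haproxy
# Added example, not the article's configuration.
# Assumptions: HAProxy 1.8 or later; Debian/Ubuntu CA bundle path.

backend backendnodes
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-send-name-header Host

    # If the selected server cannot be reached, retry on the other one.
    option redispatch

    # Weak form used in the article: the hop is encrypted, but any
    # certificate is accepted, so HAProxy cannot tell the real endpoint
    # from an impostor on the path.
    #   server <name> <host>:443 ssl verify none

    # Corrected form, per server:
    #   verify required + ca-file  validate the chain against trusted CAs
    #   verifyhost                 require the certificate to match the host
    #   sni / check-sni            send the host name in the TLS handshake,
    #                              for traffic and for health checks
    #   check inter/fall/rise      active health checks (TCP connect plus TLS
    #                              handshake); a failing server leaves rotation
    server application-subaccount.dispatcher.hana.ondemand.com application-subaccount.dispatcher.hana.ondemand.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost application-subaccount.dispatcher.hana.ondemand.com sni str(application-subaccount.dispatcher.hana.ondemand.com) check check-sni application-subaccount.dispatcher.hana.ondemand.com inter 5s fall 3 rise 2
    server application2-subaccount.dispatcher.eu3.hana.ondemand.com application2-subaccount.dispatcher.eu3.hana.ondemand.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost application2-subaccount.dispatcher.eu3.hana.ondemand.com sni str(application2-subaccount.dispatcher.eu3.hana.ondemand.com) check check-sni application2-subaccount.dispatcher.eu3.hana.ondemand.com inter 5s fall 3 rise 2
```

Before restarting, the file can be validated with: sudo haproxy -c -f /etc/haproxy/haproxy.cfg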