Haproxy v 1.8 config


#1

I’m using the round-robin balance type with three back-end web servers,
but all incoming connections always get forwarded to web-01, not balanced across the 3 web servers.
PS* When closing web-01, all connections go to web-02.

Here’s my config file. I need to balance all traffic across the back-end servers, not only one server.

global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy

	pidfile /var/run/haproxy.pid
	maxconn 50000
	user haproxy
	group haproxy
	daemon

	stats socket /var/lib/haproxy/stats mode 600 level admin
	stats timeout 30s

	ca-base /etc/opt/rh/rh-haproxy18/haproxy/ssl/live/yasso.com
	crt-base /etc/opt/rh/rh-haproxy18/haproxy/ssl/live/yasso.com/

	tune.ssl.default-dh-param 4096
	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
	ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384

defaults
	mode http
	log global
	timeout connect 25000ms
	timeout client 60000ms
	timeout server 60000ms
	timeout queue 60000ms
	timeout http-request 15000ms
	timeout http-keep-alive 15000ms
	option httplog
	option dontlognull
	option redispatch
	option forwardfor
	option http-server-close
	option httpclose

frontend https-in

	rspadd X-Frame-Options:\ DENY
	bind *:443 ssl crt /etc/opt/rh/rh-haproxy18/haproxy/ssl/live/yasso.com/yasso.com.pem

	stats enable
	stats realm Haproxy\ Statistics
	stats uri /haproxy_stats
	stats refresh 10s
	stats show-node
	stats auth yasso:yasso
	stats admin if TRUE

	default_backend WEB-APP

backend WEB-APP

	balance roundrobin
	option http-keep-alive
	option httpchk HEAD / HTTP/1.1\r\nHost:localhost
	cookie SERVERID insert indirect nocache
	stick-table type integer size 1k expire 3h
	stick on dst_port

	server web-01 192.168.100.78:80 check cookie web-01
	server web-02 192.168.100.79:80 check cookie web-02
	server web-03 192.168.100.80:80 check cookie web-03

	timeout tunnel 10h

	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

#2

How do you come to that conclusion exactly? Did you benchmark it with some tools, if yes how (what exact commands) and what is the exact output?

Do you need session persistence? Also why do you stick on dst_port? What is this configuration supposed to achieve?


#4

Can you read the entire post and respond to all the questions, please?


#5

How do you come to that conclusion exactly? After reading lots of topics and blogs and checking many configurations posted on the internet.

Did you benchmark it with some tools, if yes how (what exact commands)? I used the ApacheJMeter tool,
and what is the exact output? I reach 350 concurrent users.

Do you need session persistence? Yes, because I’m considering long-lived sessions and the same client revisiting from the same address.

Also why do you stick on dst_port? I thought, and found, that for sticky sessions I must add dst_port.

What is this configuration supposed to achieve?
This configuration must achieve:
load balancing of the web application service; I need to reach 2500+ concurrent users,
no throughput peaks and spikes, and connections going smoothly to clients.

By the way, many thanks for your reply; I appreciate your kind help tuning the configuration file :heart_eyes:


#6

So in other words, you don’t actually know whether haproxy load-balances correctly or not, you simply have the problem that you only reach 350 instead of your targeted 2500 concurrent sessions.

Please remove the stick table configuration. It is completely wrong and useless, and it may also impact your benchmark negatively. You are using cookies for session persistence, that suffices, stop it there. Also, sticking to the destination port is completely useless and totally wrong.

Keepalive needs to be configured correctly and the timers should be adjusted.

tune.ssl.default-dh-param 4096

Don’t do this. Unless you are completely familiar with and know EXACTLY what happens with a DHE handshake in an event-loop based application like haproxy, you do not set this value to 4096.

Also, please configure TLS based on the recommended settings from Mozilla:
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.8.0&openssl=1.0.2&hsts=no&profile=intermediate

So, here’s a list of things I suggest you do:

  • remove stick tables (both keywords beginning with stick)
  • configure TLS as explained above, based on the Mozilla recommendations (especially the ciphers and the dh-params)
  • in the default section:
    • remove option http-server-close
    • remove option httpclose
    • put option http-keep-alive
    • put option prefer-last-server
  • in the frontend:
    • put maxconn 20000
  • in the backend
    • remove option http-keep-alive (as it is already default)
    • put maxconn 1000 (or more, depending how many concurrent connections each server can handle)
    • remove timeout tunnel 10h, as it has nothing to do with the config at hand, unless you do websockets (and in that case it should be put into the defaults)
  • make sure your benchmark can actually achieve sufficient performance:
    • benchmark one backend server directly, bypassing haproxy: you will need to get at least 1000 concurrent sessions
    • make sure firewalls like the linux conntrack don’t interfere (on the benchmark client, the haproxy instance, all backend servers and every other intermediate node)
    • make sure the benchmark uses keep-alive
    • make sure the benchmark is actually not a bottleneck in itself
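
Since `stick on dst_port` keys the table on the listener port (443 for every connection), the first server chosen gets reused for all later connections, which matches the symptom in #1; below is the #1 configuration rewritten with the changes listed in #6, as an added example rather than anything posted in the thread. The dh-param value and the cipher placeholder are assumptions standing in for what the Mozilla generator emits, the original timer values are kept because #6 gives no numbers, and the stats block is left out.

```haproxy
global
	log /dev/log local0
	log /dev/log local1 notice
	chroot /var/lib/haproxy
	pidfile /var/run/haproxy.pid
	maxconn 50000
	user haproxy
	group haproxy
	daemon
	stats socket /var/lib/haproxy/stats mode 600 level admin
	stats timeout 30s
	# TLS per the Mozilla "intermediate" profile linked in #6 (assumed values):
	# replace the placeholder with the exact cipher list the generator emits
	tune.ssl.default-dh-param 2048
	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
	ssl-default-bind-ciphers MOZILLA-INTERMEDIATE-CIPHER-LIST-PLACEHOLDER

defaults
	mode http
	log global
	option httplog
	option dontlognull
	option redispatch
	option forwardfor
	option http-keep-alive       # replaces http-server-close and httpclose
	option prefer-last-server    # reuse the idle connection to the last server
	timeout connect 25000ms      # timers kept from #1; #6 says tune, gives no values
	timeout client 60000ms
	timeout server 60000ms
	timeout queue 60000ms
	timeout http-request 15000ms
	timeout http-keep-alive 15000ms

frontend https-in
	bind *:443 ssl crt /etc/opt/rh/rh-haproxy18/haproxy/ssl/live/yasso.com/yasso.com.pem
	maxconn 20000
	http-response set-header X-Frame-Options DENY
	# stats block from #1 omitted; if kept, gate "stats admin" on an ACL, not TRUE
	default_backend WEB-APP

backend WEB-APP
	balance roundrobin
	# stick-table / stick on dst_port removed: the cookie alone gives persistence
	option httpchk HEAD / HTTP/1.1\r\nHost:localhost
	cookie SERVERID insert indirect nocache
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }
	# per-server maxconn is where the backend limit from #6 applies
	server web-01 192.168.100.78:80 check cookie web-01 maxconn 1000
	server web-02 192.168.100.79:80 check cookie web-02 maxconn 1000
	server web-03 192.168.100.80:80 check cookie web-03 maxconn 1000
```

Validate with `haproxy -c -f <file>` before reloading, and confirm distribution by watching the per-server session counters on the stats socket while the benchmark runs without a cookie jar.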