HAProxy community

Load balancing and failover - is HAProxy suitable?


#1

Hi good people, could someone answer my question? I am planning the infrastructure and I need advice.

I have two internet providers. One internet connection goes through router A with a static WAN IP, and the other goes through the second internet provider's router B, also with a static WAN IP.
Both routers will be connected to a single WEB server (ports 80, 433). The domain, let's say domain.com, will be set up on that server.

  1. What I need to achieve is load balancing and failover of domain.com on the WEB server on ports 80, 443 using both internet connections. So I am thinking of setting up HAProxy on a highly available server which will point to these two routers. Both internet connections will be used at the same time, and if one connection goes down, HAProxy will leave only the one stable connection. HAProxy will check every single second whether both connections are good and, in case of error, leave only one.

  2. The other solution I am thinking of is to have only one primary internet connection on router A, and if it fails, HAProxy switches immediately to the other internet connection on router B. In this case the internet connection on router B will be in standby mode all the time, except when the primary internet connection fails. The problem with this solution is that I can't use the power of both internet connections all the time, as described in solution 1 above.

Is it possible to achieve both solutions 1 and 2 and run them very stably? Does someone have practice with this kind of setup and has run it smoothly for years? Does HAProxy really suit my needs, or should I look for alternative software?


#2

If you run haproxy in a remote-datacenter, sure (you will have to think about how the webserver can use both internet connections, but it is possible).

If you think about running haproxy behind the same two internet connections, then no, because the problem (failover and loadbalancing between the 2 internet connectivities) comes prior to haproxy, so haproxy is not in control of this.


#3

Yes, I plan to run this in a remote datacenter. Could you drop some links to the exact part of the HAProxy documentation that covers what I'm talking about?

The webserver will have two NICs. One NIC will have the primary internet IP address, and the second ethernet adapter should route to the primary NIC if there is trouble with the primary IP address. But I also need to find out how to do it.


#4

I suggest you start with the “starter guide”:
https://cbonte.github.io/haproxy-dconv/1.8/intro.html

and read about specifics in the configuration guide:
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html

You can find an example configuration here:

Haproxy will failover from one to the other. On the server side you need to make sure that the traffic to NIC1 always leaves at NIC1 (to provider 1) and the traffic that is on NIC2 always goes to provider 2. Otherwise you have a “failover” both on haproxy and on your servers and this will cause issues when haproxy and your servers disagree.

You can use the ip command to configure source based IP routing, it should probably be something like:

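ip route add default via <NIC1-gateway> table 1   # table 1: default route out via provider 1
ip rule add from <NIC1-IP> table 1                # packets sourced from NIC1-IP use table 1
ip route add default via <NIC2-gateway> table 2   # table 2: default route out via provider 2
ip rule add from <NIC2-IP> table 2                # packets sourced from NIC2-IP use table 2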

#5

Thanks, very informative.
But let's say I do such a redirection from HAProxy to the webserver where the website is hosted. Will every function of the website work if we compare this method with primary hosting without redirection through a proxy? I mean, maybe some functions that various websites and their CMSs have might not work because of the proxy?


#6

There are 2 common problems with reverse-proxying that often arise:

  • lack of source IP transparency: the solution is to use the proxy protocol or a custom HTTP header like X-Forwarded-For to send this information to the backend server. Consider that your backend server needs to support this and be configured properly
  • when terminating HTTPS: lack of the information that the customer connected with HTTPS, causing infinite redirects, use X-Forwarded-Proto and configure your backend properly

When you understand those, and configure everything appropriately, your applications should work just fine.
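
As an added illustration of the two points above and of the per-second health checks asked about in the first post (this is not configuration from the thread or from the HAProxy project), a minimal HAProxy 1.8-style configuration for the datacenter instance could look like the following. The addresses 192.0.2.10 and 198.51.100.10 stand in for the two WAN IPs; the certificate path and the frontend, backend and server names are assumptions.

```haproxy
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/    # hypothetical certificate directory
    # Drop whatever the client sent, so the backend only ever sees
    # values that this proxy observed itself.
    http-request del-header X-Forwarded-For
    http-request del-header X-Forwarded-Proto
    # Appends X-Forwarded-For: <client IP> when the request is forwarded.
    option forwardfor
    # Tell the backend which scheme the client used; this is what stops
    # the HTTP -> HTTPS redirect loop when TLS is terminated here.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }
    default_backend be_web

backend be_web
    balance roundrobin
    # Solution 1: the same web server reached over both ISPs, both active,
    # each path health-checked every second.
    server via_isp_a 192.0.2.10:80    check inter 1s fall 3 rise 2
    server via_isp_b 198.51.100.10:80 check inter 1s fall 3 rise 2
    # Solution 2: add "backup" to via_isp_b so it only receives traffic
    # while via_isp_a is marked down.
    # This hop is plain HTTP across the internet; to encrypt it, point the
    # servers at :443 and add "ssl verify required ca-file <path>".
```

On the web server, accept the X-Forwarded-* headers only from the proxy's own address; a backend that honours them from any peer lets any client claim an arbitrary source IP or scheme.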


#7

Oh my… Let me clarify the situation. I need to host HAProxy in a datacenter and do redirection through 2 ISP providers into a single webserver AND from that server I also want to redirect through HAProxy into a local web server. And my task is to host about 3000 domains in that way.

  1. X-Forwarded-For or -Proto must be changed in the code of the website. And if we talk about modern CMSs and modules, it could be that a single website CMS will have a dozen places where this needs to be written into the PHP. Am I right?

  2. My chain looks like USER BROWSER—>DC HAProxy—>My HAProxy—>local IP web server. Does the HTTP method through a “double” proxy protocol or X-Forwarded work in this way?
    And if we talk only about HTTPS, will X-Forwarded also do the job well?

  3. HTTPS will be the biggest problem. Because, as I understand it, if I can't touch the code of the website and write X-Forwarded-Proto, I can't get it to work. And if one of my clients requests the SSL feature, I can't satisfy that need in my infrastructure.


#8

Redirection is the wrong word. You would like to reverse-proxy/load-balance from Haproxy to that webserver by using the 2 ISPs.

I don’t know what that’s supposed to mean.

No. You do need to configure the webserver appropriately, but you don’t have to change application code. If you don’t change the webserver configuration, then yes, you’d have to touch the application code.

Yes, if appropriately configured. Not sure if your 2 ISP links are between the 2 haproxy instances or between the latter haproxy and the web server.

You have to figure out what the end result should look like. Like, where do you want to terminate SSL actually? In the datacenter or on your end? SSL encryption between the 2 haproxy instances? For traffic that originally was HTTPS or HTTP also?

Those are the questions you need to figure out.

You don’t have to change the code.