Persistently between one of the three servers and the client

Yogui · March 20, 2019, 2:38pm

I have a problem … like everyone who writes here.

I would like to redirect all ports 80,8000,443,8001,12307,12308,808,2195,1433

persistently between one of the three servers and the client.
without port forwarding

my configuration

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

Default SSL material locations

ca-base /etc/ssl/certs
crt-base /etc/ssl/private

Default ciphers to use on SSL-enabled listening sockets.

For more information, see ciphers(1SSL). This list is from:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!D$
ssl-default-bind-options no-sslv3

defaults
log global

mode http

option httplog

option tcplog
timeout client 1h
listen toto-va
bind *:80
bind *:443
bind *:8000
bind *:8001
bind *:2195
bind *:12307
bind *:12308
bind *:1433
bind *:4242

mode tcp
balance source
option httpchk
server toto-VA-Web1 127.0.0.185 check
server toto-VA-Web2 127.0.0.186 check
server toto-VA-Web3 127.0.0.187 check

listen stats # Define a listen section called “stats”
bind :9000 # Listen on localhost:9000
mode http
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
#stats auth root:pwd # Authentication credentials

void_in · March 23, 2019, 11:15am

If I understand correctly, you want to implement sticky sessions which will always forward request to the same back end server. There are plenty of examples on this forum as well as on other sites.

Yogui · March 24, 2019, 8:31am

that’s it !
But on several listening port.
I did not find working example.

lukastribus · March 25, 2019, 10:37am

Nothing changes with multiple listening ports.

Yogui · March 28, 2019, 2:43pm

Pour la communauté française qui m’a aidé sur tweeter avec cette conf ça fonctionne …

après Nothing changes with listening ports

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend http
mode http
bind :80
default_backend web_servers

frontend rtmp
mode tcp
bind :808
default_backend rtmp

frontend tcp2195
mode tcp
bind :2195
default_backend tcp2195

frontend tcp12307
mode tcp
bind :12307
default_backend tcp12307

frontend tcp12308
mode tcp
bind :12308
default_backend tcp12308

frontend tcp443
mode tcp
bind :443
default_backend tcp443

frontend tcp8000
mode tcp
bind :8000
default_backend tcp8000

frontend tcp8001
mode tcp
bind :8001
default_backend tcp8001

backend web_servers
mode http
option forwardfor
balance source
stick store-request src
stick-table type ip size 200k expire 2m
server web1 172.16.1.205:80 check
server web2 172.16.1.206:80 check
server web3 172.16.1.207:80 check

backend rtmp
mode tcp
stick match src table web_servers
server web1 172.16.1.205:808
server web2 172.16.1.206:808
server web3 172.16.1.207:808

backend tcp2195
mode tcp
stick match src table web_servers
server web1 172.16.1.205:2195
server web2 172.16.1.206:2195
server web3 172.16.1.207:2195

backend tcp12307
mode tcp
stick match src table web_servers
server web1 172.16.1.205:12307
server web2 172.16.1.206:12307
server web3 172.16.1.207:12307

backend tcp12308
mode tcp
stick match src table web_servers
server web1 172.16.1.205:12308
server web2 172.16.1.206:12308
server web3 172.16.1.207:12308

backend tcp443
mode tcp
stick match src table web_servers
server web1 172.16.1.205:443
server web2 172.16.1.206:443
server web3 172.16.1.207:443

backend tcp8000
mode tcp
stick match src table web_servers
server web1 172.16.1.205:8000
server web2 172.16.1.206:8000
server web3 172.16.1.207:8000

backend tcp8001
mode tcp
stick match src table web_servers
server web1 172.16.1.205:8001
server web2 172.16.1.206:8001
server web3 172.16.1.207:8001

listen stats # Define a listen section called “stats”
bind :9000 # Listen on localhost:9000
mode http
stats enable # Enable stats page
stats hide-version # Hide HAProxy version
stats realm Haproxy\ Statistics # Title text for popup window
stats uri /haproxy_stats # Stats URI
#stats auth root:pwd # Authentication credential

Topic		Replies	Views
What's the canonical way to handle port 80 and port 443? Help!	10	6042	August 23, 2018
Binding on both 443 & 8443 used to work, until we implemented Let's Encrypt. Now 443 works but 8443 seems broken Help!	4	2455	March 14, 2019
One IP address, One SSL, for multiple Ports on same instance/server Help!	13	4403	December 5, 2019
TLS Passthrough with new port listening and RPC filtering Help!	7	872	December 12, 2018
HAProxy forwarding HTTPS OK, TCP not OK. Please help! Help!	12	11447	June 6, 2019