Ubuntu에 haproxy 설치 및 설정
목차
HAProxy 설명
- L4 (TCP) 및 L7 (HTTP) 기반의 로드밸런싱 및 프록시를 제공하는 오픈소스 소프트웨어
- C 언어로 개발, 스위치에서 제공하는 L4, L7 기능을 지원
- reverse proxy의 형태로 동작, Keepalived를 사용하여 HA(high availability) 구성 진행
설치
apt로 설치
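# Install HAProxy from the Ubuntu package archive.
# "&&" stops the install when the index refresh fails, so the package is never
# installed against a stale package list (the original ran both unconditionally).
apt-get update && apt-get install -y haproxy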
컴파일하여 설치
HAProxy를 직접 컴파일하여 실행하여도 된다.
https://www.haproxy.org/#down
haproxy config 설정
SSL 설정을 진행하려면 인증서와 개인 키를 하나의 PEM 파일로 합쳐야 한다.
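# Combine the certificate (chain) and the private key into one PEM file for
# HAProxy's "crt" option. The result contains the private key, so it is
# created under umask 077 in a subshell: the file is owner-readable only from
# the moment it exists, and the caller's umask is left untouched.
( umask 077; cat -- "<인증서경로>" "<키경로>" > output.pem )
# Example (Let's Encrypt)
# cat fullchain1.pem privkey1.pem > output.pem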
/etc/haproxy/haproxy.cfg
파일을 수정하여 설정을 진행한다.
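# https://cbonte.github.io/haproxy-dconv/2.2/configuration.html
# Process-wide settings: logging, privilege drop, the runtime API socket and
# the TLS defaults inherited by every "bind ... ssl" line below.
global
    # maxconn 100000
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    daemon
    user haproxy
    group haproxy
    # "level admin" lets whoever can open this socket change servers and maps
    # at runtime; mode 660 keeps it to the haproxy user/group. "expose-fd
    # listeners" is what the seamless-reload (-x) path needs.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 60s
    # nbproc 2
    # nbthread 4
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # TLS 1.2 cipher list (forward-secret AEAD suites only) and TLS 1.3 ciphersuites.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256
    # Floor raised from TLSv1.0 to TLSv1.2: every suite listed above is a
    # TLS 1.2+ construction (AES-GCM / CHACHA20-POLY1305), so a TLS 1.0/1.1
    # client could never negotiate a cipher here anyway. Stating the floor
    # explicitly rejects such clients at the version check and keeps a later
    # edit of the cipher list from silently re-enabling the old protocols.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

# Shared by every frontend/backend unless overridden in the section.
defaults
    log global
    mode http
    option httplog
    # mode tcp
    # option tcplog
    option dontlognull
    errorfile 500 /var/log/haproxy/error/500.http
    timeout connect 60s
    # NOTE(review): 600s idle timeouts are generous; they are presumably for
    # long-lived requests — confirm they are intended, since they also bound
    # how long an idle client can hold a connection slot.
    timeout client 600s
    timeout server 600s

# Plain HTTP entry point.
frontend webserver_front_http
    mode http
    bind 192.168.0.12:8088
    bind 192.168.0.13:8088
    # https redirect
    # NOTE(review): the "https redirect" intent above has no rule yet, so
    # plain HTTP is forwarded to the backend as-is. A redirect would be e.g.
    # `http-request redirect scheme https code 301 unless { ssl_fc }`.
    default_backend webserver_backend_http

# TLS terminated here, then passed through in TCP mode; ALPN offers only h2.
# mode tcp - http2
frontend webserver_front_tcp_http2
    mode tcp
    option tcplog
    bind 192.168.0.12:4433 ssl crt /path/to/cert.pem alpn h2
    # NOTE(review): the certificate path differs from the other bind lines
    # (cert.com.pem vs cert.pem) — confirm this is intended.
    bind 192.168.0.13:4433 ssl crt /path/to/cert.com.pem alpn h2
    use_backend webserver_backend_http2 if { ssl_fc_alpn -i h2 }
    default_backend webserver_backend_http2

# TLS terminated here in HTTP mode; ALPN offers only h2.
# mode http - http2
frontend webserver_front_http_http2
    mode http
    bind 192.168.0.12:4434 ssl crt /path/to/cert.pem alpn h2
    bind 192.168.0.13:4434 ssl crt /path/to/cert.pem alpn h2
    use_backend webserver_backend_http2_http if { ssl_fc_alpn -i h2 }
    default_backend webserver_backend_http2_http
    # use_backend webserver_backend_h2c if { ssl_fc_alpn -i h2 }
    # default_backend webserver_backend_h2c

# TLS terminated here; ALPN offers h2 and http/1.1, backend chosen by what the
# client negotiated.
# mode http - http2/http1.1
frontend webserver_front_http_http2_https
    mode http
    bind 192.168.0.12:4435 ssl crt /path/to/cert.pem alpn h2,http/1.1
    bind 192.168.0.13:4435 ssl crt /path/to/cert.pem alpn h2,http/1.1
    # Only when the client negotiated h2 via ALPN
    use_backend webserver_backend_http2_http if { ssl_fc_alpn -i h2 }
    # Default is http/1.1
    default_backend webserver_backend_http_https

# TLS terminated here (ALPN h2), forwarded to a cleartext HTTP/2 (h2c) backend.
# mode http - h2c
frontend webserver_front_http_h2c
    mode http
    bind 192.168.0.12:4436 ssl crt /path/to/cert.pem alpn h2
    bind 192.168.0.13:4436 ssl crt /path/to/cert.pem alpn h2
    use_backend webserver_backend_h2c if { ssl_fc_alpn -i h2 }
    default_backend webserver_backend_h2c

# frontend webserver_h2c
#     mode http
#     option http-use-htx
#     bind 192.168.0.12:4434 proto h2
#     default_backend webserver_backend_http_h2c

# Plain HTTP to the origin.
backend webserver_backend_http
    mode http
    server server1 192.168.0.23:80

# TCP pass-through to the origin's TLS port, with health checks.
backend webserver_backend_tcp_https
    mode tcp
    # balance roundrobin
    server server1 192.168.0.23:443 check

# Re-encrypted hop to the origin over HTTP/1.1.
backend webserver_backend_http_https
    mode http
    # balance roundrobin
    # "verify none": the origin's certificate is not validated, so this hop is
    # encrypted but not authenticated. Acceptable on a trusted segment; for
    # anything else use `verify required` with a `ca-file`.
    server server1 192.168.0.23:443 ssl verify none

# Re-encrypted hop over h2, TCP mode.
backend webserver_backend_http2
    mode tcp
    # mode http
    balance roundrobin
    # "verify none": see webserver_backend_http_https.
    server server1 192.168.0.23:443 ssl verify none alpn h2

# Re-encrypted hop over h2, HTTP mode.
backend webserver_backend_http2_http
    mode http
    # mode http
    # balance roundrobin
    # "verify none": see webserver_backend_http_https.
    server server1 192.168.0.23:443 ssl verify none alpn h2

# Cleartext HTTP/2 to the origin on 8082.
backend webserver_backend_h2c
    mode http
    # option http-use-htx
    server server1 192.168.0.23:8082 alpn h2

backend webserver_backend_http_h2c
    mode http
    option http-use-htx
    server server1 192.168.0.23:8082 alpn h2c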
설정 파일의 문법이 잘못되었는지 확인하려면 다음 명령을 실행한다.
haproxy -f /etc/haproxy/haproxy.cfg -c
haproxy 실행
# Start HAProxy; run the config check above first so a bad config fails here
# rather than at startup.
service haproxy start
# Alternative on systemd hosts:
# systemctl start haproxy