
Ubuntu에 haproxy 설치 및 설정



HAProxy 설명

  • L4 (TCP) 및 L7 (HTTP) 기반의 로드밸런싱 및 프록시를 제공하는 오픈소스 소프트웨어
  • C 언어로 개발, 스위치에서 제공하는 L4, L7 기능을 지원
  • reverse proxy의 형태로 동작, Keepalived를 사용하여 HA(high availability) 구성 진행

설치

apt로 설치

# Refresh the package index, then install the distribution's haproxy package
# without prompting (-y). Both commands need root privileges (run as root or
# prefix with sudo).
apt-get update
apt-get install -y haproxy

컴파일하여 설치

HAProxy를 직접 컴파일하여 실행하여도 된다.
https://www.haproxy.org/#down

haproxy config 설정

/etc/haproxy/haproxy.cfg 파일을 수정하여 설정을 진행한다.

# https://cbonte.github.io/haproxy-dconv/2.2/configuration.html
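global
    # maxconn 100000
    # Log to the local syslog socket: all messages on facility local0, and
    # notice-and-above on facility local1.
    log /dev/log    local0
    log /dev/log    local1 notice
    # Confine the running process to this directory and detach into the background.
    chroot /var/lib/haproxy
    daemon

    # Run as an unprivileged account instead of root.
    user  haproxy
    group haproxy
    # Runtime API socket. "level admin" permits every runtime command, so access
    # control rests entirely on the file mode (660: owner and group only) and on
    # who belongs to that group. "expose-fd listeners" lets a reloading process
    # take over the listening sockets.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 60s
    # nbproc 2
    # nbthread 4

    # Base directories for relative "ca-file" and "crt" paths.
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # TLS 1.2 and below: ECDHE/DHE key exchange with AEAD ciphers only.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 suites. TLS_AES_128_CCM_8_SHA256 is left out: it truncates the
    # authentication tag to 8 bytes and is not a recommended suite.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256
    # Minimum protocol raised from TLSv1.0 to TLSv1.2. Every cipher listed above
    # already requires TLS 1.2, so TLS 1.0/1.1 clients could never complete a
    # handshake; the explicit floor makes that intent visible and keeps it in
    # force if the cipher list is edited later. no-tls-tickets disables stateless
    # session tickets.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets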

# Settings inherited by every frontend/backend below unless a section overrides them.
defaults
    # Reuse the log targets declared in the global section.
    log global
    # HTTP mode and HTTP log format by default; the TCP sections below set
    # "mode tcp" themselves.
    mode    http
    option  httplog
    # mode tcp
    # option  tcplog
    # Do not log connections on which no data was exchanged.
    option  dontlognull
    # Custom response sent for HTTP 500 errors.
    # NOTE(review): the file must exist and be readable when the configuration is
    # loaded; a path under /var/log is unusual for static content, confirm it.
    errorfile 500 /var/log/haproxy/error/500.http

    # NOTE(review): 600s client/server inactivity timeouts let an idle or very
    # slow peer hold a connection slot for ten minutes, and no
    # "timeout http-request" is set to bound how long a client may take to send
    # its request headers. Confirm these values are intended for the workload.
    timeout connect 60s
    timeout client  600s
    timeout server  600s


# frontend - http
# Cleartext HTTP listener on 192.168.0.2:80; all requests go to
# webserver_backend_http.
frontend webserver_front_http
    mode http
    bind 192.168.0.2:80
    # https redirect
    # Both redirect rules are commented out, so as written this frontend serves
    # content over unencrypted HTTP instead of sending clients to HTTPS.
    # http-request redirect scheme https unless { ssl_fc }
    # http-request redirect scheme https if http
    default_backend webserver_backend_http

# frontend - https / http2
# TLS listener on 192.168.0.2:443. The "ssl" keyword on the bind line means TLS
# is terminated here; because the section runs in "mode tcp", the decrypted
# bytes are relayed as an opaque TCP stream with no HTTP-level processing.
frontend webserver_front_https
    mode tcp
    option  tcplog
    # bind 192.168.0.2:4433 ssl crt /path/to/certificate.pem alpn h2
    # /path/to/certificate.pem is a placeholder. If the PEM bundle holds the
    # private key, keep it readable only by the account that starts HAProxy.
    # "alpn h2,http/1.1" advertises both protocols to clients.
    bind 192.168.0.2:443 ssl crt /path/to/certificate.pem alpn h2,http/1.1
    # ALPN-based routing to the HTTP/2 backend is disabled (commented out).
    # use_backend webserver_backend_http2 if { ssl_fc_alpn -i h2 }
    # NOTE(review): the "server" line of webserver_backend_https has no "ssl"
    # keyword, so the stream decrypted here is forwarded to 192.168.0.3:443
    # without TLS. Confirm that is intended.
    default_backend webserver_backend_https


# backend - http
# Single cleartext HTTP server. No "check" keyword is present, so no health
# check is configured for it.
backend webserver_backend_http
    mode http
    server server1 192.168.0.3:80

# backend - https (1.1)
# TCP backend used by webserver_front_https.
backend webserver_backend_https
    mode tcp
    # balance roundrobin
    # "check" enables a health check on the server.
    # NOTE(review): there is no "ssl" keyword here, so HAProxy connects to port
    # 443 without TLS even though the frontend already decrypted the client
    # traffic. Either the server must accept cleartext on 443, or this line needs
    # "ssl verify required ca-file <CA_BUNDLE_PATH>" to re-encrypt and
    # authenticate the server. For plain TLS passthrough, the frontend bind line
    # would drop "ssl crt ..." instead.
    server server1 192.168.0.3:443 check

# backend - https (2)
# Not reachable as written: the only "use_backend" rule that selects this
# section is commented out in webserver_front_https.
backend webserver_backend_http2
    mode tcp
    # balance roundrobin
    # NOTE(review): "alpn" on a server line applies to TLS connections to the
    # server, but this line has no "ssl" keyword, so "alpn h2" presumably has no
    # effect. Add "ssl verify required ca-file <CA_BUNDLE_PATH>" if TLS to the
    # server is intended.
    server server1 192.168.0.3:443 alpn h2
    # server server2 192.168.0.4:443 alpn h2

설정 파일의 문법이 잘못되었는지 확인하려면 다음 명령을 실행한다.

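# -c puts HAProxy in check mode: it parses the configuration, reports any
# errors and exits. Without -c this command starts the proxy instead of only
# validating the file.
haproxy -c -f /etc/haproxy/haproxy.cfg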

haproxy 실행

# Start the HAProxy service (needs root privileges). The commented systemctl
# line below is the alternative form for systemd hosts.
service haproxy start
# systemctl start haproxy
This post is licensed under CC BY 4.0 by the author.