In this guide, we will show you how to use HAProxy on your Ubuntu 16.04 server running on Alibaba Cloud to prevent unplanned outages.

By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

HAProxy (High Availability Proxy) is an intelligent software solution that offers load balancing and a high level of uptime for TCP and HTTP based applications.

It is used by some of the world's most highly trafficked websites, including Twitter, Tumblr, Amazon Web Services and GoDaddy, to spread incoming requests across multiple endpoints.

HAProxy works by distributing concurrent connections to multiple backend servers based on a load balancing algorithm. Written in the C programming language, the software has been in use since 2000 and has a good reputation with regard to memory and CPU usage.

In this guide, we will show you how to use HAProxy on your Ubuntu 16.04 Alibaba Cloud Elastic Compute Service (ECS) instance to prevent unplanned outages caused by software problems, human error, network errors and environmental issues.

Prerequisites

A valid Alibaba Cloud account (sign up now for a free trial)
3 ECS instances running the Ubuntu 16.04 operating system
A non-root user with sudo privileges on all 3 instances

We will be using one ECS instance as the frontend and two more as endpoints where the load is going to be distributed. We will use Alibaba Cloud ECS instance private IP addresses for the two endpoints.

We will also require the public IP address for the frontend server for accessing your web application or website. We will still need to connect to all 3 instances via public IP addresses through SSH to install all required applications.

For the sake of simplicity, we will assume the following IP addresses and hostnames for the instances:



haproxy-server : public IP address 198.18.0.1
backend-server1 : private IP address 172.16.0.1, public IP address 198.18.0.1
backend-server2 : private IP address 172.16.0.2, public IP address 198.18.0.2

Also, you need to create a security group that allows the following ports for the servers:



haproxy-server : port 80 for HTTP and port 32600 for statistics
backend-server1 : port 8080 for HTTP
backend-server2 : port 8080 for HTTP

Step 1: Configuring haproxy-server (Frontend)

SSH to the first ECS instance using its Public IP address. This is where we are going to install HaProxy Server.

Before we do this, we need to update the package information index using the command below:

$ sudo apt-get update

HaProxy is available on the Ubuntu software repository, so we can install it using the package manager by running the command below:

$ sudo apt-get install haproxy

Press Y and hit Enter when you are prompted to confirm the installation.

Step 2: Configuring HaProxy

When HAProxy is installed, a standard configuration file is created at /etc/haproxy/haproxy.cfg. We need to edit this file to make some changes, using the nano editor:

$ sudo nano /etc/haproxy/haproxy.cfg

The file should look like this before any edits are done:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM$
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

The global section lists different parameters, such as the user and the group under which HAProxy runs. The defaults section handles logging and error-related settings. These two sections should work by default.

However, the file does not contain any load balancing information and we need to create the frontend and backend settings for our servers.

So towards the end of the file, add the content below:

frontend ourwebsitefrontend
    bind *:80
    mode http
    default_backend ourwebsiteendpoint

The bind parameter tells HAProxy to listen on port 80 for connections. On the last line, the default_backend directive names ourwebsiteendpoint as the backend where our endpoints are located. We can now go ahead and add the backend configuration details as follows:

backend ourwebsiteendpoint
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server backend-server1 172.16.0.1:8080 check
    server backend-server2 172.16.0.2:8080 check

Roundrobin specifies the load balancing algorithm that we want the server to use. The forwardfor option instructs the load balancer to forward the client IP address to the endpoints. The http-request lines forward the port and protocol used by the client.

Option httpchk checks the health of the endpoint before forwarding requests. The last two lines specify the hostname and private IP address of the backend servers. You should obtain the private IP addresses of the backend servers from the Alibaba ECS console.

We will also add stats settings using the below entries:

listen stats
    bind :32600
    stats enable
    stats uri /
    stats hide-version
    stats auth username:password

The bind parameter specifies the port that you want to use when retrieving the stats on your HAProxy server. You should allow access to this port under the security group of your ECS instance. The stats auth line at the end of the file sets the username and password for logging in to the statistics web page. Enter a strong value for the password.

At the end, your /etc/haproxy/haproxy.cfg should be as follows:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM$
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend ourwebsitefrontend
    bind *:80
    mode http
    default_backend ourwebsiteendpoint

backend ourwebsiteendpoint
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server backend-server1 172.16.0.1:8080 check
    server backend-server2 172.16.0.2:8080 check

listen stats
    bind :32600
    stats enable
    stats uri /
    stats hide-version
    stats auth username:password

Remember to replace the backend server private IP address with the actual private IP addresses for your Alibaba ECS instances.
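A quick check of the finished file, added here as an example and not part of the original guide: the shell function below flags the placeholder stats credentials, a stats listener bound to every interface, and a cipher list that ends in "$" or still offers 3DES. The function name lint_haproxy_cfg and the shortened sample file are constructed for illustration, and the check assumes the stats section is named "listen stats" as in this guide.

```shell
#!/bin/sh
# Added example (not from the guide): flag weak spots in an haproxy.cfg.
# Prints one finding per line; returns 1 if anything was found, 0 otherwise.
lint_haproxy_cfg() {
    awk '
        # Remember the current section so "bind" is judged only inside "listen stats".
        $1 ~ /^(global|defaults|frontend|backend|listen)$/ { section = $1 " " $2 }

        # Placeholder credentials pasted unchanged from the tutorial.
        $1 == "stats" && $2 == "auth" && $3 == "username:password" {
            print "line " NR ": stats auth uses the placeholder username:password"; n++
        }
        # Stats listener reachable on every interface (":PORT", "*:PORT", "0.0.0.0:PORT").
        section == "listen stats" && $1 == "bind" && $2 ~ /^(\*|0\.0\.0\.0)?:[0-9]+$/ {
            print "line " NR ": stats page binds to all interfaces (" $2 ")"; n++
        }
        $1 == "ssl-default-bind-ciphers" {
            if ($2 ~ /\$$/) { print "line " NR ": cipher list ends in $ (looks truncated)"; n++ }
            if ($2 ~ /3DES/) { print "line " NR ": cipher list still offers 3DES"; n++ }
        }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample: a shortened copy of the guide's final configuration.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
global
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+3DES:DH+3DES:RSA+AESGCM$
frontend ourwebsitefrontend
    bind *:80
    default_backend ourwebsiteendpoint
listen stats
    bind :32600
    stats enable
    stats uri /
    stats auth username:password
EOF

lint_haproxy_cfg "$SAMPLE_CFG" || echo "Fix the findings above before restarting haproxy."
```

On the server, point the function at /etc/haproxy/haproxy.cfg. Running haproxy -c -f /etc/haproxy/haproxy.cfg checks the syntax of the file, which is a separate question from the settings flagged here.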

Then, restart the HAProxy server to load the changes:

$ sudo service haproxy restart

Step 3: Configuring the First Backend Server (backend-server1)

Next, log in to the first backend server and change the hostname to backend-server1 using the command below:

$ sudo nano /etc/hostname

Change the one line to:

backend-server1

Then, edit the hosts file:

$ sudo nano /etc/hosts

Add a second line with the IP address 127.0.1.1 and the name of the new host:

127.0.0.1 localhost
127.0.1.1 backend-server1
...

Press CTRL + X , Y and Enter to save the file.

Reboot backend-server1:

$ sudo reboot

Wait for a few moments, SSH back to backend-server1 and update the package information list:

$ sudo apt-get update

Then, install Apache web server using the command below:

$ sudo apt-get install apache2

Change Apache listening port to port 8080:

$ sudo nano /etc/apache2/ports.conf

Look for the line:

Listen 80

And change it to:

Listen 8080

Press CTRL + X , Y and Enter to save the file.

Then open the default Apache virtual host file and change the port to 8080:

$ sudo nano /etc/apache2/sites-available/000-default.conf

At the beginning of the file, look for the line:

<VirtualHost *:80>

And change it to:

<VirtualHost *:8080>

Restart Apache:

$ sudo systemctl restart apache2

Next, we need to create a sample web page in the root of the website.

We first delete the default index.html that ships with Apache:

$ sudo rm /var/www/html/index.html

We can now create a test web page for our server:

$ sudo nano /var/www/html/index.html

Copy and paste the content below and save the file:

<html>
<head>
<title>Back End Server 1</title>
</head>
<body>
<h1>Success! The Backend Server 1 is working!</h1>
</body>
</html>

Step 4: Configuring the Second Backend Server (backend-server2)

We need to configure our second backend server just as we did the first. We start by changing the hostname:

$ sudo nano /etc/hostname

Change the one line to:

backend-server2

Then, edit the hosts file:

$ sudo nano /etc/hosts

Add a second line with the IP address 127.0.1.1 and the name of the new host:

127.0.0.1 localhost
127.0.1.1 backend-server2
...

Press CTRL + X, Y and Enter to save the file.

Reboot backend-server2:

$ sudo reboot

Wait for a few moments, SSH back to backend-server2 and update the package information list:

$ sudo apt-get update

Then, install Apache web server using the command below:

$ sudo apt-get install apache2

Change Apache listening port to port 8080:

$ sudo nano /etc/apache2/ports.conf

Look for the line:

Listen 80

And change it to:

Listen 8080

Press CTRL + X, Y and Enter to save the file.

Then, open the default Apache virtual host file and change the port to 8080:

$ sudo nano /etc/apache2/sites-available/000-default.conf

At the beginning of the file, look for the line:

<VirtualHost *:80>

And change it to:

<VirtualHost *:8080>

Restart Apache:

$ sudo systemctl restart apache2

Next, we need to create a sample web page in the root of the website.

First, delete the default index.html that ships with Apache:

$ sudo rm /var/www/html/index.html

We can now create a test web page for our server:

$ sudo nano /var/www/html/index.html

Copy and paste the content below and save the file:

<html>
<head>
<title>Back End Server 2</title>
</head>
<body>
<h1>Success! The Backend Server 2 is working!</h1>
</body>
</html>

Step 5: Testing the Configuration

We now have the correct environment for high availability and load balancing on our Alibaba Cloud servers. We can now visit our HAProxy server to see whether the load is distributed to our backend servers in a balanced manner.

On a web browser, type the public IP address of the server where you installed HaProxy:

http://198.18.0.1

You should see the below web page:

Try refreshing the page to see whether the load balancer sends the request to the second server.

If you see "Backend Server 2 is working" in the browser, it means the roundrobin algorithm was able to forward the request to the second server.

Congratulations, you now have a high availability configuration for your website or web application.

Step 6: Reviewing HaProxy Stats

You can visit the HAProxy stats page by typing the public IP address of the HAProxy server followed by ":32600". That is the port that we specified in the HAProxy configuration file and, as indicated above, it must be opened in the security group associated with your ECS instance.

http://198.18.0.1:32600

Log in using the username and password that you specified and you should see the below stats web page:
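The same statistics are available as CSV by appending ";csv" to the stats URI, which makes it possible to check backend health from a script. The function below is an added example, not part of the original guide; it lists servers whose status is not UP, and the function names and the CSV rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): report servers the stats CSV shows as not UP.
# Reads the CSV on stdin and prints "backend/server status" for each unhealthy server.
# Returns 0 if all servers are healthy, 1 if any is not, 2 if the input is not stats CSV.
unhealthy_servers() {
    awk -F, '
        # The header line starts with "# pxname"; locate the status column by name.
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "status") col = i; next }
        # Skip the per-proxy summary rows; only real servers are of interest.
        $2 == "FRONTEND" || $2 == "BACKEND" { next }
        # Servers declared without "check" report "no check" and are not counted.
        col && $col !~ /^UP/ && $col != "no check" { print $1 "/" $2, $col; bad++ }
        END { if (!col) exit 2; exit (bad > 0) }
    '
}

# Constructed sample rows using this guide's proxy and server names,
# cut down to the first 19 columns of the export.
sample_csv() {
    cat <<'EOF'
# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight
ourwebsitefrontend,FRONTEND,,,1,2,2000,10,1000,2000,0,0,0,,,,,OPEN,
ourwebsiteendpoint,backend-server1,0,0,0,1,,5,500,1000,,0,,0,0,0,0,UP,1
ourwebsiteendpoint,backend-server2,0,0,0,1,,5,500,1000,,0,,0,0,0,0,DOWN,1
ourwebsiteendpoint,BACKEND,0,0,0,1,200,10,1000,2000,0,0,,0,0,0,0,UP,1
EOF
}

# Against the live page (credentials are the ones set with "stats auth"):
#   curl -s -u USER:PASS 'http://198.18.0.1:32600/;csv' | unhealthy_servers
sample_csv | unhealthy_servers || echo "At least one backend server needs attention."
```

A return code of 2 usually means the request did not reach the CSV export, for example because the login failed and an error page came back instead.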

Conclusion

In this guide, we have taken you through the steps of configuring an HAProxy server on your Alibaba Cloud ECS running Ubuntu 16.04. We have set up two web servers and demonstrated that load balancing is working as expected. You can now upload your website or application files and even connect the backend servers to your database to create a fully working load balanced HTTP service for your web application.

To learn more about load balancing on Alibaba Cloud, visit www.alibabacloud.com/product/server-load-balancer