
Load balanced high availability web server cluster

Features
This setup provides the following:
  1. Load balancing using HAProxy
  2. High availability (failover of the float IP between two load balancers) using Heartbeat
  3. SSL/TLS termination for the website using stunnel
IP addresses used
Float IP on eth1 : 192.168.25.1 (the virtual IP that Heartbeat moves between lb1 and lb2; stunnel and the HTTPS listener bind to it)

lb1.example.com Public IP on eth0 : 192.168.10.1
lb2.example.com Public IP on eth0 : 192.168.10.2

lb1.example.com Private IP on eth2 : 10.10.10.1
lb2.example.com Private IP on eth2 : 10.10.10.2 

webserver1.example.com Public IP : 192.168.1.51
webserver2.example.com Public IP : 192.168.1.52

Diagram: (image not reproduced in this copy of the page)


HAProxy setup
HAProxy provides load balancing and proxying for TCP and HTTP-based applications and is well suited to web sites running under high load.

HAProxy setup involves the following. Note that the configuration given later on this page uses acl/block, timeout and option http-server-close directives, which require HAProxy 1.4 or later; the 1.2.17 tarball shown here will reject that configuration at the "haproxy -c" check, so substitute a 1.4.x release from the same download site (same URL layout with the version changed). Pass the TARGET matching your kernel to make (linux26 for a 2.6 kernel).

mkdir -pv /usr/local/src/haproxy;
cd /usr/local/src/haproxy;
wget http://haproxy.1wt.eu/download/1.2/src/haproxy-1.2.17.tar.gz;
tar -xzvf haproxy-1.2.17.tar.gz ;
cd haproxy-1.2.17;
make TARGET=linux26;
cp -pv haproxy /usr/sbin/haproxy;
chmod 755 /usr/sbin/haproxy;


Create /etc/init.d/haproxy with the following contents.


vi /etc/init.d/haproxy;


====================================================================
#!/bin/sh
#
# chkconfig: - 85 15
# description: HA-Proxy is a TCP/HTTP reverse proxy for high availability environments.
# processname: haproxy
# config: /etc/haproxy.cfg
# pidfile: /var/run/haproxy.pid

# Source function library.
if [ -f /etc/init.d/functions ]; then
    . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
    . /etc/rc.d/init.d/functions
else
    exit 0
fi

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /etc/haproxy.cfg ] || exit 1

RETVAL=0

start() {
    # Refuse to start on a broken configuration instead of leaving the site down.
    /usr/sbin/haproxy -c -q -f /etc/haproxy.cfg
    if [ $? -ne 0 ]; then
        echo "Errors found in HA proxy configuration"
        return 1
    fi

    echo -n "Starting HAproxy Service"
    daemon /usr/sbin/haproxy -D -f /etc/haproxy.cfg -p /var/run/haproxy.pid
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/haproxy
    return $RETVAL
}

stop() {
    echo -n "Shutting down HAproxy Service"
    # SIGUSR1 is a soft stop: haproxy stops accepting and exits once
    # in-flight connections have finished.
    killproc haproxy -USR1
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/haproxy
    [ $RETVAL -eq 0 ] && rm -f /var/run/haproxy.pid
    return $RETVAL
}

restart() {
    # Validate first so a bad config never takes the running instance down.
    /usr/sbin/haproxy -c -q -f /etc/haproxy.cfg
    if [ $? -ne 0 ]; then
        echo "Errors found in HA proxy configuration"
        return 1
    fi
    stop
    start
}

checkconf() {
    /usr/sbin/haproxy -c -q -V -f /etc/haproxy.cfg
}

showstatus() {
    status haproxy
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    showstatus)
        showstatus
        ;;
    checkconf)
        checkconf
        ;;
    *)
        echo "Usage: haproxy {start|stop|restart|showstatus|checkconf}"
        RETVAL=1
esac

exit $RETVAL

====================================================================

chmod 755 /etc/init.d/haproxy;

Now, create /etc/haproxy.cfg with the following contents.

vi /etc/haproxy.cfg;

=====================================================================
################################################################

global
    daemon
    maxconn 20000
    log 127.0.0.1 local0

defaults
    log global

    option dontlognull
    option httplog clf
    option redispatch
    option abortonclose
    option http-server-close
    option http-pretend-keepalive

    retries 3

    # Timeouts are in milliseconds.
    timeout client 7000
    timeout server 60000
    timeout connect 5000

################################################################

# Plain HTTP, bound on port 80 of every local address (no IP given).
listen example.com_http :80
    mode http
    balance roundrobin

    # Drop all requests from this source address.
    acl blocked src 192.168.75.1
    block if blocked

    # Session persistence: haproxy inserts its own cookie naming the chosen server.
    cookie exampleserver insert nocache indirect

    option httpchk GET /check_http.txt HTTP/1.0
    option forwardfor except 192.168.25.1

    reqadd X-Forwarded-Proto: http

    server webserver1.example.com 192.168.1.51:80 cookie webserver1 weight 7 check inter 5000 #maxconn 2000
    server webserver2.example.com 192.168.1.52:80 cookie webserver2 weight 10 check inter 5000 #maxconn 2000

################################################################

# Plaintext side of stunnel's TLS termination: stunnel connects here on the
# float IP, port 81. Backends serve this traffic on port 81 but are
# health-checked on port 80.
listen example.com_https 192.168.25.1:81
    mode http
    balance roundrobin

    acl blocked src 192.168.75.1
    block if blocked

    cookie exampleserver insert nocache indirect

    option httpchk GET /check_https.txt HTTP/1.0
    option forwardfor except 192.168.25.1

    # Tell the backends the original request was HTTPS.
    reqadd X-Forwarded-Proto: https
    reqadd SSL-TERMINATION: ON

    server webserver1.example.com 192.168.1.51:81 cookie webserver1 weight 7 maxconn 2000 check port 80 inter 5000
    server webserver2.example.com 192.168.1.52:81 cookie webserver2 weight 10 maxconn 2000 check port 80 inter 5000

################################################################

# Statistics page, HTTP basic auth.
listen lb_stats 192.168.25.1:8443
    mode http

    stats uri /lbstatus
    stats auth admin:PA55w0rD

    stats refresh 5s

################################################################
=====================================================================

A few points to review before putting this configuration into service:

  1. The global section has no user, group or chroot directive, so haproxy keeps running as root after binding its ports. Add an unprivileged account (user haproxy / group haproxy) and a chroot directory; both directives are available in HAProxy 1.4.
  2. reqadd only appends a header. A client can send its own "X-Forwarded-Proto: https" on port 80 and the backend receives both copies. Delete client-supplied copies first with "reqidel ^X-Forwarded-Proto:" (and likewise for SSL-TERMINATION) in each listen block.
  3. Port 81 on 192.168.25.1 is plain HTTP reached by stunnel after TLS termination. Anything else that can reach that port bypasses TLS entirely and is still labelled X-Forwarded-Proto: https, so firewall it to the load balancer itself (or bind it, and stunnel's connect=, on 127.0.0.1). The hop from the load balancer to the web servers on port 81 is likewise unencrypted.
  4. "stats auth admin:PA55w0rD" is a placeholder; change it. The stats page is served over plain HTTP on the float IP (HAProxy 1.4 has no built-in TLS), so the credentials cross the network in the clear. Bind it to the private address or loopback and restrict access with the firewall.
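The following is an added example, not part of the original page: a small pre-deployment lint that checks an haproxy.cfg for the four points listed above and can be run before "service haproxy start". The sample configuration embedded in page_haproxy_cfg is a constructed, condensed copy of the page's own configuration; the checks are plain pattern matches on the page's directives, not an HAProxy parser.

```shell
#!/bin/sh
# Added example (not from the original page): pre-deployment lint for the
# /etc/haproxy.cfg shown above. Prints one WARN line per finding to stderr
# and the number of findings to stdout, so it can gate the service start.
# The checks are pattern matches on the page's own directives.

haproxy_cfg_lint() {
    cfg="$1"
    count=0

    # Directives of the global section only (up to the next section keyword).
    global=$(awk '
        /^[ \t]*global([ \t]|$)/ { g = 1; next }
        /^[ \t]*(defaults|listen|frontend|backend)([ \t]|$)/ { g = 0 }
        g { print }' "$cfg")

    # Without user/group haproxy keeps running as root after binding :80.
    if ! printf '%s\n' "$global" | grep -Eq '^[[:space:]]*user[[:space:]]'; then
        echo "WARN: global has no 'user' directive: haproxy runs as root" >&2
        count=$((count + 1))
    fi
    if ! printf '%s\n' "$global" | grep -Eq '^[[:space:]]*chroot[[:space:]]'; then
        echo "WARN: global has no 'chroot' directive" >&2
        count=$((count + 1))
    fi

    # The page's placeholder stats credential was never changed.
    if grep -Eq '^[[:space:]]*stats[[:space:]]+auth[[:space:]]+admin:PA55w0rD' "$cfg"; then
        echo "WARN: stats auth still uses the example password from the page" >&2
        count=$((count + 1))
    fi

    # reqadd only appends: a client-supplied X-Forwarded-Proto header reaches
    # the backend next to the added one unless a reqidel removes it first.
    if grep -Eq '^[[:space:]]*reqadd[[:space:]]+X-Forwarded-Proto' "$cfg" &&
       ! grep -Eq '^[[:space:]]*reqidel[[:space:]]+\^?X-Forwarded-Proto' "$cfg"; then
        echo "WARN: reqadd X-Forwarded-Proto without a reqidel: clients can inject it" >&2
        count=$((count + 1))
    fi

    # The stats page carries basic-auth credentials in clear text (HAProxy 1.4
    # has no TLS), so it should not listen on the floating/public address.
    stats_bind=$(awk '
        /^[ \t]*listen[ \t]/ { addr = $3 }
        /^[ \t]*stats[ \t]+auth/ { print addr; exit }' "$cfg")
    case "$stats_bind" in
        ""|127.0.0.1:*) ;;
        *) echo "WARN: stats page bound on $stats_bind, not loopback" >&2
           count=$((count + 1)) ;;
    esac

    echo "$count"
}

# Constructed sample: the relevant lines of the page's configuration.
page_haproxy_cfg() {
    cat <<'EOF'
global
    daemon
    maxconn 20000
defaults
    mode http
listen example.com_https 192.168.25.1:81
    mode http
    reqadd X-Forwarded-Proto: https
    server webserver1.example.com 192.168.1.51:81 check port 80
listen lb_stats 192.168.25.1:8443
    mode http
    stats uri /lbstatus
    stats auth admin:PA55w0rD
EOF
}
```

Run it as "haproxy_cfg_lint /etc/haproxy.cfg" after "haproxy -c" has passed; the page's configuration as written produces five findings, and a configuration with user/group/chroot, a reqidel before each reqadd, a changed stats password and the stats listener on 127.0.0.1 produces none.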

Heartbeat Setup
Heartbeat provides the high availability: it monitors the two load balancers and moves the float IP to whichever one is alive. Heartbeat setup involves the following.

1. Install heartbeat using yum

=======================
yum install heartbeat
======================

2. Create the file "/etc/ha.d/authkeys" on lb1.example.com and lb2.example.com with the following contents.

=========================
auth 2
2 sha1 R@nD0mK3Y
=========================

Here "auth 2" selects key number 2, and that key is used with SHA1 HMAC to authenticate every heartbeat packet, so that another host on the network cannot pose as a cluster member. "R@nD0mK3Y" is only a placeholder: replace it with a long random string (generated, not a dictionary word) that is unique to this cluster and identical on both nodes.

3. Set permission 600 on the file "/etc/ha.d/authkeys"; heartbeat refuses to start if the key file is readable by others.

==============================
chmod -v 600 /etc/ha.d/authkeys
==============================
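The following is an added example, not part of the original page: it writes the authkeys file from steps 2 and 3 with a randomly generated key instead of a hand-typed word, creates it with mode 600 from the outset, and checks the result the way heartbeat will. The output path is a parameter so it can be tried on a scratch file; /dev/urandom is assumed to be available (Linux).

```shell
#!/bin/sh
# Added example (not from the original page): generate /etc/ha.d/authkeys
# with a random 256-bit key and the 600 permission heartbeat requires.
# Run it once, then copy the file unchanged to the second node: both nodes
# must hold the identical key.

make_heartbeat_authkeys() {
    out="$1"
    # 32 random bytes as 64 hex characters: no shell-special characters, so
    # the file needs no quoting. /dev/urandom is assumed to exist (Linux).
    key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    [ ${#key} -eq 64 ] || { echo "key generation failed" >&2; return 1; }
    # Create the file as 600 from the start so the key is never world-readable.
    old_umask=$(umask)
    umask 077
    printf 'auth 2\n2 sha1 %s\n' "$key" > "$out"
    umask "$old_umask"
    chmod 600 "$out"
}

# Check an authkeys file the way heartbeat will: mode 600, a sha1 entry for
# key 2, and a key that is not the page's placeholder.
check_heartbeat_authkeys() {
    f="$1"
    if [ "$(ls -l "$f" | cut -c1-10)" != "-rw-------" ]; then
        echo "$f: mode must be 600" >&2
        return 1
    fi
    if ! grep -q '^2 sha1 ' "$f"; then
        echo "$f: no 'sha1' line for key 2" >&2
        return 1
    fi
    if grep -q 'R@nD0mK3Y' "$f"; then
        echo "$f: placeholder key still present" >&2
        return 1
    fi
    return 0
}
```

Usage on lb1: "make_heartbeat_authkeys /etc/ha.d/authkeys", then copy the file to lb2 preserving its mode ("scp -p"), and run "check_heartbeat_authkeys /etc/ha.d/authkeys" on both before starting heartbeat.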

4. Create "/etc/ha.d/ha.cf" with the following contents (identical on both nodes).

================================================
logfile /var/log/ha.log
logfacility local0
keepalive 2
deadtime 30
initdead 120
bcast eth1
udpport 694
auto_failback on
node lb1.example.com lb2.example.com
===============================================

keepalive, deadtime and initdead are in seconds: a heartbeat is sent every 2 s, a node is declared dead after 30 s of silence, and 120 s are allowed after boot before that judgement is made. The names on the node line must match "uname -n" on each host. Heartbeats are broadcast on eth1 here, the interface that also carries the float IP; to keep them on the dedicated eth2 link between the two LBs (the addresses step 6 puts in /etc/hosts), use "bcast eth2" instead, or unicast with "ucast eth2 10.10.10.2" on lb1 and "ucast eth2 10.10.10.1" on lb2.

5. Edit "/etc/ha.d/haresources" on both LBs (the file must be identical on both) and add the following line:

================================================
lb1.example.com IPaddr::192.168.25.1/24/eth1
===============================================

lb1.example.com is the preferred owner of the resource: the float IP 192.168.25.1/24 on eth1 moves to lb2 when lb1 fails and, because of auto_failback on, returns to lb1 when it is back.

6. Edit the "/etc/hosts" file on both LBs and add the following.

========================
10.10.10.1 lb1.example.com
10.10.10.2 lb2.example.com
========================

7. Configure heartbeat to start on boot.

==================
chkconfig heartbeat on
==================

8. Start heartbeat on both load balancers

============================
service heartbeat start
============================

It can take around 45 seconds for the cluster to come online and for the float IP to appear on the active node.

Stunnel setup

1. Install "openssl-devel"

===========================
yum install openssl-devel
===========================

2. Download stunnel

==========================
cd /usr/local/src
wget ftp://ftp.stunnel.org/stunnel/stunnel-4.35.tar.gz
==========================

3. Extract stunnel

============================
tar -xzvf stunnel-4.35.tar.gz
============================

4. Install stunnel

=========================
cd stunnel-4.35
./configure --sysconfdir=/etc
make
make install
==========================

--sysconfdir=/etc makes stunnel look for its configuration in /etc/stunnel, the directory used below; without it the default is /usr/local/etc/stunnel. Please note that "make install" will ask to create an SSL certificate & private key. Accept the default details here; this certificate is only a placeholder and is replaced in step 6.

5. Configure stunnel

Create "/etc/stunnel/stunnel.conf" with the following contents.

=================================================
sslVersion = all
options = NO_SSLv2
fips = no
setuid = root
setgid = stunnel
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log

; TLS on 443; decrypted requests go to haproxy's port 81 listener on the float IP
[example.com]
cert = /etc/stunnel/certs/example.com.crt
key = /etc/stunnel/certs/example.com.key
accept = 443
connect = 192.168.25.1:81
TIMEOUTclose = 0
=================================================

Two settings deserve a second look before use. "sslVersion = all" with only NO_SSLv2 disabled still offers SSLv3; add a line "options = NO_SSLv3" so that only TLS is negotiated. "setuid = root" keeps stunnel running as root after it has bound port 443, which it does not need; change it to an unprivileged account (the setgid line already assumes a stunnel group) and make sure that account can read the key file and write the log. Also note that the decrypted traffic is handed to haproxy in plain text over the float IP: anything that can reach 192.168.25.1:81 directly bypasses TLS, so firewall that port to the load balancer itself.

6. Create the certificate & key.

Save the certificate as /etc/stunnel/certs/example.com.crt and the private key as /etc/stunnel/certs/example.com.key (the cert= and key= paths above). Keep the key readable only by root, and by the account stunnel drops to if you change setuid.
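The page gives no commands for this step, so the following is an added example, not part of the original page: it creates a self-signed certificate and key pair suitable for bringing the setup up and testing it, with the key created unreadable by others, and then checks that the key actually matches the certificate. The directory and CN are parameters; /etc/stunnel/certs and example.com are the page's values. For production, generate a CSR and install the CA-issued certificate (with its chain) at the same cert= path instead; openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): create the self-signed
# certificate and key for step 6, and verify the pair before stunnel loads it.

make_stunnel_cert() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # Generate the key under a restrictive umask so it is never readable by
    # others, even briefly; the certificate itself is public.
    old_umask=$(umask); umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null ||
        { umask "$old_umask"; echo "openssl req failed" >&2; return 1; }
    umask "$old_umask"
    chmod 600 "$dir/$cn.key"
    chmod 644 "$dir/$cn.crt"
}

# Confirm what stunnel will load: key unreadable by others, key matching the
# certificate (same RSA modulus), and the requested CN in the subject.
check_stunnel_cert() {
    crt="$1"; key="$2"; cn="$3"
    if [ "$(ls -l "$key" | cut -c1-10)" != "-rw-------" ]; then
        echo "$key: mode must be 600" >&2
        return 1
    fi
    cert_mod=$(openssl x509 -in "$crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
        echo "$key does not match $crt" >&2
        return 1
    fi
    if ! openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$cn"; then
        echo "$crt: unexpected subject" >&2
        return 1
    fi
    return 0
}
```

Usage: "make_stunnel_cert /etc/stunnel/certs example.com" followed by "check_stunnel_cert /etc/stunnel/certs/example.com.crt /etc/stunnel/certs/example.com.key example.com"; the check is also worth running after a CA-issued certificate has been dropped in, since a certificate that does not match the key is the most common reason stunnel fails to start.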

7. Create startup script

==============
cp -pv tools/stunnel.init.in /etc/init.d/stunnel
chmod 755 /etc/init.d/stunnel;
==============

8. Configure stunnel to start on boot.

=================
chkconfig stunnel on
=================

9. Start stunnel 

==================
/etc/init.d/stunnel start
===================
