HaProxy config instead of nginx/apache

I would like to replace nginx/apache with haproxy if possible. Putting it in front of nginx/apache is easy.
Has anybody tried it and successfully set it up using haproxy?

1 Like

Yes, we have. And it works perfectly in combination with keepalived (2 nodes) and a three node seafile cluster with nginx as web server. HAProxy terminates the SSL connection, so it’s easy to internally manage nginx without ssl.

As said it is easy to put it in front of nginx/apache.

The question is if it can completely replace those.

Sorry, I misunderstood.

No problem. Do you configure anything specific in your haproxy config?
Would you mind posting what you configured?

Within the context of a web app, certain functionality is much easier to configure in nginx/apache than haproxy, e.g.

  • request path / headers based routing: In nginx it’s just a one-liner, but in haproxy you need to make use of haproxy ACL, which is not primarily designed for that
  • static files serving, caching (not sure whether haproxy supports them)
  • etc.

Even though you can configure haproxy as a reverse proxy, haproxy shines mostly as a load balancer. So I’d like to know why you would like to do that?

2 Likes

Nothing fancy. I was just wondering whether this makes sense so that one could get rid of nginx altogether. Thanks to the explanation in your post, it does not make sense to get rid of nginx.

Nginx seems to work better than apache. Does the manual recommend using nginx?

Hi @DerDanilo:
Because of security concerns, unfortunately I cannot publish the config in its original form:

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    chroot /var/lib/haproxy
    maxconn 4096
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
    ssl-default-server-options no-sslv3 no-tlsv10
    ssl-default-server-ciphers AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH

    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http # protocol analyzer option
    option contstats # Enable continuous traffic statistics updates
    option redispatch # Try another server in case of connection failure
    option httplog
    option dontlognull # Do not log connections with no requests
    option dontlog-normal # Only log requests that ended in an error or a retry
    option forwardfor # Add X-Forwarded-For with the client address
    option http-server-close
    retries 3 # Try to connect up to 3 times in case of failure
    maxconn 2000
    timeout connect 5000 # values are milliseconds
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503sorry.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend 'FRONT'
    bind 'IP LoadBalancer1':443 ssl crt /etc/ssl/private/zzz.pem
    bind 'IP LoadBalancer2':443 ssl crt /etc/ssl/private/zzz.pem
    bind 'IP LoadBalancer1':80
    bind 'IP LoadBalancer2':80
    acl secure dst_port eq 443 # true when the request arrived on the TLS listener
    http-request redirect scheme https if !{ ssl_fc } # send plain-HTTP clients to HTTPS

    # HSTS (15768000 seconds = 6 months)
    http-response set-header Strict-Transport-Security max-age=15768000;\ includeSubDomains;\ preload
    # Content-Security-Policy as restrictive as currently possible
    http-response set-header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.xxx.com/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' blob:; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.xxx.com; object-src 'none'; frame-ancestors https://*.xxx.com/; base-uri https://*.xxx.com/ 'self'; media-src 'self';"
    # X-Content-Type-Options
    http-response set-header X-Content-Type-Options nosniff
    # X-Xss-Protection (for Chrome, Safari, IE)
    http-response set-header X-Xss-Protection 1;\ mode=block
    # X-Frame-Options (DENY or SELF)
    http-response set-header X-Frame-Options DENY
    # Delete Server Header
    http-response del-header Server
    # Delete Proxy Header
    http-request del-header Proxy
    # Revealing HTTPS URLs When Navigating Away to HTTP Sites
    http-response set-header Referrer-Policy no-referrer-when-downgrade

    # Append the Secure flag to every cookie set via the TLS listener
    # (rspirep was removed in HAProxy 2.1; newer versions use http-response replace-header)
    rspirep ^(set-cookie:.*) \1;\ Secure if secure
    default_backend 'BACKEND'

backend 'BACKEND'
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header Host yyy.xxx.com
    balance source # hash the client address so a client keeps reaching the same node
    hash-type consistent
    option forwardfor
    cookie SERVERID insert indirect nocache # sticky-session cookie, stripped before reaching the backend
    server 'HOST1' 'IP HOST1':80 check port 11001 cookie 'HOST1' # health check on port 11001
    server 'HOST2' 'IP HOST2':80 check port 11001 cookie 'HOST2'
    server 'HOST3' 'IP HOST3':80 check port 11001 cookie 'HOST3'

2 Likes
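To confirm that the front end really applies the protections in the config above, here is an added Python check (not from the post or from Seafile): it parses raw HTTP responses and reports which of the posted hardening rules (HSTS max-age of six months, nosniff, X-Frame-Options DENY, CSP object-src 'none', Referrer-Policy, no Server header, Secure flag on cookies from the 443 listener) are not in effect. Both sample responses are constructed; in practice you would feed it the raw bytes captured from a socket to the load balancer and to an nginx node directly.

```python
import re
from typing import Dict, List, Tuple

HSTS_MIN_AGE = 15768000  # six months, the max-age the posted config sets

def parse_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status code, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return int(status_line.split(" ", 2)[1]), [(n.strip().lower(), v.strip()) for n, v in pairs]

def audit_headers(headers: List[Tuple[str, str]], tls: bool = True) -> List[str]:
    """Return findings; an empty list means the response matches the expected hardening."""
    h: Dict[str, str] = {}
    cookies: List[str] = []
    for name, value in headers:  # Set-Cookie may repeat; other headers keep their first value
        if name == "set-cookie":
            cookies.append(value)
        else:
            h.setdefault(name, value)
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("HSTS missing or max-age below six months")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if "object-src 'none'" not in h.get("content-security-policy", ""):
        findings.append("CSP missing or does not set object-src 'none'")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy not set")
    if "server" in h:
        findings.append("Server header leaks software: " + h["server"])
    for c in cookies:  # the rspirep rule should have appended Secure on the TLS listener
        if tls and "secure" not in [a.strip().lower() for a in c.split(";")[1:]]:
            findings.append("cookie without Secure flag: " + c.split("=", 1)[0])
    return findings

# Constructed sample: what the front end should emit after its set-header/del-header rules.
HARDENED = (b"HTTP/1.1 200 OK\r\n"
            b"Strict-Transport-Security: max-age=15768000; includeSubDomains; preload\r\n"
            b"Content-Security-Policy: default-src 'none'; object-src 'none'\r\n"
            b"X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n"
            b"Referrer-Policy: no-referrer-when-downgrade\r\n"
            b"Set-Cookie: sessionid=abc; Path=/; HttpOnly; Secure\r\n\r\n")
# Constructed sample: a reply straight from the nginx origin, before HAProxy rewrites it.
ORIGIN = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
          b"Set-Cookie: sessionid=abc; Path=/; HttpOnly\r\n\r\n")
```

Running `audit_headers(parse_response(raw)[1])` on the hardened sample returns no findings, while the origin sample reports every missing header plus the cookie lacking Secure.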

I’m having trouble debugging network dropouts in a LAN-DMZ environment with a plain haproxy-seahub setup, and want to revert back to a haproxy-nginx setup.

Would somebody of you be so kind and point out the relevant extra part for

  • nginx knowing and passing on knowledge of being proxied (them X-HEADERZ)
  • seahub: possible needs for that setup?

Thanks a lot, it’s been ages of guessing.
Manu

Never mind. That was a 10G tuning problem. Works fine now.