I would like to replace nginx/apache with haproxy if possible. Putting it in front of nginx/apache is easy.
Has anybody tried and successfully set up using haproxy?
Yes, we have. And it works perfectly in combination with keepalived (2 nodes) and a three-node Seafile cluster with nginx as web server. HAProxy terminates the SSL connection, so it’s easy to internally manage nginx without SSL.
As said it is easy to put it in front of nginx/apache.
The question is if it can completely replace those.
Sorry, i misunderstood.
No problem. Do you configure anything specific in your haproxy config?
Would you mind posting what you configured?
Within the context of a web app, certain functionality is much easier to configure in nginx/apache than in haproxy, e.g.
- request path / headers based routing: In nginx it’s just a one-liner, but in haproxy you need to make use of haproxy ACL, which is not primarily designed for that
- static files serving, caching (not sure whether haproxy supports them)
- etc.
Even though you can configure haproxy as a reverse proxy, haproxy shines mostly as a load balancer. So I’d like to know why you would like to do that?
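The routing case mentioned above, as an added example that is not from this thread or from Seafile's own documentation: what is a single `location` block in nginx becomes an ACL plus a `use_backend` rule in HAProxy. All addresses, ports, hostnames and the certificate path are placeholders; the `/seafhttp` and `/seafdav` prefixes are the ones a Seafile nginx setup normally proxies, and the prefix rewrite assumes HAProxy 1.7 or later for `set-path` with the `regsub` converter.

```haproxy
# Added example, not part of the thread: path- and header-based routing in
# HAProxy. IPs, ports, hostnames and the certificate path are placeholders.
frontend https_in
    mode http
    bind :443 ssl crt /etc/ssl/private/EXAMPLE.pem

    # Path-based routing. In nginx this is "location /seafhttp/ { ... }";
    # here it is an ACL plus a use_backend rule. path_beg is a prefix match
    # on the path only (query string excluded); avoid path_sub, which would
    # also match "/shared/seafhttp/..." anywhere in the path.
    acl is_seafhttp path_beg /seafhttp/
    acl is_seafdav  path_beg /seafdav/

    # Header-based routing: a second vhost on the same listener, matched on
    # the Host header case-insensitively.
    acl is_media_host req.hdr(host) -i media.example.com

    use_backend seafile_fileserver if is_seafhttp
    use_backend seafile_dav        if is_seafdav
    use_backend media              if is_media_host
    default_backend seahub

backend seahub
    server seahub1 10.0.0.11:8000 check

backend seafile_fileserver
    # nginx would do "rewrite ^/seafhttp(.*)$ $1 break;" so the file server
    # sees the path without the prefix; the regsub converter does the same.
    http-request set-path %[path,regsub(^/seafhttp/,/)]
    # Large uploads/downloads: a longer server timeout for this backend only.
    timeout server 1200s
    server fileserver1 10.0.0.11:8082 check

backend seafile_dav
    server seafdav1 10.0.0.11:8080 check

backend media
    server media1 10.0.0.12:80 check
```

Evaluation order matters: `use_backend` rules are tried top to bottom and the first match wins, so put the most specific prefixes first and keep `default_backend` as the catch-all for seahub.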
Nothing fancy. Was just thinking whether this makes sense so one could get rid of nginx at all. Thanks to the explanation in your post, it does not make sense to get rid of nginx.
Nginx seems to work better than apache. Does the manual recommend using nginx?
Hi @DerDanilo:
Because of security concerns, unfortunately I cannot publish the original config:
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    chroot /var/lib/haproxy
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
    ssl-default-server-options no-sslv3 no-tlsv10
    ssl-default-server-ciphers AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http                  # protocol analyzer option
    option contstats           # Enable continuous traffic statistics updates
    option redispatch          # Try another server in case of connection failure
    option httplog
    option dontlognull         # Do not log connections with no requests
    option dontlog-normal
    option forwardfor
    option http-server-close
    retries 3                  # Try to connect up to 3 times in case of failure
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503sorry.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend 'FRONT'
    bind 'IP LoadBalancer1':443 ssl crt /etc/ssl/private/zzz.pem
    bind 'IP LoadBalancer2':443 ssl crt /etc/ssl/private/zzz.pem
    bind 'IP LoadBalancer1':80
    bind 'IP LoadBalancer2':80
    acl secure dst_port eq 443
    http-request redirect scheme https if !{ ssl_fc }
    # HSTS (15768000 seconds = 6 months)
    http-response set-header Strict-Transport-Security max-age=15768000;\ includeSubDomains;\ preload
    # Content-Security-Policy as restrictive as currently possible
    http-response set-header Content-Security-Policy "default-src 'none'; script-src http://seafile.com/ https://www.seafile.com/ https://*.xxx.com/ blob: 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' blob:; font-src data: 'self'; connect-src 'self'; style-src 'self' 'unsafe-inline'; frame-src https://*.xxx.com; object-src 'none'; frame-ancestors https://*.xxx.com/; base-uri https://*.xxx.com/ 'self'; media-src 'self';"
    # X-Content-Type-Options
    http-response set-header X-Content-Type-Options nosniff
    # X-Xss-Protection (for Chrome, Safari, IE)
    http-response set-header X-Xss-Protection 1;\ mode=block
    # X-Frame-Options (DENY or SELF)
    http-response set-header X-Frame-Options DENY
    # Delete Server Header
    http-response del-header Server
    # Delete Proxy Header (client-supplied "Proxy" headers must never reach CGI-style backends)
    http-request del-header Proxy
    # Revealing HTTPS URLs When Navigating Away to HTTP Sites
    http-response set-header Referrer-Policy no-referrer-when-downgrade
    # Mark every cookie Secure on the TLS listener. rspirep is HAProxy 1.x syntax
    # (removed in 2.1); the 2.x equivalent is
    # http-response replace-header Set-Cookie (.*) "\1; Secure" if secure
    rspirep ^(set-cookie:.*) \1;\ Secure if secure
    default_backend 'BACKEND'

backend 'BACKEND'
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header Host yyy.xxx.com
    balance source
    hash-type consistent
    option forwardfor
    cookie SERVERID insert indirect nocache
    server 'HOST1' 'IP HOST1':80 check port 11001 cookie 'HOST1'
    server 'HOST2' 'IP HOST2':80 check port 11001 cookie 'HOST2'
    server 'HOST3' 'IP HOST3':80 check port 11001 cookie 'HOST3'
I’m having trouble debugging network dropouts in a LAN-DMZ environment with a plain haproxy-seahub setup, and want to revert to a haproxy-nginx setup.
Would somebody of you be so kind and point out the relevant extra part for
- nginx knowing and passing on knowledge of being proxied (them X-HEADERZ)
- seahub: possible needs for that setup?
Thanks a lot, it’s been ages of guessing.
Manu
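For the forwarded-header question above: what HAProxy should hand to nginx and seahub so they know they sit behind a TLS-terminating proxy, as an added example that is not from this thread. The point a defender cares about is the order of operations: every X-Forwarded-* header the client sent is dropped first, so the backend never sees a spoofed client address or a forged "https". Addresses and the certificate path are placeholders.

```haproxy
# Added example, not part of the thread. IPs and paths are placeholders.
frontend https_in
    mode http
    bind :443 ssl crt /etc/ssl/private/EXAMPLE.pem
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Whatever the client put in these headers is untrusted input. Remove it
    # so the values below are the only copies the backend receives.
    http-request del-header X-Forwarded-For
    http-request del-header X-Forwarded-Proto
    http-request del-header X-Forwarded-Host
    http-request del-header X-Forwarded-Port
    http-request del-header X-Real-IP

    # Now set them from what HAProxy observed on its own socket.
    http-request set-header X-Forwarded-For   %[src]
    http-request set-header X-Real-IP         %[src]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  unless { ssl_fc }
    http-request set-header X-Forwarded-Port  %[dst_port]
    http-request set-header X-Forwarded-Host  %[req.hdr(Host)]
    default_backend nginx_servers

backend nginx_servers
    # Deliberately no "option forwardfor": it appends to an existing
    # X-Forwarded-For, which is exactly the client-controlled chain the
    # del-header/set-header pair above replaces.
    server nginx1 10.0.0.21:80 check
```

On the nginx side the matching pieces are the realip module, `set_real_ip_from <HAProxy address>;` together with `real_ip_header X-Forwarded-For;`, so that only the proxy's address is trusted as the source of the client IP, and `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` in the seahub `location`, so seahub can build https URLs even though the hop from HAProxy to nginx is plain HTTP.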
Never mind. That was a 10G tuning problem. Works fine now.