Load Balancer - jordy33/turbogears_tutorial GitHub Wiki
HAproxy Ubuntu 16.04 install
sudo apt-get update
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
sudo certbot certonly --standalone -d dudewhereismy.mx -d www.dudewhereismy.mx -d sun.dudewhereismy.mx -d pluto.dudewhereismy.mx -d venus.dudewhereismy.mx -d mercury.dudewhereismy.mx -d earth.dudewhereismy.mx
sudo mkdir -p /etc/haproxy/certs
DOMAIN='dudewhereismy.mx' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
sudo chmod -R go-rwx /etc/haproxy/certs
sudo apt-get install haproxy
sudo vim /etc/haproxy/haproxy.cfg
Insert the following code:
global
log 127.0.0.1 syslog
maxconn 1000
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 4096
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
option contstats
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
###########################################
#
# HAProxy Stats page
#
###########################################
listen stats
bind *:9090
mode http
maxconn 10
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth admin:GPSc0ntr0l1
###########################################
#
# Front end for all
#
###########################################
frontend ALL
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/dudewhereismy.mx.pem
mode http
# Add CORS headers when Origin header is present
capture request header origin len 128
http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
rspadd Access-Control-Allow-Headers:\ Origin,\ X-Requested-With,\ Content-Type,\ Accept if { capture.req.hdr(0) -m found }
# Define path for lets encrypt
acl is_letsencrypt path_beg -i /.well-known/acme-challenge/
use_backend letsencrypt if is_letsencrypt
# Define hosts
acl host_sun hdr(host) -i sun.dudewhereismy.mx
acl host_earth hdr(host) -i earth.dudewhereismy.mx
acl host_pluto hdr(host) -i pluto.dudewhereismy.mx
acl host_mercury hdr(host) -i mercury.dudewhereismy.mx
acl host_venus hdr(host) -i venus.dudewhereismy.mx
acl is_options method OPTIONS
use_backend venus_cors_headers if METH_OPTIONS host_venus
use_backend earth_cors_headers if METH_OPTIONS host_earth
# Direct hosts to backend
use_backend sun if host_sun
use_backend earth if host_earth
use_backend pluto if host_pluto
use_backend mercury if host_mercury
use_backend venus if host_venus
# Redirect port 80 to 443
# But do not redirect letsencrypt since it checks port 80 and not 443
redirect scheme https code 301 if !{ ssl_fc } !is_letsencrypt
###########################################
#
# Back end letsencrypt
#
###########################################
backend letsencrypt
server letsencrypt 127.0.0.1:54321
###########################################
#
# Back end for foo
#
###########################################
backend sun
rspadd Access-Control-Allow-Origin:\ *
rspadd Access-Control-Max-Age:\ 31536000
balance roundrobin
option httpchk GET /check
http-check expect rstring ^UP$
default-server inter 10s fall 3 rise 2
server sun1 127.0.0.1:8080 check
backend earth
rspadd Access-Control-Max-Age:\ 31536000
rspadd Access-Control-Allow-Credentials:\ true
rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT
rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization
balance roundrobin
option httpchk GET /check
http-check expect rstring ^UP$
default-server inter 10s fall 3 rise 2
server earth1 127.0.0.1:8082 check
backend pluto
rspadd Access-Control-Allow-Origin:\ *
rspadd Access-Control-Max-Age:\ 31536000
balance roundrobin
option httpchk GET /check
http-check expect rstring ^UP$
default-server inter 10s fall 3 rise 2
server pluto1 127.0.0.1:8084 check
backend mercury
balance roundrobin
option httpchk GET /check
http-check expect rstring ^UP$
default-server inter 10s fall 3 rise 2
server mercury1 127.0.0.1:8086 check
server mercury2 127.0.0.1:8087 check
backend venus
rspadd Access-Control-Max-Age:\ 31536000
rspadd Access-Control-Allow-Credentials:\ true
rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT
rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization
balance roundrobin
option httpchk GET /check
http-check expect rstring ^UP$
default-server inter 10s fall 3 rise 2
server venus1 127.0.0.1:8088 check
backend venus_cors_headers
errorfile 503 /root/venus.http
backend earth_cors_headers
errorfile 503 /root/earth.http
Create venus.http and insert the following (leave the two empty rows):
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://mercury.dudewhereismy.mx, https://sun.dudewhereismy.mx
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,PATCH,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Max-Age: 31536000
Access-Control-Allow-Credentials: true
Content-Length: 0
Cache-Control: private
Create earth.http and insert the following (leave the two empty rows):
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://sun.dudewhereismy.mx
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,PATCH,OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Max-Age: 31536000
Access-Control-Allow-Credentials: true
Content-Length: 0
Cache-Control: private
To run
sudo service haproxy restart
sudo service haproxy reload
More info about cross-origin resource sharing here