HAProxy Load Balancer – Example configuration
You should use a Load Balancer best suited for your organization. The information below provides an example setup for an HAProxy (v2.4) Load Balancer.
In this example, Blue Prism utilized HAProxy v2.4 on a Linux machine (minimum specification: Ubuntu 20.04 with 1 vCPU and 2 GB RAM).
Example (HAProxy) Load Balancer script
The following examples use the HAProxy (v2.4) Load Balancer, which reads its configuration from the /etc/haproxy/haproxy.cfg file.
Example of basic script structure
global
    # global settings here

defaults
    # defaults here

frontend
    # a frontend that accepts requests from clients

backend
    # servers that fulfill the requests

Where:
- Settings under the global heading define process-wide security and performance configurations that affect HAProxy at a low level.
- Using a defaults section reduces duplication. Settings apply to all of the frontend and backend sections that come after it. You can override settings in the sections that follow.
- When you place HAProxy as a reverse proxy in front of your back-end servers, a frontend section defines the IP addresses and ports that clients can connect to.
- A backend section defines a group of servers that will be load balanced and assigned to handle requests. You can add a label to each backend, such as "web_servers".
Example configuration
#Example of HAProxy config
#AMQP load balancer for 3 nodes with IP addresses 10.30.0.10,10.30.0.20,10.30.0.30
#HTTPS load balancer for 2 nodes with IP addresses 10.30.0.50,10.30.0.60 (TLS is terminated at HAProxy and re-established to the nodes)
#statistics are available at https://haproxyname.yourdomainname.com:10001/stats with adminname:adminpassword credentials (placeholders, replace them)
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend stats
    bind *:10001 ssl crt /etc/haproxy/cert/yourdomainname.pem
    mode http
    stats enable
    stats hide-version
    stats refresh 10s
    stats show-node
    stats auth adminname:adminpassword
    stats uri /stats

frontend main_frontend
    bind *:443 ssl crt /etc/haproxy/cert/yourdomainname.pem
    acl ims_acl hdr(host) -i ims.yourdomainname.com
    acl hub_acl hdr(host) -i hub.yourdomainname.com
    acl interact_acl hdr(host) -i interact.yourdomainname.com
    acl audit_acl hdr(host) -i audit.yourdomainname.com
    acl emailqueue_acl hdr(host) -i emailqueue.yourdomainname.com
    acl fileserver_acl hdr(host) -i fileserver.yourdomainname.com
    acl iada_acl hdr(host) -i iada.yourdomainname.com
    acl interactremoteapi_acl hdr(host) -i interactremoteapi.yourdomainname.com
    acl licensemanager_acl hdr(host) -i licensemanager.yourdomainname.com
    acl notificationcenter_acl hdr(host) -i notificationcenter.yourdomainname.com
    acl signalr_acl hdr(host) -i signalr.yourdomainname.com
    use_backend ims_backend if ims_acl
    use_backend hub_backend if hub_acl
    use_backend interact_backend if interact_acl
    use_backend audit_backend if audit_acl
    use_backend emailqueue_backend if emailqueue_acl
    use_backend fileserver_backend if fileserver_acl
    use_backend iada_backend if iada_acl
    use_backend interactremoteapi_backend if interactremoteapi_acl
    use_backend licensemanager_backend if licensemanager_acl
    use_backend notificationcenter_backend if notificationcenter_acl
    use_backend signalr_backend if signalr_acl

frontend amqp_frontend
    bind *:5672
    mode tcp
    option tcplog
    use_backend amqp_backend

backend amqp_backend
    mode tcp
    balance roundrobin
    server rabbit1 10.30.0.10:5672 check inter 5s
    server rabbit2 10.30.0.20:5672 check inter 5s
    server rabbit3 10.30.0.30:5672 check inter 5s

backend ims_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host ims.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend hub_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host hub.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend interact_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host interact.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend audit_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host audit.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend emailqueue_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host emailqueue.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend fileserver_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host fileserver.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend iada_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host iada.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend interactremoteapi_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host interactremoteapi.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend licensemanager_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host licensemanager.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend notificationcenter_backend
    balance roundrobin
    option httpchk
    http-check send meth GET uri /health ver HTTP/1.1 hdr host notificationcenter.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend signalr_backend
    balance roundrobin
    option httpchk
    cookie SERVERID insert indirect nocache
    http-check send meth GET uri /health ver HTTP/1.1 hdr host signalr.yourdomainname.com
    http-check expect string Healthy
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s cookie web1
    server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s cookie web2

Where:
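- The load balancer uses separate frontend sections for the services (main_frontend, which routes by Host header to one backend per service), for the RabbitMQ cluster (amqp_frontend), and for the statistics page (stats).
- To enable SSL support, HAProxy must have certificates in the cert folder located in /etc/haproxy/cert/ (in this example, yourdomainname.pem for the frontends and root.ca for verifying the back-end servers).
- HAProxy sends a request to the /health page of each server every five seconds (check inter 5s) and expects Healthy in the reply.
- The SignalR service uses sticky sessions: the SERVERID cookie keeps each client on a single server.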
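The points a reviewer would raise before this example goes into production, as an added audit script (not part of the original page or of Blue Prism's material): it parses the global/defaults/frontend/backend layout described above and flags listeners and server lines without ssl, the inline stats auth password, and a persistence cookie without the secure and httponly flags. The check wording, the function names and the trimmed SAMPLE_CFG are constructed for illustration, and comment stripping is simplified.

```python
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen", "userlist"}

# Constructed sample: a trimmed copy of the example configuration on this page.
SAMPLE_CFG = """\
global
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
frontend stats
    bind *:10001 ssl crt /etc/haproxy/cert/yourdomainname.pem
    stats auth adminname:adminpassword
frontend amqp_frontend
    bind *:5672
backend amqp_backend
    server rabbit1 10.30.0.10:5672 check inter 5s
backend signalr_backend
    cookie SERVERID insert indirect nocache
    server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s cookie web1
"""

def parse_sections(text):
    """Split haproxy.cfg text into (section type, name, directive token lists)."""
    sections = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # simplified: ignores quoted '#'
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((tokens[0], " ".join(tokens[1:]), []))
        elif sections:
            sections[-1][2].append(tokens)
    return sections

def audit(text):
    """Return sorted (section, finding) pairs; the four checks are illustrative."""
    findings = set()
    for kind, name, directives in parse_sections(text):
        label = f"{kind} {name}".strip()
        for d in directives:
            if d[0] == "bind" and "ssl" not in d[2:]:
                findings.add((label, "bind without ssl: HAProxy adds no TLS on this listener"))
            if d[:2] == ["stats", "auth"]:
                findings.add((label, "stats auth keeps a cleartext password in the config file"))
            if d[0] == "cookie" and not {"secure", "httponly"} <= set(d[2:]):
                findings.add((label, "persistence cookie lacks secure/httponly"))
            if d[0] == "server" and "ssl" not in d[3:]:
                findings.add((label, "server without ssl: HAProxy adds no TLS on this hop"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{section}: {msg}" for section, msg in audit(SAMPLE_CFG)))
```

Run against the full /etc/haproxy/haproxy.cfg, the same checks also list rabbit2 and rabbit3 under amqp_backend once, because findings are de-duplicated per section.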