HAProxy Load Balancer – Example configuration

You should use a Load Balancer best suited for your organization. The information below provides an example setup for an HAProxy (v2.4) Load Balancer.

In this example, Blue Prism utilized HAProxy v2.4 on a Linux machine (minimum specification: Ubuntu 20.04 with 1 vCPU and 2 GB RAM).

Example (HAProxy) Load Balancer script

The following examples use the HAProxy (v2.4) Load Balancer, which uses the /etc/haproxy/haproxy.cfg file.

Example of basic script structure

global
    # global settings here

defaults
    # defaults here

frontend
    # a frontend that accepts requests from clients

backend
    # servers that fulfill the requests

Where:

  • Settings under the global heading define process-wide security and performance configurations that affect HAProxy at a low level.
  • Using a defaults section reduces duplication. Settings apply to all of the frontend and backend sections that come after it. You can override settings in the sections that follow.
  • When you place HAProxy as a reverse proxy in front of your back-end servers, a frontend section defines the IP addresses and ports that clients can connect to.
  • A backend section defines a group of servers that will be load balanced and assigned to handle requests. You can add a label to each backend, such as "web_servers".

Example configuration

# Example HAProxy configuration
# AMQP load balancer for 3 nodes with IP addresses 10.30.0.10, 10.30.0.20, 10.30.0.30
# HTTPS load balancer for 2 nodes with IP addresses 10.30.0.50, 10.30.0.60
#   (TLS is terminated on the bind line and re-encrypted to the nodes by "ssl" on each server line)
# Statistics are available at https://haproxyname.yourdomainname.com:10001/stats with the adminname:adminpassword credentials
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend stats
        bind *:10001 ssl crt /etc/haproxy/cert/yourdomainname.pem
        mode http
        stats enable
        stats hide-version
        stats refresh 10s
        stats show-node
        stats auth adminname:adminpassword
        stats uri /stats

frontend main_frontend
        bind *:443 ssl crt /etc/haproxy/cert/yourdomainname.pem
        acl ims_acl hdr(host) -i ims.yourdomainname.com
        acl hub_acl hdr(host) -i hub.yourdomainname.com
        acl interact_acl hdr(host) -i interact.yourdomainname.com
        acl audit_acl hdr(host) -i audit.yourdomainname.com
        acl emailqueue_acl hdr(host) -i emailqueue.yourdomainname.com
        acl fileserver_acl hdr(host) -i fileserver.yourdomainname.com
        acl iada_acl hdr(host) -i iada.yourdomainname.com
        acl interactremoteapi_acl hdr(host) -i interactremoteapi.yourdomainname.com
        acl licensemanager_acl hdr(host) -i licensemanager.yourdomainname.com
        acl notificationcenter_acl hdr(host) -i notificationcenter.yourdomainname.com
        acl signalr_acl hdr(host) -i signalr.yourdomainname.com
        use_backend ims_backend if ims_acl
        use_backend hub_backend if hub_acl
        use_backend interact_backend if interact_acl
        use_backend audit_backend if audit_acl
        use_backend emailqueue_backend if emailqueue_acl
        use_backend fileserver_backend if fileserver_acl
        use_backend iada_backend if iada_acl
        use_backend interactremoteapi_backend if interactremoteapi_acl
        use_backend licensemanager_backend if licensemanager_acl
        use_backend notificationcenter_backend if notificationcenter_acl
        use_backend signalr_backend if signalr_acl

frontend amqp_frontend
        bind *:5672
        mode tcp
        option tcplog
        use_backend amqp_backend

backend amqp_backend
        mode tcp
        balance roundrobin
        server rabbit1 10.30.0.10:5672 check inter 5s
        server rabbit2 10.30.0.20:5672 check inter 5s
        server rabbit3 10.30.0.30:5672 check inter 5s

backend ims_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host ims.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend hub_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host hub.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend interact_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host interact.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend audit_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host audit.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend emailqueue_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host emailqueue.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend fileserver_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host fileserver.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend iada_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host iada.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend interactremoteapi_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host interactremoteapi.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend licensemanager_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host licensemanager.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend notificationcenter_backend
        balance roundrobin
        option httpchk
        http-check send meth GET uri /health ver HTTP/1.1 hdr host notificationcenter.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s

backend signalr_backend
        balance roundrobin
        option httpchk
        cookie SERVERID insert indirect nocache
        http-check send meth GET uri /health ver HTTP/1.1 hdr host signalr.yourdomainname.com
        http-check expect string Healthy
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s cookie web1
        server web2 10.30.0.60:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s cookie web2

Where:

  • The load balancer uses separate frontend sections for each service, for the RabbitMQ cluster, and for the statistics page.
  • To enable SSL support, HAProxy must have certificates in the cert folder located in /etc/haproxy/cert/.
  • HAProxy sends requests to the /health page at five-second intervals and expects Healthy as the reply.
  • The SignalR service uses sticky sessions (a client sticks to a single server).
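
The following check is an added example, not part of the Blue Prism documentation: a small Python audit that splits haproxy.cfg into its sections, confirms that every use_backend target has a backend section, and flags two settings in the example configuration to tighten before production use (the cleartext stats auth password, and ssl server lines with neither verifyhost nor sni, in which case HAProxy validates the certificate chain but not the hostname). The function names and the trimmed sample configuration are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the configuration above in which the
# hub_backend section has been left out on purpose.
SAMPLE_CFG = """
frontend stats
        bind *:10001 ssl crt /etc/haproxy/cert/yourdomainname.pem
        stats auth adminname:adminpassword
frontend main_frontend
        bind *:443 ssl crt /etc/haproxy/cert/yourdomainname.pem
        acl ims_acl hdr(host) -i ims.yourdomainname.com
        acl hub_acl hdr(host) -i hub.yourdomainname.com
        use_backend ims_backend if ims_acl
        use_backend hub_backend if hub_acl
backend ims_backend
        server web1 10.30.0.50:443 ssl ca-file /etc/haproxy/cert/root.ca check inter 5s
"""

SECTION = re.compile(r"(global|defaults|frontend|backend|listen|userlist)\b\s*(\S*)")

def parse_sections(text):
    """Split haproxy.cfg text into {(kind, name): [token list per directive]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: ignores quoted '#'
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.groups(), [])
        elif current is not None:
            current.append(line.split())
    return sections

def audit(text):
    """Return sorted findings: dangling routes and weak settings."""
    sections = parse_sections(text)
    backends = {name for kind, name in sections if kind in ("backend", "listen")}
    findings = []
    for (_kind, name), directives in sections.items():
        for d in directives:
            if d[0] == "use_backend" and len(d) > 1 and d[1] not in backends:
                findings.append(f"{name}: use_backend {d[1]} has no backend section")
            if d[:2] == ["stats", "auth"]:
                findings.append(f"{name}: stats auth password is cleartext in the file")
            if d[0] == "server" and "ssl" in d and not {"verifyhost", "sni"} & set(d):
                findings.append(f"{name}/{d[1]}: no verifyhost or sni, so the "
                                "certificate hostname is not checked")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG)))
```

Run it against the real file by passing the contents of /etc/haproxy/haproxy.cfg to audit(); it complements, and does not replace, HAProxy's own syntax check (haproxy -c -f /etc/haproxy/haproxy.cfg).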