KEEPALIVED CONFIGURATION:
MASTER:
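# The heredoc delimiter is quoted ('EOF') so the shell writes the command
# substitution into the script literally. With an unquoted delimiter, pidof
# runs once while the file is being created and its output is frozen into
# the script, so the check never reflects the live state of haproxy.
[root@haproxy01 ~]# cat << 'EOF' > /bin/check_haproxy.sh
#!/bin/sh
# keepalived health check: exit 1 when no haproxy process is running.
if [ -z "$(pidof haproxy)" ]; then
    exit 1
fi
EOF
# With enable_script_security, keepalived will not run a root script if any
# part of its path is writable by a non-root user, so keep this file
# root-owned and not group- or world-writable.
[root@haproxy01 ~]# chmod 755 /bin/check_haproxy.sh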
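# Quoted delimiter: the configuration is written exactly as shown, with no
# shell expansion of its contents.
[root@haproxy01 ~]# cat << 'EOF' > /etc/keepalived/keepalived.conf
global_defs {
    router_id nginx_vrrp
    # Do not run root scripts if any part of their path is writable by a
    # non-root user.
    enable_script_security
    # The check script only calls pidof, which does not need root. A
    # dedicated unprivileged account can be named here once one exists.
    script_user root
}
# Runs every 2 seconds; while the script exits 0 the priority of the
# instance tracking it is raised by 20.
vrrp_script check_haproxy {
    script "/bin/check_haproxy.sh"
    interval 2
    weight 20
}
vrrp_instance VI_1 {
    interface ens192
    virtual_router_id 20
    # 110 here against 100 on the BACKUP node: with both checks passing this
    # node wins (130 vs 120); if haproxy stops here it drops to 110 and the
    # BACKUP node (120) takes over the virtual address.
    priority 110
    advert_int 2
    state MASTER
    virtual_ipaddress {
        10.160.15.76
    }
    track_script {
        check_haproxy
    }
    # auth_type PASS carries auth_pass unencrypted in every VRRP
    # advertisement. It guards against accidental cross-talk between
    # clusters, not against a host on the same segment. The value below is
    # the one published on this page; generate your own per cluster.
    authentication {
        auth_type PASS
        auth_pass 1ce24b6e
    }
}
EOF
# The file holds the shared VRRP secret, so restrict it to root.
[root@haproxy01 ~]# chmod 600 /etc/keepalived/keepalived.conf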
BACKUP:
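# The heredoc delimiter is quoted ('EOF') so the shell writes the command
# substitution into the script literally. With an unquoted delimiter, pidof
# runs once while the file is being created and its output is frozen into
# the script, so the check never reflects the live state of haproxy.
[root@haproxy02 ~]# cat << 'EOF' > /bin/check_haproxy.sh
#!/bin/sh
# keepalived health check: exit 1 when no haproxy process is running.
if [ -z "$(pidof haproxy)" ]; then
    exit 1
fi
EOF
# With enable_script_security, keepalived will not run a root script if any
# part of its path is writable by a non-root user, so keep this file
# root-owned and not group- or world-writable.
[root@haproxy02 ~]# chmod 755 /bin/check_haproxy.sh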
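# Quoted delimiter: the configuration is written exactly as shown, with no
# shell expansion of its contents.
[root@haproxy02 ~]# cat << 'EOF' > /etc/keepalived/keepalived.conf
global_defs {
    router_id nginx_vrrp
    # Do not run root scripts if any part of their path is writable by a
    # non-root user.
    enable_script_security
    # The check script only calls pidof, which does not need root. A
    # dedicated unprivileged account can be named here once one exists.
    script_user root
}
# Runs every 2 seconds; while the script exits 0 the priority of the
# instance tracking it is raised by 20.
vrrp_script check_haproxy {
    script "/bin/check_haproxy.sh"
    interval 2
    weight 20
}
vrrp_instance VI_1 {
    interface ens192
    virtual_router_id 20
    # 100 here against 110 on the MASTER node: this node only takes the
    # virtual address when the MASTER's haproxy check fails (120 vs 110) or
    # the MASTER stops advertising.
    priority 100
    advert_int 2
    state BACKUP
    virtual_ipaddress {
        10.160.15.76
    }
    track_script {
        check_haproxy
    }
    # auth_type PASS carries auth_pass unencrypted in every VRRP
    # advertisement. It guards against accidental cross-talk between
    # clusters, not against a host on the same segment. The value below is
    # the one published on this page and must match the MASTER node;
    # generate your own per cluster.
    authentication {
        auth_type PASS
        auth_pass 1ce24b6e
    }
}
EOF
# The file holds the shared VRRP secret, so restrict it to root.
[root@haproxy02 ~]# chmod 600 /etc/keepalived/keepalived.conf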
HAPROXY01 & HAPROXY02:
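# Quoted delimiter: the configuration is written exactly as shown, with no
# shell expansion of its contents.
[root@api-dev-haproxy01 ~]# cat << 'EOF' > /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
global
    maxconn 20000
    log /dev/log local0 info
    # Drop privileges and confine the process to its own directory.
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 300s
    timeout server 300s
    timeout http-keep-alive 300s
    timeout check 10s
    timeout tunnel 1h
    maxconn 20000

# Statistics page. It lists backend addresses and their health state, and
# this listener binds every interface, so it requires a login. Replace the
# placeholder credentials before use. The page is served over plain HTTP,
# so also limit who can reach port 9000 at the firewall.
listen stats
    bind :9000
    mode http
    stats enable
    stats uri /
    stats refresh 10s
    stats hide-version
    stats auth <STATS_USER>:<STATS_PASSWORD>

# Layer-4 pass-through to the nginx servers on port 8443.
frontend nginx_frontend
    bind :8443
    default_backend nginx_backend
    mode tcp
    option tcplog

# 'balance source' hashes the client address, so a given client keeps
# reaching the same server while the set of healthy servers is unchanged.
backend nginx_backend
    balance source
    mode tcp
    server nginx-server1 10.10.10.1:8443 check
    server nginx-server2 10.10.10.2:8443 check
    server nginx-server3 10.10.10.3:8443 check
EOF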
#### FirewallD ####
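systemctl start firewalld
systemctl enable firewalld
firewall-cmd --permanent --add-service=ssh
# The http and https services open 80 and 443. The haproxy.cfg on this page
# listens on 8443, so that port is opened explicitly as well; drop the two
# service lines if nothing on these hosts binds 80 or 443.
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-port=8443/tcp
# 9000 serves the HAProxy stats page. Where possible allow it only from the
# admin network instead of opening it to the whole zone, e.g.
#   --add-rich-rule='rule family="ipv4" source address="<ADMIN_CIDR>" port port="9000" protocol="tcp" accept'
firewall-cmd --permanent --add-port=9000/tcp
# Accepts VRRP advertisements from any source. Adding
# family="ipv4" source address="<PEER_IP>" to the rule limits it to the
# other keepalived node.
firewall-cmd --permanent --add-rich-rule='rule protocol value="vrrp" accept'
firewall-cmd --reload
# Review the resulting rule set, then confirm both services are running.
firewall-cmd --list-all
systemctl status haproxy
systemctl status keepalived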
SELinux (Optional):
# Find the package that provides semanage
yum whatprovides /usr/sbin/semanage
# Install the package reported by the previous command
yum install policycoreutils-python-utils -y
# List the ports currently labelled with an http_port* type.
semanage port -l | grep http_port
# NOTE(review): on a stock targeted policy 80 and 443 are normally already
# labelled http_port_t, in which case 'semanage port -a' reports the port as
# already defined. Check the listing above first. The haproxy.cfg on this
# page binds 8443 and 9000, so those are the ports to verify. TODO confirm.
semanage port -a -t http_port_t -p tcp 443
semanage port -a -t http_port_t -p tcp 80
# Persistently (-P) allows haproxy to connect to any port. NOTE(review): this
# is broader than the 8443 backends need; labelling only the backend port
# and leaving the boolean off is the narrower option. Confirm against the
# policy in use.
setsebool -P haproxy_connect_any=1
