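# Install HAProxy 1.8 from the Software Collections (SCL) repository.
# Run as root (or prefix each command with sudo); -y makes the installs non-interactive.
yum install -y centos-release-scl
yum install -y rh-haproxy18-haproxy rh-haproxy18-haproxy-syspaths
# Enable the unit at boot and (re)start it now; "status" is informational and exits
# non-zero when the service is not running, which is useful as a quick sanity check.
systemctl enable rh-haproxy18-haproxy
systemctl restart rh-haproxy18-haproxy
systemctl status rh-haproxy18-haproxy
# Open the firewall for HTTP/HTTPS only. The long options are "--zone", "--add-service",
# "--permanent" and "--reload"; the blog rendering turned "--" into an en dash ("–"),
# which firewall-cmd rejects. Port 9000 (the docker backend) stays closed on purpose:
# it is reached through HAProxy, not directly.
#firewall-cmd --zone=public --permanent --add-port=9000/tcp
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
# /run is a tmpfs, so /run/haproxy vanishes at every boot and the unit fails with
# "cannot bind UNIX socket [/run/haproxy/admin.sock]". The original fix was a crontab entry
# "@reboot mkdir /run/haproxy && systemctl start rh-haproxy18-haproxy", which races the
# service unit at boot. systemd-tmpfiles recreates the directory before units start;
# "0755 root root" reproduces exactly what the cron mkdir (root, umask 022) produced.
# The file name under /etc/tmpfiles.d/ is a free choice (constructed here, not from the page).
printf 'd /run/haproxy 0755 root root -\n' > /etc/tmpfiles.d/rh-haproxy18-haproxy.conf
systemd-tmpfiles --create /etc/tmpfiles.d/rh-haproxy18-haproxy.conf
# SELinux (enforcing): without this boolean HAProxy may not connect to the unlabelled
# backend ports and clients get 503. haproxy_connect_any is broad (any TCP port); when the
# backend ports are fixed, labelling just those with "semanage port" is the narrower option.
setsebool -P haproxy_connect_any 1
# Edit the SCL config; keep a backup so a broken edit can be reverted quickly.
cfg=/etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
cp -p -- "$cfg" "$cfg.bak"
vim "$cfg"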
################################## Sample Config ######################
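global
  log /dev/log local0
  log /dev/log local1 notice
  # NOTE(review): the stats socket below is an absolute host path while the process is
  # chrooted here, so presumably the socket is bound before the chroot takes effect — confirm.
  chroot /var/lib/haproxy
  # mode 660 + level admin: anyone who can open this socket can disable servers and change
  # weights, so the group owning /run/haproxy must not include untrusted accounts.
  stats socket /run/haproxy/admin.sock mode 660 level admin
  stats timeout 30s
  user haproxy
  group haproxy
  daemon
  # Default SSL material locations (unquoted paths; the page's curly quotes were blog formatting)
  # ca-base /etc/certs/dragoncoin.com
  # crt-base /etc/certs/dragoncoin.com
  # Default ciphers for SSL-enabled listening sockets; see ciphers(1SSL).
  # The original line had prose spliced into it ("– change this to remove weak ciphers: ..."),
  # which HAProxy cannot parse, and the list still allowed RC4-SHA. RC4 is excluded here.
  # kRSA (no forward secrecy) is kept only for old-client compatibility and is the next
  # thing to drop.
  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
  # Refuse SSLv3 / TLS 1.0 / TLS 1.1 on every "ssl" bind unless a bind line overrides it.
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11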
defaults
# Inherit the global log targets; HTTP mode with per-request logging for every proxy below.
log global
mode http
option httplog
# Skip log lines for connections that carried no data (e.g. TCP health checks).
option dontlognull
# timeout connect 5000
# timeout client 50000
# timeout server 50000
# NOTE(review): these error pages use the stock /etc/haproxy layout; the SCL build on this
# page keeps its files under /etc/opt/rh/rh-haproxy18/haproxy, so check the path before enabling.
# errorfile 400 /etc/haproxy/errors/400.http
# errorfile 403 /etc/haproxy/errors/403.http
# errorfile 408 /etc/haproxy/errors/408.http
# errorfile 500 /etc/haproxy/errors/500.http
# errorfile 502 /etc/haproxy/errors/502.http
# errorfile 503 /etc/haproxy/errors/503.http
# errorfile 504 /etc/haproxy/errors/504.http
# Add X-Forwarded-For for every client except loopback sources.
option forwardfor except 127.0.0.1/8
option http-server-close
# One-day idle timeouts: an idle or slow client holds its connection (and one of the
# maxconn 10000 slots) for up to 24h, which is the exposure to slow-client exhaustion.
# The stats listener below shows the short (10s) form if these need tightening.
timeout client 1d
timeout server 1d
option redispatch
# 30 retries x "timeout connect 10s": a dead backend can hold a request ~5 minutes before a 503.
retries 30
timeout http-request 300s
timeout queue 1m
timeout connect 10s
timeout http-keep-alive 10s
timeout check 10s
maxconn 10000
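listen stats
  # Original was "bind *:999999": 999999 is above 65535, so HAProxy refuses to load this file.
  # <STATS_PORT> is a placeholder for a real port (not a value from the page). Binding on "*"
  # exposes the page on every interface; prefer 127.0.0.1 or a management address when
  # remote access is not needed.
  bind *:<STATS_PORT>
  mode http
  stats enable
  maxconn 10
  timeout client 10s
  timeout server 10s
  timeout connect 10s
  timeout queue 10s
  # The credential is plain text in this file, so keep the file readable by root/haproxy only
  # and do not reuse the password elsewhere. The value is taken literally: the page's curly
  # quotes would have become part of the password. <PASSWORD> is a placeholder.
  stats auth kimconnect:<PASSWORD>
  stats hide-version
  stats refresh 30s
  stats show-node
  stats realm Haproxy\ Statistics
  stats uri /
  # The original "stats admin if TRUE" let anyone holding the stats password disable or
  # enable servers from any address. LOCALHOST is HAProxy's built-in ACL (src 127.0.0.1/8),
  # so admin actions now require local access; the read-only page is unchanged.
  stats admin if LOCALHOST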
frontend http_in
  bind *:80
  mode http
  # Plain-HTTP entry point: every request is sent to the TLS listener with a permanent redirect.
  http-request redirect scheme https code 301 unless { ssl_fc }
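frontend https_in
  bind *:443 ssl crt /etc/certs/dragoncoin.com/dragoncoin.com.pem
  # set-header rather than reqadd: reqadd appended, so a client-supplied X-Forwarded-Proto
  # reached the backends alongside ours. Overwriting makes the value trustworthy to them.
  http-request set-header X-Forwarded-Proto https
  # acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  # use_backend letsencrypt-backend if letsencrypt-acl
  # Define sites. use_backend rules are evaluated in declaration order, first match wins.
  acl host_docker hdr(host) -i docker.dragoncoin.com
  acl host_dragoncoin hdr(host) -i dragoncoin.com
  acl host_shell hdr(host) -i shell.dragoncoin.com
  acl blog_in_url path_beg /blog/
  use_backend docker if host_docker
  use_backend shell if host_shell
  # Blog lives under /blog/ on the apex host. In the original this rule came after
  # "use_backend dragoncoin if host_dragoncoin" (so it could never match) and keyed on
  # "path_dom dragoncoin.com", which tests the URL path rather than the Host header.
  # It now precedes the catch-all and uses the same exact-host ACL.
  use_backend dragoncoin_blog if host_dragoncoin blog_in_url
  use_backend dragoncoin if host_dragoncoin
  # acl host_project hdr(host) -i project.dragoncoin.com
  # use_backend project if host_project
  # acl host_proxy hdr(host) -i proxy.dragoncoin.com
  # use_backend proxy if host_proxy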
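userlist shell-users
  # "insecure-password" stored the secret in clear text: anyone who can read this file
  # (or a backup of it) has the credential. "password" takes a crypt(3) hash instead;
  # SHA-512 crypt is the usual choice (e.g. generated with mkpasswd -m sha-512).
  # <SHA512_CRYPT_HASH> is a placeholder, not a value from the page.
  user kim password <SHA512_CRYPT_HASH>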
backend shell
  mode http
  option forwardfor
  option http-keep-alive
  # HTTP Basic auth against the shell-users userlist: a request without valid credentials
  # is answered with a 401 for realm "devops" and never reaches the server.
  acl devops-auth http_auth(shell-users)
  http-request auth realm devops unless devops-auth
  server web01 127.0.0.1:8080
#backend project
# mode http
# option forwardfor
# option http-keep-alive
# stats enable
# server web01 127.0.0.1:3000
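backend docker
  mode http
  # "stats enable" was active here. Inside a backend it publishes the stats page at the
  # default URI (/haproxy?stats) with no authentication, reachable by anyone whose request
  # is routed to this backend through the public https_in frontend. The dedicated
  # "listen stats" section already serves the page behind auth, so this copy is disabled.
  # stats enable
  option forwardfor
  option http-keep-alive
  server web01 127.0.0.1:9000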
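backend dragoncoin
  mode http
  option forwardfor
  option http-keep-alive
  # "stats enable" was active here. Inside a backend it publishes the stats page at the
  # default URI (/haproxy?stats) with no authentication, reachable by anyone whose request
  # is routed to this backend through the public https_in frontend. The dedicated
  # "listen stats" section already serves the page behind auth, so this copy is disabled.
  # stats enable
  server dragoncoin.com 127.0.0.1:8082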
backend dragoncoin_blog
  # Serves the /blog/ prefix of the apex site; plain HTTP to the local blog process.
  mode http
  option http-keep-alive
  option forwardfor
  server blog 127.0.0.1:8081
####################################################################
Troubleshooting
# Check backend connections using SSL
# NOTE(review): the "project" backend on this page points its server at 127.0.0.1:3000
# without "ssl", so this handshake check presumably targets a TLS-enabled service — confirm the port.
# s_client reads from stdin after the handshake; end the session with Ctrl-D or redirect </dev/null.
openssl s_client -connect 127.0.0.1:3000
WEB02 HAProxy Config
# Second node (WEB02): same SCL config path as above. The sections below are appended to
# the existing file; the global/defaults sections from the first node are assumed present.
vim /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
#### Add these at the end ####
frontend http_in
  bind *:80
  mode http
  # Plain-HTTP entry point: every request is sent to the TLS listener with a permanent redirect.
  http-request redirect scheme https code 301 unless { ssl_fc }
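frontend https_in
  bind *:443 ssl crt /etc/certs/dragoncoin.com/dragoncoin.com.pem
  # set-header rather than reqadd: reqadd appended, so a client-supplied X-Forwarded-Proto
  # reached the backends alongside ours. Overwriting makes the value trustworthy to them.
  http-request set-header X-Forwarded-Proto https
  # Host-based routing; the three hosts are disjoint, so rule order does not matter here.
  # ShellInABox
  acl host_shell hdr(host) -i shell.dragoncoin.com
  use_backend shell if host_shell
  # Portainer
  acl host_docker hdr(host) -i docker.dragoncoin.com
  use_backend docker if host_docker
  # Project
  acl host_project hdr(host) -i project.dragoncoin.com
  use_backend project if host_project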
#———————————————————————
# simple passwords to protect certain backends
#———————————————————————
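userlist shell-users
  # "insecure-password" stored the secret in clear text: anyone who can read this file
  # (or a backup of it) has the credential. "password" takes a crypt(3) hash instead;
  # SHA-512 crypt is the usual choice (e.g. generated with mkpasswd -m sha-512).
  # <SHA512_CRYPT_HASH> is a placeholder, not a value from the page.
  user kimconnect password <SHA512_CRYPT_HASH>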
#———————————————————————
# backends
#———————————————————————
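backend shell
  mode http
  option forwardfor
  option http-keep-alive
  # HTTP Basic auth against the shell-users userlist; unauthenticated requests get a 401.
  acl devops-auth http_auth(shell-users)
  http-request auth realm devops if !devops-auth
  # Original was "server static web01 127.0.0.1:8080 check". The server keyword takes
  # <name> <address>[:port] [params], so "web01" was parsed as the address and
  # "127.0.0.1:8080" as an unknown parameter. Health checking ("check") is kept.
  server web01 127.0.0.1:8080 check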
backend project
  # Project site; plain HTTP to the local process on port 3000.
  mode http
  option http-keep-alive
  option forwardfor
  server web01 127.0.0.1:3000
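backend docker
  mode http
  # "stats enable" was active here. Inside a backend it publishes the stats page at the
  # default URI (/haproxy?stats) with no authentication, reachable by anyone whose request
  # is routed to this backend through the public https_in frontend. Serve statistics from
  # a dedicated, authenticated "listen stats" section instead.
  # stats enable
  option forwardfor
  option http-keep-alive
  server web01 127.0.0.1:9000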