chinanetcloud training - haproxy intro

Upload: china-netcloud

Post on 12-Jul-2015

Page 1: ChinaNetCloud Training - HAProxy Intro

ChinaNetCloud
Running the World's Internet Servers 管理全球服务器

HAProxy
By ChinaNetCloud
Pioneers in OaaS – Operations-as-a-Service

January, 2015

www.ChinaNetCloud.com

Copyright 2015 ChinaNetcloud Training Program

ChinaNetCloud Training

Page 2: ChinaNetCloud Training - HAProxy Intro

Introduction

● HAProxy key part of most large systems
● World's most powerful software load balancer
● A little complex
● Interesting and fun

Page 3: ChinaNetCloud Training - HAProxy Intro

Load Balancer Overview

● Listen on front-end ports, usually 80/443
● Forwards to a back-end pool of servers
● Has health checks of back-end
  ● Only send to Healthy & UP servers
● Has sticky sessions, usually using cookies
● Web servers see LB as client, with LB's IP
● Use X-Forwarded-For Header to send real IP
  ● Important for web server logs

Page 4: ChinaNetCloud Training - HAProxy Intro

Load Balancer Overview

● Single LB, many web

● Two LB, many web

Page 5: ChinaNetCloud Training - HAProxy Intro

High-Avail HAProxy

● Two HAProxy
● Run Keepalived to manage failover
● Have front-end VIP
● We have standard config, Wiki
● Usually Physical / Private
  ● On Public Cloud use ELB or Heartbeat

Page 6: ChinaNetCloud Training - HAProxy Intro

HA Load Balancer – Public Cloud

● Amazon, Aliyun – Have their ELB/SLB in front
● Use theirs to help bandwidth and failover
  ● AWS – Need ELB for HA between zones
  ● Aliyun – Need SLB for single bandwidth point
● Still use two HAProxy
● HAProxy more powerful, configurable
● HAProxy can be monitored (Nginx can't)

Page 7: ChinaNetCloud Training - HAProxy Intro

Parts of HAProxy

● Front-End Listeners
● Back-End Pools
● ACLs
● Rewrites
● Logs
● Monitoring

Page 8: ChinaNetCloud Training - HAProxy Intro

Front-End

● Listening part of HAProxy
● Pretty simple
● Has IP, port to listen on
● Has networking options, like timeouts
● Includes vhost, name to listen on
● Can have several front-ends
  ● Usually for different domains, www., images., etc.
  ● Can go to same or different back-ends

Page 9: ChinaNetCloud Training - HAProxy Intro

Back End Pools

● Part that does the work
● Lots of options
● Also does logging, error handling
● And health checks of backend servers
● Has a backend server list
  ● Each server has options, weights, health checks

Page 10: ChinaNetCloud Training - HAProxy Intro

ACLs – Control & Multi-Pool

● Can split traffic by URL, host
● For vhost split, use second Front-end
● For URL split, use ACLs
● Based on Headers, URL, or Path
● If-then structure
● Also can avoid scans, DDoS
● Example:
  ● acl is_www_domain_com hdr_end(host) -i domain.com
  ● use_backend www_ex_com if is_www_domain_com

Page 11: ChinaNetCloud Training - HAProxy Intro

Rewrites

● Has basic rewrites
● Can be useful, especially cross-domain
● Usually better to rewrite on web server

Page 12: ChinaNetCloud Training - HAProxy Intro

Configuration

● Single file
● Has Global default section, for all Front/Back
● Has section for each Front & Back
● Not much to change, other than pools & URLs
  ● Sometimes change timeouts
  ● Sometimes advanced features like keepalive
● Sometimes Tomcat needs more changes
● server srv-example-web1_80 10.9.1.205:80 cookie srv-example-web1_80 check maxconn 2000

Page 13: ChinaNetCloud Training - HAProxy Intro

Session Stickiness

● Makes sure same user goes to same server
  ● Especially in one session
● Very important for Java
● Not very important for PHP if uses shared cache
● Can cause instability on big systems
● Done with separate (not session) cookie
● Remove cookie name in server list to disable

Page 14: ChinaNetCloud Training - HAProxy Intro

Logs

● Very powerful and useful
● Uses syslog, so /var/log/haproxy …
● Shows disconnect reason/state
  ● 4 letter code like CRNI, RHEP
  ● See manual for meaning
  ● Shows if Client or Backend server disconnected
    – Also often shows why or how
  ● Also shows if session/cookie was used
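
An added example (not part of the original slides): decoding the 4-letter termination state from HAProxy HTTP log lines and counting abnormal endings per client, which is a quick way to spot slow or aborted clients and failing backends. The letter tables are a subset taken from the HAProxy manual's logging section; the sample log lines, host names and addresses are constructed.

```python
import re
from collections import Counter

# Common letter meanings from the termination-state tables in the HAProxy manual.
CAUSE = {"C": "client aborted", "S": "server aborted or refused",
         "P": "proxy aborted or blocked", "R": "proxy resource exhausted",
         "I": "internal error", "c": "client-side timeout",
         "s": "server-side timeout", "-": "normal"}
PHASE = {"R": "waiting for client request", "Q": "waiting in queue",
         "C": "connecting to server", "H": "waiting for response headers",
         "D": "data transfer", "L": "sending last data", "T": "tarpitted",
         "-": "normal"}
REQ_COOKIE = {"N": "none sent", "I": "invalid", "D": "points at down server",
              "V": "valid", "E": "expired", "O": "old", "U": "unused", "-": "n/a"}
RSP_COOKIE = {"N": "none set", "I": "inserted by haproxy", "U": "updated",
              "P": "passed from server", "R": "rewritten", "D": "deleted", "-": "n/a"}

# Default HTTP log layout: client ip:port, [date], frontend, backend/server,
# timers, status, bytes, two captured cookies, termination state, counters...
LINE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[[^\]]+\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) \S+ (?P<status>-?\d+) \S+ \S+ \S+ "
    r"(?P<term>\S{4}) ")

def decode(term):
    """Explain each letter of a 4-letter HTTP termination state such as CRNI."""
    tables = (CAUSE, PHASE, REQ_COOKIE, RSP_COOKIE)
    return tuple(t.get(ch, "unknown") for t, ch in zip(tables, term))

def abnormal_by_client(lines):
    """Count sessions per (client IP, first two letters) that did not end '--'."""
    counts = Counter()
    for line in lines:
        m = LINE.search(line)
        if m and m["term"][:2] != "--":
            counts[(m["ip"], m["term"][:2])] += 1
    return counts

# Constructed sample lines in the default HTTP log format (documentation addresses).
SAMPLE = [
    'Jan 12 10:00:01 lb1 haproxy[2101]: 203.0.113.7:51234 [12/Jan/2015:10:00:01.120] www www_pool/web1 5/0/1/12/18 200 1532 - - --NI 3/3/1/1/0 0/0 "GET / HTTP/1.1"',
    'Jan 12 10:00:03 lb1 haproxy[2101]: 203.0.113.7:51240 [12/Jan/2015:10:00:03.010] www www_pool/web1 4/0/1/9/14 200 880 - - --VN 3/3/1/1/0 0/0 "GET /a.css HTTP/1.1"',
    'Jan 12 10:00:07 lb1 haproxy[2101]: 198.51.100.9:40111 [12/Jan/2015:10:00:02.000] www www/<NOSRV> -1/-1/-1/-1/5000 408 212 - - cR-- 4/4/0/0/0 0/0 "<BADREQ>"',
    'Jan 12 10:00:08 lb1 haproxy[2101]: 198.51.100.9:40112 [12/Jan/2015:10:00:03.000] www www/<NOSRV> -1/-1/-1/-1/5000 408 212 - - cR-- 4/4/0/0/0 0/0 "<BADREQ>"',
    'Jan 12 10:00:09 lb1 haproxy[2101]: 203.0.113.20:40300 [12/Jan/2015:10:00:06.000] www www_pool/web2 2/0/-1/-1/3004 503 212 - - SC-- 5/5/1/0/3 0/0 "GET /cart HTTP/1.1"',
]

if __name__ == "__main__":
    print(decode("CRNI"))
    for key, n in abnormal_by_client(SAMPLE).most_common():
        print(key, n, decode(key[1] + "--")[:2])
```
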

Page 15: ChinaNetCloud Training - HAProxy Intro

Monitoring

● Very good
● Keeps stats by pool and by servers
● Records status, errors, but not timing
● Unusual words:
  ● Sessions – Concurrent connections
  ● Session Rate – Request rate
● Two ways to use (Can also manage servers)
  ● API called via Socket
  ● GUI web interface
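
An added example (not from the original slides) of the socket API: it sends `show stat` to the HAProxy stats socket, parses the CSV reply, and reports each server's Sessions (`scur`), Session Rate (`rate`) and any server that is not UP. The socket path is an assumption (it is whatever the `stats socket` line in the global section names), and the sample reply is constructed with only a subset of the real columns.

```python
import csv
import io
import socket

def query_stats(sock_path="/var/run/haproxy.sock"):
    """Send 'show stat' to the stats socket and return the CSV reply.
    The default path is an assumption; use the one set by 'stats socket'."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"show stat\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:          # HAProxy closes the socket after the reply
                break
            chunks.append(data)
    return b"".join(chunks).decode()

def servers(csv_text):
    """Yield one dict per real server row (skips FRONTEND/BACKEND totals)."""
    # The header line starts with "# ", which is stripped before parsing.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("# ")))
    for row in reader:
        if row["svname"] not in ("FRONTEND", "BACKEND"):
            yield {"pool": row["pxname"], "server": row["svname"],
                   "status": row["status"],
                   "sessions": int(row["scur"] or 0),      # concurrent connections
                   "session_rate": int(row["rate"] or 0)}  # sessions in the last second

def not_up(csv_text):
    """Servers whose health state is anything other than UP."""
    return [(s["pool"], s["server"], s["status"])
            for s in servers(csv_text) if not s["status"].startswith("UP")]

# Constructed reply with a subset of the real columns (real output has many more).
SAMPLE_CSV = """# pxname,svname,scur,smax,stot,status,chkfail,rate,
www,FRONTEND,12,40,9001,OPEN,,35,
www_pool,web1,7,20,4500,UP,0,18,
www_pool,web2,0,18,4400,DOWN,3,0,
www_pool,BACKEND,7,38,8900,UP,,18,
"""

if __name__ == "__main__":
    for s in servers(SAMPLE_CSV):
        print(s)
    print("not UP:", not_up(SAMPLE_CSV))
```

Because the same socket can also manage servers, keep its file permissions restricted to the monitoring and operations accounts that need it.
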

Page 16: ChinaNetCloud Training - HAProxy Intro

GUI Web Monitor

● Lots of good detail

Page 17: ChinaNetCloud Training - HAProxy Intro

SSL in HAProxy

● Just got support in June, 2014 – Version 1.5
● Starting to see in production use
● Until now, we had to:
  ● Have to use Nginx in front
  ● Set Nginx on port 443 as proxy
  ● Sends traffic to HAProxy on port 80 or 81
    – Use 81 if need to keep SSL traffic separate
● Now we can use directly in version 1.5
● See docs on how to configure

Page 18: ChinaNetCloud Training - HAProxy Intro

Multi-Process

● HAProxy is single process – use single CPU
● Usually okay, but can limit scaling
  ● 250,000 connections, but only 2,500 requests/sec
  ● 50,000+ requests/sec, but only 2,500 concurrent connections
● Need special config and discussion to use
● It CAN run multi-process, but monitoring is wrong
  ● All monitoring by process, so gets confused
  ● Messy

Page 19: ChinaNetCloud Training - HAProxy Intro

Summary

● HAProxy important and powerful
● Very configurable
● Has pools
● Great logs
● Good luck!

Page 20: ChinaNetCloud Training - HAProxy Intro

Lab

● Create VM on AWS
● Install Nginx & Apache
  ● Configure Nginx on port 81 and Apache on 82
● Install HAProxy from RPM & Wiki
● Create frontend & backend for nginx, test
● Add ACL and Apache backend pool
  ● Split URLs between Nginx & Apache, test
● Look at monitor page, use CLI tools
● Look at logs, look up status codes

Page 21: ChinaNetCloud Training - HAProxy Intro

About ChinaNetCloud

www.ChinaNetCloud.com – +86-21-6422-1946 – [email protected]

ChinaNetCloud is a Shanghai-based, full-service Internet managed services provider (MSP). We architect, build, optimize, and manage large-scale systems for e-commerce, games, apps, mobile, media, and more.

We deliver Reliability, Performance, Scale, Security, and cost savings via our Operations-as-a-Service (OaaS) platform, which includes 7x24 operations, deep predictive monitoring, networking, security scanning, backups, databases, upgrades, rapid troubleshooting, configuration changes, and much more.

Our OaaS platform is state-of-the-art with a wide variety of sophisticated tools ranging from deep design to audit, migration, management, monitoring, backups, CMDB, load testing, capacity planning, performance analysis, portals, and much more.

Over six years, we've helped hundreds of internet companies improve their systems, focusing on Reliability, Performance, Scalability, Security, and Cost-Savings.

Let us help you today!

Page 22: ChinaNetCloud Training - HAProxy Intro

Contact ChinaNetCloud

Silicon Valley Office:

440 North Wolfe Road

Sunnyvale, 94085 USA ChinaNetCloud www.ChinaNetCloud.com

[email protected]

Shanghai Headquarters:

X2 Space 10601

1238 Xietu Lu

Shanghai, 200032 China

Beijing Office:

Lee World Business Building #305

57 Middle Xingfu Village Rd., Chaoyang

Beijing, 100027 China

T: +86-21-6422-1946