Installing HAProxy on Amazon Linux AMI
How to set up HAProxy on Amazon Web Services’s Amazon Linux AMI.
What is HAProxy?
HAProxy stands for High Availability Proxy and is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. HAProxy is particularly suited for websites or services under very high loads while needing persistence or Layer 7 processing. Supporting tens of thousands of connections is clearly realistic with today’s hardware. HAProxy’s modes of operation make its integration into existing architectures very easy and riskless, while still offering the possibility not to expose fragile web servers.
What is an Amazon Linux AMI?
The Amazon Linux AMI is a supported and maintained Linux image provided by Amazon Web Services for use on Amazon Elastic Compute Cloud (Amazon EC2). It is designed to provide a stable, secure, and high performance execution environment for applications running on Amazon EC2. It also includes packages that enable easy integration with Amazon Web Services, including launch configuration tools and many popular Amazon Web Services libraries and tools. Amazon Web Services provides on-going security and maintenance updates to all instances running the Amazon Linux AMI. The Amazon Linux AMI is provided at no additional charge to Amazon EC2 users.
Accessing the EC2 instance via SSH
You have two choices for accessing the EC2 instance:
- Connect via your browser using the Java SSH Client provided by AWS
- Connect using PuTTY: a free telnet/ssh client
If you choose to use PuTTY you will need to convert the PEM Key.
Check for Yum Updates
sudo yum check-update
Install updates via Yum
sudo yum update
It will ask you to confirm a few things during the process.
Stop services that are not required
sudo service sendmail stop
sudo chkconfig sendmail off
sudo chkconfig sendmail --del
Install HAProxy from EPEL repository
sudo yum install --enablerepo=epel haproxy
Backup HAProxy configuration
sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg_orig
sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg_backup
Change permissions on haproxy.cfg_orig
sudo chown ec2-user:ec2-user /etc/haproxy/haproxy.cfg_orig
Update the temporary HAProxy configuration file
/etc/haproxy/haproxy.cfg_orig
Example HAProxy configuration
This only allows access via SSL and redirects all HTTP to HTTPS. It also has a health check on the load-balanced servers and a handy HAProxy status page.
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     50000
    user        haproxy
    group       haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode        tcp
    log         global
    option      dontlognull
    retries     9999
    timeout queue   1m
    timeout connect 10s
    timeout client  1m
    timeout server  1m
    timeout check   5s
    maxconn     15000

#-----------------------------------
# status page.
#-----------------------------------
listen stats 0.0.0.0:8000
    mode http
    stats enable
    stats uri /haproxy
    stats realm HAProxy

#-----------------------------------
# Incoming HTTP / port 80
#-----------------------------------
listen IncomingHTTP
    mode http
    bind :80
    redirect location https://www.example.com code 301

#-----------------------------------
# Incoming HTTPS / port 443
#-----------------------------------
listen IncomingHTTPS
    mode tcp
    bind :443
    option ssl-hello-chk
    balance source
    option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www.example.com
    server ec2-server-1 ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com:443 check port 80 maxconn 5000
    server ec2-server-2 ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com:443 check port 80 maxconn 5000
Simple HAProxy configuration
This allows access to HTTP. It also has a health check on the load-balanced servers and a handy HAProxy status page.
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     50000
    user        haproxy
    group       haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode        tcp
    log         global
    option      dontlognull
    retries     9999
    timeout queue   1m
    timeout connect 10s
    timeout client  1m
    timeout server  1m
    timeout check   5s
    maxconn     15000

#-----------------------------------
# HAProxy Status page / port 8000
#-----------------------------------
listen stats 0.0.0.0:8000
    mode http
    stats enable
    stats uri /haproxy
    stats realm HAProxy

#-----------------------------------
# Incoming HTTP / port 80
#-----------------------------------
listen IncomingHTTP
    mode tcp
    bind :80
    option ssl-hello-chk
    balance source
    option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www.example.com
    server ec2-server-1 ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com:80 check port 80 maxconn 5000
    server ec2-server-2 ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com:80 check port 80 maxconn 5000
Copy the HAProxy configuration to live
sudo cp /etc/haproxy/haproxy.cfg_orig /etc/haproxy/haproxy.cfg
Starting HAProxy
sudo service haproxy start
Getting HAProxy’s Status
sudo service haproxy status
Stopping HAProxy
sudo service haproxy stop
Security Groups
The configuration above would require a security group configured like this:
- Allow port 22 from your office IP e.g. XXX.XXX.XXX.XXX/32
- Allow 8000 access from your office IP
- Allow HTTP (port 80) access from everyone e.g. 0.0.0.0/0
- Allow HTTPS (port 443) access from everyone
Your HAProxy configuration will require a different security group configuration.
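The status page in the configurations above has no `stats auth` line, so the security group is the only control on port 8000. The following is an added example, not part of the original post: it parses the listeners out of a HAProxy configuration and checks them against a list of ingress rules. The `(port, CIDR)` rule format, the function names and the 203.0.113.10 office address are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the listeners from the SSL configuration above.
SAMPLE_CFG = """\
listen stats 0.0.0.0:8000
    stats enable
listen IncomingHTTP
    bind :80
listen IncomingHTTPS
    bind :443
"""
# Constructed ingress rules as (port, CIDR); 203.0.113.10 stands in for the office IP.
OFFICE_ONLY = [(22, "203.0.113.10/32"), (8000, "203.0.113.10/32"),
               (80, "0.0.0.0/0"), (443, "0.0.0.0/0")]

def parse_listeners(cfg):
    """Map each listen/frontend section to its ports and stats settings."""
    sections, cur = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        addrs = []
        if words[:1] in (["listen"], ["frontend"]) and len(words) > 1:
            cur = sections.setdefault(words[1], {"ports": set(), "enable": False, "auth": False})
            addrs = words[2:3]  # old-style "listen <name> <addr:port>"
        elif words[:1] in (["global"], ["defaults"], ["backend"]):
            cur = None  # these sections do not listen on TCP ports
        elif cur is not None and words[:1] == ["bind"]:
            addrs = words[1:2]
        elif cur is not None and words[:2] in (["stats", "enable"], ["stats", "auth"]):
            cur[words[1]] = True
        for part in ",".join(addrs).split(","):
            m = re.search(r":(\d+)$", part)
            if m:
                cur["ports"].add(int(m.group(1)))
    return sections

def audit(cfg, rules, public_ports=(80, 443)):
    """Return findings for SSH or listeners exposed to 0.0.0.0/0 without need."""
    world = {p for p, cidr in rules if ipaddress.ip_network(cidr).prefixlen == 0}
    findings = ["ssh: port 22 open to the world"] if 22 in world else []
    for name, s in parse_listeners(cfg).items():
        for port in sorted(s["ports"] & world):
            if s["enable"] and not s["auth"]:
                findings.append(f"{name}: unauthenticated stats page on port {port} open to the world")
            elif port not in public_ports:
                findings.append(f"{name}: port {port} open to the world")
    return findings
```

With the rules listed above, `audit(SAMPLE_CFG, OFFICE_ONLY)` returns no findings; opening port 8000 or 22 to 0.0.0.0/0 produces one finding each.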
Cel May 16th
Thanks so much for this hands-on guide, saved me numerous hours of frustration!
The only thing I did differently was just use
sudo yum install haproxy
as don't seem to need to enable any disabled repositories if using Amazon Linux AMI 2013.03 (http://aws.amazon.com/amazon-linux-ami/latest-release-notes/)
DevMon January 7th
This is a very good article. Thank you very much and keep up the good work.
Cheers
dD January 24th
Thank you! This helped so much and I was up and running within minutes of just finding out that I couldn’t do this with Amazon’s ELB. This is a great alternative for people that need to have only the A record on their domain registrar changed. Instead of futzing with CNAMEs and apex domain forwarding.