Installing HAProxy on Amazon Linux AMI

How to set up HAProxy on the Amazon Linux AMI from Amazon Web Services.

What is HAProxy?

HAProxy stands for High Availability Proxy and is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. HAProxy is particularly suited for websites or services under very high loads that also need persistence or Layer 7 processing. Supporting tens of thousands of connections is clearly realistic with today’s hardware. HAProxy’s modes of operation make its integration into existing architectures very easy and low-risk, while still offering the possibility of not exposing fragile web servers.

What is an Amazon Linux AMI?

The Amazon Linux AMI is a supported and maintained Linux image provided by Amazon Web Services for use on Amazon Elastic Compute Cloud (Amazon EC2). It is designed to provide a stable, secure, and high performance execution environment for applications running on Amazon EC2. It also includes packages that enable easy integration with Amazon Web Services, including launch configuration tools and many popular Amazon Web Services libraries and tools. Amazon Web Services provides on-going security and maintenance updates to all instances running the Amazon Linux AMI. The Amazon Linux AMI is provided at no additional charge to Amazon EC2 users.

Accessing the EC2 instance via SSH

You have two choices for accessing the EC2 instance:

  • Connect via your browser using the Java SSH Client provided by AWS
  • Connect using PuTTY: a free telnet/ssh client

If you choose to use PuTTY, you will need to convert the PEM key.

Check for Yum Updates

sudo yum check-update

Install updates via Yum

sudo yum update

It will ask you to confirm a few things during the process.

Stop services that are not required

sudo service sendmail stop
sudo chkconfig sendmail off
sudo chkconfig sendmail --del

Install HAProxy from EPEL repository

sudo yum install --enablerepo=epel haproxy

Backup HAProxy configuration

sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg_orig
sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg_backup

Change permissions on haproxy.cfg_orig

sudo chown ec2-user:ec2-user /etc/haproxy/haproxy.cfg_orig

Update the temporary HAProxy configuration file

/etc/haproxy/haproxy.cfg_orig

Example HAProxy configuration

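This configuration only allows access via SSL and redirects all HTTP to HTTPS. Port 443 is handled in TCP mode, so the SSL session is passed through to the backend servers rather than terminated on HAProxy. It also has a health check on the load-balanced servers and a handy HAProxy status page.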

global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     50000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode                    tcp
    log                     global
    option                  dontlognull
    retries                 9999
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout check           5s
    maxconn                 15000


#-----------------------------------
# status page.
#-----------------------------------
listen stats 0.0.0.0:8000
    mode http
    stats enable
    stats uri /haproxy
    stats realm HAProxy

#-----------------------------------
# Incoming HTTP / port 80
#-----------------------------------
listen IncomingHTTP
    mode http
    bind :80
    redirect location https://www.example.com code 301

#-----------------------------------
# Incoming HTTPS / port 443
#-----------------------------------
listen IncomingHTTPS
    mode tcp
    bind :443
    option ssl-hello-chk
    balance source
    option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www.example.com
    server ec2-server-1 ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com:443 check port 80 maxconn 5000
    server ec2-server-2 ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com:443 check port 80 maxconn 5000

Simple HAProxy configuration

This configuration allows access over HTTP. It also has a health check on the load-balanced servers and a handy HAProxy status page.

global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     50000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode                    tcp
    log                     global
    option                  dontlognull
    retries                 9999
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout check           5s
    maxconn                 15000


#-----------------------------------
# HAProxy Status page / port 8000
#-----------------------------------
listen stats 0.0.0.0:8000
    mode http
    stats enable
    stats uri /haproxy
    stats realm HAProxy

#-----------------------------------
# Incoming HTTP / port 80
#-----------------------------------
listen IncomingHTTP
    mode tcp
    bind :80
    balance source
    option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www.example.com
    server ec2-server-1 ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com:80 check port 80 maxconn 5000
    server ec2-server-2 ec2-xxx-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com:80 check port 80 maxconn 5000
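
Both configurations above publish the status page on 0.0.0.0:8000 with a realm but no credentials, so the security group is the only thing protecting it. The following Python check is an added example, not part of the original article: it flags stats listeners in a haproxy.cfg that have no `stats auth` line or that listen on every interface. The function names and the sample text are assumptions made for the illustration.

```python
import re

SECTION = re.compile(r"^(global|defaults|listen|frontend|backend)\b\s*(.*)$")
OPEN_HOSTS = {"", "*", "0.0.0.0", "::", "[::]"}

# Constructed sample: the stats listener as written in the configurations above.
SAMPLE_CFG = """
listen stats 0.0.0.0:8000
    mode http
    stats enable
    stats uri /haproxy
    stats realm HAProxy

listen IncomingHTTP
    mode http
    bind :80
"""

def parse_sections(text):
    """Split haproxy.cfg text into [kind, header_args, directive_lines] entries."""
    sections = []
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # strip comments, squeeze spaces
        match = SECTION.match(line)
        if match:
            sections.append([match.group(1), match.group(2).split(), []])
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def audit_stats(text):
    """Return (proxy, finding) pairs for sections that enable the stats page.
    Settings inherited from a defaults section are not modelled."""
    findings = []
    for kind, args, body in parse_sections(text):
        if kind in ("global", "defaults") or "stats enable" not in body:
            continue
        name = args[0] if args else "(unnamed)"
        if not any(d.startswith("stats auth ") for d in body):
            findings.append((name, "stats page has no 'stats auth' credentials"))
        # Addresses come from the legacy "listen <name> <addr>" form and bind lines.
        binds = [d.split()[1] for d in body if d.startswith("bind ") and len(d.split()) > 1]
        for addr in args[1:] + binds:
            if addr.rsplit(":", 1)[0] in OPEN_HOSTS:
                findings.append((name, addr + " listens on every interface"))
    return findings

if __name__ == "__main__":
    for proxy, finding in audit_stats(SAMPLE_CFG):
        print(f"{proxy}: {finding}")
```

Run it against /etc/haproxy/haproxy.cfg_orig before copying the file to live; an empty result means every stats listener has a password and a specific bind address.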

Copy the HAProxy configuration to live

sudo cp /etc/haproxy/haproxy.cfg_orig /etc/haproxy/haproxy.cfg

Starting HAProxy

sudo service haproxy start

Getting HAProxy’s Status

sudo service haproxy status

Stopping HAProxy

sudo service haproxy stop

Security Groups

The configuration above would require a security group configured like this:

  • Allow port 22 from your office IP e.g. XXX.XXX.XXX.XXX/32
  • Allow 8000 access from your office IP
  • Allow HTTP (port 80) access from everyone e.g. 0.0.0.0/0
  • Allow HTTPS (port 443) access from everyone

Your own HAProxy configuration will require a different security group configuration.
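
To confirm that a live security group really matches the list above, the rules can be checked mechanically. This Python function is an added example, not part of the original article: it takes the `IpPermissions` list that `aws ec2 describe-security-groups` prints and reports any rule open to everyone on a port other than 80 or 443. The function name and the sample rules are assumptions made for the illustration.

```python
WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_TCP_PORTS = {80, 443}  # the only ports the article opens to everyone

# Constructed sample in the IpPermissions shape printed by
# `aws ec2 describe-security-groups`; 203.0.113.10 is a documentation address
# standing in for the office IP, and port 8000 is deliberately left open.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

def world_open_rules(permissions, public_tcp_ports=PUBLIC_TCP_PORTS):
    """Return (protocol, from_port, to_port, cidr) for rules open to everyone
    on anything other than the ports meant to be public."""
    flagged = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":                      # "-1" means all protocols and ports
            lo, hi = 0, 65535
        elif proto in ("tcp", "udp"):
            lo, hi = perm["FromPort"], perm["ToPort"]
        else:
            continue                           # ICMP: FromPort/ToPort are not ports
        intended = proto == "tcp" and all(
            port in public_tcp_ports for port in range(lo, hi + 1))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD and not intended:
                flagged.append((proto, lo, hi, cidr))
    return flagged

if __name__ == "__main__":
    for rule in world_open_rules(SAMPLE_PERMISSIONS):
        print("open to everyone:", rule)
```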



Comments

  1. Cel May 16th

    thanks so much for this hands-on guide, saved me numerous hours of frustration!

    the only thing I did differently was just use
    sudo yum install haproxy
    as don't seem to need to enable any disabled repositories if using Amazon Linux AMI 2013.03 (http://aws.amazon.com/amazon-linux-ami/latest-release-notes/)


  2. DevMon January 7th

    This is very good article. Thank you very much and keep up the good work.

    Cheers


  3. dD January 24th

    Thank you! This helped so much and I was up and running within minutes of just finding out that I couldn’t do this with Amazon’s ELB. This is a great alternative for people that need to have only the A record on their domain registrar changed. Instead of futzing with CNAMEs and apex domain forwarding.


About Author

Robert

Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning hands down.