HAProxy ist der führende Open-Source Load Balancer. Er verteilt Anfragen auf mehrere Backend-Server und sorgt für Hochverfügbarkeit und Skalierbarkeit.
Installation
# Debian/Ubuntu (distribution packages may lag behind upstream — keep them patched,
# HAProxy sits in front of everything and parses untrusted HTTP)
apt install haproxy
# RHEL/CentOS
dnf install haproxy
# check the version; "haproxy -vv" additionally prints the build options and the linked TLS library
haproxy -v
Konfiguration
Struktur
/etc/haproxy/haproxy.cfg
global # Globale Einstellungen
defaults # Standard-Optionen
frontend # Eingehende Verbindungen
backend # Backend-Server
listen # Kombiniert Frontend + Backend
Grundkonfiguration
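# /etc/haproxy/haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 notice
    # With chroot enabled the process can no longer reach the system's
    # /dev/log; the syslog daemon has to provide a socket inside the chroot
    # (rsyslog: $AddUnixListenSocket /var/lib/haproxy/dev/log).
    chroot /var/lib/haproxy
    # "level admin" = full control over the running instance (disable servers,
    # change weights, ...). mode 660 + group haproxy means every member of
    # that group has that power — keep the group small.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # TLS defaults for every "bind ... ssl": TLS 1.2 as floor, AEAD ciphers
    # with forward secrecy only. TLS 1.3 suites are configured separately
    # (needs OpenSSL >= 1.1.1 — drop the line if "haproxy -c" rejects it).
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:DHE+AESGCM
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    # same floor for outgoing TLS connections to backends ("server ... ssl")
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    log global
    mode http
    option httplog
    # do not log connections that sent no data (e.g. TCP health probes);
    # note that this also hides plain port scans from the log
    option dontlognull
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    # Bound the time a client may take to send the complete request headers.
    # Without it a client can hold a connection open with a half-sent request
    # for the full "timeout client" (slowloris-style connection exhaustion).
    timeout http-request 10s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http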
errorfile 504 /etc/haproxy/errors/504.http
HTTP Load Balancing
Einfaches Setup
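frontend http_front
    bind *:80
    # Pass the real client address on to the backends in X-Forwarded-For.
    # Without this the backends only ever see HAProxy's own address in their
    # logs and access controls. The header is appended to, so a backend must
    # trust only the LAST entry (the one HAProxy added).
    option forwardfor
    default_backend http_back

backend http_back
    balance roundrobin
    server web1 192.168.1.10:80 check
    server web2 192.168.1.11:80 check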
server web3 192.168.1.12:80 check
Mit Health Checks
backend http_back
balance roundrobin
# Layer-7 check: GET /health (sent as HTTP/1.0 without a Host header unless
# configured otherwise). The endpoint should be cheap, must not require
# authentication, and should not be reachable from the outside.
option httpchk GET /health
# only a 200 counts as healthy (without "expect" any 2xx/3xx would do)
http-check expect status 200
# inter = check interval, fall = consecutive failures before DOWN,
# rise = consecutive successes before UP again
server web1 192.168.1.10:80 check inter 5s fall 3 rise 2
server web2 192.168.1.11:80 check inter 5s fall 3 rise 2
server web3 192.168.1.12:80 check inter 5s fall 3 rise 2 backup
Parameter
| Option | Beschreibung |
|--------|--------------|
| check | Health Check aktivieren |
| inter | Check-Intervall |
| fall | Fehler bis offline |
| rise | Erfolge bis online |
| weight | Gewichtung |
| backup | Nur wenn andere offline |
Balancing-Algorithmen
# Round Robin (default): requests distributed evenly, server weights honoured
balance roundrobin
# Least Connections: next request goes to the server with the fewest active connections
balance leastconn
# Source IP hash (sticky): same client address -> same server.
# NOTE(review): behind NAT or a CDN many clients share one address and all
# land on the same server.
balance source
# URI hash: same URI -> same server (cache-friendly)
balance uri
# Header hash, here on the Host header.
# NOTE(review): URI and headers are attacker-controlled — a client can pick
# values that all hash to one server and overload it.
balance hdr(Host)
SSL-Termination
Let's Encrypt
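# Obtain the certificate. "--standalone" starts its own web server on port 80,
# so HAProxy must not be listening there at that moment (stop it, or use the
# webroot method / a different --http-01-port that HAProxy forwards to).
certbot certonly --standalone -d example.de
# HAProxy expects chain + private key in ONE PEM file. That file contains the
# private key, so create directory and file readable by root only; HAProxy
# loads certificates at startup before it drops privileges.
# Repeat this step after every renewal (certbot --deploy-hook) and reload HAProxy.
install -d -m 700 -o root -g root /etc/haproxy/certs
umask 077   # files created from here on get mode 600 (applies to the whole shell session)
cat /etc/letsencrypt/live/example.de/fullchain.pem \
    /etc/letsencrypt/live/example.de/privkey.pem \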
> /etc/haproxy/certs/example.de.pem
SSL Frontend
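frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.de.pem
    bind *:80
    # HTTP -> HTTPS; 301 so that clients and caches remember the redirect
    http-request redirect scheme https code 301 unless { ssl_fc }
    # HSTS: browsers then use HTTPS only for this host (1 year). Only sent on
    # TLS responses; add "includeSubDomains" only once every subdomain works
    # over TLS, it is hard to take back.
    http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }
    # Tell the backends the original scheme and client address. The scheme is
    # SET (not appended), so a client cannot smuggle its own X-Forwarded-Proto.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http unless { ssl_fc }
    option forwardfor
    default_backend http_back

backend http_back
    balance roundrobin
    server web1 192.168.1.10:80 check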
server web2 192.168.1.11:80 check
SSL zu Backends
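backend https_back
    balance roundrobin
    option ssl-hello-chk
    # Re-encrypt to the backends AND verify their certificates. "verify none"
    # accepts any certificate, so anyone who can intercept traffic on the
    # backend network can impersonate a server and read or modify every
    # request. ca-file = CA that issued the backend certificates; verifyhost =
    # the name the certificate must carry (SAN/CN), checked on top of the chain.
    default-server ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem
    server web1 192.168.1.10:443 check verifyhost web1.example.de
    server web2 192.168.1.11:443 check verifyhost web2.example.de
ACLs und Routing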
URL-basiertes Routing
frontend http_front
bind *:80
# Define ACLs on the URL path. path_beg is a case-sensitive prefix test on
# the raw (not normalized or decoded) path — fine for routing, but do not
# rely on it alone for access control.
acl is_api path_beg /api
acl is_static path_beg /static
# NOTE(review): websockets are recognised by path only here; a test on the
# Upgrade header (hdr(Upgrade) -i websocket) would be the more robust signal
acl is_websocket path_beg /ws
# Select the backend: the first matching rule wins, everything else falls
# through to the default backend
use_backend api_back if is_api
use_backend static_back if is_static
use_backend ws_back if is_websocket
default_backend web_back
Host-basiertes Routing
frontend http_front
bind *:80
# Route by Host header (case-insensitive exact match). The header is
# client-controlled, so this selects a backend but is NOT access control:
# anyone can send "Host: admin.example.de". A Host value with a port
# ("www.example.de:8080") would not match these exact comparisons.
# There is no default_backend, so requests for any other host get a 503
# (fail-closed) — intended here.
acl host_www hdr(host) -i www.example.de
acl host_api hdr(host) -i api.example.de
acl host_admin hdr(host) -i admin.example.de
use_backend www_back if host_www
use_backend api_back if host_api
use_backend admin_back if host_admin
IP-basierte Einschränkungen
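frontend http_front
    bind *:80
    # Allowed networks. "src" is the TCP peer address: only trustworthy when
    # HAProxy terminates the client connections itself. Behind another proxy
    # or a CDN every request carries that proxy's address and this check is
    # void (and never enable accept-proxy on an untrusted bind).
    acl allowed_ips src 192.168.1.0/24 10.0.0.0/8
    # Admin area only from the internal networks. Case-insensitive, so that
    # "/Admin" cannot slip past when the backend treats paths case-insensitively.
    # HAProxy does not normalize the path: "/./admin" or "/%61dmin" do not
    # match here but may well be served as /admin by the backend — normalize
    # before this rule (HAProxy >= 2.4: "http-request normalize-uri ...") or
    # enforce the restriction on the backend as well.
    acl is_admin path_beg -i /admin
    http-request deny if is_admin !allowed_ips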
default_backend web_back
Session Persistence
Cookie-basiert
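backend http_back
    balance roundrobin
    # Persistence cookie set by HAProxy. "indirect" strips it before the
    # request reaches the server, "nocache" marks responses that set it as
    # not cacheable so that one cached page cannot hand the same cookie to
    # everyone. "httponly" keeps it out of reach of client-side scripts; add
    # "secure" once clients are served over TLS only. The cookie value still
    # reveals which backend a client is pinned to.
    cookie SERVERID insert indirect nocache httponly
    server web1 192.168.1.10:80 check cookie s1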
server web2 192.168.1.11:80 check cookie s2
Source IP
backend http_back
# hash the client address: the same client always reaches the same server
# (clients behind a shared NAT or proxy all map to one server)
balance source
# consistent hashing: adding or removing a server remaps only a fraction
# of the clients instead of reshuffling all of them
hash-type consistent
server web1 192.168.1.10:80 check
server web2 192.168.1.11:80 check
TCP Load Balancing
MySQL
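listen mysql_cluster
    # Listens on every interface: a database proxy should only be reachable
    # from the application network — bind to that address instead of "*".
    bind *:3306
    mode tcp
    # Round robin across MySQL nodes is only safe for a multi-master setup
    # (e.g. Galera); with classic replication writes must go to one primary.
    balance roundrobin
    # mysql-check logs in as this user without a password, so the account
    # must exist for HAProxy's source addresses and carry NO privileges:
    #   CREATE USER 'haproxy'@'192.168.1.%';
    option mysql-check user haproxy
    # the 50s client/server timeouts inherited from "defaults" would cut
    # idle database connections; allow a longer inactivity window here
    timeout client 1h
    timeout server 1h
    server mysql1 192.168.1.20:3306 check
    server mysql2 192.168.1.21:3306 check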
server mysql3 192.168.1.22:3306 check backup
Redis
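listen redis_cluster
    # Exposed on every interface — bind to the application-facing address;
    # Redis brings no network-level protection of its own.
    bind *:6379
    mode tcp
    balance roundrobin
    # inherited 50s timeouts from "defaults" would drop idle client connections
    timeout client 1h
    timeout server 1h
    # A bare TCP connect says nothing about Redis itself; speak the protocol
    # and require a PONG. With "requirepass" a
    #   tcp-check send AUTH\ <password>\r\n / tcp-check expect string +OK
    # pair must precede the PING (the password then lives in this file).
    # To send traffic to the master only, additionally check
    #   tcp-check send info\ replication\r\n / tcp-check expect string role:master
    option tcp-check
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server redis1 192.168.1.30:6379 check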
server redis2 192.168.1.31:6379 check backup
Stats-Interface
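listen stats
    bind *:8404
    # The stats page reveals the whole backend topology and health state and,
    # through "stats admin", lets the viewer take servers offline. Limit it to
    # the management network (adjust the CIDRs), or better bind it to an
    # internal address / behind TLS instead of every interface.
    acl mgmt_net src 127.0.0.1 192.168.1.0/24
    http-request deny unless mgmt_net
    stats enable
    stats uri /stats
    stats refresh 10s
    # admin actions only from the management network — never "if TRUE".
    # "stats auth" (next line) sends a Basic-auth password in cleartext over
    # plain HTTP and stores it in this file: use a strong value, protect the file.
    stats admin if mgmt_net
    stats hide-version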
stats auth admin:secret_password
Zugriff: http://server:8404/stats — das Interface sollte nur aus einem Management-Netz erreichbar sein; über reines HTTP überträgt `stats auth` das Passwort im Klartext.
Logging
Syslog
global
# syslog via the local unix socket; with "chroot" the process needs a
# /dev/log inside the chroot directory, which the syslog daemon must create
log /dev/log local0
log /dev/log local1 notice
rsyslog-Konfiguration
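# /etc/rsyslog.d/49-haproxy.conf
# HAProxy runs chrooted to /var/lib/haproxy and cannot reach the system's
# /dev/log from there; let rsyslog open an additional socket inside the chroot
# (needs the imuxsock module, loaded by default on most systems).
$AddUnixListenSocket /var/lib/haproxy/dev/log
# /var/log/haproxy/ must exist and be writable by rsyslog
local0.* /var/log/haproxy/haproxy.log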
local1.notice /var/log/haproxy/haproxy-status.log
Custom Log-Format
# Custom log format (next line): %hr/%hs are captured request/response
# headers, %CC/%CS captured cookies — make sure no credentials (Authorization,
# session cookies) are captured into the log.
defaults
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
Rate Limiting
frontend http_front
bind *:80
# Stick table keyed by client IP: up to 100k entries, an entry expires 30s
# after its last update, stores the request rate over a 10s sliding window.
# NOTE(review): the table is local to this instance — it is not shared with
# other HAProxy nodes unless a "peers" section is configured.
stick-table type ip size 100k expire 30s store http_req_rate(10s)
# Track every request under the client's address. Tracking happens before
# the deny rule, so blocked requests keep the counter (and the block) up.
http-request track-sc0 src
# Limit: more than 100 requests per 10s.
# NOTE(review): the key is the TCP peer address — behind a CDN or another
# proxy all clients share it and the limit hits everyone at once.
acl rate_limited sc_http_req_rate(0) gt 100
http-request deny deny_status 429 if rate_limited
Kompression
frontend http_front
bind *:80
# gzip responses of the listed MIME types.
# NOTE(review): compressing responses that mix secrets (CSRF tokens, session
# data) with attacker-controlled input exposes them to BREACH-style attacks —
# exclude such responses from compression.
compression algo gzip
compression type text/html text/plain text/css application/javascript application/json
Keepalive
defaults
# keep client connections open between requests
option http-keep-alive
# close an idle keep-alive connection after 10s
timeout http-keep-alive 10s
backend http_back
# without arguments the check defaults to "OPTIONS /"
option httpchk
http-reuse safe
Verwaltung
Konfiguration prüfen
haproxy -c -f /etc/haproxy/haproxy.cfg
Graceful Reload
systemctl reload haproxy
Runtime-API
# Take a server out of rotation. The socket was created with "level admin":
# whoever can write to it controls the whole load balancer — keep its file
# permissions (mode 660, group haproxy) tight.
echo "disable server http_back/web1" | socat stdio /run/haproxy/admin.sock
# bring the server back
echo "enable server http_back/web1" | socat stdio /run/haproxy/admin.sock
# dump statistics (read-only)
echo "show stat" | socat stdio /run/haproxy/admin.sock
Praktisches Beispiel
Komplettes Setup
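global
    log /dev/log local0
    # with chroot the syslog socket must exist inside /var/lib/haproxy
    chroot /var/lib/haproxy
    # level admin = full control; only members of group haproxy can reach it
    stats socket /run/haproxy/admin.sock mode 660 level admin
    user haproxy
    group haproxy
    daemon
    # same TLS floor as in the basic configuration: TLS 1.2+, AEAD ciphers
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:DHE+AESGCM

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    # bound the time a client may take to send its request headers (slowloris)
    timeout http-request 10s

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.de.pem
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Headers for the backends. X-Forwarded-Proto and X-Real-IP are SET (not
    # appended), so a client cannot inject its own values; X-Forwarded-For is
    # appended to, so backends must trust only its last entry.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http unless { ssl_fc }
    http-request set-header X-Real-IP %[src]
    option forwardfor
    # HSTS only on TLS responses (browsers ignore it on plain HTTP anyway)
    http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }
    # Routing
    acl is_api path_beg /api
    use_backend api_back if is_api
    default_backend web_back

backend web_back
    balance roundrobin
    option httpchk GET /health
    http-check expect status 200
    # persistence cookie: not readable by scripts, only sent over TLS
    # (all client traffic is TLS because of the redirect above)
    cookie SERVERID insert indirect nocache httponly secure
    server web1 192.168.1.10:80 check cookie w1 weight 100
    server web2 192.168.1.11:80 check cookie w2 weight 100
    server web3 192.168.1.12:80 check cookie w3 weight 50 backup

backend api_back
    balance leastconn
    option httpchk GET /api/health
    # same strictness as web_back: only a 200 is healthy
    http-check expect status 200
    server api1 192.168.1.20:8080 check
    server api2 192.168.1.21:8080 check

listen stats
    bind *:8404
    # management network only (adjust the CIDRs); the stats page reveals the
    # complete topology, and "stats auth" below uses cleartext Basic auth
    acl mgmt_net src 127.0.0.1 192.168.1.0/24
    http-request deny unless mgmt_net
    stats enable
    stats uri /stats
    stats hide-version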
stats auth admin:secret
Zusammenfassung
| Begriff | Beschreibung |
|---------|--------------|
| Frontend | Eingehende Verbindungen |
| Backend | Server-Pool |
| ACL | Access Control List |
| Stick Table | Session-Tracking |
| Health Check | Server-Prüfung |
| Algorithmus | Verwendung |
|-------------|------------|
| roundrobin | Gleichmäßige Verteilung |
| leastconn | Wenigste Verbindungen |
| source | Session-Sticky |
| uri | URL-basiert |
| Datei | Funktion |
|-------|----------|
| /etc/haproxy/haproxy.cfg | Hauptkonfiguration |
| /var/log/haproxy/ | Logs |
| /run/haproxy/admin.sock | Runtime-API |
Fazit
HAProxy ist extrem leistungsfähig und flexibel. SSL-Termination entlastet Backend-Server; der Verkehr zwischen HAProxy und den Backends ist dann allerdings unverschlüsselt, sofern er nicht – mit Zertifikatsprüfung – erneut per TLS abgesichert wird. ACLs ermöglichen komplexes Routing. Health Checks sorgen für Ausfallsicherheit. Das Stats-Interface bietet Echtzeit-Überwachung und sollte nur aus vertrauenswürdigen Netzen erreichbar sein. Für Hochverfügbarkeit sollte HAProxy selbst redundant ausgelegt werden.