How to install and configure HAProxy on CentOS 7
In this tutorial we show how to install and configure HAProxy on CentOS 7.
HAProxy is an open source TCP/HTTP load balancer, proxy server and SSL/TLS terminator that offers high performance and reliability for web sites with a high volume of traffic.
In this guide we set up HAProxy as a load balancer for 2 Nginx web servers. Here is our environment:
OS: CentOS 7 on VMware
Firewall: firewalld
SELinux: enforcing
HAProxy Public IP address: 192.168.147.132
HAProxy Private IP address: 192.168.17.128
Web server 1 IP address: 192.168.17.130
Web server 2 IP address: 192.168.17.131
Client: Windows 10
Client IP Address: 192.168.147.129
1- Install Nginx
Refer to the guide "How to install Nginx web server on CentOS 7 Linux".
2- Install and configure HAProxy
To install HAProxy, we simply use the repository:
# yum install haproxy
Then we start and enable the HAProxy service:
# systemctl start haproxy
# systemctl enable haproxy
# systemctl status haproxy
3- Configure SELinux
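To allow HAProxy to access port 5002 when SELinux is enabled, we should modify the SELinux policy. Issue the following commands:
# grep haproxy /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
audit2allow -M also writes the generated rules to mypol.te. Read that file before loading the module, because it allows every HAProxy denial found in the audit log.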
4- Configure HAProxy
Now it's time to configure HAProxy. The configuration file is located at /etc/haproxy/haproxy.cfg, so we open it with Vim:
# vim /etc/haproxy/haproxy.cfg
The configuration file is divided into four major sections.
global settings – sets process-wide parameters.
defaults – this section sets default parameters for all other sections following its declaration.
frontend – this section describes a set of listening sockets accepting client connections.
backend – this section describes a set of servers to which the proxy will connect to forward incoming connections.
To understand the options under global settings and defaults, read the HAProxy documentation. Here we will use the defaults.
First we configure logging, because once HAProxy is in place it plays a significant role and we need to know exactly how things are going.
We do this by reading the HAProxy logs.
Default configuration for logging is:
log 127.0.0.1 local2
This tells HAProxy to log through the syslog facility, so we must tell the syslog server how to receive and process HAProxy logs.
Do it as follows:
# vim /etc/rsyslog.d/haproxy.conf
Put the following lines in that file:
$ModLoad imudp
$UDPServerAddress 127.0.0.1
$UDPServerRun 514
local2.* /var/log/haproxy-traffic.log
local2.notice /var/log/haproxy-admin.log
Then restart the syslog server:
# systemctl restart rsyslog
4.1- Configure HAProxy front-end and back-ends
The following configuration defines a section for the HAProxy stats page, plus the front-end and back-end servers. Here we implement a load balancer based on TCP connections. HAProxy can operate in other modes as well; they are described in the documentation.
listen stats
    bind *:9000
    stats enable
    stats hide-version
    stats uri /stats
    stats admin if LOCALHOST
    # example credentials; set your own user and password
    stats auth haproxy:Lostp@1ss

frontend TT
    bind *:80
    mode tcp
    option tcplog
    option contstats
    option tcpka
    default_backend TT_web_servers

backend TT_web_servers
    balance roundrobin
    mode tcp
    option tcpka
    option srvtcpka
    server webserver1 192.168.17.130:80 weight 1 maxconn 1024 check
    server webserver2 192.168.17.131:80 weight 1 maxconn 1024 check
Then comment out any other front-end and back-end sections.
Now we restart HAProxy for the configuration to be applied:
# systemctl restart haproxy
5- Configure Firewall
Now we need to open ports 80, 443 and 9000:
# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --zone=public --permanent --add-service=https
# firewall-cmd --zone=public --permanent --add-port=9000/tcp
# firewall-cmd --reload
6- Testing Configuration
To test the configuration, on our client (Windows 10) we define the following test domain in c:\windows\system32\drivers\etc\hosts:
192.168.147.128 www.tuxtips.local
Now we open a browser on the client and point it to this address:
http://www.tuxtips.local
On every refresh in the browser we should see the page served from Web server 1, then Web server 2, and so on, because we use the round-robin algorithm.
To access the statistics page, we point to this address:
http://www.tuxtips.local:9000/stats
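The round-robin behaviour can also be confirmed from /var/log/haproxy-traffic.log instead of the browser. The script below is an added example, not part of the original tutorial: it counts tcplog entries per backend server and how many of them ended with a termination state other than "--". The function names and the sample log lines (dates, PID, byte counts) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): per-server summary of
# HAProxy "option tcplog" entries as written by rsyslog.
# Prints one "backend/server total=N abnormal=M" line per server.
summarize_tcplog() {
    awk '
    {
        # tcplog fields start right after the "haproxy[pid]:" syslog tag
        tag = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^haproxy\[[0-9]+\]:$/) { tag = i; break }
        if (!tag || NF < tag + 9) next
        # field 2 is the [accept date]; admin messages do not have one
        if ($(tag + 2) !~ /^\[.*\]$/) next
        srv   = $(tag + 4)   # backend_name/server_name
        state = $(tag + 7)   # termination state, "--" means a clean close
        total[srv]++
        if (state != "--") abnormal[srv]++
    }
    END {
        for (s in total)
            printf "%s total=%d abnormal=%d\n", s, total[s], abnormal[s]
    }' "$@" | sort
}

# Constructed sample lines (timestamps, PID and byte counts are made up).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 localhost haproxy[2210]: 192.168.147.129:50112 [03/Mar/2019:10:15:01.120] TT TT_web_servers/webserver1 1/0/35 612 -- 1/1/0/0/0 0/0
Mar  3 10:15:02 localhost haproxy[2210]: 192.168.147.129:50113 [03/Mar/2019:10:15:02.004] TT TT_web_servers/webserver2 1/0/31 612 -- 1/1/0/0/0 0/0
Mar  3 10:15:03 localhost haproxy[2210]: 192.168.147.129:50114 [03/Mar/2019:10:15:03.310] TT TT_web_servers/webserver1 1/0/29 612 -- 1/1/0/0/0 0/0
Mar  3 10:15:04 localhost haproxy[2210]: 192.168.147.129:50115 [03/Mar/2019:10:15:04.102] TT TT_web_servers/webserver2 1/-1/3004 0 SC 1/1/0/0/3 0/0
Mar  3 10:15:04 localhost haproxy[2210]: Server TT_web_servers/webserver2 is DOWN, reason: Layer4 connection problem. 0 sessions active, 0 requeued, 0 remaining in queue.
EOF
}

sample_log | summarize_tcplog
```

On the HAProxy host, replace the last line with `summarize_tcplog /var/log/haproxy-traffic.log`; a roughly equal total per server with abnormal=0 is what round robin over two healthy servers should produce.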
7- Configure HTTPS
In this extra step, we configure HTTPS for our HAProxy. Here we use a self-signed certificate, but if you have a public IP address, you can use Let's Encrypt.
To generate the certificate we need a private and a public key, so generate them:
# mkdir /etc/ssl/tuxtips.local
# cd /etc/ssl/tuxtips.local/
# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tuxtips.local.key -out tuxtips.local.crt
# cat tuxtips.local.crt tuxtips.local.key > tuxtips.local.pem
Now open the HAProxy configuration file and edit the front-end section as follows:
# vim /etc/haproxy/haproxy.cfg
frontend TL
    bind *:80
    bind *:443 ssl crt /etc/ssl/tuxtips.local/tuxtips.local.pem
    # redirect is an HTTP-layer rule; it only takes effect in a section running mode http
    redirect scheme https if !{ ssl_fc }
    mode tcp
    option tcplog
    option contstats
    option tcpka
    default_backend TT_web_servers
Then we restart the HAProxy service:
# systemctl restart haproxy.service
Finally we point to the HTTPS version of our local domain:
https://www.tuxtips.local
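The front-end in step 7 combines "redirect scheme https" with "mode tcp", and redirect is an HTTP-layer rule that needs mode http to take effect. The script below is an added example, not part of the original tutorial: it lists such rules in any section whose effective mode is tcp, so the mismatch is caught before a restart. The function names are hypothetical, and the sample configuration is constructed from the tutorial's sections plus an assumed "mode http" in defaults.

```shell
#!/bin/sh
# Added example (not from the original tutorial): list HTTP-layer rules that
# sit in a proxy section whose effective mode is tcp.
# Prints "<section> <name>: line N: <keyword> requires mode http".
lint_http_rules_in_tcp() {
    awk '
    function report(   i, eff) {
        if (kind == "defaults") {
            if (mode != "") defmode = mode
        } else if (kind ~ /^(frontend|backend|listen)$/) {
            eff = (mode != "") ? mode : defmode
            if (eff == "tcp")
                for (i = 1; i <= n; i++)
                    printf "%s %s: line %d: %s requires mode http\n", kind, name, ln[i], kw[i]
        }
        n = 0; mode = ""
    }
    BEGIN { defmode = "tcp" }      # HAProxy default when no mode is set
    { sub(/#.*/, "") }             # drop comments
    NF == 0 { next }
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
        report(); kind = $1; name = $2; next
    }
    $1 == "mode" { mode = $2; next }
    # buffer the rules until the section ends, since "mode" may follow them
    $1 ~ /^(redirect|http-request|http-response)$/ { n++; kw[n] = $1; ln[n] = FNR }
    END { report() }' "$@"
}

# Constructed sample: the tutorial frontend and backend, plus an assumed
# "mode http" in defaults.
sample_cfg() {
    cat <<'EOF'
defaults
    mode http
listen stats
    bind *:9000
frontend TL
    bind *:80
    bind *:443 ssl crt /etc/ssl/tuxtips.local/tuxtips.local.pem
    redirect scheme https if !{ ssl_fc }
    mode tcp
    default_backend TT_web_servers
backend TT_web_servers
    mode tcp
EOF
}

sample_cfg | lint_http_rules_in_tcp
```

Against the real file, replace the last line with `lint_http_rules_in_tcp /etc/haproxy/haproxy.cfg`; empty output means no HTTP-layer rule sits in a tcp-mode section.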