Install HAProxy Load Balancer With HTTPS Let’s Encrypt on CentOS 7

  • Domain:
  • IP Address: 103.157.27.251 > lb.rainui.cloud
  • IP Address: 103.169.7.24 > web01.rainui.cloud
  • IP Address: 103.169.7.25 > web02.rainui.cloud

  • Update the CentOS 7 package repositories and install the EPEL repo
yum update -y && yum install epel-release nano wget -y
  • Install Apache httpd (needed to serve a virtual host so that the Let's Encrypt SSL certificate can be issued)
  • Start the httpd service; only start it, do not enable it
yum install httpd -y
systemctl start httpd

  • Set up a virtual host for the domain lb.rainui.cloud (so the Let's Encrypt SSL certificate can be issued)
mkdir /var/www/lb.rainui.cloud/
nano /etc/httpd/conf.d/lb.rainui.cloud.conf
<VirtualHost *:80>
    ServerName lb.rainui.cloud
    ServerAlias www.lb.rainui.cloud
    ServerAdmin [email protected]
    DocumentRoot /var/www/lb.rainui.cloud

    <Directory /var/www/lb.rainui.cloud>
        Options -Indexes +FollowSymLinks
        DirectoryIndex index.php index.html
        AllowOverride All
        Order allow,deny
        Allow from all

        Header set Access-Control-Allow-Headers "ORIGIN, X-REQUESTED-WITH, CONTENT-TYPE"
        Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT, DELETE"
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Credentials true
        Header set X-XSS-Protection 1;mode=block
        Header set X-Frame-Options SAMEORIGIN
        Header set X-Content-Type-Options nosniff
        Header set Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
        Header set Referrer-Policy strict-origin-when-cross-origin
        Header set Access-Control-Max-Age 60000
    </Directory>

    ErrorLog /var/log/httpd/lb.rainui.cloud.com-error.log
    CustomLog /var/log/httpd/lb.rainui.cloud-access.log combined
</VirtualHost>
  • Check the virtual host configuration, then restart the httpd service
sudo apachectl configtest
service httpd restart

  • Install Let's Encrypt
yum install certbot python2-certbot-apache mod_ssl -y
  • Enable HTTPS on the domain lb.rainui.cloud
  • The certificate files are in the directory: /etc/letsencrypt/live/lb.rainui.cloud/
certbot --apache --agree-tos --redirect -m [email protected] -d lb.rainui.cloud
  • Test in a browser: the domain lb.rainui.cloud now uses HTTPS
  • Stop the httpd service
systemctl stop httpd

  • Install the HAProxy prerequisites
yum install gcc pcre-static pcre-devel openssl-devel tar make -y
  • Download HAProxy 1.8.26
wget http://www.haproxy.org/download/1.8/src/haproxy-1.8.26.tar.gz -O haproxy.tar.gz
tar xzvf haproxy.tar.gz
cd haproxy*
  • Install HAProxy
make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1
make install
  • Create the haproxy directories
sudo mkdir -p /etc/haproxy
sudo mkdir -p /var/lib/haproxy
sudo touch /var/lib/haproxy/stats
  • Create a symbolic link so that haproxy can be run as a normal user
sudo ln -s /usr/local/sbin/haproxy /usr/sbin/haproxy
  • Register HAProxy as a system service with the system daemon
cp -R examples/haproxy.init /etc/init.d/haproxy
sudo chmod 755 /etc/init.d/haproxy
sudo systemctl daemon-reload
sudo chkconfig haproxy on
  • Add the haproxy user
sudo useradd -r haproxy
  • Check the haproxy version
haproxy -v
HA-Proxy version 1.8.26 2020/08/03
Copyright 2000-2020 Willy Tarreau <[email protected]>
  • Create the certs directory
mkdir -p /etc/haproxy/certs
  • Combine the contents of fullchain.pem and privkey.pem into a single file lb.rainui.cloud.pem in the directory /etc/haproxy/certs
DOMAIN='lb.rainui.cloud' sudo -E bash -c 'cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'
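The concatenated PEM above is a one-off: Let's Encrypt certificates expire after 90 days, and after certbot renews the files under /etc/letsencrypt/live the copy in /etc/haproxy/certs is stale until someone repeats the cat. The script below is an added example (not part of the original post) that does the same concatenation as a certbot deploy hook. certbot really does run the program given by --deploy-hook after a successful renewal with RENEWED_LINEAGE set to the renewed live directory; the install path /usr/local/sbin/haproxy-pem-hook.sh and the reload command are assumptions, and the test data used in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the combined HAProxy PEM
# after every certbot renewal. certbot runs the --deploy-hook program with
# RENEWED_LINEAGE set to the live directory of the renewed certificate (real
# certbot behaviour); the output directory /etc/haproxy/certs follows the post,
# the hook path and reload command are assumptions.
set -eu

# build_haproxy_pem LINEAGE_DIR OUT_DIR
# Concatenates fullchain.pem + privkey.pem into OUT_DIR/<domain>.pem with
# mode 0600, and never replaces a working file with an incomplete one.
build_haproxy_pem() {
    lineage="$1"
    out_dir="$2"
    domain=$(basename "$lineage")
    full="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"
    target="$out_dir/$domain.pem"

    [ -r "$full" ] || { echo "missing $full" >&2; return 1; }
    [ -r "$key" ]  || { echo "missing $key" >&2; return 1; }

    mkdir -p "$out_dir"
    tmp="$target.tmp.$$"
    # restrictive umask so the private key is never on disk world-readable, even briefly
    (umask 077; cat "$full" "$key" > "$tmp")

    # sanity check: the combined file must carry both a certificate and a private key
    if ! grep -q 'BEGIN CERTIFICATE' "$tmp" || ! grep -q 'PRIVATE KEY' "$tmp"; then
        rm -f "$tmp"
        echo "combined PEM is incomplete, keeping previous $target" >&2
        return 1
    fi
    chmod 600 "$tmp"
    mv -f "$tmp" "$target"
    echo "$target"
}

# Entry point when certbot invokes this file as a deploy hook, e.g.
#   certbot renew --deploy-hook /usr/local/sbin/haproxy-pem-hook.sh   (path assumed)
# The guard keeps the file side-effect free when it is sourced for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE" /etc/haproxy/certs
    # only reload if the resulting configuration still validates
    haproxy -f /etc/haproxy/haproxy.cfg -c && systemctl reload haproxy
fi
```

Because the function writes to a temporary file and only renames it over the live PEM after both markers are present, a renewal that produces a broken file leaves HAProxy serving the previous certificate instead of failing to reload with no certificate at all.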
  • Configure the HAProxy load balancer
nano /etc/haproxy/haproxy.cfg
global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode http
   option httplog
   option dontlognull
   timeout connect 10000
   timeout client 30000
   timeout server 30000
   maxconn 50000
   fullconn 50000
   retries 10

listen stats
   bind *:8080 ssl crt /etc/haproxy/certs/lb.rainui.cloud.pem
   stats enable
   stats uri /
   stats realm Haproxy\ Statistics
   stats auth admin:admin
   stats refresh 5s

frontend http_front
   mode http
   bind *:80
   reqadd X-Forwarded-Proto:\ http
   redirect scheme https if !{ ssl_fc }
   http-response set-header Access-Control-Allow-Origin "*"
   http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
   http-response set-header Access-Control-Max-Age 3628800
   http-response set-header Access-Control-Allow-Methods "GET, DELETE, OPTIONS, POST, PUT"
   default_backend http_back

frontend https_front
   mode http
   bind *:443 ssl crt /etc/haproxy/certs/lb.rainui.cloud.pem no-sslv3 force-tlsv12 ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
   reqadd X-Forwarded-Proto:\ https
   http-response set-header Access-Control-Allow-Origin "*"
   http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
   http-response set-header Access-Control-Max-Age 3628800
   http-response set-header Access-Control-Allow-Methods "GET, DELETE, OPTIONS, POST, PUT"
   default_backend http_back

backend http_back
   mode http
   balance roundrobin
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   option  forwardfor
   option abortonclose
   cookie SERVERID insert indirect nocache
   server server_web01 103.169.7.24:80 check cookie server_web01 check maxconn 10000
   server server_web02 103.169.7.25:80 check cookie server_web02 check maxconn 10000
  • Check the haproxy.cfg configuration file; if the message Configuration file is valid appears, the haproxy configuration will run correctly, then restart the haproxy service
haproxy -f /etc/haproxy/haproxy.cfg -c
systemctl restart haproxy
  • Check the domain lb.rainui.cloud in a browser
  • The HAProxy load balancer with HTTPS is running correctly
  • HAProxy stats

HAProxy version 2.4.7 configuration on CentOS 7

  • If the backend servers use HTTPS (port 443), configure the backend section of haproxy as follows:
backend http_back
   mode http
   balance roundrobin
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   option  forwardfor
   option abortonclose
   cookie SERVERID insert indirect nocache
   server server_web01 103.169.7.24:443 check ssl verify none check cookie server_web01 check maxconn 10000
   server server_web02 103.169.7.25:443 check ssl verify none check cookie server_web02 check maxconn 10000
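Both configuration files in this guide (the Apache virtual host used for issuance and the haproxy.cfg, including the HTTPS backend variant just shown) contain settings a reviewer would want to look at before the load balancer goes live: the virtual host sends Access-Control-Allow-Origin "*" together with Access-Control-Allow-Credentials true, a pair browsers refuse to honour; the stats listener keeps the admin:admin credentials; the reqadd directives are valid on 1.8 but were removed in HAProxy 2.1, so they fail on the 2.4.7 build named in this section; and ssl verify none means the backend certificate is never checked. The script below is an added example, not from the original post, that greps the two files for exactly those points. The sample configs it writes are constructed, abbreviated copies of the guide's files using documentation addresses (198.51.100.x, lb.example.test), and the ca-file path in the usage note is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original post): a lint pass over the Apache
# virtual host and the haproxy.cfg from this guide. Pure grep/awk so it runs
# offline; write_samples produces constructed, abbreviated copies of both files.
set -eu

# lint_apache_vhost FILE: prints one finding per line
lint_apache_vhost() {
    if grep -q 'Access-Control-Allow-Origin[[:space:]]*"\*"' "$1" &&
       grep -q 'Access-Control-Allow-Credentials[[:space:]]*true' "$1"; then
        echo "cors: Allow-Origin * combined with Allow-Credentials true is rejected by browsers; list explicit origins instead"
    fi
    if grep -q 'Strict-Transport-Security.*preload' "$1"; then
        echo "hsts: preload commits the host and every subdomain to HTTPS permanently; confirm before submitting to the preload list"
    fi
}

# lint_haproxy_cfg FILE: prints one finding per line
lint_haproxy_cfg() {
    awk '
        /^[ \t]*stats auth[ \t]+admin:admin([ \t]|$)/ {
            print "stats: default credentials admin:admin on the stats page; set a strong password and restrict the bind address" }
        /^[ \t]*(reqadd|reqrep|reqdel|rspadd|rsprep|rspdel)[ \t]/ {
            print "compat: " $1 " was removed in HAProxy 2.1; use http-request/http-response set-header on 2.4" }
        /^[ \t]*server[ \t]/ && /[ \t]ssl([ \t]|$)/ && /verify none/ {
            print "tls: " $2 " uses ssl verify none, so the backend certificate is never validated; use verify required with a ca-file" }
        /^[ \t]*server[ \t]/ && gsub(/[ \t]check([ \t]|$)/, "&") > 1 {
            print "style: " $2 " repeats the check keyword" }
    ' "$1"
}

# count_findings KIND FILE: number of findings (KIND is apache_vhost or haproxy_cfg),
# handy as a CI gate; always exits 0 so it is safe under set -e
count_findings() {
    "lint_$1" "$2" | awk 'END { print NR }'
}

# write_samples DIR: constructed, abbreviated copies of the guide's two configs
write_samples() {
    cat > "$1/vhost.conf" <<'EOF'
<VirtualHost *:80>
    ServerName lb.example.test
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Credentials true
    Header set Strict-Transport-Security "max-age=15552000; includeSubDomains;preload"
</VirtualHost>
EOF
    cat > "$1/haproxy.cfg" <<'EOF'
listen stats
   bind *:8080 ssl crt /etc/haproxy/certs/lb.example.test.pem
   stats auth admin:admin
frontend https_front
   reqadd X-Forwarded-Proto:\ https
   default_backend http_back
backend http_back
   server server_web01 198.51.100.11:443 check ssl verify none check cookie server_web01 check maxconn 10000
   server server_web02 198.51.100.12:80 check cookie server_web02 maxconn 10000
EOF
}

# run against the constructed samples
dir=$(mktemp -d)
write_samples "$dir"
echo "== $dir/vhost.conf";  lint_apache_vhost "$dir/vhost.conf"
echo "== $dir/haproxy.cfg"; lint_haproxy_cfg "$dir/haproxy.cfg"
rm -r "$dir"
```

Run the two lint functions against the real /etc/httpd/conf.d/lb.rainui.cloud.conf and /etc/haproxy/haproxy.cfg instead of the samples to get the same report for this deployment. For the backend case, the fix that silences the tls finding is `ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt` (the bundle path is the CentOS default and an assumption here), so that a spoofed web01 or web02 cannot terminate the load balancer's connection.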

herdiana3389

A system administrator with skills in system administration, virtualization, linux, windows, networking, cloud computing, container, etc.