HAProxy Load Balancer Guide
Setting Up an HAProxy Load Balancer
HAProxy is a high-performance open-source load balancer and reverse proxy. It distributes traffic across multiple backend servers, improving availability and performance.
Installation
# Ubuntu/Debian
sudo apt update
sudo apt install haproxy -y
# Check version
haproxy -v
# Status
sudo systemctl status haproxy
Basic Configuration
sudo nano /etc/haproxy/haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # SSL settings
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Statistics page
listen stats
    bind *:8404
    stats enable
    stats uri /stats
    stats refresh 10s
    # Placeholder credentials: replace with a strong, unique password before deploying
    stats auth admin:password

# Frontend
frontend http_front
    bind *:80
    default_backend http_back

# Backend
backend http_back
    balance roundrobin
    option httpchk GET /health
    server web1 192.168.1.101:80 check
    server web2 192.168.1.102:80 check
    server web3 192.168.1.103:80 check backup
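A hardened variant of the `listen stats` section above, added here as an example and not part of the original guide: the page is served over TLS, limited to a management subnet, and authenticated against a hashed password instead of the cleartext `admin:password`. The userlist and ACL names, the 10.0.0.0/24 subnet and the hash placeholder are assumptions; the certificate path is the one used in the SSL section of this guide.

```haproxy
# Added example (not from the original guide).
# Assumed names/values: stats_users, from_mgmt, stats_ok, 10.0.0.0/24.

# Store a crypt(3) hash instead of a cleartext password in the config.
# A SHA-512 hash can be generated with: mkpasswd -m sha-512
userlist stats_users
    # Placeholder below, not a real hash
    user admin password REPLACE_WITH_SHA512_CRYPT_HASH

listen stats
    # weak: bind *:8404   (Basic auth credentials travel in cleartext)
    bind *:8404 ssl crt /etc/haproxy/certs/example.com.pem
    stats enable
    stats uri /stats
    stats refresh 10s
    # Do not reveal the HAProxy version on the page
    stats hide-version

    # Reject every client outside the management subnet before any auth prompt
    acl from_mgmt src 127.0.0.1 10.0.0.0/24
    http-request deny unless from_mgmt

    # weak: stats auth admin:password
    acl stats_ok http_auth(stats_users)
    stats http-request auth realm HAProxy\ Statistics unless stats_ok
```

With TLS on the listener, the page is reached at https://SERVER-IP:8404/stats.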
Load Balancing Algorithms
| Algorithm | Description |
|---|---|
| roundrobin | Round robin (default) |
| leastconn | Server with the fewest connections |
| source | IP hash (session-sticky) |
| uri | URI-based |
| first | First available server |
SSL Termination
frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    http-request redirect scheme https unless { ssl_fc }
    default_backend http_back

# HTTP to HTTPS redirect
frontend http_front
    bind *:80
    redirect scheme https code 301
Preparing the Certificate
# Fullchain + key in one file
cat /etc/letsencrypt/live/example.com/fullchain.pem \
/etc/letsencrypt/live/example.com/privkey.pem \
> /etc/haproxy/certs/example.com.pem
chmod 600 /etc/haproxy/certs/example.com.pem
Health Checks
backend http_back
    option httpchk GET /health HTTP/1.1\r\nHost:\ example.com
    http-check expect status 200
    server web1 192.168.1.101:80 check inter 5000 rise 2 fall 3
    server web2 192.168.1.102:80 check inter 5000 rise 2 fall 3

- inter: check interval (ms)
- rise: successful checks until "healthy"
- fall: failed checks until "unhealthy"
Session Persistence (Sticky Sessions)
backend http_back
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server web1 192.168.1.101:80 check cookie s1
    server web2 192.168.1.102:80 check cookie s2
Multiple Backends
frontend http_front
    bind *:80
    # ACL rules
    acl is_api path_beg /api
    acl is_static path_end .css .js .jpg .png
    # Backend assignment
    use_backend api_back if is_api
    use_backend static_back if is_static
    default_backend web_back

backend api_back
    server api1 192.168.1.201:3000 check

backend static_back
    server cdn1 192.168.1.251:80 check

backend web_back
    server web1 192.168.1.101:80 check
Testing the Configuration
# Check syntax
haproxy -c -f /etc/haproxy/haproxy.cfg
# Reload without downtime
sudo systemctl reload haproxy
# Statistics page
http://SERVER-IP:8404/stats
Further Help
- 📖 HAProxy documentation
- 📧 Email: support@enjyn.de