Documentation

Skip to end of metadata
Go to start of metadata

This document describes how to install HAProxy after the upgrade from 3.10.x to 4.0.x.

Author: Marc Cirauqui

Install HAProxy on the UI Server

Before you begin: check that you have the epel-release package installed. Otherwise HAProxy might not be available or it might be an old version.

# yum -y install haproxy

Configure HAProxy

The configuration to use depends on your architecture.

Running websockify on each Remote Services server

If you have multiple datacenters and are running websockify on each Remote Services server, you will need to define the backend for each server. Configure the UI server with the following model for the /etc/haproxy/haproxy.cfg file and make the changes described below.

/etc/haproxy/haproxy.cfg for multiple RS running websockify
global
  user haproxy
  group haproxy
  log /dev/log local0
  maxconn 1024

frontend public
  bind *:41337 ssl crt /etc/pki/abiquo/haproxy.crt
  mode http
  timeout client 3600s
  log global
  acl 2af9eaa6f48878b7952cbca17bc3d784b642d2ac path 2af9eaa6f48878b7952cbca17bc3d784b642d2ac
  use_backend 2af9eaa6f48878b7952cbca17bc3d784b642d2ac if 2af9eaa6f48878b7952cbca17bc3d784b642d2ac

backend 2af9eaa6f48878b7952cbca17bc3d784b642d2ac
  balance source
  mode http
  log global
  timeout queue 3600s
  timeout server 3600s
  timeout connect 3600s
  server websockify0 13.19.20.20:41338 weight 1 maxconn 1024 check

The frontend block defines where HAProxy will listen for browser connections, which in this case is port 41337. The bind line also specifies the SSL certificate. Use the same one as you use in the UI to avoid certificate warnings. Note that HAProxy only takes one file so you may need to concat certificate and private key into a single file (use cat cert key > haproxycert).

For multiple datacenters in Abiquo, you will need websockify installed on every Remote Services server. Then configure these servers by creating acl and use_backend lines and backend blocks as described here.

For each remote services server, copy the acl and use_backend lines and replace the hash values. To create the hashes for a server, generate an SHA1 digest of the value of the abiquo.datacenter.id property. For example:

# grep datacenter.id /opt/abiquo/config/abiquo.properties
abiquo.datacenter.id = ss008063
 
## With openssl toolkit
# echo -n ss008063 | openssl dgst -sha1 | cut -f2 -d' '
2af9eaa6f48878b7952cbca17bc3d784b642d2ac

## With ruby
# ruby -e 'require "digest/sha1"; puts Digest::SHA1.hexdigest "ss008063"'
2af9eaa6f48878b7952cbca17bc3d784b642d2ac

## With python
# python -c "import hashlib; print hashlib.sha1('ss008063').hexdigest()"
2af9eaa6f48878b7952cbca17bc3d784b642d2ac

So requests with path 2af9eaa6f48878b7952cbca17bc3d784b642d2ac will use backend named 2af9eaa6f48878b7952cbca17bc3d784b642d2ac.

To create the backend block, copy the backend text from the example above, but in the server line, replace the IP and port value with the values for the websockify daemon on the corresponding Remote services server.

When you have all the acl and use_backend lines, as well as the backend blocks for all the datacenters, restart the haproxy daemon to start routing requests.

Running one default websockify daemon

If you have multiple datacenters with ESXi hosts and you can allow access to all hosts in all datacenters, then you could use the following configuration with a single default websockify daemon.

/etc/haproxy/haproxy.cfg for one default websockify daemon
global
  daemon
  maxconn 1024
frontend public
  bind *:41337 ssl crt /etc/pki/abiquo/haproxy.cer
  timeout client 3600s
  default_backend ws
backend ws
  balance source
  timeout queue 3600s
  timeout server 3600s
  timeout connect 3600s
  server websockify1 127.0.0.1:41338 weight 1 maxconn 1024 check

Here the frontend block does not have acl or use_backend statements, but instead has a default_backend pointing to the only backend available. That backend in turn, points to the websockify daemon.

  • No labels