HAProxy Load Balancer Configuration Help

sdiver
New Contributor III

We have been using a Barracuda Load Balancer for a few years now, and I am not entirely happy with it...so I was looking at HAProxy as a load balancing solution. However, not having had any experience with them...I am in need of some help/verification with the configuration.

I have been looking through other posts in Jamf Nation, specifically this one, "HAProxy configuration for JSS Load Balancing our cluster", and this one, "HAProxy Load Balancer help", and I have also looked at the HAProxy configuration guide. I think I have an idea of what I am doing, but I just wanted to reach out to confirm...

Our load balanced Jamf environment is as follows...

1 x Jamf Pro Cluster Master (not load balancer in the cluster)
3 x Jamf Pro Cluster Nodes (behind load balancer)

I want to start basic, and I can add from there, so this is the configuration I have added to the haproxy.cfg file...

##### Jamf Pro Load Balancing Configuration #####
listen stats     # Goto port 9999 for stats
        mode http
        bind *:9999
        stats enable
        stats uri /

frontend jamfpro-lb     # Jamf Pro Load Balancing
        mode http
        bind *:8080     # Jamf non-SSL port
        bind *:8443 ssl crt /path/to/cert/with/no/key.pem
        timeout client 10000
        default_backend jamfpro-cluster

backend jamfpro-cluster     #Jamf Pro Cluster
        mode http
        option forwardfor
        option http-server-close
        balance leastconn
        option httpchk
        fullconn 1100
        cookie SRVSTICKY insert indirect nocache # Use session cookie to keep on same server
        server jamf-pro02 IP_Address:8080 check cookie jamf-pro02 inter 2000 fall 5
        server jamf-pro03 IP_Address:8080 check cookie jamf-pro03 inter 2000 fall 5
        server jamf-pro04 IP_Address:8080 check cookie jamf-pro04 inter 2000 fall 5
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }

Is there anything else that would be beneficial to add? It seems pretty straightforward. The main thing I am having issues with at this point is figuring out how to add the wildcard SSL certificate to HAProxy. So if anyone has done that with HAProxy, I would love to know...I understand the premise, I am just not certain of the steps.

Also, is there any configuration that needs to be done on the Tomcat side of things?

Thanks,
Steve
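
On the wildcard-certificate question in the post above, as an added example (not part of the original thread, and not Jamf's or HAProxy's own tooling): the `crt` keyword on a `bind` line loads one PEM file that holds the certificate, any intermediate certificates and the private key together. The shell function below builds that file and refuses to write it when the key does not match the certificate; the function name and every file path are placeholders.

```shell
#!/bin/sh
# Added example: build the combined PEM that "bind ... ssl crt <file>" expects.
# build_haproxy_pem CERT KEY OUT [CHAIN]
#   CERT  = wildcard certificate (PEM)      KEY = its private key (PEM)
#   OUT   = combined file for HAProxy       CHAIN = optional intermediates (PEM)
# Exit status: 0 written, 1 unreadable input or openssl error, 2 key/cert mismatch.
# The body runs in a subshell, so the umask and variables do not leak to the caller.
build_haproxy_pem() (
    cert=$1; key=$2; out=$3; chain=${4:-}

    # Order inside the bundle: leaf certificate, intermediates, private key.
    set -- "$cert"
    if [ -n "$chain" ]; then set -- "$@" "$chain"; fi
    set -- "$@" "$key"

    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; exit 1; }
    done

    # A key that does not belong to the certificate makes the TLS listener
    # unusable, so compare the public key derived from each before writing.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$key" -pubout) || exit 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        exit 2
    fi

    # The bundle contains the private key: create it readable by the owner only.
    umask 077
    # "awk 1" re-emits every line with a newline, so an input file that lacks
    # a trailing newline cannot glue two PEM blocks together.
    awk 1 "$@" > "$out" || exit 1
    chmod 600 "$out"
)

# Example call (placeholder paths):
#   build_haproxy_pem wildcard.crt wildcard.key /etc/haproxy/certs/wildcard.pem chain.crt
# then reference the result in the frontend:
#   bind *:8443 ssl crt /etc/haproxy/certs/wildcard.pem
```

The output file should be owned by the account that starts HAProxy, and the separate copy of the private key can then be removed from the load balancer host.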

2 REPLIES

blackholemac
Valued Contributor III

On the Tomcat side, enable remote valve and remote IP forwarding.

On the balancer side, you want session persistence turned on so each client completes a full session with the same backend. You also want to use the healthCheck.html page to determine up or down status. Finally, you may also have to deal with remote IP forwarding on the balancer side as well.

We use the Kemp load balancer, but each load balancer config is a bit different.

bumbletech
Contributor III

Anyone have any direction on using the healthCheck.html page for up/down status in HAProxy? I've been getting some false-downs. Restarting Tomcat seems to clear it up, but I'd like to avoid having to do that.

(Oh hey, this thread was started a year ago today. Neat.)