How to set up a basic HAProxy reverse proxy for Hipchat Data Center

Reference configuration only

This article provides an example configuration to help you set up your Hipchat Data Center deployment. However, third-party software might require extra configuration work to function in your environment. Atlassian makes a best effort to assist you with your deployment, but does not directly support these components.

Purpose

This article provides guidance on how to install and configure a basic HAProxy reverse proxy for use in a Small-Scale Hipchat Data Center environment.

In this guide, we will install HAProxy version 1.5 on a CentOS 7 Linux server.

Before you begin, we recommend that you familiarize yourself with installing and configuring CentOS 7 using the Linux command line. 

Prepare

  1. Make sure the system on which HAProxy will be installed meets the Hardware Requirements for the Load Balancer Node.
  2. Download and install CentOS 7 on the server using the minimal ISO image.
  3. Make sure a DNS record exists for the reverse proxy node and obtain an SSL certificate per the Reverse Proxy Configuration Requirements.  

    The process of obtaining an SSL certificate falls outside of the scope of this guide. There are plenty of resources on the Internet that can guide you through the process. For example: "How to Install an SSL Certificate from a Commercial CA"

Install and Configure

  1. Install the HAProxy package on CentOS 7:

    sudo yum -y install haproxy
  2. Start the service:

    sudo systemctl start haproxy
  3. As the root user, open /etc/haproxy/haproxy.cfg in a text editor. A sample configuration is below. For the purposes of this setup, there is no need to modify the default values defined in the global and defaults sections.

  4. Under the frontend section, ensure that the bind *:443 ssl crt value points to the actual path of your SSL certificate on the reverse proxy's filesystem. In the example below, the certificate named haproxy.pem exists in the /etc/pki/tls/certs directory.
  5. Under the backend section, enter the appropriate IP address for the Data Center node on the server line. Port 80 should be left as-is. In the example configuration, the server line points to a node arbitrarily named dcnode1, with an IP address of 172.17.0.3, connecting over port 80. The check directive tells HAProxy to run health checks against the server.

    More information on how to configure HAProxy can be found in the project's online Configuration Manual.

    global
        log         127.0.0.1 local2

        chroot      /var/lib/haproxy
        pidfile     /var/run/haproxy.pid
        maxconn     4000
        user        haproxy
        group       haproxy
        daemon

        # turn on stats unix socket
        stats socket /var/lib/haproxy/stats

    defaults
        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        option                  http-server-close
        option forwardfor       except 127.0.0.0/8
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 3000

    frontend localhost
        # Port 80 is bound only so that plain HTTP requests can be redirected to HTTPS
        bind *:80
        # PEM file holding the certificate and its private key
        bind *:443 ssl crt /etc/pki/tls/certs/haproxy.pem
        redirect scheme https if !{ ssl_fc }
        mode http
        default_backend node

    backend node
        mode http
        option forwardfor
        # Health check request sent to the Data Center node
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost
        server dcnode1 172.17.0.3:80 check
        # Tell the node which port and scheme the client originally used
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
  6. Save the changes to the file.

  7. Reload haproxy and configure it to start at boot time:

    sudo systemctl reload haproxy
    sudo systemctl enable haproxy
  8. Modify the server's firewall to allow connections on ports 80 and 443:

    sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
    sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
    sudo firewall-cmd --reload
  9. Continue setting up the Data Center according to the guidelines in the Configure Hipchat Data Center Nodes documentation.
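
A pre-reload check for steps 4 and 7, as an added example that is not part of the original article: it confirms that every `crt` file named on a `bind` line exists, contains both the certificate and its private key (HAProxy reads both from the one PEM file), and is not readable by group or others, then runs HAProxy's own configuration check. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run before "systemctl reload haproxy".
# Function names are hypothetical; the config path is supplied by the caller.

# Print every certificate path that follows "crt" on a bind line.
list_crt_paths() {
    awk '$1 == "bind" { for (i = 2; i < NF; i++) if ($i == "crt") print $(i + 1) }' "$1"
}

# The PEM must hold a certificate and a private key, and because it holds
# the key it must not be readable by group or others.
check_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "missing or unreadable: $pem" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate in $pem" >&2; return 1; }
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" ||
        { echo "no private key in $pem" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL "$pem" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "$pem is accessible to group/others; use chmod 600" >&2; return 1; }
}

# Check all certificate files, then let HAProxy parse the config (-c = check only).
haproxy_preflight() {
    cfg=$1
    paths=$(list_crt_paths "$cfg")
    [ -n "$paths" ] || { echo "no 'crt' on any bind line in $cfg" >&2; return 1; }
    for p in $paths; do
        check_pem "$p" || return 1
    done
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$cfg" || return 1
    fi
}

# Usage (as root):
#   haproxy_preflight /etc/haproxy/haproxy.cfg && systemctl reload haproxy
```
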



Last modified on November 2, 2018
