How to set up a basic HAProxy reverse proxy for Hipchat Data Center
Reference configuration only
This article provides an example configuration to help you set up your Hipchat Data Center deployment. However, third-party software might require extra configuration work to function in your environment. Atlassian makes a best effort to assist you with your deployment, but does not directly support these components.
Purpose
This article provides guidance on how to install and configure a basic HAProxy reverse proxy for use in a Small-Scale Hipchat Data Center environment.
In this guide, we will install HAProxy version 1.5 on a CentOS 7 Linux server.
Before you begin, we recommend that you familiarize yourself with installing and configuring CentOS 7 using the Linux command line.
Prepare
- Make sure the system on which HAProxy will be installed meets the Hardware Requirements for the Load Balancer Node.
- Download and install CentOS 7 on the server using the minimal ISO image.
- Make sure a DNS record exists for the reverse proxy node and obtain an SSL certificate per the Reverse Proxy Configuration Requirements.
The process of obtaining an SSL certificate falls outside of the scope of this guide. There are plenty of resources on the Internet that can guide you through the process. For example: "How to Install an SSL Certificate from a Commercial CA"
Install and Configure
Install the HAProxy package on CentOS 7:
sudo yum -y install haproxy
Start the service:
sudo systemctl start haproxy
As the root user, open /etc/haproxy/haproxy.cfg in a text editor. A sample configuration is below. For the purposes of this setup, there is no need to modify the default values defined in the global and defaults sections.
- Under the frontend section, ensure that the bind *:443 ssl crt value points to the actual path where your SSL certificate exists on the reverse proxy's filesystem. In the example below, the certificate named haproxy.pem exists in the /etc/pki/tls/certs directory.
- Under the backend section, enter the appropriate IP address for the Data Center node on the server line. Port 80 should be left as-is. In the example configuration, the server line points to a node arbitrarily named dcnode1, with an IP address of 172.17.0.3, connecting over port 80. The check directive tells HAProxy to health check the server.
More information on how to configure HAProxy can be found in the project's online Configuration Manual.
global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  forwardfor except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/pki/tls/certs/haproxy.pem
    redirect scheme https if !{ ssl_fc }
    mode http
    default_backend node

backend node
    mode http
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server dcnode1 172.17.0.3:80 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
Save the changes to the file.
Reload haproxy and configure it to start at boot time:
sudo systemctl reload haproxy
sudo systemctl enable haproxy
Modify the server's firewall to allow connections on ports 80 and 443:
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --reload
- Continue setting up the Data Center according to the guidelines in the Configure Hipchat Data Center Nodes documentation.
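A pre-reload check for the certificate file named on the bind *:443 ssl crt line, as an added example that is not part of the original article or of HAProxy. The function names crt_paths and check_haproxy_certs are hypothetical helpers, and the check assumes the HAProxy 1.5 behaviour of reading the certificate and its private key from the single PEM file that crt points to.

```shell
#!/bin/sh
# Added example (not from the article): verify the PEM files that haproxy.cfg
# references before reloading. Function names are hypothetical helpers.

# Print every path that follows "crt" on a bind line of the given config.
crt_paths() {
    awk '$1 == "bind" { for (i = 2; i < NF; i++) if ($i == "crt") print $(i + 1) }' "$1"
}

# Return 0 only if each referenced PEM is a regular file, holds both a
# certificate and a private key, and grants no access to group or other.
# Prints one FAIL line per problem found.
check_haproxy_certs() {
    cfg=$1
    rc=0
    pems=$(crt_paths "$cfg")
    if [ -z "$pems" ]; then
        echo "FAIL: no 'bind ... ssl crt <file>' line in $cfg"
        return 1
    fi
    for pem in $pems; do
        if [ ! -f "$pem" ]; then
            echo "FAIL: $pem is not a regular file"
            rc=1
            continue
        fi
        grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
            { echo "FAIL: $pem has no certificate block"; rc=1; }
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
            { echo "FAIL: $pem has no private key block"; rc=1; }
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$pem" | cut -c5-10)
        [ "$perms" = "------" ] ||
            { echo "FAIL: $pem is accessible beyond its owner ($perms)"; rc=1; }
    done
    return "$rc"
}

# Usage: check_haproxy_certs /etc/haproxy/haproxy.cfg && echo "certificates OK"
```

Run it as root before sudo systemctl reload haproxy; haproxy -c -f /etc/haproxy/haproxy.cfg then validates the configuration syntax itself.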