Install HAProxy Load Balancer with Rate Limiting on Ubuntu 16/18/20

HAProxy:
HAProxy (High-Availability proxy) is free, open-source software that provides a high availability load balancer and proxy server for TCP and HTTP-based applications that spreads requests across multiple servers connected to it. It has a reputation for being fast and working efficiently.

This is useful when too many concurrent connections would over-saturate the capacity of a single server. Instead of a client connecting to a single server that processes all the requests, the client connects to an HAProxy instance, which acts as a reverse proxy and forwards the request to one of the available endpoints (servers), based on a load-balancing algorithm and ratios.
With HAProxy, we can scale backend servers as needed at any time.

What is Load Balancing?

Load balancing is the process of distributing workloads across multiple computing resources.

Types of Load balancing Algorithms:

  • Roundrobin: Each server is used in turns according to their weights. This is the smoothest and fairest algorithm when the servers’ processing time remains equally distributed. This algorithm is dynamic, which allows server weights to be adjusted on the fly.
  • Leastconn: The server with the lowest number of connections is chosen. Round-robin is performed between servers with the same load. Using this algorithm is recommended with long sessions, such as LDAP, SQL, TSE, etc, but it is not very well suited for short sessions such as HTTP.
  • First: The first server with available connection slots receives the connection. The servers are chosen from the lowest numeric identifier to the highest, which defaults to the server’s position on the farm. Once a server reaches its maxconn value, the next server is used.
  • Source: The source IP address is hashed and divided by the total weight of the running servers to designate which server will receive the request. This way the same client IP address will always reach the same server while the servers stay the same.

Install HAProxy

To check the version

To edit the config file of HAProxy

After editing save the file by pressing ctrl + x, then y, then Enter.

HAProxy Configuration:
We need to add global, default, auth, frontend and backend sections to route public requests and return responses with load balancing.
Note: Before adding a backend server, check that the backend server responds correctly by running curl against it from inside the load balancer server.

Full Config File with Rate-Limiting:

Before restarting, check whether the configuration file is valid.

Restart the daemon that handles logging of HAProxy logs

Detailed Description

Global configuration:

For logging

Root directory for haproxy running process and its children

Creates a UNIX socket in stream mode at location /var/run/haproxy.sock and the socket will return various statistics outputs and even allow some commands to be issued to change some runtime settings.

User and group name for haproxy

Makes the process fork into background. This is the recommended mode of operation. It is equivalent to the command line “-D” argument.

Assigns a default directory to fetch SSL CA certificates and CRLs from when a relative path is used with “ca-file” or “crl-file” directives.

Assigns a default directory to fetch SSL certificates from when a relative path is used with “crtfile” directives.

Sets the default string describing the list of cipher algorithms
ssl-default-bind-ciphers

It sets default ssl-options to force on all “bind” lines.

Sets the maximum CPU usage HAProxy can reach before stopping the compression for new requests or decreasing the compression level of current requests.

Sets the maximum per-process input compression rate to <number> kilobytes per second. A value of 0 means no limit.

Returns an integer value corresponding to the number of processes that were started

Sets the default behavior for SSL verification on the server side. If set to ‘none’, server certificates are not verified.

Default Configuration

Use the same log settings as defined in global

Request mode

Enable logging of the HTTP request, session state and timers

Enable or disable HTTP keep-alive from client to server

Enable or disable logging of null connections

Set the maximum time to wait for a connection attempt

Set the error file to override applications error files

List of supported compression algorithms and applies gzip compression

Set the number of retries to perform on a server after a connection failure

Enable insertion of the X-Forwarded-For header to requests sent to servers

Enable or disable HTTP connection closing on the server side

Frontend Configuration:

This section defines the IP address and port that HAProxy listens on and that clients connect to. You can include as many frontend sections as you need (for example, to serve several websites), but each frontend must be distinguished from the others by its label.

Frontend name (name must be unique)

The port HAProxy will listen on

The port HAProxy will listen on for SSL, with its certificate

Maximum number of concurrent users

For automatically redirecting all HTTP requests to HTTPS

For pointing www.example.com to the same frontend as https://example.com

Access Control Lists (ACLs) provide a flexible way to make decisions based on content extracted from the request, the response, or any environmental status.
host_admin: Frontend name used to point to the backend.
hdr(host) -i: Accept HTTP requests containing a Host header saying “admin.example.com” (case-insensitive match)
admin.example.com: Host name to listen on

Backend Configuration:

This section defines the group of servers that handles the forwarded requests and load balancing. As with frontends, you can label your servers to distinguish one from another.

Use the backend named be-http-admin if the frontend name is host_admin

Backend name

Type of load balancing

Enable insertion of the X-Forwarded-For header to requests sent to servers

Request type HTTP

Backend server with name, IP and port
check: Check whether the server is live or not
fall 3: After 3 consecutive failed health checks, consider the server dead
rise 5: The server is considered operational again after 5 consecutive successful health checks.

Authentication Statistics Page:

Port to listen stats on

Enable stats

Enable statistics and set authentication realm

URL to check stats and title

Enable statistics and hide HAProxy version reporting

Enable statistics with authentication and grant access to an account

Extra Configuration on Rate limiting

Create a table of size 500k which stores the number of requests from each unique IP every 30 seconds.

Rate limiting based on the IP address

Deny the request with code 429 if the request rate is greater than 350 in the above-mentioned timeframe.
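
The frontend, backend, statistics and rate-limiting settings described above, combined into one configuration as an added example (not the author's original file). The frontend and server names, 192.0.2.x addresses, ports, certificate path and stats credentials are constructed placeholders, and the timeout values are assumptions.

```haproxy
# Added example: names, addresses, ports, paths and credentials are placeholders.
global
    log /dev/log local0
    chroot /var/lib/haproxy
    stats socket /var/run/haproxy.sock mode 660 level admin
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    timeout connect 5s      # assumed value
    timeout client 50s      # assumed value
    timeout server 50s      # assumed value

frontend fe-http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem   # placeholder path
    maxconn 10000                                           # placeholder limit
    # Rate limiting: one entry per source IP, request rate over a 30 s window
    stick-table type ip size 500k expire 30s store http_req_rate(30s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 350 }
    http-request redirect scheme https code 301 unless { ssl_fc }
    acl host_admin hdr(host) -i admin.example.com
    use_backend be-http-admin if host_admin

backend be-http-admin
    balance roundrobin
    option forwardfor
    server admin1 192.0.2.10:8080 check fall 3 rise 5
    server admin2 192.0.2.11:8080 check fall 3 rise 5

listen stats
    bind *:8404                          # placeholder port
    stats enable
    stats realm Haproxy\ Statistics
    stats uri /haproxy?stats
    stats hide-version
    stats auth admin:CHANGE_ME           # replace with a strong, unique password
```

The track and deny rules are placed before the HTTPS redirect so that plain-HTTP requests are counted as well. Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` (default Ubuntu path assumed) before restarting.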

For any queries or feedback feel free to email me at animeshnayak99@gmail.com

A self-motivated terminal-savvy guy learning DevOps with expertise in many DevOps tools and Linux Server Administration who loves to automate everything.

Animesh Kumar
