HAProxy Load Balancer configuration example for use with AppsAnywhere, Cloudpaging and Parallels RAS.

Overview

The following configuration is provided as a guide. It should be reviewed before you apply it, and referenced against any existing HAProxy configuration currently in use.

The configuration is based on the default OOB (out-of-box) haproxy.cfg configuration file.

Please note, there is currently a known issue with the Parallels RAS Windows Client and HAProxy version 2.x. To work around this issue, additional items must be added to the AppsAnywhere and Global configuration (depending on which version of HAProxy is being used). Details of these changes are documented in the relevant sections below. Parallels have confirmed this particular issue will be resolved in a future release. Please contact Software2 support if you require further information.

Global and Default settings

The Global configuration below includes definitions for default SSL certificate locations. It also includes updated crypto policies that remove insecure ciphers and increase the Diffie-Hellman key size.

#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
	log 127.0.0.1 local2

	chroot /var/lib/haproxy
	pidfile /var/run/haproxy.pid
	maxconn 4000
	user haproxy
	group haproxy
	daemon

	# turn on stats unix socket
	stats socket /var/lib/haproxy/stats

	# Default SSL material locations
	ca-base /etc/pki/tls/certs
	crt-base /etc/pki/tls/private

	#Crypto policies
	ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

	#The maximum size of the Diffie-Hellman parameters used for generating
	# the ephemeral/temporary Diffie-Hellman key in case of DHE key exchange.
	tune.ssl.default-dh-param 2048

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    #option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

If HAProxy v2.1x or later is used and Parallels RAS has been deployed, the following addition is required within the global section of the configuration documented above:

h1-case-adjust content-length Content-Length

AppsAnywhere

The following frontend and backend configurations can be used with AppsAnywhere.

frontend

frontend fappsanywhere

	#Bind AppsAnywhere LB address
	bind <IP ADDRESS>:443 ssl crt <SSL Certificate Filename> force-tlsv12
	#Prevents X-Forwarded-For spoofing (del-header takes a header name, not a regex)
	http-request del-header X-Forwarded-For
	#Default backend config
	default_backend bappsanywhere
	#Set HTTP style logging
	option httplog

backend

backend bappsanywhere

	#Layer4/HTTP connection mode
	mode http
	#Enable X-Forwarded-For
	option forwardfor
	#LB least connection rule
	balance leastconn
	#Set X-Forwarded-For Header
	http-request set-header X-Forwarded-For %[src]
	#Session stick table and based on source IP
	stick-table type ip size 1m expire 1h
	stick on src
	#Health check URI and status code check
	option httpchk GET /healthcheck
	http-check expect status 200
	#Backend server options - Including SSL for HTTPS, check and check-ssl options
	# for healthcheck over HTTPS, Inter value of 120 seconds. Verify none to prevent
	# backend server SSL certificate checks.
	server apps1 <IP ADDRESS>:443 ssl check inter 120s check-ssl verify none
	server apps2 <IP ADDRESS>:443 ssl check inter 120s check-ssl verify none

In both the frontend and backend sections you will need to replace the <IP ADDRESS> value with the relevant IP address or FQDN of your service and backend AppsAnywhere server(s). The frontend section also contains the <SSL Certificate Filename> value that must be replaced with the correct SSL certificate filename.
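The following script is an added example and is not part of this article, nor an HAProxy tool. It checks a haproxy.cfg for the points the Global section and the AppsAnywhere frontend/backend rely on: the cipher list and minimum TLS version, the Diffie-Hellman parameter size, that every HTTP frontend strips X-Forwarded-For using a plain header name (`http-request del-header` takes a header name, not a regex, so a regex-style argument silently deletes nothing), that every HTTP backend sets the header, and which servers are configured with `verify none`. The embedded configuration is constructed to mirror the article's layout, and the policy thresholds are assumptions chosen to match the article's settings.

```python
"""Lint a haproxy.cfg for the hardening points this article relies on.

Added example: not part of the article and not an HAProxy tool. The policy
(forward-secret AEAD ciphers only, TLS >= 1.2, DH >= 2048 bits, no spoofable
X-Forwarded-For) is an assumption chosen to match the article's settings.
"""
import re

# Constructed sample mirroring the article's layout. The del-header line
# deliberately uses the regex-style argument; HAProxy's del-header expects a
# plain header name, so that line would delete nothing.
SAMPLE_CFG = """
global
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    tune.ssl.default-dh-param 2048

defaults
    mode http

frontend fappsanywhere
    bind 203.0.113.10:443 ssl crt example.pem force-tlsv12
    http-request del-header ^X-Forwarded-For:.*
    default_backend bappsanywhere

backend bappsanywhere
    mode http
    option forwardfor
    http-request set-header X-Forwarded-For %[src]
    server apps1 203.0.113.21:443 ssl check inter 120s check-ssl verify none
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
REGEX_CHARS = re.compile(r"[\^$*.\[\]()|+?:]")  # never valid in a header name


def parse(text):
    """Split the config into (kind, name, [token lists]) in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line.split())
    return sections


def value_after(tokens, key):
    """Return the token following `key`, or None if absent."""
    if key in tokens and tokens.index(key) + 1 < len(tokens):
        return tokens[tokens.index(key) + 1]
    return None


def cipher_findings(cipher_list):
    """Flag suites without forward secrecy or without an AEAD construction."""
    out = []
    for c in cipher_list.split(":"):
        if not c.startswith(("ECDHE-", "DHE-")):
            out.append(f"cipher {c}: no forward secrecy")
        elif "GCM" not in c and "CHACHA20" not in c:
            out.append(f"cipher {c}: not an AEAD suite")
    return out


def lint(text):
    """Return a list of human-readable findings for the configuration text."""
    findings = []
    for kind, name, lines in parse(text):
        where = f"{kind} {name}".strip()
        http_mode = ["mode", "tcp"] not in lines  # article defaults to http
        for t in lines:
            if kind == "global" and t[0] == "ssl-default-bind-ciphers":
                findings += cipher_findings(t[1])
            elif kind == "global" and t[0] == "ssl-default-bind-options":
                if value_after(t, "ssl-min-ver") not in ("TLSv1.2", "TLSv1.3"):
                    findings.append("global: ssl-min-ver must be TLSv1.2 or TLSv1.3")
            elif kind == "global" and t[0] == "tune.ssl.default-dh-param":
                if int(t[1]) < 2048:
                    findings.append(f"global: DH parameter {t[1]} bits is below 2048")
            elif t[:2] == ["http-request", "del-header"] and len(t) > 2:
                if REGEX_CHARS.search(t[2]):
                    findings.append(f"{where}: del-header takes a header name, not a regex: {t[2]!r}")
            elif t[0] == "server" and value_after(t, "verify") == "none":
                findings.append(f"{where}: server {t[1]} skips backend certificate verification (documented trade-off)")
        if kind == "frontend" and http_mode and not any(
            t[:2] == ["http-request", "del-header"] and len(t) > 2 and "x-forwarded-for" in t[2].lower()
            for t in lines
        ):
            findings.append(f"{where}: no del-header for X-Forwarded-For; clients can spoof it")
        if kind == "backend" and http_mode and not any(
            t[:2] == ["option", "forwardfor"]
            or (t[:2] == ["http-request", "set-header"] and len(t) > 2 and t[2].lower() == "x-forwarded-for")
            for t in lines
        ):
            findings.append(f"{where}: backend never sets X-Forwarded-For")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print(finding)
```

To check a deployed file, call `lint(open("/etc/haproxy/haproxy.cfg").read())`; the `verify none` finding is informational, since the article accepts that trade-off for the backend health checks, but it is worth knowing which servers it applies to.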

If HAProxy v2.0x is used and Parallels RAS has been deployed, the following addition is required within both the frontend and backend sections of the configuration documented above:

no option http-use-htx

If HAProxy v2.1x or later is used and Parallels RAS has been deployed, the following addition is required within the frontend section only of the configuration documented above:

option h1-case-adjust-bogus-client

The above configuration assumes that a single/specific VIP is used for AppsAnywhere only.

If there are multiple services using the same VIP then you can use the following rules within the existing frontend section for the AppsAnywhere service.

use_backend bappsanywhere if { hdr(host) -i <MyApps.UNI.EDU> } || { hdr(host) -i <MyApps.UNI.EDU>:443 }
Replace the <MyApps.UNI.EDU> value with the FQDN of your AppsAnywhere service.

Cloudpaging

The following frontend and backend configurations can be used with the Numecent Cloudpaging Admin/License service.

frontend

frontend fcpadmin

	#Bind Cloudpaging LB address
	bind <IP ADDRESS>:443 ssl crt <SSL Certificate Filename> force-tlsv12
	#Prevents X-Forwarded-For spoofing (del-header takes a header name, not a regex)
	http-request del-header X-Forwarded-For
	#Default backend config
	default_backend bcpadmin
	#Set HTTP style logging
	option httplog

backend

backend bcpadmin

    #Layer4/HTTP connection mode
    mode http
    #Enable X-Forwarded-For
    option forwardfor
    #LB least connection rule
    balance leastconn
    #Set X-Forwarded-For Header
    http-request set-header X-Forwarded-For %[src]
    #Session stick table and based on source IP
    stick-table type ip size 1m expire 1h
    stick on src
    #Health check URI and status code check
    option httpchk GET /jukeboxserver/do/license/token/renew.tok?msid=ping
    http-check expect status 200
    #Backend server options - Including SSL for HTTPS, check and check-ssl options
    # for healthcheck over HTTPS, Inter value of 120 seconds. Verify none to prevent
    # backend server SSL certificate checks.
    server cp1 <IP ADDRESS>:443 ssl check inter 120s check-ssl verify none
    server cp2 <IP ADDRESS>:443 ssl check inter 120s check-ssl verify none


In both the frontend and backend sections you will need to replace the <IP ADDRESS> value with the relevant IP address or FQDN of your Cloudpaging Admin/License service and server(s).  The frontend section also contains the <SSL Certificate Filename> value that must be replaced with the correct SSL certificate filename.
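When HAProxy marks an AppsAnywhere or Cloudpaging node DOWN, it helps to reproduce the health check by hand: one GET to the `option httpchk` path, a pass only on status 200, and (as in the article's server lines) no validation of the backend certificate. The script below is an added example, not part of this article or of HAProxy; the host, port and path are whatever you pass in, and the local stand-in backend is constructed purely so the probe can be run offline.

```python
"""Reproduce HAProxy's 'option httpchk GET <path>' + 'http-check expect status 200'
probe by hand, for troubleshooting a backend that HAProxy reports as DOWN.

Added example: not part of the article and not HAProxy code.
"""
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(host, port, path, use_tls=True, verify=False, timeout=10):
    """Return (healthy, status) for a single GET against host:port/path.

    verify=False mirrors the article's 'verify none': the backend certificate
    is not validated, so a pass proves the service answers, not who it is.
    """
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return False, None  # refused, timed out, or not HTTP at all
    finally:
        conn.close()
    return status == 200, status


class _FakeBackend(BaseHTTPRequestHandler):
    """Constructed stand-in for an AppsAnywhere / Cloudpaging node (plain HTTP).

    Answers 200 on the two health-check paths used in the article and 503
    elsewhere, so the probe's pass/fail logic can be exercised offline.
    """
    HEALTH_PATHS = ("/healthcheck", "/jukeboxserver/do/license/token/renew.tok?msid=ping")

    def do_GET(self):
        self.send_response(200 if self.path in self.HEALTH_PATHS else 503)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_backend():
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_backend()
    print("healthcheck:", probe("127.0.0.1", port, "/healthcheck", use_tls=False))
    print("other path: ", probe("127.0.0.1", port, "/missing", use_tls=False))
    server.shutdown()
    # Against a real node the call looks like:
    # probe("<IP ADDRESS>", 443, "/healthcheck")          # AppsAnywhere
    # probe("<IP ADDRESS>", 443, "/jukeboxserver/do/license/token/renew.tok?msid=ping")
```

A `(False, None)` result means the TCP or TLS handshake itself failed, which points at the listener or certificate rather than the application; a non-200 status means the service is up but its health endpoint is unhappy, which is what HAProxy's `http-check expect status 200` rule reacts to.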

The above configuration assumes that a single/specific VIP is used for Cloudpaging Admin/License service only.

If there are multiple services using the same VIP then you can use the following rules within the existing frontend section for the Cloudpaging Admin/License service.

use_backend bcpadmin if { hdr(host) -i <cpadmin.UNI.EDU> } || { hdr(host) -i <cpadmin.UNI.EDU>:443 }
Replace the <cpadmin.UNI.EDU> value with the FQDN of your Cloudpaging Admin/License service.

Parallels RAS

The following frontend and backend configurations can be used with the Parallels RAS Gateway service.

frontend

frontend fparallels
   bind <IP ADDRESS>:443
   mode tcp
   option tcplog
   default_backend bparallels

backend

backend bparallels
    mode tcp
    balance leastconn
    #Session stick table and based on source IP
    stick-table type ip size 1m expire 1h
    stick on src
    server gw1 <IP ADDRESS>:443 check inter 120s verify none
    server gw2 <IP ADDRESS>:443 check inter 120s verify none
In both the frontend and backend sections you will need to replace the <IP ADDRESS> value with the relevant IP address or FQDN of your Parallels RAS Gateway service and server(s).
It is important to note that in order to support traffic/access for both the Parallels RAS Native Client and the HTML5 Gateway, the traffic mode must be defined as TCP and NOT HTTP. Using HTTP mode will prevent the Parallels RAS Native Client from connecting correctly to the Parallels RAS Gateway.
Please consult the HAProxy User Documentation for more information regarding any of the settings used in the above example.
