HAproxy
HAproxy 
Config TCP
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend www80_front
mode tcp
bind *:80
default_backend www80_back
backend www80_back
mode tcp
balance roundrobin
server NGINX00 192.168.0.16:80 check weight 60
server NGINX01 192.168.0.17:80 check weight 40
Config http vhost
frontend www80_front
bind *:80
acl is_nginx02.example.com hdr_end(host) -i nginx02.example.com
use_backend vhost_redirect_back if is_nginx02.example.com
default_backend www80_back
backend www80_back
balance roundrobin
server NGINX00 192.168.0.16:80 check weight 60
server NGINX01 192.168.0.17:80 check weight 40
backend vhost_redirect_back
server NGINX02 192.168.0.18:80 check
Config https vhost
frontend www80_front
bind *:80
acl is_ok.trastero.org hdr_end(host) -i ok.trastero.org
use_backend vhost_redirect_back if is_ok.trastero.org
default_backend www80_back
frontend www443_front
mode tcp
option tcplog
bind *:443
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
acl is_ok.trastero.org_443 req.ssl_sni -i ok.trastero.org
use_backend vhost_redirect_back_443 if is_ok.trastero.org_443
default_backend www443_back
backend www80_back
balance roundrobin
server k3s00 k3s00.local:80 check weight 60
server k3s01 k3s01.local:80 check weight 40
server k3s02 k3s02.local:80 check weight 40
backend www443_back
mode tcp
balance roundrobin
server k3s00 k3s00.local:443 check weight 60
server k3s01 k3s01.local:443 check weight 40
server k3s02 k3s02.local:443 check weight 40
backend vhost_redirect_back
server OK00 192.168.0.165:80 check
backend vhost_redirect_back_443
mode tcp
option tcplog
option ssl-hello-chk
server OK00443 192.168.0.165:443
KeepAlived
install on debian
apt install -y keepalived psmisc
touch /etc/keepalived/keepalived.conf
Master /etc/keepalived/keepalived.conf
vrrp_script chk_haproxy {
script "killall -0 haproxy" # verify the pid existance
interval 2 # check every 2 seconds
weight 2 # add 2 points of prio if OK
}
vrrp_instance VI_1 {
interface eth0 # interface to monitor
state MASTER
virtual_router_id 51 # Assign one ID for this route
priority 101 # 101 on master, 100 on backup
virtual_ipaddress {
192.168.0.99 # the virtual IP
}
track_script {
chk_haproxy
}
}
Slave /etc/keepalived/keepalived.conf
vrrp_script chk_haproxy {
script "killall -0 haproxy" # verify the pid existance
interval 2 # check every 2 seconds
weight 2 # add 2 points of prio if OK
}
vrrp_instance VI_1 {
interface eth0 # interface to monitor
state BACKUP
virtual_router_id 51 # Assign one ID for this route
priority 100 # 101 on master, 100 on backup
virtual_ipaddress {
192.168.0.99 # the virtual IP
}
track_script {
chk_haproxy
}
}