In this blog we will learn how to install and configure HAProxy and how to integrate it with VMware Horizon View for lab purposes.
HAProxy is an open-source load balancer. By deploying HAProxy, we can load balance the Connection Servers and see how a load balancer works.
NOTE: Unified Access Gateway is itself a proxy server, so load balancing UAG via HAProxy is not recommended.
1: Prepare the PhotonOS Virtual Machine.
For our lab, we will use VMware PhotonOS as the base operating system for the HAProxy virtual machine.
Download PhotonOS for import into vCenter / ESXi: https://github.com/vmware/photon/wiki/Downloading-Photon-OS
For this lab I have used the Photon OS 4.0 Rev2 x86_64 .iso file.
Import the OVA/ISO to vCenter or the ESXi host.
NOTE: By default, the PhotonOS OVA is set up to acquire a DHCP address and SSH is enabled.
Log in to the PhotonOS OVA as “root” with password “changeme”, or use the credentials defined when deploying from the PhotonOS .iso.
If SSH login is not enabled, follow the steps below to enable it.
Open the SSH daemon configuration with vim /etc/ssh/sshd_config and set PermitRootLogin to "yes"
Restart the ssh service: “systemctl restart sshd”
After logging in to PhotonOS, the first thing we will do is update the VM with the latest security patches and install the nano editor by running the commands below.
tdnf upgrade -y
tdnf install nano -y
Next, make sure the VM is using a static IP address. If it is not, follow the steps below to set one.
By default, the network configuration file in /etc/systemd/network called 99-dhcp-en.network is set to use DHCP on all network adapters.
Edit the default “/etc/systemd/network/99-dhcp-en.network” file to disable DHCP:
[Match]
Name=e*
[Network]
DHCP=no
Create a new file “/etc/systemd/network/10-static-en.network” using the “touch” command and edit the file with the details below:
[Match]
Name=eth0
[Network]
Address=<IP Address of the HAProxy>/24
Gateway=<IP address of the Gateway>
DNS=<DNS Server IP>
[DHCP]
UseDNS=false
Change the owner of the new file:
chown systemd-network:systemd-network /etc/systemd/network/10-static-en.network
To be able to use the virtual IP in HAProxy, we need to allow IPv4 forwarding and allow HAProxy to bind to an IP that is not defined on a physical interface (virtual IPs).
By default, both are disabled on PhotonOS. We enable them by creating a new file in /etc/sysctl.d called 55-keepalived.conf and putting the following lines in it:
#Enable IPv4 Forwarding
net.ipv4.ip_forward = 1
#Enable non-local IP bind
net.ipv4.ip_nonlocal_bind = 1
NOTE: A 50-security-hardening.conf file already exists in the same folder. By giving the new configuration file a higher number, we override the settings that are already defined in the default file.
To allow http/https access, change the file /etc/systemd/scripts/ip4save as follows:
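The override order described in the NOTE above can be checked with a small resolver. This is an added example, not part of the original post; it reads a single directory only, and the contents of the sample 50-security-hardening.conf are constructed for the demonstration.

```shell
# Added example, not from the original post.
# Simplification: one directory only; systemd-sysctl also merges
# /run/sysctl.d and /usr/lib/sysctl.d by file name.
LC_ALL=C; export LC_ALL   # make glob ordering byte-wise and predictable

# effective_sysctl DIR KEY -> prints "VALUE FILE" for the assignment that wins
effective_sysctl() {
    dir=$1; key=$2
    # Globs expand in sorted order, so 55-*.conf is read after 50-*.conf
    # and its assignment is the one left standing.
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        awk -v k="$key" -v src="$(basename "$conf")" '
            /^[ \t]*[#;]/ { next }                  # comment lines
            {
                eq = index($0, "=")
                if (eq == 0) next
                name = substr($0, 1, eq - 1)
                val  = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                if (name == k) print val, src
            }' "$conf"
    done | tail -n 1
}

# make_sample -> path of a temp dir holding constructed sample files
# (the 50-* content is invented for the demo, not PhotonOS's real file)
make_sample() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 0\n' > "$d/50-security-hardening.conf"
    printf '%s\n' '#Enable IPv4 Forwarding' 'net.ipv4.ip_forward = 1' \
        '#Enable non-local IP bind' 'net.ipv4.ip_nonlocal_bind = 1' \
        > "$d/55-keepalived.conf"
    echo "$d"
}

sample=$(make_sample)
for k in net.ipv4.ip_forward net.ipv4.ip_nonlocal_bind; do
    echo "$k -> $(effective_sysctl "$sample" "$k")"
done
rm -rf "$sample"
```

On the HAProxy VM, call effective_sysctl /etc/sysctl.d net.ipv4.ip_forward to see which file supplies the value, then compare with sysctl net.ipv4.ip_forward after the reboot.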
# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8404 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
For the changes to take effect, reboot the VM.
2: Installing and configuring HAProxy
Run the command below to install HAProxy on PhotonOS.
tdnf install haproxy -y
Rename the default HAProxy configuration file “/etc/haproxy/haproxy.cfg”
Create the directory where HAProxy will be chrooted:
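To review what the ruleset above exposes, the following added example (not part of the original post) lists each TCP port the INPUT chain accepts and whether the rule is limited to a source address. It embeds the INPUT rules from this post as sample data; the 192.0.2.0/24 admin subnet used to restrict the stats port is a constructed value.

```shell
# Added example, not from the original post.
# open_inbound FILE -> "<tcp dport> <source|any>" for each INPUT ACCEPT rule
open_inbound() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out rules
        $1 == "-A" && $2 == "INPUT" {
            port = ""; src = "any"; accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s" || $i == "--source") src = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (accept && port != "") print port, src
        }' "$1"
}

# unrestricted FILE -> space-separated ports reachable from any source
unrestricted() {
    open_inbound "$1" | awk '$2 == "any" { printf "%s%s", sep, $1; sep = " " }'
}

# write_rules FILE [STATS_SRC] -> the INPUT rules from this post; when
# STATS_SRC is given, 8404 is limited to it (constructed variation)
write_rules() {
    stats_src=${2:+"-s $2 "}
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp ${stats_src}--dport 8404 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

rules=$(mktemp)
write_rules "$rules"
echo "as posted:  $(unrestricted "$rules")"
write_rules "$rules" 192.0.2.0/24
echo "restricted: $(unrestricted "$rules")"
rm -f "$rules"
```

Run open_inbound /etc/systemd/scripts/ip4save on the VM to get the same listing for the live file.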
mkdir /var/lib/haproxy
chmod 755 /var/lib/haproxy
Create the configuration file /etc/haproxy/haproxy.cfg with the entries below.
# HAProxy configuration

#Global definitions
global
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats
    daemon

defaults
    timeout connect 5s
    timeout client 30s
    timeout server 30s

### Statistics & Admin configuration ###
userlist stats-auth
    group admin users <Admin username>
    user admin insecure-password <admin password>
    group ro users stats
    user stats insecure-password ReadOnly

frontend stats-http8404
    mode http
    bind <HAProxy IP>:8404
    default_backend statistics

backend statistics
    mode http
    stats enable
    stats show-legends
    stats show-node
    stats refresh 30s
    acl AUTH http_auth(stats-auth)
    acl AUTH_ADMIN http_auth_group(stats-auth) admin
    stats http-request auth unless AUTH
    stats admin if AUTH_ADMIN
    stats uri /stats
######

### Horizon Connection servers ###
frontend horizon-http
    mode http
    bind <HAProxy IP>:80
    # Redirect http to https
    redirect scheme https if !{ ssl_fc }

frontend horizon-https
    mode tcp
    bind <HAProxy IP>:443
    default_backend horizon

backend horizon
    mode tcp
    option ssl-hello-chk
    balance source
    server HZNConn01 <Connection Server1 IP>:443 weight 1 check inter 30s fastinter 2s downinter 5s rise 3 fall 3
    server HZNConn02 <Connection Server2 IP>:443 weight 1 check inter 30s fastinter 2s downinter 5s rise 3 fall 3
######
Restart the haproxy service: “systemctl restart haproxy.service”
Check the status of the haproxy service: “systemctl status haproxy.service”
URL to connect to HAProxy Stats page: http://<haproxy ipaddress>:8404/stats
Username: admin
Password: <admin password defined in the config file>
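A pre-restart check for the haproxy.cfg above, as an added example that is not part of the original post: it reports any <...> placeholder left unfilled and every userlist entry that uses insecure-password, then runs HAProxy's own syntax check if the binary is installed. The function names and the sample excerpt are constructed for this example.

```shell
# Added example, not from the original post.

# lint_haproxy_cfg FILE -> one finding per line; no output when clean
lint_haproxy_cfg() {
    awk '
        /^[ \t]*#/ { next }                       # comment lines
        /<[^>]+>/ {
            printf "line %d: unreplaced placeholder: %s\n", NR, $0
        }
        $1 == "user" && $3 == "insecure-password" {
            printf "line %d: cleartext password for user %s\n", NR, $2
        }' "$1"
}

# preflight FILE -> 0 only if the lint is clean and, where the haproxy
# binary is installed, "haproxy -c" accepts the file (-c parses and
# validates the configuration without starting the proxy)
preflight() {
    findings=$(lint_haproxy_cfg "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1" || return 1
    fi
    return 0
}

# write_sample FILE -> constructed excerpt of the userlist from this post,
# with one placeholder deliberately left unfilled
write_sample() {
    cat > "$1" <<'EOF'
userlist stats-auth
group admin users admin
user admin insecure-password <admin password>
group ro users stats
user stats insecure-password ReadOnly
EOF
}

cfg=$(mktemp); write_sample "$cfg"
preflight "$cfg" || echo "fix the findings above before restarting haproxy"
rm -f "$cfg"
```

On the VM this becomes preflight /etc/haproxy/haproxy.cfg && systemctl restart haproxy.service. HAProxy's userlist also accepts the password keyword with a crypt(3) hash in place of insecure-password, which clears the second finding.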
Wonderful content! Thank you for making this.