  • Suraj Roy

Integrating HAProxy (OpenSource LoadBalancer) with Horizon View Connection Servers.

Updated: Apr 7, 2022


In this blog we will learn how to install and configure HAProxy and how to integrate it with VMware Horizon View for lab purposes.


HAProxy is an open-source load balancer. By deploying HAProxy, we can load balance Connection Servers and see how a load balancer works.


NOTE: Unified Access Gateway is itself a proxy server, so I would not recommend load balancing UAG via HAProxy.


1: Prepare the PhotonOS Virtual Machine.


For this lab, we will use VMware PhotonOS as the base operating system for the HAProxy virtual machine.


For the lab I have used the Photon OS 4.0 Rev2 x86_64 .iso file.



  • Import the OVA/ISO to vCenter or ESXi host.

NOTE: By default, the PhotonOS OVA is set up to acquire a DHCP address, and SSH is enabled.


  • Log in to the PhotonOS OVA as “root” with the password “changeme”, or use the credentials defined when deploying from the PhotonOS .iso.

If SSH login is not enabled, follow the steps below to enable it.


Open the SSH daemon configuration with “vim /etc/ssh/sshd_config” and set PermitRootLogin to "yes".

Restart the SSH service: “systemctl restart sshd”


  • After logging in to PhotonOS, the first thing we will do is update the VM with the latest security patches and install the nano editor by running the commands below.

tdnf upgrade -y

tdnf install nano -y




  • Next, make sure the VM is using a static IP address. If it is not, follow the steps below to configure one.


By default, the network configuration file in /etc/systemd/network called 99-dhcp-en.network is set to use DHCP on all network adapters.


Edit the default “/etc/systemd/network/99-dhcp-en.network” file to disable DHCP:


[Match]
Name=e*

[Network]
DHCP=no



Create a new file “/etc/systemd/network/10-static-en.network” using the “touch” command and edit it with the details below:


[Match]
Name=eth0

[Network]
Address=<IP Address of the HAProxy>/24
Gateway=<IP address of the Gateway>
DNS=<DNS Server IP>

[DHCP]
UseDNS=false



Change the owner of the new file:

chown systemd-network:systemd-network /etc/systemd/network/10-static-en.network



To be able to use the virtual IP in HAProxy, we need to allow IPv4 forwarding and allow HAProxy to bind to an IP that is not defined on a physical interface (virtual IPs).


Both are disabled by default on PhotonOS. Enable them by creating a new file called 55-keepalived.conf in /etc/sysctl.d with the following lines:


# Enable IPv4 Forwarding
net.ipv4.ip_forward = 1
# Enable non-local IP bind
net.ipv4.ip_nonlocal_bind = 1


NOTE: A 50-security-hardening.conf file already exists in the same folder. By giving the new configuration file a higher number, we override the settings that are already defined in the default file.


To allow HTTP/HTTPS access, change the file /etc/systemd/scripts/ip4save as follows:


# init
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow local-only connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#keep commented till upgrade issues are sorted
#-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8404 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT


  • For the changes to take effect, reboot the VM.
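The ruleset above accepts SSH (22) and the HAProxy stats port (8404) from any source address, alongside 80 and 443. The following is an added example, not part of the original post: it parses an iptables-save style file such as ip4save and lists the TCP ports that INPUT accepts without a source match. The sample rules and the 192.0.2.0/24 management subnet are constructed for illustration.

```shell
# Added example, not from the original post.
# unrestricted_ports FILE: print the TCP ports the INPUT chain accepts from
# any source address (no -s/--source match), one per line, sorted.
unrestricted_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            port = ""; proto = ""; src = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")                         proto  = $(i + 1)
                if ($i == "--dport")                    port   = $(i + 1)
                if ($i == "-s" || $i == "--source")     src    = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (accept && proto == "tcp" && port != "" && !src) print port
        }
    ' "$1" | sort -n
}

# Constructed sample 1: the active INPUT rules as written on this page.
page_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 8404 -j ACCEPT
COMMIT
EOF
}

# Constructed sample 2: SSH and the stats port limited to an assumed
# management subnet (192.0.2.0/24 is a documentation range).
restricted_rules() {
    page_rules | sed -E 's/^(-A INPUT )(-p tcp .*--dport (22|8404) )/\1-s 192.0.2.0\/24 \2/'
}

# report RULES_FUNCTION: audit one sample, ports joined by spaces.
report() {
    tmp=$(mktemp) && "$1" > "$tmp"
    unrestricted_ports "$tmp" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$tmp"
}

echo "as on the page : $(report page_rules)"
echo "with -s added  : $(report restricted_rules)"
```

On the VM itself, run unrestricted_ports /etc/systemd/scripts/ip4save; rules that use multiport matches are not covered by this parser.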


2: Installing and configuring HAProxy:


  • Run the below command to install HAProxy on PhotonOS.

tdnf install haproxy -y



  • Rename the default HAProxy configuration file “/etc/haproxy/haproxy.cfg”.


  • Create the directory where HAProxy will be chrooted.

mkdir /var/lib/haproxy

chmod 755 /var/lib/haproxy


  • Create the configuration file /etc/haproxy/haproxy.cfg with below entries.


# HAProxy configuration

# Global definitions
global
    chroot /var/lib/haproxy
    stats socket /var/lib/haproxy/stats
    daemon

defaults
    timeout connect 5s
    timeout client 30s
    timeout server 30s

### Statistics & Admin configuration ###
userlist stats-auth
    group admin users <Admin username>
    user admin insecure-password <admin password>
    group ro users stats
    user stats insecure-password ReadOnly

frontend stats-http8404
    mode http
    bind <HAProxy IP>:8404
    default_backend statistics

backend statistics
    mode http
    stats enable
    stats show-legends
    stats show-node
    stats refresh 30s
    acl AUTH http_auth(stats-auth)
    acl AUTH_ADMIN http_auth_group(stats-auth) admin
    stats http-request auth unless AUTH
    stats admin if AUTH_ADMIN
    stats uri /stats
######

### Horizon Connection servers ###
frontend horizon-http
    mode http
    bind <HAProxy IP>:80
    # Redirect http to https
    redirect scheme https if !{ ssl_fc }

frontend horizon-https
    mode tcp
    bind <HAProxy IP>:443
    default_backend horizon

backend horizon
    mode tcp
    option ssl-hello-chk
    balance source
    server HZNConn01 <Connection Server1 IP>:443 weight 1 check inter 30s fastinter 2s downinter 5s rise 3 fall 3
    server HZNConn02 <Connection Server2 IP>:443 weight 1 check inter 30s fastinter 2s downinter 5s rise 3 fall 3
######
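The configuration above keeps the stats credentials in the file with insecure-password and serves the stats page, which uses HTTP Basic authentication, over plain HTTP on port 8404. The following is an added example, not part of the original post: it scans a haproxy.cfg for those two settings and shows that a variant using hashed passwords and a TLS bind produces no findings. The sample config, the 192.0.2.10 address, the certificate path and the hash placeholder are constructed.

```shell
# Added example, not from the original post.
# audit_haproxy_cfg FILE: print one finding per line for
#   - userlist users declared with insecure-password (cleartext in the file)
#   - frontends with a non-TLS bind whose default_backend has "stats enable"
audit_haproxy_cfg() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                   # skip blanks and comments
        $1 ~ /^(global|defaults|userlist|frontend|backend|listen)$/ {
            kind = $1; name = $2; next                  # a new section starts
        }
        kind == "userlist" && $1 == "user" && $3 == "insecure-password" {
            print "cleartext-password user=" $2
        }
        kind == "frontend" && $1 == "bind" {
            tls = 0
            for (i = 3; i <= NF; i++) if ($i == "ssl") tls = 1
            if (!tls) plain[name] = $2                  # remember non-TLS binds
        }
        kind == "frontend" && $1 == "default_backend" { target[name] = $2 }
        kind == "backend" && $1 == "stats" && $2 == "enable" { stats[name] = 1 }
        END {
            for (f in plain) {
                t = target[f]
                if (t in stats) print "cleartext-stats bind=" plain[f]
            }
        }
    ' "$1"
}

# Constructed sample: the stats section from this page, placeholders filled in.
page_cfg() {
    cat <<'EOF'
userlist stats-auth
    group admin users admin
    user admin insecure-password ExamplePassw0rd
    user stats insecure-password ReadOnly
frontend stats-http8404
    mode http
    bind 192.0.2.10:8404
    default_backend statistics
backend statistics
    stats enable
EOF
}

# Constructed hardened variant: crypt(3) hash via "password", TLS on the bind.
hardened_cfg() {
    page_cfg | sed -e 's/insecure-password .*/password <crypt-hash>/' \
                   -e 's|:8404$|:8404 ssl crt /etc/haproxy/certs/stats.pem|'
}

audit() { tmp=$(mktemp) && "$1" > "$tmp"; audit_haproxy_cfg "$tmp"; rm -f "$tmp"; }
audit page_cfg
```

Before restarting the service, the real file can also be syntax-checked with haproxy -c -f /etc/haproxy/haproxy.cfg.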


  • Restart the haproxy service: “systemctl restart haproxy.service”

  • Check the status of the haproxy service: “systemctl status haproxy.service”


URL to connect to HAProxy Stats page: http://<haproxy ipaddress>:8404/stats

Username: admin

Password: <admin password defined in the config file>




1 Comment


Shreyskar Srivastava
Apr 08, 2022

Wonderful content! Thank you for making this.
