Using the ACL in HAProxy for Load Balancing Named Virtual Hosts

Until recently, I wasn’t aware of the ACL system in HAProxy, but once I found it I realized that I have been missing a very important part of load balancing with HAProxy!

While the full configuration settings available for the ACL are listed in the configuration doc, the example below includes the basics that you’ll need to build an HAProxy load balancer that supports multiple host headers.

Here is a quick example HAProxy configuration file that uses ACLs:

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

frontend http-in
    bind *:80
    # hdr_end(host) -i is a case-insensitive suffix match on the Host header
    acl is_www_example_com hdr_end(host) -i example.com
    acl is_www_domain_com hdr_end(host) -i domain.com

    # The first use_backend whose condition matches is used
    use_backend www_example_com if is_www_example_com
    use_backend www_domain_com if is_www_domain_com
    # Requests that match no ACL are sent here
    default_backend www_example_com

backend www_example_com
    balance roundrobin
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    # "check" turns on the httpchk health check for each server
    server Server1 10.1.1.1:80 cookie Server1 check
    server Server2 10.1.1.2:80 cookie Server2 check

backend www_domain_com
    balance roundrobin
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    option httpclose
    option forwardfor
    # "check" turns on the httpchk health check for each server
    server Server1 192.168.5.1:80 cookie Server1 check
    server Server2 192.168.5.2:80 cookie Server2 check

In HAProxy 1.3, the ACL rules are placed in a “frontend” and (depending on the logic) the request is proxied through to any number of “backends”. You’ll notice in our frontend entitled “http-in” that I’m checking the host header using the hdr_end feature. This feature performs a simple check on the host header to see if it ends with the provided argument.

You can find the rest of the Layer 7 matching options by searching for “7.5.3. Matching at Layer 7” in the configuration doc I linked to above. A few of the options I didn’t use but you might find useful are path_beg, path_end, path_sub, path_reg, url_beg, url_end, url_sub, and url_reg. The *_reg options allow you to perform RegEx matching on the URL/path, but there is the usual performance cost of RegEx to weigh (especially since this is a load balancer).

The first “use_backend” that matches a request will be used, and if none are matched, then HAProxy will use the “default_backend”. You can also combine ACL rules in the “use_backend” statements to match one or more rules. See the configuration doc for more helpful info.
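The matching and selection rules described above, modelled in Python as an added example (not HAProxy code and not part of the original post): hdr_end is a plain suffix test, so a Host such as notdomain.com also satisfies the domain.com ACL, while a Host that carries a port matches neither ACL and falls through to default_backend. The strict_match policy and the sample hostnames are assumptions made for the comparison.

```python
# Added illustration (not HAProxy code): a model of the frontend's routing.
# RULES mirrors the two use_backend lines, in order; sample hosts are constructed.
RULES = [
    ("www_example_com", "example.com"),
    ("www_domain_com", "domain.com"),
]
DEFAULT_BACKEND = "www_example_com"


def hdr_end(host, suffix):
    """hdr_end(host) -i: case-insensitive 'ends with' on the raw header value."""
    return host.lower().endswith(suffix.lower())


def strict_match(host, domain):
    """Assumed stricter policy (not from the post): ignore an optional :port,
    then accept only the exact domain or a dot-delimited subdomain of it."""
    name = host.lower().partition(":")[0].rstrip(".")
    return name == domain or name.endswith("." + domain)


def first_match(host, match=hdr_end):
    """Backend of the first rule that matches, or None if no ACL matches."""
    for backend, domain in RULES:
        if match(host, domain):
            return backend
    return None


def route(host, match=hdr_end):
    """First matching use_backend wins; otherwise default_backend is used."""
    return first_match(host, match) or DEFAULT_BACKEND


if __name__ == "__main__":
    samples = ["www.example.com", "WWW.Domain.COM", "notdomain.com",
               "www.domain.com:8080", "unknown.test"]
    for host in samples:
        print(f"{host:22} hdr_end={route(host):16} "
              f"strict={first_match(host, strict_match)}")
```

Hosts for which the strict column prints None are the ones the suffix ACLs either over-match or leave to the default backend.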

If you’re looking to use HAProxy with SSL, that requires a different approach, and I’ll blog about that soon.

12 thoughts on “Using the ACL in HAProxy for Load Balancing Named Virtual Hosts”

  1. Thanks for this post – the HAProxy docs are a huge laundry list of options so it was really helpful to see a concrete example of how to do a multi-backend configuration with ACLs.

  2. Hi, Matt, thanks for sharing. You mentioned HAProxy with SSL; do you have some information about this? I tested HAProxy with SSL using TCP mode, but I have some questions about session persistence. If you can give me some suggestions, that would be good. Thanks.

  3. Matt, this is an awesome article. I am eagerly waiting to read the HAProxy with SSL article, and it would be much better if it also mentions using ACLs in TCP mode.

  4. Hi, this scenario was what I want 😀
    Thank you,

    But according to my needs,

    what if:

    Server1 (www.example.com) and Server1 (www.domain.com) are on one machine (using vhost/same IP)

    But,

    Server2 (www.example.com) and Server2 (www.domain.com) are on a different machine (different IP, not vhost)

    Is it possible??

    How??

    Thank you so much 🙂

  5. HAProxy is a load balancer. In your second example, both http://www.example.com and http://www.domain.com will need DNS A records that point to the HAProxy server. While it isn’t a requirement that they use the same IP (you can have HAProxy listen on as many interfaces/IPs on one server as you want), you *are* able to use the same IP for both websites, and use HAProxy to examine the HTTP headers to find out what backend servers to send to.

  6. Hello,

    Thank you very much. As I can see, you have separate clusters for separate domains.

    How would you configure backup/failover for both domains?

    The option backup only works when all the servers in the cluster are down.

    I tried using an ACL for backup/failover; it worked only for my first domain. For the second one, nope.

    Help please 🙁

  7. Hi Matt,

    The article on HAProxy is very informative. I thought you could help with this issue I have encountered:

    Environment:

    hn3.example.com(Load Balancer http://hn3_host_ip:6080)
    hn2.example.com(ApplicationServer1 – http://hn2_host_ip:6080)
    hn1.example.com(ApplicationServer2 – http://hn1_host_ip:6080)

    I have to access my application from the load balancer, i.e., http://hn3_host_ip:6080, which should redirect to hn2 and hn3 with roundrobin.

    Problem: I am able to access only my login page on http://hn3_host_ip:6080; after entering the credentials it takes me back to the login page again. I would need help in redirecting to GET the application page after the login. Please help me with the piece of configuration to add to redirect it to the application page.

    Below are the /etc/haproxy/haproxy.cfg details:
    *******************************************************************
    frontend haproxy_in
    bind hn3_host_ip:6080
    default_backend ranger_ha

    backend ranger_ha
    balance roundrobin
    mode http
    option httpclose
    option forwardfor
    cookie SERVERID insert nocache indirect
    option httpchk HEAD /check.txt HTTP/1.0
    server hn1.example.com hn1_host_ip:6080 check
    server hn2.example.com hn2_host_ip:6080 check

    Regards,

    Harini

  8. Thank you for this article, it has helped me massively.
    I really needed a raw to redirect my traffic in my local network through 1 IP internet to proxy and the alias defines which local machine the alias is sent to.

    Perfect!
