Scaling out on the cloud is easy, especially if you have a software provisioning system that helps you deploy your environment wherever you want. This session will give you an overview of the fantastic new features of HAProxy V 1.5, and how you can integrate it into your environment to build a highly available environment using open source software. Starting with a single-webserver + mysql setup provisioned via chef, we will deploy an HAProxy cluster in front and scale out your nginx and mysql database backend.
This webinar introduces Apache Camel's large range of components for connectivity and protocol support, and how the 50+ patterns create a powerful toolbox that lets you build integration solutions "Lego style". This webinar will introduce you to the Camel community and why it is so important for any serious open source project to have a thriving community.
Speaker: Claus Ibsen - Camel PMC member and top committer
Tasklet vs work queues (Deferrable functions in linux), by RajKumar Rampelli
Deferrable functions in Linux are a mechanism to delay the execution of a piece of code until later in kernel context. They can be implemented using tasklets and work queues.
Using Asterisk and Kamailio for Reliable, Scalable and Secure Communication S..., by Fred Posner
Presentation from AsteriskWorld 2017 at ITEXPO. Discussion of how I started with Asterisk and Kamailio as well as how to build Reliability, Scalability, and Security into your telephony platform.
ProxySQL - High Performance and HA Proxy for MySQL, by René Cannaò
High Availability proxy designed to solve real issues of MySQL setups from small to very large production environments.
Presentation at Percona Live Amsterdam 2015
There are many ways to run high availability with PostgreSQL. Here, we present a template for you to create your own customized, high-availability solution using Python and for maximum accessibility, a distributed configuration store like ZooKeeper or etcd.
This is a talk on how you can monitor your microservices architecture using Prometheus and Grafana. This has easy to execute steps to get a local monitoring stack running on your local machine using docker.
Ceph data services in a multi- and hybrid cloud world, by Sage Weil
IT organizations of the future (and present) are faced with managing infrastructure that spans multiple private data centers and multiple public clouds. Emerging tools and operational patterns like kubernetes and microservices are easing the process of deploying applications across multiple environments, but the achilles heel of such efforts remains that most applications require large quantities of state, either in databases, object stores, or file systems. Unlike stateless microservices, state is hard to move.
Ceph is known for providing scale-out file, block, and object storage within a single data center, but it also includes a robust set of multi-cluster federation capabilities. This talk will cover how Ceph's underlying multi-site capabilities complement and enable true portability across cloud footprints--public and private--and how viewing Ceph from a multi-cloud perspective has fundamentally shifted our data services roadmap, especially for Ceph object storage.
Monitoring Kubernetes with Prometheus (Kubernetes Ireland, 2016), by Brian Brazil
Prometheus is a next-generation monitoring system. Since being publicly announced last year it has seen wide-spread interest and adoption. This talk will look at the concepts behind monitoring with Prometheus, and how to use it with Kubernetes which has direct support for Prometheus.
Analysis of Database Issues using AHF and Machine Learning v2 - AOUG2022, by Sandesh Rao
Oracle Autonomous Health Framework (AHF) is Oracle’s Artificial Intelligence Operations platform for autonomous database health management. This session will focus on enhancements to current functionality and new features in 21c. We will discuss how to use the data which is derived from the Bayesian Net framework of AHF to conduct root cause analysis, telemetry and remediations for issues. You will learn to utilize these features to determine workload footprint, ongoing monitoring, early detection of anomalies and performance issues, their root causes and corrective actions, prevention of node or database failures, and targeted postmortem analysis enabling quick resolution.
Session Highlights:
• Insights into AHF enhancements to current functionality and new features in 21c
• Learn early detection of anomalies and performance issues, their root causes and corrective actions
• Targeted postmortem analysis enabling quick resolution
MySQL performance can be improved by tuning queries, server options, and hardware. Traditionally it was an area of responsibility for three different roles: Development, DBA, and System Administrators. Now DevOps handle these all. But there is a gap. Knowledge gained by MySQL DBAs after years of focusing on a single product is hard to gain when you focus on more than one. This is why I am doing this session. I will show a minimal but most effective set of options to improve MySQL performance. For illustrations, I will use real user stories gained from my Support experience and Percona Kubernetes operators for PXC and MySQL.
Your website just went down. As you try to understand what has gone wrong, you quickly realize something is different this time. There’s no clear reason why your site should be down, but indeed it is.
This talk is about the story of our team’s first unprepared fight against a DDoS attack.
USENIX LISA15: How TubeMogul Handles over One Trillion HTTP Requests a Month, by Nicolas Brousse
TubeMogul grew from a few servers to over two thousand servers, handling over one trillion HTTP requests a month, each processed in less than 50ms. To keep up with the fast growth, the SRE team had to implement an efficient Continuous Delivery infrastructure that allowed over 10,000 Puppet deployments and 8,500 application deployments in 2014. In this presentation, we will cover the nuts and bolts of the TubeMogul operations engineering team and how they overcome challenges.
You always think it will never happen to you but when it does, it’s all hands on deck. My personal site was almost hacked and since then I actively looked at what I could improve. During this talk I will talk about what I had before and show all the improvements I made since then. It will be a mix of using the existing tools and my own creation in managing my sites.
This is a presentation made at the Burlington, Vermont PHP Users Group about configuring load balancing using the Apache HTTP Server. Load balancing is a technique that can distribute work across multiple server nodes—here we will discuss load balancing HTTP (i.e. web) traffic. There are many software and hardware load balancing options available including HAProxy, Varnish, Pound, Perlbal, Squid, nginx, and Linux-HA (High-Availability Linux) on Linux Standard Base (LSB). However, many web developers are already familiar with Apache as a web server and it is relatively easy to also configure Apache as a load balancer.
Related concepts such as shared nothing architecture are discussed. We also take a look at some basic load balancing scenarios and features including sticky sessions and proxying requests based on HTTP method. Distributed load testing with Tsung is briefly discussed as well.
Presentation by the project founder, Willy Tarreau, on what's new in v1.6, what's coming in 1.7 and how to contribute to the project !
Lessons from Highly Scalable Architectures at Social Networking Sites, by Patrick Senti
What are the techniques and technologies used by popular social networking sites such as Facebook, Twitter, Tumblr, Pinterest or Instagram? How do they architect their systems to scale to multiples of 100 million visits per day?
Keepalived & HA-Proxy as an alternative to commercial loadbalancer - August 2014, by inovex GmbH
The speaker Jan Gehring is the initiator of the Rex Project, which he has developed in his free time since 2010. Jan works for inovex GmbH as a senior Linux system architect and designs, optimises and deploys highly scalable, automated Linux environments for customers. He has worked professionally with Linux and open source for 13 years and has gained extensive practical experience through numerous projects. His duties include the design, construction and operation of systems. His focus is on data center automation, highly available and highly scalable web architectures, and Java-based application servers.
ElasticSearch in Production: lessons learned, by BeyondTrees
With Proquest Udini, we have created the world's largest online article store, and aim to be the center for researchers all over the world. We connect to a 700M solr cluster for search, but have recently also implemented a search component with ElasticSearch. We will discuss how we did this, and how we want to use the 30M index for scientific citation recognition. We will highlight lessons learned in integrating ElasticSearch in our virtualized EC2 environments, and challenges aligning with our continuous deployment processes.
We present findings in addition to the work in the following analyses:
Worm Backdoors and Secures QNAP Network Storage Devices https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061
Shellshock Worm Exploiting Unpatched QNAP NAS Devices https://threatpost.com/shellshock-worm-exploiting-unpatched-qnap-nas-devices/109870
A little ShellShock fun http://jrnerqbbzrq.blogspot.com/2014/12/a-little-shellshock-fun.html
This is what we found: the missing pieces from previous research.
The need to scale is in high demand in an age where everything is moving to the cloud. Though the standard Apache configuration could handle a website with moderate traffic, the minute it gets slashdotted or tweeted multiple times could spell an embarrassing crash landing! If you are the administrator of such a website then good luck finding another job! If, on the other hand, you value high availability in the midst of popularity, then read on. In this one-day workshop, we will show you how to scale your website and webapps to handle thousands of simultaneous sessions the right way. The topics covered will include:
- Setting up Apache and NGiNX
- Setting up a sample LAMP web app
- Benchmarking Apache performance
- Fine tuning Apache to improve performance
- Fine tuning NGiNX to improve performance
- Discussion about code level improvements when developing custom webapps using PHP
I will be giving a brief overview of the history of NGINX along with an overview of the features and functionality in the project as it stands today. I will give some real use-case examples of how NGINX can be used to solve problems and eliminate complexity within infrastructure. I will then dive into the future of the modern web and how NGINX is monitoring and leveraging industry changes to enhance the product for individuals and companies in the industry.
Join us to discover how to use the PHP frameworks and tools you love in the Cloud with Heroku. We will cover best practices for deploying and scaling your PHP apps and show you how easy it can be. We will show you examples of how to deploy your code from Git and use Composer to manage dependencies during deployment. You will also discover how to maintain parity through all your environments, from development to production. If your apps are database-driven, you can also instantly create a database from the Heroku add-ons and have it automatically attached to your PHP app. Horizontal scalability has always been at the core of PHP application design, and by using Heroku for your PHP apps, you can focus on code features, not infrastructure.
Drupaljam 2017 - Deploying Drupal 8 onto Hosted Kubernetes in Google Cloud, by Dropsolid
In this presentation I explain, using video examples, how Kubernetes works and how it can be used to host your Drupal 7 or 8 site. There are obviously also gotchas, and I'd like to warn you not to use this in production until you've verified it.
Bare Metal to OpenStack with Razor and Chef, by Matt Ray
Slides from the OpenStack Spring 2013 Summit workshop presented by Egle Sigler (@eglute) and Matt Ray (@mattray) from Rackspace and Opscode respectively. Please refer to http://anystacker.com/ for additional content.
2. Why HAProxy?
● High availability
● Powerful loadbalancer for websites due to its proxy nature
● Open Source
● Enterprise ready
HAProxy - Scale out using open source | by Ingo Walz
3. Enterprise options
● ALOHA HAProxy Loadbalancer Appliance
● HAProxy Enterprise Edition - HAPEE
http://www.haproxy.com/
4. Who's using it?
http://www.haproxy.org/they-use-it.html
5. Featureset
● Content switching / filtering
● Asymmetric load balancing
● Priority activation
● SSL offloading
● HTTP compression
● TCP buffering
● Priority queue / rate shaping
● Direct server return (DSR)
http://en.wikipedia.org/wiki/Load_balancing_(computing)#Load_balancer_features
6. Looks familiar?
7. Fix your Single-Server Environment
Congratulations, your whole environment is one Single Point Of Failure!
8. Fix your Single-Server Environment
Always try to follow the principle: One function per component
Not so much because it scales best, but because it's the cleanest way to manage them.
Configure Services, not Servers
9. Make your application cluster capable
● You need to deploy to a varying number of different machines
● Do not use something like NFS as a workaround
● A CI will help you
● Session clustering
● Avoid working on the filesystem to save data / user input
● Use central technologies to save your data (e.g. databases)
11. Known procedure
$ wget http://www.haproxy.org/download/1.5/src/haproxy-1.5.6.tar.gz
$ tar xvzf haproxy-1.5.6.tar.gz
$ cd haproxy-1.5.6
# HAProxy ships no configure script; build options are passed to make
$ make TARGET=linux2628 USE_OPENSSL=1 USE_PCRE=1
$ sudo make install
http://www.haproxy.org/#down
13. Configuration sections
/usr/local/etc/haproxy/haproxy.cfg
global
    # process-wide and often OS-specific
    # some have CLI equivalents
    [ .. ]
defaults
    # set default parameters for all following sections
    [ .. ]
frontend
    # describes a set of listening sockets accepting client connections
    [ .. ]
backend
    # describes a set of servers to which the proxy will connect
    # to forward incoming connections
    [ .. ]
listen
    # defines a complete proxy with its frontend and backend parts combined in one section.
    # It is generally useful for TCP-only traffic
    [ .. ]
14. TCP vs HTTP loadbalancing
/usr/local/etc/haproxy/haproxy.cfg
defaults
    mode tcp   # Can balance everything, the default
defaults
    mode http  # But you want that!
Layer 7 loadbalancing advantages
● Request inspection
● Content switching
● Header manipulation
● Cookie persistence
● Advanced health checks
15. Loadbalance your nginx
16. Loadbalance your nginx
/usr/local/etc/haproxy/haproxy.cfg
global
    maxconn 4096
    daemon
defaults
    mode http
    timeout connect 5000
    timeout client 50000
    timeout server 50000
frontend www_fe
    bind :80
    # Close connection to server but keep open for client
    option http-server-close
    # Must name the backend section defined below
    default_backend www_be
backend www_be
    server nginx1 10.0.0.10:80 check
    server nginx2 10.0.0.15:80 check
17. Still a single point of failure
18. HA with HAProxy & keepalived
19. HA with HAProxy & keepalived
vrrp_script chk_haproxy {
    script "killall -0 haproxy"
    interval 2
    weight 2
}
vrrp_instance VIRTUAL {
    interface eth0
    virtual_router_id 10
    state MASTER    #state BACKUP
    priority 100    #priority 101
    advert_int 1
    virtual_ipaddress {
        10.0.0.30
    }
    track_script {
        chk_haproxy
    }
}
/etc/keepalived/keepalived.conf
20. HA with public IPs
21. HA with public IPs - failover
22. The final step
23. Loadbalance MySQL - TCP
24. Loadbalance MySQL - TCP
/usr/local/etc/haproxy/haproxy.cfg
frontend mysql_fe
    bind :3306
    mode tcp
    default_backend mysql_be
backend mysql_be
    mode tcp
    option mysql-check user haproxy
    server mysql1 10.0.0.40:3306 check
    server mysql2 10.0.0.45:3306 check backup
mysql~> INSERT INTO mysql.user (Host,USER) VALUES ('10.0.0.20','haproxy'); FLUSH PRIVILEGES;
mysql~> INSERT INTO mysql.user (Host,USER) VALUES ('10.0.0.25','haproxy'); FLUSH PRIVILEGES;
25. Loadbalance MySQL - TCP
26. Loadbalance MySQL - TCP
27. All about SSL
28. Setup SSL Pass-Through
/usr/local/etc/haproxy/haproxy.cfg
frontend www_fe
    bind :80
    bind :443
    mode tcp
    default_backend www_be
backend www_be
    mode tcp
    server nginx1 10.0.0.10:443 check
    server nginx2 10.0.0.15:443 check
No HTTP mode possible – how to inspect encrypted headers?
29. SSL Termination – why you should offload
● Single configuration point for all certificates
● Certificates not widely spread across the infrastructure
● Offload the decryption load
● Typically, your HAProxy will have a bit of CPU left
● You need to decrypt to inspect the request information
30. Setup SSL offloading
/usr/local/etc/haproxy/haproxy.cfg
frontend www_fe
    bind :80
    bind :443 ssl crt /etc/haproxy/sample.pem
    # Close connection to server but keep open for client
    option http-server-close
    default_backend www_be
backend www_be
    server nginx1 10.0.0.10:80 check
    server nginx2 10.0.0.15:80 check
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout ssl/sample.key -out ssl/sample.crt
$ cat ssl/sample.key ssl/sample.crt > ssl/sample.pem
31. SNI – How it works
● Multiple certificates per IP / frontend profile
● Client and server need to support it
32. Setup SNI
/usr/local/etc/haproxy/haproxy.cfg
frontend www_fe
    bind :80
    # sample.pem as default, other PEMs from certs/ chosen by the SNI name the client sends
    bind :443 ssl crt /etc/haproxy/sample.pem crt /etc/haproxy/certs/
    # Content switch based on certificate (and based on host)
    use_backend sample1 if { ssl_fc_sni sample1 }
    use_backend sample2 if { ssl_fc_sni sample2 }
    default_backend www_be
backend sample1
    server nginx1 10.0.0.10:80 check
backend sample2
    server nginx2 10.0.0.15:80 check
backend www_be
    server nginx1 10.0.0.10:80 check
    server nginx2 10.0.0.15:80 check
33. Secure your entry point
34. Protect against syn flooding
# Allow up to this many half-open connections in the SYN backlog
$ sysctl -w net.ipv4.tcp_max_syn_backlog=4096
# Once net.ipv4.tcp_max_syn_backlog is reached, answer with SYN cookies
$ sysctl -w net.ipv4.tcp_syncookies=1
# Enable reverse path filtering: is the source routable through the incoming interface?
$ sysctl -w net.ipv4.conf.all.rp_filter=1
35. Basic iptables
$ cat iptables.sh
#!/bin/bash
iptables -F # Flush all rules of the filter table
# Drop incoming traffic by default (-P sets a chain policy and takes no -i option)
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Allow outgoing traffic
iptables -P OUTPUT ACCEPT
# Allow connections from localhost on every port (they arrive on lo, not eth0)
iptables -A INPUT -i lo -j ACCEPT
# Only eth0 (the publicly available interface) is filtered; accept the other interfaces
iptables -A INPUT ! -i eth0 -j ACCEPT
# Already opened connections are accepted on every port (required for some daemons)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ping
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
# Allow SSH (this should be avoided, SSH to haproxy via internal interface / through VPN)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Allow HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
36. Use HAProxy to secure your environment
/usr/local/etc/haproxy/haproxy.cfg
frontend www_fe
    bind :80
    bind :443 ssl crt /usr/local/etc/haproxy/sample.pem
    option http-server-close
    # Detect and reject shellshock requests
    reqdeny ^[^:]+:\s*\(\s*\)\s+\{
    reqdeny ^[^:]+:\s+.*?(<<[^<;]+){5,}
    # These rules display the SSLv3 error message
    acl sslv3 ssl_fc_protocol SSLv3
    http-request allow if sslv3
    use_backend backend_sslv3 if sslv3
    default_backend www_be
backend backend_sslv3
    mode http
    errorfile 503 /usr/local/etc/haproxy/pages/poodle.http
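Added example (not part of the original slides): what the two shellshock reqdeny expressions above accept and reject, written with the backslash escapes they need and run with Python's re module as a stand-in for HAProxy's regex engine. The helper names and the sample requests are constructed for this illustration.

```python
import re

# The two reqdeny expressions from the frontend above. HAProxy tests a reqdeny
# regex against the request line and each header line (not the body) and
# rejects the request as soon as one line matches.
RULES = [
    ("function-definition", re.compile(r"^[^:]+:\s*\(\s*\)\s+\{")),
    ("repeated-heredoc", re.compile(r"^[^:]+:\s+.*?(<<[^<;]+){5,}")),
]


def first_denied_line(raw_request):
    """Return (rule_name, line) for the first matching line, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]  # the body is never inspected
    for line in head.split("\r\n"):
        for name, pattern in RULES:
            if pattern.search(line):
                return name, line
    return None


def build(headers, body=""):
    """Assemble a constructed HTTP/1.1 request from (name, value) pairs."""
    lines = ["GET /cgi-bin/status HTTP/1.1", "Host: www.example.com"]
    lines += ["%s: %s" % (name, value) for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # Ordinary browser header: parentheses, but not at the start of the value.
    "benign": build([("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)")]),
    # Header value that starts with a bash function definition.
    "funcdef_user_agent": build([("User-Agent", "() { :; }; echo probe")]),
    # The rule tolerates extra whitespace around and inside the parentheses.
    "funcdef_extra_spaces": build([("Referer", "  ( )   { :; }; echo probe")]),
    # Five here-document operators in a row trip the second rule ...
    "heredoc_x5": build([("Cookie", "a=1 <<A <<B <<C <<D <<E")]),
    # ... four do not.
    "heredoc_x4": build([("Cookie", "a=1 <<A <<B <<C <<D")]),
    # "() {" later in the value is not matched: the first rule is anchored
    # to the text right after the header name's colon.
    "parens_mid_value": build([("User-Agent", "curl/7 () { not at start")]),
    # The same string in the body passes: reqdeny only sees header lines.
    "body_only": build([("Content-Type", "text/plain")],
                       "X: () { :; }; echo probe"),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to the rule that denies it, or 'pass'."""
    verdicts = {}
    for name, raw in samples.items():
        hit = first_denied_line(raw)
        verdicts[name] = hit[0] if hit else "pass"
    return verdicts


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print("%-22s %s" % (name, verdict))
```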
37. Check SSLv3 error message
$ openssl s_client -connect 10.0.0.30:443 -ssl3
[ … ]
SSL-Session:
Protocol : SSLv3
---
GET /
[ … ]
<html>
<head>
<title>SSLv3 detected</title>
</head>
[ … ]
</html>
38. Persistent HTTP loadbalancing
/usr/local/etc/haproxy/haproxy.cfg
backend www_be
    cookie PHPSESSID prefix
    server nginx1 10.0.0.10:80 cookie nginx1 minconn 10 maxconn 20 check
    server nginx2 10.0.0.15:80 cookie nginx2 minconn 10 maxconn 20 check
    # Set-Cookie:PHPSESSID=nginx1~7cmjd41klupaderap0q7tve357; path=/
Persistence only if PHPSESSID cookie is set!
backend www_be
    cookie server insert indirect nocache
    server nginx1 10.0.0.10:80 cookie nginx1 minconn 10 maxconn 20 check
    server nginx2 10.0.0.15:80 cookie nginx2 minconn 10 maxconn 20 check
    # Set-Cookie:server=nginx1; path=/
39. ACL
● Extract data from request / response stream
● Perform content switching
● Conditional request handling
● Can help you to secure your environment
● E.g. display an error message for SSLv3
40. Loadbalancing algorithms (most useful)
● roundrobin
● leastconn
  Suggested if you have very long sessions
● source
  Only useful in TCP environments
● Other methods available
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-balance
41. “Reverse proxy” usage
/usr/local/etc/haproxy/haproxy.cfg
frontend www_fe
    bind :80
    bind :443
    [ … ]
    use_backend nginx1_backend if { path_beg /nginx1 }
    use_backend nginx2_backend if { path_beg /nginx2 }
backend nginx1_backend
    # The slash after the prefix stays outside the capture so the rewritten path starts with a single /
    reqrep ^([^\ :]*)\ /nginx1/(.*) \1\ /\2
    server nginx1 10.0.0.10:80 cookie nginx1 check
backend nginx2_backend
    reqrep ^([^\ :]*)\ /nginx2/(.*) \1\ /\2
    server nginx2 10.0.0.15:80 cookie nginx2 check
You need to cut nginx1/2 from the request
42. Statistics
43. Run the example
44. Reminder
45. Used technologies
Vagrant >= 1.5.2
ChefDK >= 0.2.0
Berkshelf
47. Project structure
48. Vagrant
$ vagrant plugin install vagrant-omnibus
$ vagrant plugin install vagrant-berkshelf
Omnibus for chef solo support
Berkshelf to manage cookbook dependencies
49. Vagrant up
$ git clone https://github.com/iwalz/zendcon-haproxy
$ cd zendcon-haproxy
$ vagrant up haproxy1
$ vagrant up haproxy2
$ vagrant up nginx1
$ vagrant up nginx2
$ vagrant up mysql1
$ vagrant up mysql2
Don't simply use `vagrant up`; the Berkshelf dependencies will be messed up
50. How to continue
Architecture documentation (outdated, but still useful)
http://www.haproxy.org/download/1.3/doc/architecture.txt
Official documentation
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
Haproxy.com Blog
http://blog.haproxy.com/