
SKS loadbalanced with haproxy

10 | 14 Nov 2015

SKS keyserver load balancing with HAProxy

Here's my config for load-balancing SKS keyservers. With a little help from Kristian from sks-keyservers.net to understand which URLs need to be served from a master node, I've put together the following config for HAProxy.

Keyserver: https://sks.mj2.uk/

# haproxy-1.6.1 Config for SKS LB

global
    #log 127.0.0.1    local0 info
    # NOTE(review): logging is commented out, so "option httplog" in the
    # defaults section has no destination; a public keyserver benefits from
    # access logs shipped off-box for incident response.
    maxconn 4096
    # Drop privileges after start-up: chroot, then switch to uid/gid 99
    # (commonly "nobody" — confirm on the target host).
    chroot /usr/share/haproxy
    uid 99
    gid 99
    daemon
    # DH parameter size used by the DHE-* suites in the cipher list below.
    tune.ssl.default-dh-param 4096
    # SSLv3 off; session tickets off, so resumption relies on the server-side
    # session cache sized by tune.ssl.cachesize / tune.ssl.lifetime below.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    # Admin socket readable/writable by the owner only (mode 600); the
    # "operator" level permits reads and non-sensitive changes, not full admin.
    stats socket /var/run/haproxy.stat mode 600 level operator
    stats timeout 5s
    # Cipher list applied to every "bind ... ssl" line: AES-256 suites first,
    # then AES-128, with 3DES (DES-CBC3) fallbacks near the end. Notes:
    #  - ECDHE-RSA-DES-CBC3-SHA is listed twice; the duplicate is harmless.
    #  - The ECDH-* (non-ephemeral) and DES-CBC3 entries are kept for legacy
    #    client compatibility; the former offer no forward secrecy — review
    #    whether that compatibility is still required.
    ssl-default-bind-ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA"
    # Cap on the TLS record size in bytes; smaller records lower time-to-first-
    # byte for browser clients at a small throughput cost.
    tune.ssl.maxrecord 2859
    # TLS session cache: up to 100000 entries, each valid for 600 seconds.
    tune.ssl.cachesize 100000
    tune.ssl.lifetime 600

defaults
    # Settings inherited by every frontend/backend below unless overridden.
    mode    http
    # Request-level log format (no effect while the global "log" line is
    # commented out).
    option    httplog
    # Do not log connections that carried no data (e.g. monitoring probes).
    option    dontlognull
    # Connection attempts to a server before giving up on it.
    retries    3
    # Per-proxy connection cap; the global maxconn (4096) still bounds the total.
    maxconn    2000
    # Timeouts are in milliseconds when no unit is given: 5 s to connect to a
    # server, 50 s of client or server inactivity.
    timeout connect        5000
    timeout client        50000
    timeout server        50000

##################################################
# frontends
##################################################

frontend http-sks
    # Plain-HTTP / HKP entry point: port 80 for browsers and port 11371 for
    # HKP clients, on both the IPv4 and IPv6 addresses.
    mode http
    # Response-header rewrites: tag responses with this LB and replace the
    # backend's Server header so node software/versions are not disclosed.
    # (rspadd/rsprep are 1.x keywords; later releases use http-response.)
    rspadd Via: lb1.mj2.uk
    rsprep    ^Server.* Server: Unix
    bind 178.32.66.144:80
    bind 178.32.66.144:11371
    bind 2001:41d0:2:a8b4::10:80
    bind 2001:41d0:2:a8b4::10:11371
    # Requests that must hit the master node: key submission and hashquery
    # (prefix match, so any path starting with these strings qualifies) and
    # the stats page (query parameter op=stats).
    acl mast_url path_beg /pks/add /pks/hashquery
    acl mast_param urlp(op) stats
    use_backend http-sks-master if mast_url
    use_backend http-sks-master if mast_param
    # Everything else (lookups, key retrieval) is spread over all nodes.
    default_backend http-sks

frontend tcp-sks-recon
    # SKS reconciliation (gossip) port, passed through at the TCP level.
    mode tcp
    bind 178.32.66.144:11370
    # NOTE(review): recon is currently reachable over IPv4 only; the IPv6
    # bind is commented out.
    #bind 2001:41d0:2:a8b4::10:11370
    # NOTE(review): the 50 s client/server timeouts inherited from defaults
    # apply to recon sessions too — confirm they suit a full reconciliation.
    default_backend tcp-sks-recon

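frontend https-sks
    # TLS entry point; TLS is terminated here and the backends are reached
    # over plain HTTP on the internal network.
    mode http
    # Response-header rewrites: tag responses with this LB and replace the
    # backend's Server header so node software/versions are not disclosed.
    # (rspadd/rsprep are 1.x keywords; later releases use http-response.)
    rspadd Via: lb1.mj2.uk
    rsprep    ^Server.* Server: Unix
    # Two certificates per bind, selected by SNI; the first "crt" is the
    # default when a client sends no SNI or an unknown name. Enabling
    # "strict-sni" instead rejects such handshakes.
    bind 178.32.66.144:443 ssl crt /etc/haproxy/ssl/sks.mj2.uk.pem crt /etc/haproxy/ssl/pgp.mj2.uk.pem # strict-sni
    bind 2001:41d0:2:a8b4::10:443 ssl crt /etc/haproxy/ssl/sks.mj2.uk.pem crt /etc/haproxy/ssl/pgp.mj2.uk.pem # strict-sni
    # Requests that must hit the master node: key submission and hashquery
    # (prefix match) and the stats page (query parameter op=stats).
    acl mast_url path_beg /pks/add /pks/hashquery
    acl mast_param urlp(op) stats
    use_backend https-sks-master if mast_url
    use_backend https-sks-master if mast_param
    # The former rule 'use_backend https-sks if { ssl_fc_sni cert1 }' was
    # dead: no client presents the SNI name "cert1", and its target was the
    # default backend anyway, so it is dropped.
    # NOTE(review): no Strict-Transport-Security header is set for browser
    # clients; if added, keep in mind port 80/11371 must stay open for HKP.
    default_backend https-sks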

##################################################
# Backends
##################################################

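backend http-sks-master
    # Master-only path (submissions, hashquery, stats) over plain HTTP.
    mode http
    # Health check: the escapes had been lost in the published copy
    # ("HTTP/1.1rnHost: ..."); HAProxy needs "\r\n" between the request line
    # and the Host header, and the space after "Host:" must be escaped so the
    # header stays a single argument.
    option  httpchk GET /?mode=http HTTP/1.1\r\nHost:\ sks.mj2.uk
    # Pass the client address to the node in X-Forwarded-For.
    option forwardfor
    # Single master node. Traffic goes to 11371 but the check probes port 80
    # (assumes a web front on the node answers there — confirm). Probe every
    # 20 s; two consecutive results flip the server state either way.
    server node1 192.168.0.2:11371 weight 1 maxconn 1000 check port 80 inter 20000 rise 2 fall 2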

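backend http-sks
    # Read path (lookups, key retrieval) over plain HTTP, spread over all nodes.
    mode http
    # Health check: restored "\r\n" and the escaped space that the published
    # copy had lost ("HTTP/1.1rnHost: ...").
    option  httpchk GET /?mode=http HTTP/1.1\r\nHost:\ sks.mj2.uk
    balance leastconn
    # NOTE(review): hash-type only affects hash-based algorithms (source, uri,
    # url_param, hdr, ...); with "balance leastconn" it has no effect and is
    # kept only for parity with the original.
    hash-type consistent
    # Pass the client address to the node in X-Forwarded-For.
    option forwardfor
    # Pin each client IP to the node it first reached for one minute (up to
    # 1m entries), so repeated lookups see a consistent node even when
    # replication between nodes lags.
    stick-table type ip size 1m expire 1m
    stick on src
    # The master (node1) carries half the weight of the other nodes. Traffic
    # goes to 11371 but the check probes port 80 (assumes a web front on each
    # node — confirm). Probe every 20 s; two results flip the state either way.
    server node1 192.168.0.2:11371 weight 10 maxconn 1000 check port 80 inter 20000 rise 2 fall 2
    server node2 192.168.0.3:11371 weight 20 maxconn 1000 check port 80 inter 20000 rise 2 fall 2
    server node3 192.168.0.4:11371 weight 20 maxconn 1000 check port 80 inter 20000 rise 2 fall 2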

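backend tcp-sks-recon
    # Recon (gossip) traffic, TCP passthrough to the master node only.
    mode tcp
    balance leastconn
    # The original carried "cookie node1" on this server; cookies are an HTTP
    # concept and have no effect in TCP mode, so it is dropped.
    # NOTE(review): no "check" here, so the server is never marked down; with
    # a single server the outcome is the same, but stats will not reflect it.
    server node1 192.168.0.2:11370 weight 1 maxconn 1000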

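backend https-sks-master
    # Master-only path for TLS-terminated requests; the node is reached over
    # plain HTTP on the internal network.
    mode http
    # Health check: restored "\r\n" and the escaped space that the published
    # copy had lost ("HTTP/1.1rnHost: ..."). Only the mode parameter differs
    # from the http-sks-master check.
    option  httpchk GET /?mode=https HTTP/1.1\r\nHost:\ sks.mj2.uk
    # Pass the client address to the node in X-Forwarded-For.
    option forwardfor
    # Single master node; check probes port 80 (assumes a web front on the
    # node — confirm). Probe every 20 s; two results flip the state either way.
    server node1 192.168.0.2:11371 weight 1 maxconn 1000 check port 80 inter 20000 rise 2 fall 2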

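backend https-sks
    # Read path for TLS-terminated requests, spread over all nodes; nodes are
    # reached over plain HTTP on the internal network.
    mode http
    # Health check: restored "\r\n" and the escaped space that the published
    # copy had lost ("HTTP/1.1rnHost: ...").
    option  httpchk GET /?mode=https HTTP/1.1\r\nHost:\ sks.mj2.uk
    balance leastconn
    # Pass the client address to the node in X-Forwarded-For.
    option forwardfor
    # Pin each client IP to the node it first reached for one minute (up to
    # 1m entries), matching the http-sks backend.
    stick-table type ip size 1m expire 1m
    stick on src
    # Same node set and weights as http-sks: the master (node1) carries half
    # the weight of the others. Check probes port 80 (assumes a web front on
    # each node — confirm); probe every 20 s, two results flip the state.
    server node1 192.168.0.2:11371 weight 10 maxconn 1000 check port 80 inter 20000 rise 2 fall 2
    server node2 192.168.0.3:11371 weight 20 maxconn 1000 check port 80 inter 20000 rise 2 fall 2
    server node3 192.168.0.4:11371 weight 20 maxconn 1000 check port 80 inter 20000 rise 2 fall 2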
