Monday, November 24, 2014

How to Install HA-Proxy + Stunnel on Linux Machine

Install HA-Proxy + Stunnel on Linux Machine

Prerequisites:

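# Build prerequisites (RHEL/CentOS family). The package patterns are quoted so
# the shell does not expand them against the current directory; yum does the
# matching itself.
# NOTE(review): the original line asked for "pcre-deve", which is not a package;
# the headers live in "pcre-devel".
yum install 'perl-5*'
yum install make wget 'gcc-*' pcre-static pcre-devel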

openssl
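# OpenSSL from source.
# NOTE(review): the original fetched the archive over plain HTTP and nothing
# checked what arrived; fetch over HTTPS and compare the file with the checksum
# or signature published for the release before extracting it. 1.0.1g is a
# single point release of a branch that keeps receiving security fixes — use
# the current release of that branch rather than this fixed version.
# NOTE(review): --prefix=/usr installs over the distribution's OpenSSL under
# /usr, which the package manager no longer tracks; every other package on the
# host then links against this hand-built copy.
wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz
# <verify openssl-1.0.1g.tar.gz against the published checksum/signature here>
tar zxvf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
make clean
./config shared --prefix=/usr --openssldir=/usr/local/openssl
# Chained so that a failed build or a failed test suite stops before install
# (the original ran "make install" unconditionally on a separate line).
make && make test && make install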

Download HA-Proxy source package:
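# HA-Proxy from source.
# NOTE(review): the original fetched over plain HTTP with no verification;
# compare the archive with the checksum/signature published for the release.
wget https://www.haproxy.org/download/1.5/src/haproxy-1.5.8.tar.gz
# <verify haproxy-1.5.8.tar.gz against the published checksum/signature here>

tar -zxvf haproxy-1.5.8.tar.gz
cd haproxy-1.5.8
# USE_OPENSSL is not set, so this haproxy has no TLS support of its own; TLS is
# terminated by stunnel in front of it (see below). USE_STATIC_PCRE links the
# pcre-static package installed above.
make TARGET=linux26 USE_STATIC_PCRE=1 USE_LINUX_TPROXY=1
# install(1) sets the mode explicitly instead of inheriting the build tree's.
install -m 0755 haproxy /usr/sbin/haproxy
cp examples/haproxy.cfg /etc/haproxy.cfg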

# Replace the copied example with the configuration shown below.
vi /etc/haproxy.cfg
--------------------------------------------------------------------
global
        daemon
        maxconn 500000
        # Runtime admin socket. NOTE(review): it lives in /tmp and this line
        # sets no mode/user/level, so any local user able to connect can issue
        # runtime commands; a path under /var/run with an explicit mode and
        # level is the usual choice.
        stats socket    /tmp/haproxy
        # Logs go by UDP syslog to 127.0.0.1, facility local0. The local syslog
        # daemon must actually listen on UDP for this to work — see the rsyslog
        # step at the end of this guide. "debug" is the most verbose level.
        log 127.0.0.1 local0 debug

    defaults
        log     global
        mode http
        # NOTE(review): one-hour inactivity timeouts let a single client hold a
        # connection (and a maxconn slot) idle for an hour, and nothing here
        # bounds how long a client may take to send its request headers
        # ("timeout http-request" is not set). Confirm these values are intended.
        timeout connect 3600s
        timeout client 3600s
        timeout server 3600s
        #option keepalive
        option http-server-close
        # Adds X-Forwarded-For with the client address haproxy sees; for the :81
        # listener below that address comes from the PROXY header sent by stunnel.
        option forwardfor
        maxconn 500000
        option  httplog
        #balance roundrobin
        #balance source
        retries 3
        option redispatch
        #stats enable
        #stats auth statsadmin:fAzaceg7Dr
####

 listen httpfarm
        bind 192.168.30.7:80
        mode http
        # Health check: HEAD /this.txt with Host apply.pebc.ca (the :81 farm
        # checks Host www.pebc.com). /this.txt must exist on both backends
        # under each of those vhosts, or the servers are marked down.
        option httpchk HEAD  /this.txt HTTP/1.1\r\nHost:\ apply.pebc.ca
        cookie SERVERID insert nocache indirect maxidle 4h maxlife 4h
        balance roundrobin
        # No backend port given: haproxy then connects to the port the client
        # used on the frontend (80 here).
        server web1 192.168.30.4 cookie A check inter 20000 maxconn 500000
        server web2 192.168.30.6 cookie B check inter 20000  maxconn 500000
        option abortonclose
        # NOTE(review): "httpclose" here and "http-server-close" in defaults are
        # both connection-mode options; confirm which of the two is meant to win.
        option httpclose
        # NOTE(review): no unit, so this is 10 *milliseconds* (haproxy time
        # values default to ms). That is far shorter than "inter 20000" and
        # likely meant to be 10s; as written checks can fail on a slow response.
        timeout check 10
#
   listen httpsfarm
        # accept-proxy: every connection to :81 must start with a PROXY header
        # (stunnel sends one, "protocol = proxy" in its config). That header lets
        # the sender assert any client address, which then ends up in
        # X-Forwarded-For, so :81 must be reachable only by stunnel. stunnel
        # runs on this same host, so binding 127.0.0.1:81 (and pointing stunnel
        # there) removes the exposure; otherwise firewall the port.
        bind 192.168.30.7:81 accept-proxy
        mode http
        option httpchk  HEAD /this.txt HTTP/1.1\r\nHost:\ www.pebc.com
        # NOTE(review): this session cookie is set on the TLS farm without the
        # "secure"/"httponly" attributes the cookie directive supports in 1.5,
        # so the browser will also send it over plain HTTP to :80.
        cookie SERVERID insert nocache indirect maxidle 4h maxlife 4h
        balance roundrobin
        server web1 192.168.30.4:80 cookie A check inter 20000 maxconn 500000
        server web2 192.168.30.6:80 cookie B check inter 20000  maxconn 500000
        #option forwardfor except 10.212.238.80
        option abortonclose
        option httpclose
        option forwardfor
        # Tells the backends this request arrived over TLS (terminated by stunnel).
        reqadd X-Forwarded-Proto:\ https
        #acl hostname hdr_beg(host) -i pebc.
        #acl is_ssl src 10.212.238.80
#       #redirect prefix http://apply.pebc.com if hostname
##      #use_backend purehttp if hostname
##
    # NOTE(review): "1192.168.30.7" is not a valid IPv4 address; every other
    # bind in this file uses 192.168.30.7, so this looks like a typo. Note also
    # that the page is then only reachable at that address, not via localhost.
    listen stats 1192.168.30.7:8765
        mode http
        stats uri /
        stats enable
        # NOTE(review): cleartext credential, sent over plain HTTP (this build
        # of haproxy has no TLS) to a listener with no source restriction.
        # Rotate it now that it is published, and restrict the listener with
        # an ACL, a firewall rule, or a management-only bind address.
        stats auth statsadmin:fAzaceg7Dr
        maxconn 500000
--------------------------------------------------------

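# Validate the configuration first: -c parses it and exits, so a typo is
# reported before anything is bound. The start only runs if the check passes.
/usr/sbin/haproxy -c -f /etc/haproxy.cfg && /usr/sbin/haproxy -f /etc/haproxy.cfg
# pgrep replaces "ps -aux | grep", which also listed the grep process itself.
pgrep -l haproxy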

http://192.168.30.7:8765/

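# stunnel from source. NOTE(review): compare the archive with the checksum or
# signature published for the release before extracting it.
wget https://www.stunnel.org/downloads/stunnel-5.07.tar.gz
# <verify stunnel-5.07.tar.gz against the published checksum/signature here>
tar -zxvf stunnel-5.07.tar.gz
cd stunnel-5.07
# The default prefix is /usr/local, which is where the init script further down
# expects the binary (/usr/local/bin/stunnel) and where the sample config lands.
# Chained so a failed configure or build does not fall through to install.
./configure && make && make install

# -p: harmless if the directory already exists (the original failed then).
mkdir -p /etc/stunnel
cp /usr/local/etc/stunnel/stunnel.conf-sample /etc/stunnel/stunnel.conf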

# Replace the sample with the configuration shown below.
vi /etc/stunnel/stunnel.conf
----------------------------------------------------------------
#
; Paths stunnel opens after start-up (pid, log) are relative to this jail.
; The cert/key below keep their real paths: stunnel loads them while starting,
; before entering the chroot — confirm against the stunnel manual for 5.x.
chroot = /usr/local/var/lib/stunnel/
; Prefix each forwarded connection with a PROXY-protocol header so haproxy
; learns the real client address (matches "accept-proxy" on its :81 listener).
protocol = proxy

; Commented out. Note the doubled "==", which would not parse if re-enabled.
;CApath==/cert
;cert=/usr/local/var/lib/stunnel/cert/all.pem
;key=/var2/SSL/apply.pebc.ca.key
; Drop privileges after start-up. NOTE(review): the init script in this guide
; creates /var/run/stunnel owned by a dedicated "stunnel" account, while this
; runs as "nobody" — pick one account and use it in both places.
setuid=nobody
setgid=nobody

; PID is created inside the chroot jail
pid = /stunnel.pid

; Debugging stuff (may be useful for troubleshooting)
; NOTE(review): 7 is the most verbose level and records every connection into
; the log inside the jail; lower it once troubleshooting is done.
debug = 7
output = /stunnel.log

; NOTE(review): only SSLv2 is disabled here, so SSLv3 is still offered on :443.
; Add "options = NO_SSLv3" as well.
options = NO_SSLv2

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1

[https]
; NOTE(review): the private key must be readable only by the account stunnel
; starts as (root here), e.g. mode 0600. If the CA needs an intermediate
; certificate presented, it has to be appended to the cert file — the commented
; chainfile lines below suggest this was still being worked out.
cert=/var/SSL/apply.pebc.ca.crt
key=/var/SSL/apply.pebc.ca.key
;
;key=/var/SSL/www.pebc.ca.key
;CApath=/usr/local/var/lib/stunnel/cert
;CApath=/var/SSL/GEO
;cafile=/var/SSL/www.pebc-intermediate.crt
;cert=/var/SSL/geochainfile.crt
;cafile=/var/SSL/geochainfile.crt
; TLS is terminated here; the hop to haproxy on :81 is plaintext but stays on
; this host. See the haproxy config about restricting who may reach :81.
accept  = 192.168.30.7:443
connect = 192.168.30.7:81
;xforwardedfor = yes
; Do not wait for the peer's close_notify before closing the connection.
TIMEOUTclose = 0
;
-----------------------------------------------------------------


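# Dedicated system account for the tunnel: no login shell, no interactive use.
# NOTE(review): stunnel.conf above drops privileges to "nobody", not to this
# account; align the two so the run directory created by the init script is
# owned by the user the daemon actually runs as.
useradd -r -s /sbin/nologin stunnel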

# Create the init script shown below (it is not shipped by the source install).
vi /etc/init.d/stunnel
-------------------------------------------------------------------
#! /bin/sh -e
### BEGIN INIT INFO
# Provides:          stunnel
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Should-Start:      $syslog
# Should-Stop:       $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start or stop stunnel 4.x (SSL tunnel for network daemons)
### END INIT INFO

# Defaults. ENABLED and OPTIONS may be overridden by /etc/default/stunnel,
# which the script sources further down.
DEFAULTPIDFILE='/var/run/stunnel.pid'   # used when a config has no pid= line
DAEMON='/usr/local/bin/stunnel'         # source install, prefix /usr/local
NAME='stunnel'
DESC='SSL tunnels'
FILES='/etc/stunnel/*.conf'             # glob; expanded where it is used, one instance per file
OPTIONS=''                              # extra arguments passed after the config file
ENABLED=1                               # set to 0 in /etc/default/stunnel to disable

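#######################################
# Print the PID(s) recorded for one stunnel config file.
# Reads the "chroot =" and "pid =" values from the file; the pid file is
# looked up underneath the chroot because stunnel creates it inside the jail.
# Arguments: $1 - path to a stunnel .conf file
# Globals:   DEFAULTPIDFILE (read) - used when the config has no pid= line
# Outputs:   contents of the pid file on stdout; nothing if the config file or
#            the pid file does not exist
# Returns:   0
#######################################
get_pids() {
  local file=$1
  local jail pidfile
  if test -f "$file"; then
    # Everything after "= " on the matching line; $(...) instead of backticks,
    # and every expansion quoted (paths in these files may contain spaces).
    jail=$(grep "^chroot" "$file" | sed "s;.*= *;;")
    pidfile=$(grep "^pid" "$file" | sed "s;.*= *;;")
    if [ "$pidfile" = "" ]; then
      pidfile=$DEFAULTPIDFILE
    fi
    # pid= is absolute inside the jail, so "$jail/$pidfile" carries a doubled
    # slash; the kernel ignores it.
    if test -f "$jail/$pidfile"; then
      cat "$jail/$pidfile"
    fi
  fi
}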

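#######################################
# Start one stunnel instance per config file matched by $FILES, skipping any
# whose recorded PID is still alive.
# Globals:   FILES, DAEMON, OPTIONS (read)
# Outputs:   one "[...: file] " tag per config file on stdout
# Returns:   0; exits 1 as soon as one instance fails to start
#######################################
startdaemons() {
  local file args proclist
  # NOTE(review): the run directory is handed to the "stunnel" account, while
  # the stunnel.conf in this guide drops privileges to "nobody"; keep the two
  # in step or the daemon cannot write here after setuid.
  if ! [ -d /var/run/stunnel ]; then
    rm -rf /var/run/stunnel
    install -d -o stunnel -g stunnel /var/run/stunnel
  fi
  # $FILES is a glob pattern; leaving it unquoted expands it on purpose.
  for file in $FILES; do
    if test -f "$file"; then
      args="$file $OPTIONS"
      proclist=$(get_pids "$file")
      # $proclist may hold several PIDs, so it is split on purpose.
      # shellcheck disable=SC2086
      if [ "$proclist" ] && kill -s 0 $proclist 2>/dev/null; then
        printf '%s' "[Already running: $file] "
      # $args is split on purpose so OPTIONS may carry several words.
      # shellcheck disable=SC2086
      elif $DAEMON $args; then
        printf '%s' "[Started: $file] "
      else
        printf '%s\n' "[Failed: $file]"
        printf '%s\n' "You should check that you have specified the pid= in your configuration file"
        exit 1
      fi
    fi
  done
}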

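#######################################
# Send a signal to every live stunnel instance found via $FILES.
# Arguments: $1 - signal name, default TERM (HUP reloads, USR1 reopens logs)
# Globals:   FILES (read)
# Outputs:   "[stopped: file] " per signalled instance on stdout — the tag is
#            printed for every signal, not only TERM
# Returns:   0
#######################################
killdaemons() {
  local signal=${1:-TERM}
  local file proclist
  # $FILES is a glob pattern; expanded on purpose.
  for file in $FILES; do
    proclist=$(get_pids "$file")
    # Several PIDs may be listed, so $proclist is split on purpose.
    # shellcheck disable=SC2086
    if [ "$proclist" ] && kill -s 0 $proclist 2>/dev/null; then
      kill -s "$signal" $proclist
      printf '%s' "[stopped: $file] "
    fi
  done
}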

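# Site overrides (ENABLED, OPTIONS, ...) are read before OPTIONS is examined.
# In the original ordering the "--" prefix was added *before* this file was
# sourced, so an OPTIONS value set in /etc/default/stunnel was passed bare.
test -f /etc/default/stunnel && . /etc/default/stunnel

# Kept from the original: extra arguments are separated from the config file
# by "--" (confirm that the installed stunnel accepts arguments in that form).
if [ "x$OPTIONS" != "x" ]; then
  OPTIONS="-- $OPTIONS"
fi

if [ "$ENABLED" = "0" ] ; then
  printf '%s\n' "$DESC disabled, see /etc/default/stunnel"
  exit 0
fi

# Nothing to do if the daemon is not installed (exit 0, as init scripts do).
test -x "$DAEMON" || exit 0

set -e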

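# Dispatch on the requested action. stop/reload/reopen-logs only signal live
# instances; restart waits a fixed 5s for the old processes to exit.
# printf replaces "echo -n", whose behaviour is not portable under /bin/sh.
case "$1" in
  start)
        printf '%s' "Starting $DESC: "
        startdaemons
        printf '%s\n' "$NAME."
        ;;
  stop)
        printf '%s' "Stopping $DESC: "
        killdaemons
        printf '%s\n' "$NAME."
        ;;
  reopen-logs)
        printf '%s' "Reopening log files $DESC: "
        killdaemons USR1
        printf '%s\n' "$NAME."
        ;;
  force-reload|reload)
        printf '%s' "Reloading configuration $DESC: "
        killdaemons HUP
        printf '%s\n' "$NAME."
        ;;
  restart)
        printf '%s' "Restarting $DESC: "
        killdaemons
        # Fixed grace period; startdaemons reports "[Already running]" for any
        # instance whose old PID has not exited by then.
        sleep 5
        startdaemons
        printf '%s\n' "$NAME."
        ;;
  status)
        # Added: exit 0 when every config file has a live instance, 3 otherwise
        # (the conventional "not running" status for init scripts).
        rc=0
        for file in $FILES; do
          proclist=$(get_pids "$file")
          # shellcheck disable=SC2086
          if [ "$proclist" ] && kill -s 0 $proclist 2>/dev/null; then
            printf '%s\n' "$NAME ($file) is running"
          else
            printf '%s\n' "$NAME ($file) is not running"
            rc=3
          fi
        done
        exit "$rc"
        ;;
  *)
        N=/etc/init.d/$NAME
        # Usage now lists every action the case above accepts (force-reload was
        # accepted but undocumented in the original message).
        printf '%s\n' "Usage: $N {start|stop|reload|force-reload|reopen-logs|restart|status}" >&2
        exit 1
        ;;
esac

exit 0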
-------------------------------------------------------------

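# An explicit mode rather than "+x", which only adds to whatever bits the
# editor left on the file.
chmod 0755 /etc/init.d/stunnel
# NOTE(review): this starts the service now only; to start it at boot the
# script must also be registered with the init system (chkconfig --add stunnel
# on RHEL-family systems — the LSB header in the script provides the runlevels).
service stunnel start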

To start HA-Proxy:
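# NOTE(review): haproxy was already started once earlier in this guide without
# -p; a second start cannot bind :80/:81 while the first is alive. Stop that
# instance first, or pass "-sf <old pid>" so the new process takes over the
# listeners and the old one finishes its connections.
# The configuration is checked (-c) before the start is attempted.
/usr/sbin/haproxy -c -f /etc/haproxy.cfg && /usr/sbin/haproxy -f /etc/haproxy.cfg -p /var/run/haproxy.pid

# pgrep instead of "ps -aux | grep", which also matched the grep itself.
pgrep -l haproxy

service stunnel restart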

To create HAProxy logs:
# Add the rule shown below to the rsyslog configuration.
vi /etc/rsyslog.conf
#proxy logging
# haproxy sends its log lines to 127.0.0.1 over UDP (global section:
# "log 127.0.0.1 local0 debug"), so rsyslog must also be listening on UDP 514
# ("$ModLoad imudp" and "$UDPServerRun 514" in the legacy syntax); a facility
# rule on its own, as below, receives nothing if that listener is absent.
# With haproxy logging at "debug" this file grows quickly — plan log rotation,
# and note that it records client addresses and request lines.
local0.*                                                /var/log/haproxy.log

# Restart so the new rule (and the UDP listener, once added) takes effect.
service rsyslog restart

Check the HAProxy stats page at http://localhost:8765




