
We want to use a single ELB to handle the free AWS SSL/TLS wildcard certificate. For example, we have n servers: app1.example.com, app2.example.com, ..., appn.example.com. Each app has its own server or collection of servers.

We want to use HAProxy to solve this because AWS ELB can't do layer 7 sub-domain balancing and we want to take advantage of the free AWS SSL/TLS certificate. Like this: (Infrastructure Diagram)

The HAProxy configuration file is as follows.

global
    daemon
    maxconn 15000

defaults
    mode http
    timeout connect 5000ms
    timeout client 5000ms
    timeout server 5000ms

frontend http-in
    # The ELB terminates TLS and forwards plain HTTP to this port.
    bind *:80

    # Let HAProxy answer the ELB health check itself with a 200. The ELB probe
    # does not present one of the app hostnames, so without this line it
    # matches none of the ACLs below, gets a 503, and the ELB marks this
    # HAProxy unhealthy. The path is an assumption: use whatever path the ELB
    # health check is configured to request.
    monitor-uri /haproxy-health

    # Define hosts: exact, case-insensitive match of the whole Host header value
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com
    acl host_app3 hdr(host) -i app3.example.com

    # Figure out which one to use; a request matching none of them gets a 503
    use_backend app1_cluster if host_app1
    use_backend app2_cluster if host_app2
    use_backend app3_cluster if host_app3

backend app1_cluster
    server node1 10.0.1.107:80 check

backend app2_cluster
    server node1 10.0.1.203:80 check

backend app3_cluster
    server node1 10.0.1.41:80 check

This configuration does not seem to work, though. I am new to HAProxy, so any advice is greatly appreciated.

Jeancarlo
  • Why do you want to put HAProxy in instead of just using the ELB load balancer to distribute requests? You also haven't stated the problem you're having. Please edit your question to include this information. – Tim Feb 03 '17 at 19:38
  • Sorry, I already edited it. But essentially what I want to do is to be able to use an SSL/TLS wildcard certificate for all my servers. Each server belongs to a client, and they are different from each other. We use sub-domains to access each one. The problem is that this conf file is not working, so I would like to have some feedback on it. – Jeancarlo Feb 03 '17 at 19:52
  • Please expound on "doesn't work". – EEAA Feb 03 '17 at 19:58
  • It'd be cheaper to get a free Let's Encrypt certificate than to run an ELB. Getting those certificates is easy, and I believe adding them to HAProxy is easy too. I can't help with HAProxy configuration sorry. – Tim Feb 03 '17 at 19:58
  • Just out of curiosity, is there any reason why you wouldn't just create as many ELBs as you needed? You can use the same cert on multiple LBs. I might, for example, have app1, app2 and app3 on ELB1, pointing at servers A, B & C, and have app4, app5 and app6 on ELB2, pointing at servers D, E & F. Adding an HAProxy layer sounds like inviting trouble and more points of failure. One final note: at this time the new ALB AWS offers would be useless for you, as for some reason ATM they don't do subdomain-based routing. – KHobbits Feb 04 '17 at 00:30
  • This is a perfectly reasonable configuration. I'm sure of it, because it's exactly how I do it, just much bigger. :) One massive advantage is real-time logging, and HAProxy's logs are more useful, logging headers, cookies, and several more timers than ELB. Nobody who has ever used it would want to run without it, it's that valuable. Here, there's no obvious fault in this configuration. Verify that the balancer thinks the proxy is healthy. Read the HAProxy logs. Generate a failed request, describe the failure mode, and show the logs in an edit to the question. – Michael - sqlbot Feb 04 '17 at 02:49
  • @KHobbits ELBs are cost-prohibitive for small sites. You can easily pay more for the balancer than you pay for the instances actually running the site. Advantages of ALB are HTTP/2 <> HTTP/1.1 translation support, WAF support, and a potential but probably small cost savings over classic ELB. The scenario needs at least 2 HAProxies for redundancy, but HAProxy is highly stable. I do not need to use any fingers (or thumbs) to count my HAProxy production outages. – Michael - sqlbot Feb 04 '17 at 03:00
  • @Michael-sqlbot I was just mentioning that sadly at the moment ALB doesn't support header-based routing, only path-based routing. I.e. you can make /api go to one server and /ipa go to another, but not based on subdomain. Seems like a large oversight, but it would have otherwise solved this problem. – KHobbits Feb 04 '17 at 03:09
  • Quite right on both counts, @KHobbits. Very large oversight. I see now that you meant it would not solve this problem on its own -- I originally misunderstood you to be saying it would have no advantage over classic in the scenario where it's placed in front of HAProxy. Apologies for the misunderstanding. – Michael - sqlbot Feb 04 '17 at 03:20
  • @Michael-sqlbot I would have thought that in most environments, given that an ELB is about the same cost as a t2.small or m1.small, and the fact you can stick lots of sites behind a single ELB when you cohabit similar sites (a pool of servers serving lots of sites is better than individual servers serving one site), it would easily work out cheaper than ELB coupled with a pair of HAProxies. My ELB bill is about 8% of my normal instance spend, so I guess I never thought to think that way. Rereading above, I see what you mean about my original ALB statement; either way, information is king! – KHobbits Feb 04 '17 at 03:23
  • @Michael-sqlbot Yes, this is a great setup. And you were totally right, it was the health check. You should leave it as an answer so I can upvote it. – Jeancarlo Feb 06 '17 at 13:52
  • Just worth mentioning, Amazon just announced header-based routing on ALB. – KHobbits Apr 11 '17 at 10:16
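The comments end with the cause of the failure being the ELB health check rather than the routing rules. The following is an added example, not code from the question or from HAProxy: a small Python model of the posted frontend that applies HAProxy's semantics for `hdr(host) -i <value>` (case-insensitive exact match of the whole Host header value, port included if the client sent one) and the 503 HAProxy returns when no `use_backend` rule and no `default_backend` applies. It shows why an ELB probe, which does not present one of the app hostnames, gets a 503 from the posted config and a 200 once a `monitor-uri` is added. The `/haproxy-health` path and the Host values in the sample requests are assumptions, not taken from the question.

```python
# Added example (not from the question, not HAProxy's code): a model of the
# posted frontend's routing, used to show the health-check failure and the
# monitor-uri fix. Host values and the monitor-uri path below are assumptions.
import re
from dataclasses import dataclass, field
from typing import Optional

ACL_RE = re.compile(r"^acl\s+(\S+)\s+hdr\(host\)\s+(-i\s+)?(\S+)$")
USE_RE = re.compile(r"^use_backend\s+(\S+)\s+if\s+(\S+)$")
MON_RE = re.compile(r"^monitor-uri\s+(\S+)$")
DEF_RE = re.compile(r"^default_backend\s+(\S+)$")


@dataclass
class Frontend:
    acls: dict = field(default_factory=dict)   # acl name -> (pattern, case_insensitive)
    rules: list = field(default_factory=list)  # (backend, acl name) in config order
    monitor_uri: Optional[str] = None
    default_backend: Optional[str] = None


def parse_frontend(cfg: str) -> Frontend:
    """Parse only the frontend directives this model cares about."""
    fe = Frontend()
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := ACL_RE.match(line):
            fe.acls[m.group(1)] = (m.group(3), m.group(2) is not None)
        elif m := USE_RE.match(line):
            fe.rules.append((m.group(1), m.group(2)))
        elif m := MON_RE.match(line):
            fe.monitor_uri = m.group(1)
        elif m := DEF_RE.match(line):
            fe.default_backend = m.group(1)
    return fe


def acl_matches(fe: Frontend, name: str, host: str) -> bool:
    pattern, ci = fe.acls[name]
    # hdr(host) yields the full header value; the string matcher is an exact
    # comparison, folded to lower case under -i. "app1.example.com:80" does
    # not match "app1.example.com".
    return host.lower() == pattern.lower() if ci else host == pattern


def route(fe: Frontend, host: str, path: str = "/") -> tuple:
    """Return (HTTP status, target) as the frontend would handle the request.
    A 200 for a routed request assumes the chosen backend is healthy."""
    if fe.monitor_uri and path == fe.monitor_uri:
        return 200, "monitor"            # answered by HAProxy itself, no backend
    for backend, acl in fe.rules:
        if acl in fe.acls and acl_matches(fe, acl, host):
            return 200, backend
    if fe.default_backend:
        return 200, fe.default_backend
    return 503, "none"                   # no rule matched, no default_backend


# Constructed: the frontend exactly as posted in the question.
POSTED_FRONTEND = """
frontend http-in
    bind *:80
    acl host_app1 hdr(host) -i app1.example.com
    acl host_app2 hdr(host) -i app2.example.com
    acl host_app3 hdr(host) -i app3.example.com
    use_backend app1_cluster if host_app1
    use_backend app2_cluster if host_app2
    use_backend app3_cluster if host_app3
"""

# Constructed: the same frontend plus a monitor-uri (path is an assumption; use
# whatever path the ELB health check is configured to request).
FIXED_FRONTEND = POSTED_FRONTEND.replace(
    "bind *:80", "bind *:80\n    monitor-uri /haproxy-health")

# Constructed health-check request: the ELB does not know the app hostnames,
# so its probe carries some other Host value (an instance address is assumed).
ELB_PROBE = ("10.0.1.5", "/haproxy-health")


def health_check_status(cfg: str) -> int:
    """Status the ELB probe sees; classic ELB only accepts 200 as healthy."""
    return route(parse_frontend(cfg), *ELB_PROBE)[0]


if __name__ == "__main__":
    fe = parse_frontend(FIXED_FRONTEND)
    for host in ("app1.example.com", "APP2.Example.com",
                 "app1.example.com:80", "app9.example.com"):
        print(f"{host:24} -> {route(fe, host)}")
    print("posted config, ELB probe:", health_check_status(POSTED_FRONTEND))
    print("fixed config,  ELB probe:", health_check_status(FIXED_FRONTEND))
```

Against a real instance the same check is `haproxy -c -f /etc/haproxy/haproxy.cfg` to validate the file, then `curl -i -H 'Host: app1.example.com' http://<haproxy-ip>/` for each hostname and `curl -i http://<haproxy-ip>/haproxy-health` for the probe path, while watching the HAProxy log and the ELB's instance health status.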

0 Answers