Using a Proxy Server for High Availability

There are many proxy server options available, such as HAProxy, NGINX, and Traefik, each offering load balancing and failover capabilities to ensure high availability.

This document focuses on HAProxy, but you are free to choose any reverse proxy that suits your environment. The goal is to distribute traffic across multiple nodes and provide seamless failover, improving system reliability.

HAProxy

HAProxy is a robust and widely used load balancer and reverse proxy that distributes network traffic across multiple backend servers, providing high availability and fault tolerance. To configure HAProxy for this setup, follow these steps on your proxy server:

Note:
HAProxy is used here as a TCP load balancer.
A RHEL 9 based system (in this case AlmaLinux) is used in this example.

Install HAProxy

First, install HAProxy using the dnf package manager:

sudo dnf install haproxy

After installation, ensure that HAProxy is enabled to start on boot:

sudo systemctl enable haproxy --now

Configure firewall

Add firewall rules to allow the necessary ports:

Port        Reason
80/tcp      HTTP
443/tcp     HTTPS
6443/tcp    Kubernetes API server
8080/tcp    HAProxy status page

sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --permanent --add-port=6443/tcp
sudo firewall-cmd --permanent --add-port=8080/tcp

Reload the firewall

sudo firewall-cmd --reload

Configure HAProxy

The primary configuration file for HAProxy is located at /etc/haproxy/haproxy.cfg. Open this file to define the frontend and backend sections.

sudo vim /etc/haproxy/haproxy.cfg

global
log 127.0.0.1 local2

chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM

defaults
mode tcp
log global
option tcplog
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
maxconn 3000

# Frontend for port 80 (HTTP)
frontend http_front
bind *:80
default_backend http_back

# Frontend for port 443 (HTTPS)
frontend https_front
bind *:443
default_backend https_back

# Frontend for Kubernetes API server (6443)
frontend kube_front
bind *:6443
default_backend kube_back


# Frontend for HAProxy status page (e.g., port 8080)
frontend stats_front
mode http
bind *:8080

# Add some extra security if needed; with these lines commented out, the status
# page is reachable by anyone who can reach port 8080
#acl is_local src 127.0.0.1 # Allow only local access (for security)
#http-request deny if !is_local # Deny access if not local
#stats auth admin:password # Basic authentication (username:password)

stats uri /status # The URL path for the status page
stats refresh 10s # Auto-refresh the status page every 10 seconds
stats hide-version # Hide HAProxy version on the page

# Backend for port 80
backend http_back
mode tcp
balance roundrobin
server worker01 worker01.nomadesk.org:80 check
server worker02 worker02.nomadesk.org:80 check
server worker03 worker03.nomadesk.org:80 check

# Backend for port 443
backend https_back
mode tcp
balance roundrobin
server worker01 worker01.nomadesk.org:443 check
server worker02 worker02.nomadesk.org:443 check
server worker03 worker03.nomadesk.org:443 check

# Backend for Kubernetes API server (6443)
backend kube_back
mode tcp
balance roundrobin
server worker01 worker01.nomadesk.org:6443 check
server worker02 worker02.nomadesk.org:6443 check
server worker03 worker03.nomadesk.org:6443 check
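As an added example (not part of this guide or of HAProxy itself), the following Python script parses a haproxy.cfg in the layout above and reports two things the failover design depends on: every backend server must carry `check`, or a dead node keeps receiving traffic, and a stats frontend must not be left with the ACL/auth lines commented out. The embedded sample is constructed and its hostnames are placeholders.

```python
# Added example (not from the guide): audit a haproxy.cfg in the guide's layout for
# backend servers without 'check' and a stats frontend left unrestricted.
SAMPLE_CFG = """frontend kube_front
bind *:6443
default_backend kube_back

frontend stats_front
mode http
bind *:8080
#stats auth admin:password
stats uri /status

backend kube_back
mode tcp
balance roundrobin
server worker01 worker01.example.org:6443 check
server worker02 worker02.example.org:6443
"""


def parse_cfg(text):
    """Return {(kind, name): [tokenised lines]}; comment lines are dropped, as HAProxy does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = (parts[0], parts[1] if len(parts) > 1 else "")
            sections[current] = []
        elif current is not None:
            sections[current].append(parts)
    return sections


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    sections = parse_cfg(text)
    backends = {n: lines for (k, n), lines in sections.items() if k == "backend"}
    findings = []
    for (kind, name), lines in sections.items():
        if kind != "frontend":
            continue
        # Stats page: the guide's ACL/auth lines are commented out, so check one is active.
        has_stats = any(ln[0] == "stats" for ln in lines)
        restricted = any(ln[:2] in (["stats", "auth"], ["http-request", "deny"]) for ln in lines)
        if has_stats and not restricted:
            findings.append(f"{name}: stats page has no 'stats auth' or 'http-request deny'")
        # Health checks: without 'check', HAProxy keeps routing to a node that is down.
        target = next((ln[1] for ln in lines if ln[0] == "default_backend"), None)
        for srv in backends.get(target, []):
            if srv[0] == "server" and "check" not in srv:
                findings.append(f"{target}/{srv[1]}: no 'check', failover cannot detect an outage")
    return findings
```

Run `audit(open("/etc/haproxy/haproxy.cfg").read())` on the real file; the parser only understands the section layout used in this guide.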

SELinux Support

Install semanage:

sudo dnf install policycoreutils-python-utils

Allow HAProxy to bind port 6443 by labeling it http_port_t (if the port already carries a label, use -m instead of -a):

sudo semanage port -a -t http_port_t -p tcp 6443

Restart HAProxy (validating the configuration first with sudo haproxy -c -f /etc/haproxy/haproxy.cfg avoids a restart that leaves the proxy down on a syntax error):

sudo systemctl restart haproxy