How to Install HAProxy Load Balancer on Ubuntu 18.04 Bionic Beaver

Install HAProxy Load Balancer on Ubuntu 18.04

In this article, we will have explained the necessary steps to install and configure HAProxy Load Balancer on Ubuntu 18.04 LTS. Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges. All the commands in this tutorial should be run as a non-root user.

HAProxy is an open-source Linux tool that provides high availability load balancing and proxy services for TCP and HTTP-based network applications. Fue to its easy integration into existing architectures, suitability for high-traffic websites, extreme reliability, and focus on upwards compatibility, it is shipped by default by most mainstream Linux distros.

Install HAProxy on Ubuntu

Step 1. Network Details

For the sake of simplicity, we will assume the following IP addresses and hostnames for the instances:

  • haproxy-server : public IP address 198.18.0.1
  • backend-server1 : private IP address 172.16.0.1, public IP address 198.18.0.1
  • backend-server2 : private IP address 172.16.0.2, public IP address 198.18.0.2

Step 2. First, before you start installing any package on your Ubuntu server, we always recommend making sure that all system packages are updated.

sudo apt update
sudo apt upgrade

Step 3. Install HaProxy on Ubuntu 18.04 LTS.

HaProxy is available on the Ubuntu software repository, so we can install it using the package manager by running the command below:

sudo add-apt-repository ppa:vbernat/haproxy-1.8
sudo apt-get update
sudo apt-get install haproxy

Step 4. Load Balancing Configuration with HAProxy.

Now edit haproxy default configuration file /etc/haproxy/haproxy.cfg and start configuration:

sudo nano /etc/haproxy/haproxy.cfg
global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# Default ciphers to use on SSL-enabled listening sockets.
	# For more information, see ciphers(1SSL). This list is from:
	#  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
	ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256::RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
	ssl-default-bind-options no-sslv3

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

So towards the end of the file, add the content below:

frontend ourwebsitefrontend
    bind *:80
    mode http
    default_backend ourwebsiteendpoin

The bind parameter tells HaProxy to listen to port 80 for connections. At the end of the text, we have specified ourwebsiteendpoint as the directive where our endpoints are located. We can now go ahead and add the backend configuration details as follows:

backend ourwebsiteendpoint
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server backend-server1 172.16.0.1:8080 check
    server backend-server2 172.16.0.2:8080 check

Now if you want you can enable Haproxy statistics by adding following configuration in HAProxy configuration file:

listen stats
    bind :32600
    stats enable
    stats uri /
    stats hide-version
    stats auth username:password

Step 5. Final HAProxy Configuration File.

The final configuration file may look like below:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM$
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend ourwebsitefrontend
        bind *:80
        mode http
        default_backend ourwebsiteendpoint

backend ourwebsiteendpoint
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server backend-server1 172.16.0.1:8080 check
    server backend-server2 172.16.0.2:8080 check

listen stats
    bind :32600
    stats enable
    stats uri /
    stats hide-version
    stats auth username:password

Then, restart HaProxy server to reload the changes:

sudo service haproxy restart

Step 6. Testing the Configuration.

At this stage, we have full functional HAProxy setup. At each web server node I have a demo index.html page showing servers hostname, So we can easily differentiate between servers web pages.

Now access port 80 on IP 198.18.0.1 (as configured above) in the web browser and hit refresh. You will see that HAProxy is sending requests to backend server one by one (as per round robin algorithm).

That’s all you need to do to install HAProxy Load on Ubuntu 18.04. I hope you find this quick tip helpful. If you have questions or suggestions, feel free to leave a comment below.