This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Configuring HAProxy

Owned by Former user (Deleted)
Sept 07, 2015
2 min read

Use the following steps to configure HAProxy as the load balancer for WSO2 products.

  1. Install HAProxy. You need version 1.5 since the native SSL support was implemented in version 1.5.
    $ sudo add-apt-repository ppa:vbernat/haproxy-1.5
    $ sudo apt-get update
    $ sudo apt-get install haproxy

    Set ENABLED to 1 if you want the init script to start haproxy.
    $ sudo vi /etc/default/haproxy

  2. Configure HAProxy to direct the HTTP requests to the worker nodes with load balancing as http://as.wso2.com/<service> via HTTP 80 port. Edit the /etc/haproxy/haproxy.cfg file and add the following.

    frontend ft_wrk
	bind as.wso2.com:80
	default_backend bk_wrk

backend bk_wrk
	balance roundrobin
	server node1 xxx.xxx.xxx.xx3:9763
	server node2 xxx.xxx.xxx.xx4:9763

  3. Configure HAProxy to direct the HTTPS requests to the worker nodes with load balancing as https://as.wso2.com/<service> and access the management console as https://mgt.as.wso2.com/carbon via HTTPS 443 port. Edit the /etc/haproxy/haproxy.cfg file and add the following.

    frontend https-in
	bind *:443 ssl crt /etc/haproxy/ssl/server.pem
	acl is_mgt hdr_beg(host) -m beg xxx.xxx.xxx.xx2
	acl is_wrk hdr_beg(host) -m beg xxx.xxx.xxx.xx3

	use_backend mgt_as_wso2_com if is_mgt
	use_backend as_wso2_com if is_wrk
	default_backend as_wso2_com

backend as_wso2_com
    balance roundrobin
    server node1 xxx.xxx.xxx.xx3:9443 check ssl verify none
    server node2 xxx.xxx.xxx.xx4:9443 check ssl verify none
 
backend mgt_as_wso2_com
    server server1 xxx.xxx.xxx.xx2:9443 check ssl verify none

    The load balancer can receive HTTPS requests via the 443 port either to management console (https://mgt.as.wso2.com/carbon) or worker nodes (https://as.wso2.com/) frontend https-in block handles HTTPS requests come to the load balancer via 443 port, bind *:443 ssl crt /etc/haproxy/ssl/haproxy.pem provide valid certificate to HAProxy.

    acl is_mgt hdr_beg(host) -m beg xxx.xxx.xxx.xx2
    acl is_wrk hdr_beg(host) -m beg xxx.xxx.xxx.xx3
    acl properties filter manager and worker requests

    Server verification is enabled by default in HAProxy, so need to specify the ca-file as follows.
    server node1 xxx.xxx.xxx.xx3:9443 check ssl ca-file /ca-file/path

    To disable the server verifications need to specify ssl verify none as follows or specify ssl-server-verify none in global section.
    server node1 xxx.xxx.xxx.xx3:9443 check ssl verify none

  4. Restart the HAProxy.
    $sudo /etc/init.d/haproxy restart

Create SSL certificates

Create SSL certificates for both the manager and worker nodes using the instructions that follow.

  1. Create the Server Key.
    $sudo openssl genrsa -des3 -out server.key 1024
  2. Certificate Signing Request.
    $sudo openssl req -new -key server.key -out server.csr
  3. Remove the password.
    $sudo cp server.key server.key.org
    $sudo openssl rsa -in server.key.org -out server.key
  4. Sign your SSL Certificate.
    $sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  5. Create a .pem file for HAProxy.
    cat server.crt server.key > server.pem