HAProxy Load Balancer with SSL Offloading
In my previous blog, where I mentioned how to use HA Proxy(http://haproxy.1wt.eu/ – Open source Load balancing Solution) based load balancer for Exchange 2010 (Link to Post), I had a few requests on how to do the SSL offloading as well. If you have followed that guide, you have your SSL certificates hosted on the Exchange Hub CAS servers.Microsoft does suggest to use the SSL on the boxes, but you can offload it as well, please remember that I am writing this for a generic https server and we will be using 2 open source products.
We will use HA Proxy for the Load balancing and the Pound for the SSL offloading. Now, for this purposes, I have used a single box, but for production machines, you may want to make a HA Pair of Linux box, which I will cover in a different post.
I have been running HA Proxy in the exchange environment and it is great, the only thing, I could ask for is source port based persistence .
Anycase, back to the topic. Here is how the architecture will look like.
As you can see the Pound will do the SSL offload and send the traffic to HA Proxy and HA Proxy will do the load balancing.
Don’t get me wrong guys, pound is capable of sending the traffic directly to the servers, but then you will not be able to use the cool features of ha proxy like cookie persistence, so on and so forth.
In our test environment, here is what we will do.
Client Facing IP: 192.168.10.10
Server IP Address: 10.10.10.11, 10.10.10.12
The Linux Box is 192.168.10.9
First, install Ubuntu (http://www.ubuntu.com/download/ubuntu/download) on the box.
Add the 192.168.10.10 as a Virtual IP on the box (If you are using a Active standby setup, this will be the floating IP)
Edit the interfaces script in Ubuntu)
vi /etc/network/interfaces auto eth0 iface eth0 inet static address 192.168.10.9 netmask 255.255.255.0 network 192.168.10.0 broadcast 192.168.10.255 gateway 192.168.10.1 auto eth0:1 iface eth0:1 inet static address 192.168.10.10 netmask 255.255.255.0 network 192.168.10.0 broadcast 192.168.10.255 gateway 192.168.10.1
Restart the Networking subsystem
Once that is done, the IP addresses will be shown when you execute “ifconfig –a” command.
Then install the following packages
This will install the haproxy and pound,
Now, lets roll
In order to configure pound, you will need to edit the config file using vi (or editor of your choice)
The file should look like the following. Please note, that I have installed the server certificate as PEM on the system.
## global options:User "www-data"Group "www-data"#RootJail "/chroot/pound"## Logging: (goes to syslog by default)## 0 no logging## 1 normal## 2 extended## 3 Apache-style (common log format)LogLevel 1## check backend every X secs:Alive 30# Creating ListenerListenHTTPSAddress 192.168.10.10Port 443Cert "/etc/pound/testdom.pem"Client 20EndServiceHeadRequire "Host:.*testdomain.com*"BackEndAddress 127.0.0.2Port 80End
So, as you can see, it’s a generic configuration and then it is using the 127.x.x.x subnet to talk to the HA Proxy, the HAProxy will be listening on the particular IP and port.
After the configuration is done, go ahead and restart pound.
The HA Proxy configuration will look like this
This might not seem like worth it, as this is for a single HTTPs client, but let me go ahead and do the same thing for exchange.
Here is how the Pound configuration and HA Proxy configuration will look for Exchange 2010, with SSL offload.
Pound and HAProxy for Exchange 2010
HA Proxy Configuration:
Please note, that you will still have to make those changes on the Exchange server as noted in my earlier blog post.
If you need explanation on any of the configuration components, do ask (for the HA proxy they are all explained in my previous blog post)
I hope you find this informative and would like to thank you for reading.