Upgrading HAProxy 1.4 to 1.5 for native SSL support without downtime


By default Ubuntu 14.04 ships with HAProxy 1.4. It works fine until you need to support SSL for your web application, because HAProxy 1.4 does not terminate SSL natively. That was my situation when I had to add SSL to a website served behind a load balancer running HAProxy 1.4 on an Ubuntu 14.04 box. I had to choose between keeping HAProxy 1.4 with some other program in front of it to handle SSL, or upgrading to HAProxy 1.5 (the development branch at the time). I prefer native support, so I decided to upgrade. On a production system this is more involved, because we don’t want our customers to suffer any downtime. I was confused at first, but a few minutes later I came up with a solution.

The site that needed SSL support was served by two web servers. Traffic to them was light because the website was brand new, and around midnight a single server could handle all of it comfortably, so that was the most appropriate and safest time to make the change. My strategy was to use iptables on the load balancer to forward web traffic directly to one web server behind it (forwarding to both servers would also work, but it was not necessary). Then I would remove HAProxy 1.4, compile HAProxy 1.5 (with SSL support), test it, and if everything was OK, remove the iptables rules. Here’s how (all commands below were run on the load balancing server):

1. Forward web traffic to a web server

First, enable IP Forwarding:

Then forward web traffic:

At this point all web requests that reach the load balancing server are served directly by the web server 10.30.37.73, so we can safely remove HAProxy 1.4:

(Before removing HAProxy, you may want to back up the old config file: cp /etc/haproxy/haproxy.cfg ~/haproxy.cfg.bak)

2. Compile HAProxy 1.5

We need to install the prerequisites before we can compile the new HAProxy:

Get the source code and begin compiling it:

We reuse the old HAProxy 1.4 init script (removing the package did not delete it):

Change the HAPROXY variable to the new binary path:

HAProxy still cannot start, because the /var/lib/haproxy folder was removed along with the package. We create it again:

Then start HAProxy:

Check if it is running:

Now HAProxy 1.5 is running but serves nothing yet. We add our configuration so that it can support SSL:

Then restart HAProxy:

Check that HAProxy is listening on ports 80 and 443:
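The whole of step 2 as one script, added here as an example rather than the post's own commands. It assumes the HAProxy tarball URL and version (HAPROXY_VERSION is a placeholder), the /usr/local/sbin path that make install uses, a PEM file at /etc/ssl/private/example.pem, and a second backend 10.30.37.74 (only 10.30.37.73 appears in the post); the ssl-default-bind-* hardening lines in the generated config are my addition, not something the post configures. The sed expression for the init script and the config itself are produced by functions that print their output, so both can be reviewed before anything on the box is touched:

```shell
#!/bin/sh
# Added example (not the commands from the original post): build HAProxy 1.5
# with OpenSSL, point the Ubuntu 14.04 init script left behind by the 1.4
# package at the new binary, recreate the chroot directory and generate a
# minimal SSL-terminating configuration.
# Assumptions: HAPROXY_VERSION and the tarball URL, the /usr/local/sbin install
# prefix, the PEM path and the second backend 10.30.37.74 are illustrative;
# only 10.30.37.73 comes from the post.
set -eu

HAPROXY_VERSION="${HAPROXY_VERSION:-1.5.0}"   # placeholder: use the 1.5 release you tested
SRC_URL="http://www.haproxy.org/download/1.5/src/haproxy-${HAPROXY_VERSION}.tar.gz"
NEW_BIN=/usr/local/sbin/haproxy     # where `make install` puts the binary by default
INIT_SCRIPT=/etc/init.d/haproxy     # init script from the 1.4 package (survives apt-get remove)
CHROOT_DIR=/var/lib/haproxy         # removed with the package; haproxy refuses to start without it
CFG=/etc/haproxy/haproxy.cfg

# TARGET=linux2628 covers kernels >= 2.6.28 (Ubuntu 14.04); USE_OPENSSL=1 is
# what gives 1.5 the native SSL support this whole upgrade is about.
build_cmd() {
    echo "make TARGET=linux2628 USE_OPENSSL=1 USE_ZLIB=1 USE_PCRE=1"
}

install_prereqs() {
    apt-get update
    apt-get install -y build-essential libssl-dev libpcre3-dev zlib1g-dev wget
}

build_and_install() {
    cd /usr/local/src
    wget -O "haproxy-${HAPROXY_VERSION}.tar.gz" "$SRC_URL"
    tar xzf "haproxy-${HAPROXY_VERSION}.tar.gz"
    cd "haproxy-${HAPROXY_VERSION}"
    eval "$(build_cmd)"
    make install
    # Fail early if the build silently lost SSL (e.g. libssl-dev was missing).
    "$NEW_BIN" -vv | grep -q 'OpenSSL' || { echo "no OpenSSL in build" >&2; exit 1; }
}

# The 1.4 init script starts /usr/sbin/haproxy; only its HAPROXY= line changes.
init_script_patch() {   # printed, so the expression can be reviewed and tested offline
    echo "s|^HAPROXY=.*|HAPROXY=$NEW_BIN|"
}

fix_init_script() {
    cp "$INIT_SCRIPT" "$INIT_SCRIPT.bak"
    sed -i "$(init_script_patch)" "$INIT_SCRIPT"
    grep -q "^HAPROXY=$NEW_BIN" "$INIT_SCRIPT"
    # The 14.04 script also refuses to start unless /etc/default/haproxy has ENABLED=1.
    grep -qs '^ENABLED=1' /etc/default/haproxy || echo 'ENABLED=1' >> /etc/default/haproxy
    mkdir -p "$CHROOT_DIR"
}

# Minimal config terminating SSL on :443 and passing :80 through. The PEM file
# must hold the certificate chain followed by the private key. The haproxy
# user/group are assumed to still exist from the 1.4 package (remove, not purge).
# The ssl-default-bind-* lines are a defensive addition (no SSLv3, modern ciphers).
haproxy_cfg() {   # args: pem_path backend1 backend2
    cat <<EOF
global
    log 127.0.0.1 local0
    chroot $CHROOT_DIR
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES:!aNULL:!MD5

defaults
    mode http
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind *:80
    bind *:443 ssl crt $1
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend web

backend web
    balance roundrobin
    server web1 $2:80 check
    server web2 $3:80 check
EOF
}

deploy_cfg() {
    haproxy_cfg /etc/ssl/private/example.pem 10.30.37.73 10.30.37.74 > "$CFG"
    "$NEW_BIN" -c -f "$CFG"            # syntax check before touching the running service
    service haproxy restart
    # Both listeners must be up before the iptables bypass is removed.
    netstat -ltn | grep -E ':(80|443) '
}

case "${1:-}" in
    all) install_prereqs; build_and_install; fix_init_script; deploy_cfg ;;
esac
```

Run it as `sh upgrade-haproxy.sh all` on the load balancer. `haproxy -c -f` validates the generated file before the restart, the `-vv` grep catches a build that quietly dropped OpenSSL, and the netstat line is the check from the post that both 80 and 443 are actually listening.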

3. Test and deploy

Before we remove the iptables rules (which forward web traffic to a web server), we need to make sure that HAProxy is doing its job correctly. Either curl or wget is useful here:

The output of the above command should be what you’re familiar with. Then we’re ready to remove the iptables rules so that HAProxy does what it’s supposed to do:
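Steps 1 and 3 together, as an added example that is not part of the original post: the iptables bypass is written once as a rule list so the same function installs it (step 1) and deletes it by rule spec (step 3), and a curl check runs against HAProxy from the load balancer itself before the bypass is taken down. The interface name eth0, the load balancer address 203.0.113.10 and the hostname www.example.com are assumptions; 10.30.37.73 is the backend from the post.

```shell
#!/bin/sh
# Added example (not the commands from the original post): put the iptables
# bypass in place (step 1), verify the new HAProxy through the load balancer
# itself (step 3) and then remove the bypass. Assumptions: eth0 is the public
# interface, LB_IP and SITE_HOST are made-up values; 10.30.37.73 is the
# backend named in the post.
set -eu

WAN_IF="${WAN_IF:-eth0}"
BACKEND="${BACKEND:-10.30.37.73}"
LB_IP="${LB_IP:-203.0.113.10}"            # public address of the load balancer (example)
SITE_HOST="${SITE_HOST:-www.example.com}" # vhost / certificate name to test (example)

# One rule per line as "table chain spec", without -A/-D, so the same list
# both installs and removes the bypass. DNAT rewrites incoming :80 to the
# backend; the FORWARD rule matters when the FORWARD policy is DROP; the
# MASQUERADE rule is needed when the backend's default route is not this box,
# otherwise its replies would skip the NAT table and never reach the client.
bypass_rules() {
    cat <<EOF
nat PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $BACKEND:80
filter FORWARD -i $WAN_IF -p tcp -d $BACKEND --dport 80 -j ACCEPT
nat POSTROUTING -p tcp -d $BACKEND --dport 80 -j MASQUERADE
EOF
}

# Render the iptables commands for an action (-A add, -D delete). Printing
# instead of executing lets the rule set be reviewed and tested offline.
render_rules() {   # $1 = -A | -D
    bypass_rules | while read -r table chain spec; do
        echo "iptables -t $table $1 $chain $spec"
    done
}

enable_bypass() {
    sysctl -w net.ipv4.ip_forward=1
    render_rules -A | sh -e -x
}

disable_bypass() {
    render_rules -D | sh -e -x
}

# 2xx and 3xx both count as healthy (a redirect to https on :80 is normal).
is_ok_status() {
    case "$1" in 2[0-9][0-9]|3[0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# Step 3 check, run on the load balancer while the bypass is still active.
# PREROUTING DNAT only touches packets arriving on $WAN_IF, so connections
# originated on this box reach the local HAProxy and not the backend.
# --resolve pins SNI/Host to the site name while connecting to LB_IP, so the
# real certificate and vhost are exercised without changing DNS.
check_haproxy() {
    https_code=$(curl -sS -o /dev/null -w '%{http_code}' \
        --resolve "$SITE_HOST:443:$LB_IP" "https://$SITE_HOST/")
    http_code=$(curl -sS -o /dev/null -w '%{http_code}' \
        --resolve "$SITE_HOST:80:$LB_IP" "http://$SITE_HOST/")
    echo "https=$https_code http=$http_code"
    is_ok_status "$https_code" && is_ok_status "$http_code"
}

case "${1:-}" in
    up)    enable_bypass ;;
    check) check_haproxy ;;
    down)  check_haproxy && disable_bypass ;;
esac
```

Use `sh bypass.sh up` before removing HAProxy 1.4, `check` once 1.5 is configured, and `down` to remove the rules; `down` refuses to take the bypass away unless the check passes. Because DNAT in PREROUTING applies only to packets that arrive on the external interface, a request made from the load balancer itself lands on the local HAProxy even while the bypass is active, which is what makes the step 3 test possible without touching DNS, and deleting by rule spec (`-D`) rather than by rule number keeps the teardown safe if other rules were added in between.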

That’s it. Now open your browser and check your site again. It should be working and supporting SSL already (keep calm and check everything again if it isn’t :))

Source: Minh Danh’s Blog

Posted on June 17, 2014