Install and Configure HAProxy 1.5 on CentOS

HAProxy is an open source load balancer. The RPMs in the EPEL repo for CentOS 6 are for version 1.4. Version 1.5 introduced SSL termination, making it a very capable layer 7 HTTP/HTTPS load balancer, so let's build that from source. I believe CentOS 7 has RPMs for 1.5, but I would need to double check that.

wget http://www.haproxy.org/download/1.5/src/haproxy-1.5.11.tar.gz

Now let's untar it and enter the directory.

tar xfz haproxy-1.5.11.tar.gz
cd haproxy-1.5.11/

Check out the README file for build options, but basically, we're going to build it with OpenSSL support, and link it dynamically against the system's OpenSSL libraries. A static build with all libraries compiled in can be more portable, but remember that if a vulnerability is discovered in OpenSSL, a statically built HAProxy will still be vulnerable until it's rebuilt against the latest patched OpenSSL, even if you update OpenSSL on that server. We are also going to add libz so that asset files such as CSS and JS can be compressed.

Install openssl-devel and pcre-devel from yum first in order to build.

yum -y install openssl-devel pcre-devel

We now have the haproxy binary built, and you will see it if you ls for it.

ls haproxy

Copy this file into /usr/sbin. Next we'll want an init script and a configuration file. I'll go over a few examples: simple TCP load balancing, HTTP load balancing, HTTPS load balancing (SSL termination and passthrough), MySQL load balancing and PostgreSQL load balancing.

Let's run the binary with the -vv flag to get information about the build. It should look something like this.

./haproxy -vv
HA-Proxy version 1.5.11 2015/01/31
Copyright 2000-2015 Willy Tarreau <w@1wt.eu>

Build options :
TARGET = linux26
CPU = generic
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
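
The -vv output is the quickest way to confirm the build matches the intent stated earlier: here it reports OpenSSL built in but zlib not built in. The script below is an added example, not part of the original post, that reads that output plus an ldd listing to confirm OpenSSL is dynamically linked; the function names and the sample ldd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a HAProxy build from its `-vv` output and `ldd` listing.
# Function names are hypothetical. Typical use:
#   ./haproxy -vv | audit_build; ldd ./haproxy | ssl_linkage

# Constructed sample: the zlib and OpenSSL lines of the -vv output shown above.
SAMPLE_VV='Built without zlib support (USE_ZLIB not set)
Compression algorithms supported : identity
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013'

# Constructed sample: ldd lines for a dynamically linked build (paths assumed).
SAMPLE_LDD='libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0000000000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f0000200000)'

# audit_build: read `haproxy -vv` output on stdin, print one finding per line,
# and return 1 if any finding is a WARN.
audit_build() {
    awk '
        /^Built with OpenSSL version/ { sub(/^[^:]*: */, ""); built = $0; next }
        /^Running on OpenSSL version/ { sub(/^[^:]*: */, ""); running = $0; next }
        /^Built without zlib support/ { nozlib = 1 }
        END {
            if (built == "") {
                print "WARN openssl: no OpenSSL support compiled in"; bad = 1
            } else if (built != running) {
                # Not a failure: the runtime library differs from the build headers.
                print "NOTE openssl: built with [" built "], running on [" running "]"
            } else {
                print "OK openssl: " running
            }
            if (nozlib) {
                print "WARN zlib: compression limited to identity"; bad = 1
            } else {
                print "OK zlib"
            }
            exit bad + 0
        }'
}

# ssl_linkage: read `ldd` output on stdin. "dynamic" means libssl is loaded at
# run time, so a patched system OpenSSL takes effect after HAProxy restarts.
ssl_linkage() {
    if grep -q 'libssl\.so'; then
        echo dynamic
    else
        echo static-or-absent
    fi
}
```

A "static-or-absent" result means the binary has to be rebuilt after every OpenSSL security update, which is the static-build caveat described above.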