Knowledgebase

Installing HAProxy For Load Blancing And Protecting Apache From DDos

Installing HAProxy:-

You can check for the latest version here:- http://haproxy.1wt.eu/#down
At present 1.5 is in development phase 7 and we are going to use that

Note: The configuration file we have used is for single server Protection not for multiple server and made by its owner Willy Tarreau

First:-

wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev7.tar.gz
tar xvfz haproxy-1.5-dev7.tar.gz
$ cd haproxy-1.5-dev7



Second:-
Now we have to compile the installation file, we are taking example of centost OS


make install



Third:-
Now make a new directory and copy haproxy configuration file there


mkdir /etc/haproxy
cd /etc/haproxy
vi haproxy.cfg





change the ip address below and copy it to haproxy.cfg
-----------------------------------------------------------------

global
daemon
maxconn 20000        # count about 1 GB per 20000 connections
pidfile /var/run/haproxy.pid
stats socket /var/run/haproxy.stat mode 600

defaults
mode http
maxconn 19500        # Should be slightly smaller than global.maxconn.
timeout client 60s   # Client and server timeout must match the longest
timeout server 60s   # time we may wait for a response from the server.
timeout queue  60s   # Don't queue requests too long if saturated.
timeout connect 4s   # There's no reason to change this one.
timeout http-request 5s    # A complete request may never take that long.
# Uncomment the following one to protect against nkiller2. But warning!
# some slow clients might sometimes receive truncated data if last
# segment is lost and never retransmitted :
# option nolinger
option http-server-close
option abortonclose
balance roundrobin
option forwardfor    # set the client's IP in X-Forwarded-For.
option tcp-smart-accept
option tcp-smart-connect
retries 2

frontend public
bind 192.168.1.1:80
bind 192.168.1.2:80
bind 192.168.1.3:80
bind 192.168.1.4:80

# table used to store behaviour of source IPs
stick-table type ip size 200k expire 5m store gpc0,conn_rate(10s)

# IPs that have gpc0 > 0 are blocked until the go away for at least 5 minutes
acl source_is_abuser src_get_gpc0 gt 0
tcp-request connection reject if source_is_abuser

# connection rate abuses get blocked
acl conn_rate_abuse  sc1_conn_rate gt 30
acl mark_as_abuser   sc1_inc_gpc0  gt 0
tcp-request connection track-sc1 src
tcp-request connection reject if conn_rate_abuse mark_as_abuser

default_backend apache

backend apache
# set the maxconn parameter below to match Apache's MaxClients minus
# one or two connections so that you can still directly connect to it.
stats uri /haproxy?stats
server srv 0.0.0.0:8181 maxconn 254

# Enable the stats page on a dedicated port (8811). Monitoring request errors
# on the frontend will tell us how many potential attacks were blocked.
listen stats
# Uncomment "disabled" below to disable the stats page :
# disabled
bind       :8811
stats uri /





------------------------------------------------------------------

In the above file replace 192.168.1.1 to 192.168.1.4 with your server ip address.

Fourth:
Change your Apache port to 8181 as in configuration file we are using that server srv 0.0.0.0:8181 maxconn 254.In WHM goto Tweak Settings and find Apache non-SSL IP/port and change it to 8181.

Fifth:
Restart apache

/etc/init.d/apache2 restart



Last:
Start haproxy

haproxy -f /etc/haproxy/haproxy.cfg





Now we have to check if its working. Go to your stats page to see
serverip:8811

Replace serverip with your server ip used in configuration file and you will see full result generated by haproxy

 

  • 11 Users Found This Useful
Was this answer helpful?