CREATIVE CHAOS   ▋ blog

HAProxy with keepalived

PUBLISHED ON 22/09/2024 — EDITED ON 01/10/2024 — SYSOPS

Under construction, consider it a personal note for now.

Service diagram

graph LR;
	A["`**HA1** (192.168.1.101) `"]
	D["`**HA2** (192.168.1.102) `"]
	B["`**MR1** (192.168.1.103) `"]
	C["`**MR2** (192.168.1.104) `"]
	E["`**Floating IP** (192.168.1.200) `"]
	
	E-->A;
	E-.->D;
	A-->B;
	A-->C;  
	D-.->B;
	D-.->C;  

Example of High Availability Setup with HAProxy and Floating IP

In this setup, we use keepalived to manage the floating IP failover:

  1. Two HAProxy Instances:

    • HA1 (Active): Runs on one server (e.g., 192.168.1.101).
    • HA2 (Passive/Backup): Runs on a second server (e.g., 192.168.1.102).
  2. Floating IP:

    • A floating IP address (e.g., 192.168.1.200) is used as the virtual IP for clients to connect to HAProxy.
    • Initially, this floating IP is assigned to the active HAProxy instance (192.168.1.101).
  3. keepalived:

    • keepalived is a service that monitors the health of the HAProxy instances and ensures that the floating IP moves to the backup server in the event of failure. Alternative options are pacemaker or corosync.
    • keepalived runs on both HAProxy servers and monitors the health of the HAProxy service (e.g., by checking whether the HAProxy process is running or whether it can reach the backend servers).
  4. Two backend servers:

    • MR1 and MR2 (e.g., 192.168.1.103 and 192.168.1.104). In this example they are Postfix mail relays, but that is outside the scope of this post.

Network

HA1

vim /etc/NetworkManager/system-connections/eth0.nmconnection

...
address1=192.168.1.101/24,192.168.1.1
address2=192.168.1.200/32
...

HA2

vim /etc/NetworkManager/system-connections/eth0.nmconnection

...
address1=192.168.1.102/24,192.168.1.1
...

HAProxy

HAProxy listens on the floating IP on both servers.

vim /etc/haproxy/haproxy.cfg

...
        bind 192.168.1.200:25
...
        server MR1 192.168.1.103:25 check
        server MR2 192.168.1.104:25 check
...

keepalived

Master/Slave config

HA1

vim /etc/keepalived/keepalived.conf

check if running MASTER
auth

HA2

vim /etc/keepalived/keepalived.conf

check if running BACKUP
auth
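
A keepalived.conf for HA1 that fills in the two placeholders above (the "check if running" health check and "auth"), as an added example rather than the author's own configuration. The router id, priorities, check command path and password are constructed placeholders, and it assumes keepalived, not the static address2 line, adds 192.168.1.200 to eth0.

```conf
# /etc/keepalived/keepalived.conf on HA1 (added example; values marked
# "constructed" are placeholders, not taken from the original notes)
global_defs {
    router_id HA1                  # constructed label; HA2 on the peer
    enable_script_security         # don't run root scripts whose path is writable by non-root
}

# "check if running": exit status 0 while an haproxy process exists
vrrp_script chk_haproxy {
    script "/usr/bin/pgrep -x haproxy"   # binary path is an assumption
    interval 2                     # seconds between checks
    fall 2                         # consecutive failures before FAULT
    rise 2                         # consecutive successes before recovery
}

vrrp_instance VI_1 {
    state MASTER                   # HA2: BACKUP
    interface eth0
    virtual_router_id 51           # constructed; must match on both nodes
    priority 150                   # constructed; HA2: 100
    advert_int 1

    # Send adverts only to the peer instead of multicast
    unicast_src_ip 192.168.1.101   # HA2: 192.168.1.102
    unicast_peer {
        192.168.1.102              # HA2: 192.168.1.101
    }

    # "auth": PASS travels in cleartext and only the first 8 characters
    # are used, so it guards against misconfiguration, not against a
    # hostile host on the same segment
    authentication {
        auth_type PASS
        auth_pass CHANGEME         # placeholder, at most 8 characters
    }

    virtual_ipaddress {
        192.168.1.200/32 dev eth0  # floating IP from the diagram
    }

    track_script {
        chk_haproxy                # failed check puts this node in FAULT and releases the VIP
    }
}
```

With unicast peers, the VRRP firewall rule can be narrowed to the peer's source address. HA2 can bind 192.168.1.200 before it holds the address only if net.ipv4.ip_nonlocal_bind=1 is set.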

SELinux

setsebool -P haproxy_connect_any=1
getsebool -a | grep -i hap
haproxy_connect_any --> on

/etc/sysctl.conf ?

Firewall

HAProxy on specific port (25, smtp)

firewall-cmd --add-service=smtp --permanent

keepalived

firewall-cmd --permanent --add-rich-rule='rule protocol value="vrrp" accept'

Reload firewall rules

firewall-cmd --reload