Overview



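Installation


Installation is simple.

haproxy is usually deployed as a load balancer, so it is typically used together with keepalived. (Depending on the purpose, it can of course be used on its own.)

# psmisc is installed for process management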
leeyoonho@is-ha1:~$ sudo apt install haproxy keepalived psmisc
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
psmisc is already the newest version (23.4-2build3).
Suggested packages:
  vim-haproxy haproxy-doc
The following NEW packages will be installed:
  haproxy keepalived
0 upgraded, 2 newly installed, 0 to remove and 87 not upgraded.
Need to get 2,092 kB of archives.
After this operation, 4,998 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://mirror.kakao.com/ubuntu jammy-security/main amd64 haproxy amd64 2.4.18-0ubuntu1.1 [1,639 kB]
Get:2 http://mirror.kakao.com/ubuntu jammy/main amd64 keepalived amd64 1:2.2.4-0.2build1 [453 kB]
Fetched 2,092 kB in 0s (6,303 kB/s)
Selecting previously unselected package haproxy.
(Reading database ... 115965 files and directories currently installed.)
Preparing to unpack .../haproxy_2.4.18-0ubuntu1.1_amd64.deb ...
Unpacking haproxy (2.4.18-0ubuntu1.1) ...
Selecting previously unselected package keepalived.
Preparing to unpack .../keepalived_1%3a2.2.4-0.2build1_amd64.deb ...
Unpacking keepalived (1:2.2.4-0.2build1) ...
Setting up keepalived (1:2.2.4-0.2build1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/keepalived.service → /lib/systemd/system/keepalived.service.
Setting up haproxy (2.4.18-0ubuntu1.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/haproxy.service → /lib/systemd/system/haproxy.service.
Processing triggers for dbus (1.12.20-2ubuntu4.1) ...
Processing triggers for rsyslog (8.2112.0-2ubuntu2.2) ...
Processing triggers for man-db (2.10.2-1) ...
Scanning processes...
Scanning candidates...
Scanning processor microcode...
Scanning linux images...

Running kernel seems to be up-to-date.

Failed to check for processor microcode upgrades.

Restarting services...
Service restarts being deferred:
 systemctl restart cron.service
 systemctl restart ssh.service
 systemctl restart systemd-journald.service
 systemctl restart systemd-logind.service
 /etc/needrestart/restart.d/systemd-manager
 systemctl restart systemd-networkd.service
 systemctl restart systemd-resolved.service
 systemctl restart [email protected]

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host

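Trying out a TCP load balancing configuration


The testbed is a single HA node that proxies the k8s masters.

If you set up two or more nodes, it would probably work well to keep the /etc/haproxy/haproxy.cfg configuration file on a single storage volume and mount it on each node.

# Default configuration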
leeyoonho@is-ha1:~$ cat /etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
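
An added example (not from the original post): a TCP-mode listener for the k8s masters described above, to be appended below the stock configuration. The proxy names, the three server entries, the 192.0.2.x addresses (documentation placeholders) and the timeout values are assumptions; 6443 is the kube-apiserver default port.

```haproxy
# Added example: append below the stock "defaults" section.
# The stock defaults use "mode http" and "option httplog"; a TLS stream to
# the kube-apiserver cannot be parsed as HTTP, so both are overridden here.

frontend k8s_api
        # Assumption: listen on all addresses. On a multi-homed host, bind
        # only the internal address the cluster nodes use.
        bind *:6443
        mode tcp
        option tcplog
        # Assumption: raised from the inherited 50s because idle watch/log
        # streams would otherwise be cut by the proxy.
        timeout client 1h
        default_backend k8s_masters

backend k8s_masters
        mode tcp
        balance roundrobin
        timeout server 1h
        # TLS is passed through untouched: the apiserver certificate and
        # client-certificate authentication stay end to end. The
        # ssl-default-bind-* settings in "global" only affect "bind ... ssl"
        # lines and have no effect on this listener.
        default-server inter 5s fall 3 rise 2
        # "check" is a plain TCP connect check: it detects a dead master,
        # not an unhealthy apiserver.
        server master1 192.0.2.11:6443 check
        server master2 192.0.2.12:6443 check
        server master3 192.0.2.13:6443 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading the service.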