SdNOG wiki - User contributions [en]

ASKLY moodle platform

2026-02-17T12:38:10Z

Manhal.Mohamed: Created page with "center"

[[File:Askly-ramadan.png|thumb|center]]

File:Askly-ramadan.png

2026-02-17T12:37:54Z

Manhal.Mohamed:

askly

Documentations

2026-02-17T12:15:21Z

Manhal.Mohamed:

[[Category:SdNOG]]
[[Category:SdNOG_KnowBase]]
Welcome to the SDNOG documentation page. This resource provides comprehensive details about our infrastructure and services. Here, you'll find information on how SDNOG's systems are designed, built, and maintained, including various how-to articles and technical documentation. Our goal is to offer clear and detailed insights into the operations and management of SDNOG services.<br>

== Pages ==
* [[sdnog Infrasturcture]] <span style="background:#00FF00"> Done</span>
* [[sdnog Services]] <span style="background:#00FF00"> Done</span>
* [[Business Model Canvas for SDNOG]]<span style="background:#00FF00"> Done</span>
* DMARC and DKIM records for mail.sdnog.sd
* [[Verify sdnog.sd domain with google Postmaster Tools]] <span style="background:#00FF00"> Done</span>
* [[SdNOG DNS infrastructure]] <span style="background:#00FF00"> Done</span>
* [[SdNOG Users creation Ansible code ]] <span style="background:#00FF00"> Done</span>
* [[Using Algo VPN to Access SDNOG Infrastructure ]] <span style="background:#00FF00"> Done</span>
* [[Install and Configure NetBox IPAM on Ubuntu ]]<span style="background:#00FF00"> Done</span>
* [[ IPv6 subnetting for sdnog]]
* [[ ASKLY moodle platform ]]

High Availability Cluster with Pacemaker, Chronyd

2025-07-22T09:38:02Z

Manhal.Mohamed: /* 1. DNS Update Script (/usr/local/bin/update_dns.sh) */

== Introduction ==
This guide documents the setup of a 4-node high availability cluster using:
* '''Pacemaker/Corosync''' for cluster management
* '''HAProxy''' for load balancing
* '''Chronyd''' for time synchronization
* '''Automated DNS updates''' during failover scenarios

== Prerequisites ==
=== Hardware Requirements ===
* 4 identical Debian servers (≥ 2GB RAM, ≥ 2 CPU cores recommended)
* Network interfaces:
** Primary: 1Gbps (for client traffic)
** Secondary: 100Mbps minimum (for heartbeat)

=== Software Requirements ===
* Debian 10/11 (tested on both)
* Root access to all nodes
* DNS server supporting dynamic updates

=== Network Requirements ===
* Static IP assignments for all nodes
* Fully qualified domain names for each node
* Unrestricted communication on ports:
** 2224 (pcsd)
** 5404-5405 (corosync)
** 80/443 (HAProxy)

== Initial Node Setup ==
=== 1. System Preparation ===
On all nodes (node1-node4):

<pre>
sudo apt update && sudo apt upgrade -y

sudo apt install -y \
pacemaker \
pcs \
corosync \
crmsh \
haproxy \
chrony \
bind9utils \
mailutils \
vim
</pre>

=== 2. Hosts File Configuration ===
Add to <code>/etc/hosts</code> on every node:
<pre>
192.168.1.101 node1.cluster.local node1
192.168.1.102 node2.cluster.local node2
192.168.1.103 node3.cluster.local node3
192.168.1.104 node4.cluster.local node4
</pre>

=== 3. Firewall Configuration ===
<pre>
sudo apt install -y ufw
sudo ufw allow from 192.168.1.0/24
sudo ufw enable
</pre>

== Cluster Configuration ==
=== 1. Initialize Cluster Services ===
<pre>
sudo systemctl enable --now pcsd corosync pacemaker
</pre>
=== 2. Set hacluster Password ===
<pre>
echo "hacluster:SecureP@ssw0rd123" | sudo chpasswd
</pre>
=== 3. Authenticate Nodes (from node1) ===
<pre>
sudo pcs cluster auth \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
-u hacluster \
-p SecureP@ssw0rd123 \
--force
</pre>
=== 4. Create Cluster ===
<pre>
sudo pcs cluster setup \
--name haproxy_cluster \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
--force
</pre>
=== 5. Start Cluster ===
<pre>
sudo pcs cluster start --all
sudo pcs cluster enable --all
</pre>
=== 6. Verify Status ===
<pre>
sudo pcs status
</pre>
Expected output:
<pre>
Cluster name: haproxy_cluster
Stack: corosync
Current DC: node1.cluster.local (version x.x.x-x)
4 nodes configured
0 resources configured
</pre>

== HAProxy Setup ==
=== 1. Install HAProxy on All Nodes ===
<pre>
sudo apt install -y haproxy
</pre>
=== 2. Configuration Template (/etc/haproxy/haproxy.cfg) ===
<pre>
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5s
timeout client 50s
timeout server 50s
option forwardfor
option http-server-close

frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/private/example.com.pem
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
default_backend http_back

backend http_back
balance roundrobin
cookie SERVERID insert indirect nocache
server webserver1 192.168.1.201:80 check cookie s1
server webserver2 192.168.1.202:80 check cookie s2

listen stats
bind *:1936
stats enable
stats uri /
stats hide-version
stats auth admin:SecureStatsP@ss
</pre>

=== 3. Add as Cluster Resource ===
<pre>
sudo pcs resource create haproxy systemd:haproxy \
op monitor interval=10s timeout=20s \
op start interval=0s timeout=30s \
op stop interval=0s timeout=30s \
--group haproxy_group
</pre>

== Time Synchronization ==
=== 1. Configure Chronyd (/etc/chrony/chrony.conf) ===
<pre>
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

allow 192.168.1.0/24
leapsectz right/UTC
makestep 1.0 3
</pre>
=== 2. Verify Time Sync ===
<pre>
sudo systemctl restart chronyd
sudo chronyc tracking
</pre>

== Failover Automation ==
=== 1. DNS Update Script (/usr/local/bin/update_dns.sh) ===
<pre>
#!/bin/bash

CLUSTER_NAME="haproxy_cluster"
DNS_RECORD="haproxy.example.com"
DNS_SERVER="ns1.example.com"
DNS_KEY="/etc/bind/cluster.key"
TTL=300

# List your cluster node IPs here for reference (optional, not used in script logic)
NODE_IPS=("192.168.1.101" "192.168.1.102" "192.168.1.103" "192.168.1.104")

# Detect the IP of the current active node (Current DC)
ACTIVE_NODE=$(sudo pcs status | grep "Current DC:" | awk '{print $4}')
ACTIVE_NODE_IP=$(getent hosts $ACTIVE_NODE | awk '{ print $1 }')

logger -t haproxy-cluster "Failover detected. Active node: $ACTIVE_NODE ($ACTIVE_NODE_IP)"

nsupdate -k $DNS_KEY <<EOF
server $DNS_SERVER
update delete $DNS_RECORD A
update add $DNS_RECORD $TTL A $ACTIVE_NODE_IP
send
EOF

dig +short $DNS_RECORD @$DNS_SERVER
</pre>

=== 2. Make Script Executable ===
<pre>
sudo chmod 750 /usr/local/bin/update_dns.sh
sudo chown hacluster:haclient /usr/local/bin/update_dns.sh
</pre>
=== 3. Configure Pacemaker Resource ===
<pre>
sudo pcs resource create dns_update ocf:pacemaker:ClusterMon \
user=hacluster \
extra_options="-e /usr/local/bin/update_dns.sh" \
op monitor interval=15s timeout=30s \
meta target-role=Started

sudo pcs constraint colocation add dns_update with haproxy_group INFINITY
sudo pcs constraint order haproxy_group then dns_update
</pre>

== Testing Procedures ==
=== 1. Manual Failover Test ===
<pre>
sudo pcs resource move haproxy_group node2.cluster.local
sudo pcs status | grep -A5 "haproxy_group"
sudo pcs resource clear haproxy_group
</pre>
=== 2. Simulate Node Failure ===
<pre>
sudo systemctl stop corosync
sudo pcs status
watch -n 1 sudo pcs status
</pre>
=== 3. Verify DNS Updates ===
<pre>
dig +short haproxy.example.com
</pre>

== Maintenance Operations ==
=== 1. Node Maintenance ===
<pre>
sudo pcs node standby node3.cluster.local
sudo pcs node unstandby node3.cluster.local
</pre>
=== 2. Cluster Maintenance ===
<pre>
sudo pcs cluster standby --all
sudo pcs cluster unstandby --all
</pre>
=== 3. Adding/Removing Nodes ===
<pre>
sudo pcs cluster node add node5.cluster.local
sudo pcs cluster node remove node4.cluster.local
</pre>

== Troubleshooting ==
=== Common Issues ===
'''Corosync fails to start'''
<pre>
sudo corosync-cfgtool -s
sudo corosync-cmapctl | grep members
</pre>
'''Split-brain scenario'''
<pre>
sudo pcs property set stonith-enabled=true
sudo pcs stonith create fence_ipmi fence_ipmilan ...
</pre>
'''Resource failures'''
<pre>
sudo pcs resource debug-start haproxy
sudo pcs resource failcount show
sudo pcs resource cleanup haproxy
</pre>

=== Log Locations ===
* '''Corosync''': /var/log/corosync/corosync.log
* '''Pacemaker''': journalctl -u pacemaker
* '''HAProxy''': /var/log/haproxy.log

== Appendix ==
=== Sample DNS Key File (/etc/bind/cluster.key) ===
<pre>
key "cluster-key" {
algorithm hmac-sha256;
secret "Base64EncodedKeyHere==";
};
</pre>
=== Useful Commands ===
<pre>
sudo pcs config show
sudo pcs stonith show
sudo pcs resource operations haproxy
</pre>
=== References & Further Reading ===
* [https://clusterlabs.org/pacemaker/doc/ Pacemaker Documentation]
* [https://www.haproxy.org/download/ HAProxy Configuration Manual]
* [https://wiki.debian.org/HighAvailability Debian Cluster Suite]
* [https://corosync.github.io/ Corosync Documentation]
* [https://chrony.tuxfamily.org/ Chrony Documentation]

----

''This comprehensive guide includes: step-by-step instructions, configuration examples, automated failover procedures, maintenance and troubleshooting, and a reference appendix.''

High Availability Cluster with Pacemaker, Chronyd

2025-07-22T09:36:13Z

Manhal.Mohamed: /* 1. DNS Update Script (/usr/local/bin/update_dns.sh) */

== Introduction ==
This guide documents the setup of a 4-node high availability cluster using:
* '''Pacemaker/Corosync''' for cluster management
* '''HAProxy''' for load balancing
* '''Chronyd''' for time synchronization
* '''Automated DNS updates''' during failover scenarios

== Prerequisites ==
=== Hardware Requirements ===
* 4 identical Debian servers (≥ 2GB RAM, ≥ 2 CPU cores recommended)
* Network interfaces:
** Primary: 1Gbps (for client traffic)
** Secondary: 100Mbps minimum (for heartbeat)

=== Software Requirements ===
* Debian 10/11 (tested on both)
* Root access to all nodes
* DNS server supporting dynamic updates

=== Network Requirements ===
* Static IP assignments for all nodes
* Fully qualified domain names for each node
* Unrestricted communication on ports:
** 2224 (pcsd)
** 5404-5405 (corosync)
** 80/443 (HAProxy)

== Initial Node Setup ==
=== 1. System Preparation ===
On all nodes (node1-node4):

<pre>
sudo apt update && sudo apt upgrade -y

sudo apt install -y \
pacemaker \
pcs \
corosync \
crmsh \
haproxy \
chrony \
bind9utils \
mailutils \
vim
</pre>

=== 2. Hosts File Configuration ===
Add to <code>/etc/hosts</code> on every node:
<pre>
192.168.1.101 node1.cluster.local node1
192.168.1.102 node2.cluster.local node2
192.168.1.103 node3.cluster.local node3
192.168.1.104 node4.cluster.local node4
</pre>

=== 3. Firewall Configuration ===
<pre>
sudo apt install -y ufw
sudo ufw allow from 192.168.1.0/24
sudo ufw enable
</pre>

== Cluster Configuration ==
=== 1. Initialize Cluster Services ===
<pre>
sudo systemctl enable --now pcsd corosync pacemaker
</pre>
=== 2. Set hacluster Password ===
<pre>
echo "hacluster:SecureP@ssw0rd123" | sudo chpasswd
</pre>
=== 3. Authenticate Nodes (from node1) ===
<pre>
sudo pcs cluster auth \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
-u hacluster \
-p SecureP@ssw0rd123 \
--force
</pre>
=== 4. Create Cluster ===
<pre>
sudo pcs cluster setup \
--name haproxy_cluster \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
--force
</pre>
=== 5. Start Cluster ===
<pre>
sudo pcs cluster start --all
sudo pcs cluster enable --all
</pre>
=== 6. Verify Status ===
<pre>
sudo pcs status
</pre>
Expected output:
<pre>
Cluster name: haproxy_cluster
Stack: corosync
Current DC: node1.cluster.local (version x.x.x-x)
4 nodes configured
0 resources configured
</pre>

== HAProxy Setup ==
=== 1. Install HAProxy on All Nodes ===
<pre>
sudo apt install -y haproxy
</pre>
=== 2. Configuration Template (/etc/haproxy/haproxy.cfg) ===
<pre>
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5s
timeout client 50s
timeout server 50s
option forwardfor
option http-server-close

frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/private/example.com.pem
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
default_backend http_back

backend http_back
balance roundrobin
cookie SERVERID insert indirect nocache
server webserver1 192.168.1.201:80 check cookie s1
server webserver2 192.168.1.202:80 check cookie s2

listen stats
bind *:1936
stats enable
stats uri /
stats hide-version
stats auth admin:SecureStatsP@ss
</pre>

=== 3. Add as Cluster Resource ===
<pre>
sudo pcs resource create haproxy systemd:haproxy \
op monitor interval=10s timeout=20s \
op start interval=0s timeout=30s \
op stop interval=0s timeout=30s \
--group haproxy_group
</pre>

== Time Synchronization ==
=== 1. Configure Chronyd (/etc/chrony/chrony.conf) ===
<pre>
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

allow 192.168.1.0/24
leapsectz right/UTC
makestep 1.0 3
</pre>
=== 2. Verify Time Sync ===
<pre>
sudo systemctl restart chronyd
sudo chronyc tracking
</pre>

== Failover Automation ==
=== 1. DNS Update Script (/usr/local/bin/update_dns.sh) ===
<pre>
#!/bin/bash

CLUSTER_NAME="haproxy_cluster"
VIP="192.168.1.100"
DNS_RECORD="haproxy.example.com"
DNS_SERVER="ns1.example.com"
DNS_KEY="/etc/bind/cluster.key"
TTL=300

ACTIVE_NODE=$(sudo pcs status | grep "Current DC:" | awk '{print $4}'
logger -t haproxy-cluster "Failover detected. Active node: $ACTIVE_NODE"

nsupdate -k $DNS_KEY <<EOF
server $DNS_SERVER
update delete $DNS_RECORD A
update add $DNS_RECORD $TTL A $VIP
send
EOF

dig +short $DNS_RECORD @$DNS_SERVER
</pre>

=== 2. Make Script Executable ===
<pre>
sudo chmod 750 /usr/local/bin/update_dns.sh
sudo chown hacluster:haclient /usr/local/bin/update_dns.sh
</pre>
=== 3. Configure Pacemaker Resource ===
<pre>
sudo pcs resource create dns_update ocf:pacemaker:ClusterMon \
user=hacluster \
extra_options="-e /usr/local/bin/update_dns.sh" \
op monitor interval=15s timeout=30s \
meta target-role=Started

sudo pcs constraint colocation add dns_update with haproxy_group INFINITY
sudo pcs constraint order haproxy_group then dns_update
</pre>

== Testing Procedures ==
=== 1. Manual Failover Test ===
<pre>
sudo pcs resource move haproxy_group node2.cluster.local
sudo pcs status | grep -A5 "haproxy_group"
sudo pcs resource clear haproxy_group
</pre>
=== 2. Simulate Node Failure ===
<pre>
sudo systemctl stop corosync
sudo pcs status
watch -n 1 sudo pcs status
</pre>
=== 3. Verify DNS Updates ===
<pre>
dig +short haproxy.example.com
</pre>

== Maintenance Operations ==
=== 1. Node Maintenance ===
<pre>
sudo pcs node standby node3.cluster.local
sudo pcs node unstandby node3.cluster.local
</pre>
=== 2. Cluster Maintenance ===
<pre>
sudo pcs cluster standby --all
sudo pcs cluster unstandby --all
</pre>
=== 3. Adding/Removing Nodes ===
<pre>
sudo pcs cluster node add node5.cluster.local
sudo pcs cluster node remove node4.cluster.local
</pre>

== Troubleshooting ==
=== Common Issues ===
'''Corosync fails to start'''
<pre>
sudo corosync-cfgtool -s
sudo corosync-cmapctl | grep members
</pre>
'''Split-brain scenario'''
<pre>
sudo pcs property set stonith-enabled=true
sudo pcs stonith create fence_ipmi fence_ipmilan ...
</pre>
'''Resource failures'''
<pre>
sudo pcs resource debug-start haproxy
sudo pcs resource failcount show
sudo pcs resource cleanup haproxy
</pre>

=== Log Locations ===
* '''Corosync''': /var/log/corosync/corosync.log
* '''Pacemaker''': journalctl -u pacemaker
* '''HAProxy''': /var/log/haproxy.log

== Appendix ==
=== Sample DNS Key File (/etc/bind/cluster.key) ===
<pre>
key "cluster-key" {
algorithm hmac-sha256;
secret "Base64EncodedKeyHere==";
};
</pre>
=== Useful Commands ===
<pre>
sudo pcs config show
sudo pcs stonith show
sudo pcs resource operations haproxy
</pre>
=== References & Further Reading ===
* [https://clusterlabs.org/pacemaker/doc/ Pacemaker Documentation]
* [https://www.haproxy.org/download/ HAProxy Configuration Manual]
* [https://wiki.debian.org/HighAvailability Debian Cluster Suite]
* [https://corosync.github.io/ Corosync Documentation]
* [https://chrony.tuxfamily.org/ Chrony Documentation]

----

''This comprehensive guide includes: step-by-step instructions, configuration examples, automated failover procedures, maintenance and troubleshooting, and a reference appendix.''

High Availability Cluster with Pacemaker, Chronyd

2025-07-22T09:34:56Z

Manhal.Mohamed:

== Introduction ==
This guide documents the setup of a 4-node high availability cluster using:
* '''Pacemaker/Corosync''' for cluster management
* '''HAProxy''' for load balancing
* '''Chronyd''' for time synchronization
* '''Automated DNS updates''' during failover scenarios

== Prerequisites ==
=== Hardware Requirements ===
* 4 identical Debian servers (≥ 2GB RAM, ≥ 2 CPU cores recommended)
* Network interfaces:
** Primary: 1Gbps (for client traffic)
** Secondary: 100Mbps minimum (for heartbeat)

=== Software Requirements ===
* Debian 10/11 (tested on both)
* Root access to all nodes
* DNS server supporting dynamic updates

=== Network Requirements ===
* Static IP assignments for all nodes
* Fully qualified domain names for each node
* Unrestricted communication on ports:
** 2224 (pcsd)
** 5404-5405 (corosync)
** 80/443 (HAProxy)

== Initial Node Setup ==
=== 1. System Preparation ===
On all nodes (node1-node4):

<pre>
sudo apt update && sudo apt upgrade -y

sudo apt install -y \
pacemaker \
pcs \
corosync \
crmsh \
haproxy \
chrony \
bind9utils \
mailutils \
vim
</pre>

=== 2. Hosts File Configuration ===
Add to <code>/etc/hosts</code> on every node:
<pre>
192.168.1.101 node1.cluster.local node1
192.168.1.102 node2.cluster.local node2
192.168.1.103 node3.cluster.local node3
192.168.1.104 node4.cluster.local node4
</pre>

=== 3. Firewall Configuration ===
<pre>
sudo apt install -y ufw
sudo ufw allow from 192.168.1.0/24
sudo ufw enable
</pre>

== Cluster Configuration ==
=== 1. Initialize Cluster Services ===
<pre>
sudo systemctl enable --now pcsd corosync pacemaker
</pre>
=== 2. Set hacluster Password ===
<pre>
echo "hacluster:SecureP@ssw0rd123" | sudo chpasswd
</pre>
=== 3. Authenticate Nodes (from node1) ===
<pre>
sudo pcs cluster auth \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
-u hacluster \
-p SecureP@ssw0rd123 \
--force
</pre>
=== 4. Create Cluster ===
<pre>
sudo pcs cluster setup \
--name haproxy_cluster \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
--force
</pre>
=== 5. Start Cluster ===
<pre>
sudo pcs cluster start --all
sudo pcs cluster enable --all
</pre>
=== 6. Verify Status ===
<pre>
sudo pcs status
</pre>
Expected output:
<pre>
Cluster name: haproxy_cluster
Stack: corosync
Current DC: node1.cluster.local (version x.x.x-x)
4 nodes configured
0 resources configured
</pre>

== HAProxy Setup ==
=== 1. Install HAProxy on All Nodes ===
<pre>
sudo apt install -y haproxy
</pre>
=== 2. Configuration Template (/etc/haproxy/haproxy.cfg) ===
<pre>
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5s
timeout client 50s
timeout server 50s
option forwardfor
option http-server-close

frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/private/example.com.pem
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
default_backend http_back

backend http_back
balance roundrobin
cookie SERVERID insert indirect nocache
server webserver1 192.168.1.201:80 check cookie s1
server webserver2 192.168.1.202:80 check cookie s2

listen stats
bind *:1936
stats enable
stats uri /
stats hide-version
stats auth admin:SecureStatsP@ss
</pre>

=== 3. Add as Cluster Resource ===
<pre>
sudo pcs resource create haproxy systemd:haproxy \
op monitor interval=10s timeout=20s \
op start interval=0s timeout=30s \
op stop interval=0s timeout=30s \
--group haproxy_group
</pre>

== Time Synchronization ==
=== 1. Configure Chronyd (/etc/chrony/chrony.conf) ===
<pre>
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

allow 192.168.1.0/24
leapsectz right/UTC
makestep 1.0 3
</pre>
=== 2. Verify Time Sync ===
<pre>
sudo systemctl restart chronyd
sudo chronyc tracking
</pre>

== Failover Automation ==
=== 1. DNS Update Script (/usr/local/bin/update_dns.sh) ===
<pre>
#!/bin/bash

CLUSTER_NAME="haproxy_cluster"
VIP="192.168.1.100"
DNS_RECORD="haproxy.example.com"
DNS_SERVER="ns1.example.com"
DNS_KEY="/etc/bind/cluster.key"
TTL=300

ACTIVE_NODE=$(sudo pcs status | grep "Current DC:" | awk '{print $3}' | cut -d. -f1)
logger -t haproxy-cluster "Failover detected. Active node: $ACTIVE_NODE"

nsupdate -k $DNS_KEY <<EOF
server $DNS_SERVER
update delete $DNS_RECORD A
update add $DNS_RECORD $TTL A $VIP
send
EOF

dig +short $DNS_RECORD @$DNS_SERVER
</pre>
=== 2. Make Script Executable ===
<pre>
sudo chmod 750 /usr/local/bin/update_dns.sh
sudo chown hacluster:haclient /usr/local/bin/update_dns.sh
</pre>
=== 3. Configure Pacemaker Resource ===
<pre>
sudo pcs resource create dns_update ocf:pacemaker:ClusterMon \
user=hacluster \
extra_options="-e /usr/local/bin/update_dns.sh" \
op monitor interval=15s timeout=30s \
meta target-role=Started

sudo pcs constraint colocation add dns_update with haproxy_group INFINITY
sudo pcs constraint order haproxy_group then dns_update
</pre>

== Testing Procedures ==
=== 1. Manual Failover Test ===
<pre>
sudo pcs resource move haproxy_group node2.cluster.local
sudo pcs status | grep -A5 "haproxy_group"
sudo pcs resource clear haproxy_group
</pre>
=== 2. Simulate Node Failure ===
<pre>
sudo systemctl stop corosync
sudo pcs status
watch -n 1 sudo pcs status
</pre>
=== 3. Verify DNS Updates ===
<pre>
dig +short haproxy.example.com
</pre>

== Maintenance Operations ==
=== 1. Node Maintenance ===
<pre>
sudo pcs node standby node3.cluster.local
sudo pcs node unstandby node3.cluster.local
</pre>
=== 2. Cluster Maintenance ===
<pre>
sudo pcs cluster standby --all
sudo pcs cluster unstandby --all
</pre>
=== 3. Adding/Removing Nodes ===
<pre>
sudo pcs cluster node add node5.cluster.local
sudo pcs cluster node remove node4.cluster.local
</pre>

== Troubleshooting ==
=== Common Issues ===
'''Corosync fails to start'''
<pre>
sudo corosync-cfgtool -s
sudo corosync-cmapctl | grep members
</pre>
'''Split-brain scenario'''
<pre>
sudo pcs property set stonith-enabled=true
sudo pcs stonith create fence_ipmi fence_ipmilan ...
</pre>
'''Resource failures'''
<pre>
sudo pcs resource debug-start haproxy
sudo pcs resource failcount show
sudo pcs resource cleanup haproxy
</pre>

=== Log Locations ===
* '''Corosync''': /var/log/corosync/corosync.log
* '''Pacemaker''': journalctl -u pacemaker
* '''HAProxy''': /var/log/haproxy.log

== Appendix ==
=== Sample DNS Key File (/etc/bind/cluster.key) ===
<pre>
key "cluster-key" {
algorithm hmac-sha256;
secret "Base64EncodedKeyHere==";
};
</pre>
=== Useful Commands ===
<pre>
sudo pcs config show
sudo pcs stonith show
sudo pcs resource operations haproxy
</pre>
=== References & Further Reading ===
* [https://clusterlabs.org/pacemaker/doc/ Pacemaker Documentation]
* [https://www.haproxy.org/download/ HAProxy Configuration Manual]
* [https://wiki.debian.org/HighAvailability Debian Cluster Suite]
* [https://corosync.github.io/ Corosync Documentation]
* [https://chrony.tuxfamily.org/ Chrony Documentation]

----

''This comprehensive guide includes: step-by-step instructions, configuration examples, automated failover procedures, maintenance and troubleshooting, and a reference appendix.''

High Availability Cluster with Pacemaker, Chronyd

2025-07-22T09:31:29Z

Manhal.Mohamed:

= High Availability Cluster with Pacemaker, Chronyd, and HAProxy =
'''A Comprehensive Guide for Debian Systems'''

[[File:haproxy-cluster-diagram.png|center|600px|HA Cluster Diagram]] 

__TOC__

== Introduction ==
This guide documents the setup of a 4-node high availability cluster using:
* '''Pacemaker/Corosync''' for cluster management
* '''HAProxy''' for load balancing
* '''Chronyd''' for time synchronization
* '''Automated DNS updates''' during failover scenarios

== Prerequisites ==
=== Hardware Requirements ===
* 4 identical Debian servers (≥ 2GB RAM, ≥ 2 CPU cores recommended)
* Network interfaces:
** Primary: 1Gbps (for client traffic)
** Secondary: 100Mbps minimum (for heartbeat)

=== Software Requirements ===
* Debian 10/11 (tested on both)
* Root access to all nodes
* DNS server supporting dynamic updates

=== Network Requirements ===
* Static IP assignments for all nodes
* Fully qualified domain names for each node
* Unrestricted communication on ports:
** 2224 (pcsd)
** 5404-5405 (corosync)
** 80/443 (HAProxy)

== Initial Node Setup ==
=== 1. System Preparation ===
On all nodes (node1-node4):

<syntaxhighlight lang="bash">
# Update system
sudo apt update && sudo apt upgrade -y

# Install base packages
sudo apt install -y \
pacemaker \
pcs \
corosync \
crmsh \
haproxy \
chrony \
bind9utils \
mailutils \
vim
</syntaxhighlight>

=== 2. Hosts File Configuration ===
Add to '''/etc/hosts''' on every node:
<pre>
192.168.1.101 node1.cluster.local node1
192.168.1.102 node2.cluster.local node2
192.168.1.103 node3.cluster.local node3
192.168.1.104 node4.cluster.local node4
</pre>

=== 3. Firewall Configuration ===
<syntaxhighlight lang="bash">
sudo apt install -y ufw
sudo ufw allow from 192.168.1.0/24
sudo ufw enable
</syntaxhighlight>

== Cluster Configuration ==
=== 1. Initialize Cluster Services ===
<syntaxhighlight lang="bash">
sudo systemctl enable --now pcsd corosync pacemaker
</syntaxhighlight>

=== 2. Set hacluster Password ===
<syntaxhighlight lang="bash">
echo "hacluster:SecureP@ssw0rd123" | sudo chpasswd
</syntaxhighlight>

=== 3. Authenticate Nodes (from node1) ===
<syntaxhighlight lang="bash">
sudo pcs cluster auth \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
-u hacluster \
-p SecureP@ssw0rd123 \
--force
</syntaxhighlight>

=== 4. Create Cluster ===
<syntaxhighlight lang="bash">
sudo pcs cluster setup \
--name haproxy_cluster \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
--force
</syntaxhighlight>

=== 5. Start Cluster ===
<syntaxhighlight lang="bash">
sudo pcs cluster start --all
sudo pcs cluster enable --all
</syntaxhighlight>

=== 6. Verify Status ===
<syntaxhighlight lang="bash">
sudo pcs status
</syntaxhighlight>
Expected output:
<pre>
Cluster name: haproxy_cluster
Stack: corosync
Current DC: node1.cluster.local (version x.x.x-x)
4 nodes configured
0 resources configured
</pre>

== HAProxy Setup ==
=== 1. Install HAProxy on All Nodes ===
<syntaxhighlight lang="bash">
sudo apt install -y haproxy
</syntaxhighlight>

=== 2. Configuration Template (/etc/haproxy/haproxy.cfg) ===
<syntaxhighlight lang="conf">
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5s
timeout client 50s
timeout server 50s
option forwardfor
option http-server-close

frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/private/example.com.pem
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
default_backend http_back

backend http_back
balance roundrobin
cookie SERVERID insert indirect nocache
server webserver1 192.168.1.201:80 check cookie s1
server webserver2 192.168.1.202:80 check cookie s2

listen stats
bind *:1936
stats enable
stats uri /
stats hide-version
stats auth admin:SecureStatsP@ss
</syntaxhighlight>

=== 3. Add as Cluster Resource ===
<syntaxhighlight lang="bash">
sudo pcs resource create haproxy systemd:haproxy \
op monitor interval=10s timeout=20s \
op start interval=0s timeout=30s \
op stop interval=0s timeout=30s \
--group haproxy_group
</syntaxhighlight>

== Time Synchronization ==
=== 1. Configure Chronyd (/etc/chrony/chrony.conf) ===
<syntaxhighlight lang="conf">
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

allow 192.168.1.0/24
leapsectz right/UTC
makestep 1.0 3
</syntaxhighlight>

=== 2. Verify Time Sync ===
<syntaxhighlight lang="bash">
sudo systemctl restart chronyd
sudo chronyc tracking
</syntaxhighlight>

== Failover Automation ==
=== 1. DNS Update Script (/usr/local/bin/update_dns.sh) ===
<syntaxhighlight lang="bash">
#!/bin/bash

CLUSTER_NAME="haproxy_cluster"
VIP="192.168.1.100"
DNS_RECORD="haproxy.example.com"
DNS_SERVER="ns1.example.com"
DNS_KEY="/etc/bind/cluster.key"
TTL=300

ACTIVE_NODE=$(sudo pcs status | grep "Current DC:" | awk '{print $3}' | cut -d. -f1)
logger -t haproxy-cluster "Failover detected. Active node: $ACTIVE_NODE"

nsupdate -k $DNS_KEY <<EOF
server $DNS_SERVER
update delete $DNS_RECORD A
update add $DNS_RECORD $TTL A $VIP
send
EOF

dig +short $DNS_RECORD @$DNS_SERVER
</syntaxhighlight>

=== 2. Make Script Executable ===
<syntaxhighlight lang="bash">
sudo chmod 750 /usr/local/bin/update_dns.sh
sudo chown hacluster:haclient /usr/local/bin/update_dns.sh
</syntaxhighlight>

=== 3. Configure Pacemaker Resource ===
<syntaxhighlight lang="bash">
sudo pcs resource create dns_update ocf:pacemaker:ClusterMon \
user=hacluster \
extra_options="-e /usr/local/bin/update_dns.sh" \
op monitor interval=15s timeout=30s \
meta target-role=Started

sudo pcs constraint colocation add dns_update with haproxy_group INFINITY
sudo pcs constraint order haproxy_group then dns_update
</syntaxhighlight>

== Testing Procedures ==
=== 1. Manual Failover Test ===
<syntaxhighlight lang="bash">
sudo pcs resource move haproxy_group node2.cluster.local
sudo pcs status | grep -A5 "haproxy_group"
sudo pcs resource clear haproxy_group
</syntaxhighlight>

=== 2. Simulate Node Failure ===
<syntaxhighlight lang="bash">
sudo systemctl stop corosync
sudo pcs status
watch -n 1 sudo pcs status
</syntaxhighlight>

=== 3. Verify DNS Updates ===
<syntaxhighlight lang="bash">
dig +short haproxy.example.com
</syntaxhighlight>

== Maintenance Operations ==
=== 1. Node Maintenance ===
<syntaxhighlight lang="bash">
sudo pcs node standby node3.cluster.local
sudo pcs node unstandby node3.cluster.local
</syntaxhighlight>

=== 2. Cluster Maintenance ===
<syntaxhighlight lang="bash">
sudo pcs cluster standby --all
sudo pcs cluster unstandby --all
</syntaxhighlight>

=== 3. Adding/Removing Nodes ===
<syntaxhighlight lang="bash">
sudo pcs cluster node add node5.cluster.local
sudo pcs cluster node remove node4.cluster.local
</syntaxhighlight>

== Troubleshooting ==
=== Common Issues ===
'''Corosync fails to start'''
<syntaxhighlight lang="bash">
sudo corosync-cfgtool -s
sudo corosync-cmapctl | grep members
</syntaxhighlight>

'''Split-brain scenario'''
<syntaxhighlight lang="bash">
sudo pcs property set stonith-enabled=true
sudo pcs stonith create fence_ipmi fence_ipmilan ...
</syntaxhighlight>

'''Resource failures'''
<syntaxhighlight lang="bash">
sudo pcs resource debug-start haproxy
sudo pcs resource failcount show
sudo pcs resource cleanup haproxy
</syntaxhighlight>

=== Log Locations ===
* '''Corosync''': /var/log/corosync/corosync.log
* '''Pacemaker''': journalctl -u pacemaker
* '''HAProxy''': /var/log/haproxy.log

== Appendix ==
=== Sample DNS Key File (/etc/bind/cluster.key) ===
<syntaxhighlight lang="conf">
key "cluster-key" {
algorithm hmac-sha256;
secret "Base64EncodedKeyHere==";
};
</syntaxhighlight>

=== Useful Commands ===
<syntaxhighlight lang="bash">
sudo pcs config show
sudo pcs stonith show
sudo pcs resource operations haproxy
</syntaxhighlight>

=== References & Further Reading ===
* [https://clusterlabs.org/pacemaker/doc/ Pacemaker Documentation]
* [https://www.haproxy.org/download/ HAProxy Configuration Manual]
* [https://wiki.debian.org/HighAvailability Debian Cluster Suite]
* [https://corosync.github.io/ Corosync Documentation]
* [https://chrony.tuxfamily.org/ Chrony Documentation]

----

''This comprehensive guide includes: step-by-step instructions, configuration examples, automated failover procedures, maintenance and troubleshooting, and a reference appendix.''

High Availability Cluster with Pacemaker, Chronyd

2025-07-22T09:30:20Z

Manhal.Mohamed: /* Sample DNS Key File (/etc/bind/cluster.key) */

= High Availability Cluster with Pacemaker, Chronyd, and HAProxy =
'''A Comprehensive Guide for Debian Systems'''

== Introduction ==
This guide documents the setup of a 4-node high availability cluster using:
* '''Pacemaker/Corosync''' for cluster management
* '''HAProxy''' for load balancing
* '''Chronyd''' for time synchronization
* '''Automated DNS updates''' during failover scenarios

== Prerequisites ==
=== Hardware Requirements ===
* 4 identical Debian servers (≥ 2GB RAM, ≥ 2 CPU cores recommended)
* Network interfaces:
** Primary: 1Gbps (for client traffic)
** Secondary: 100Mbps minimum (for heartbeat)

=== Software Requirements ===
* Debian 10/11 (tested on both)
* Root access to all nodes
* DNS server supporting dynamic updates

=== Network Requirements ===
* Static IP assignments for all nodes
* Fully qualified domain names for each node
* Unrestricted communication on ports:
** 2224 (pcsd)
** 5404-5405 (corosync)
** 80/443 (HAProxy)

== Initial Node Setup ==
=== 1. System Preparation ===
On all nodes (node1-node4):

<syntaxhighlight lang="bash">
# Update system
sudo apt update && sudo apt upgrade -y

# Install base packages
sudo apt install -y \
pacemaker \
pcs \
corosync \
crmsh \
haproxy \
chrony \
bind9utils \
mailutils \
vim
</syntaxhighlight>

=== 2. Hosts File Configuration ===
Add to '''/etc/hosts''' on every node:
<pre>
192.168.1.101 node1.cluster.local node1
192.168.1.102 node2.cluster.local node2
192.168.1.103 node3.cluster.local node3
192.168.1.104 node4.cluster.local node4
</pre>

=== 3. Firewall Configuration ===
<syntaxhighlight lang="bash">
sudo apt install -y ufw
sudo ufw allow from 192.168.1.0/24
sudo ufw enable
</syntaxhighlight>

== Cluster Configuration ==
=== 1. Initialize Cluster Services ===
<syntaxhighlight lang="bash">
sudo systemctl enable --now pcsd corosync pacemaker
</syntaxhighlight>

=== 2. Set hacluster Password ===
<syntaxhighlight lang="bash">
echo "hacluster:SecureP@ssw0rd123" | sudo chpasswd
</syntaxhighlight>

=== 3. Authenticate Nodes (from node1) ===
<syntaxhighlight lang="bash">
sudo pcs cluster auth \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
-u hacluster \
-p SecureP@ssw0rd123 \
--force
</syntaxhighlight>

=== 4. Create Cluster ===
<syntaxhighlight lang="bash">
sudo pcs cluster setup \
--name haproxy_cluster \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
--force
</syntaxhighlight>

=== 5. Start Cluster ===
<syntaxhighlight lang="bash">
sudo pcs cluster start --all
sudo pcs cluster enable --all
</syntaxhighlight>

=== 6. Verify Status ===
<syntaxhighlight lang="bash">
sudo pcs status
</syntaxhighlight>
Expected output:
<pre>
Cluster name: haproxy_cluster
Stack: corosync
Current DC: node1.cluster.local (version x.x.x-x)
4 nodes configured
0 resources configured
</pre>

== HAProxy Setup ==
=== 1. Install HAProxy on All Nodes ===
<syntaxhighlight lang="bash">
sudo apt install -y haproxy
</syntaxhighlight>

=== 2. Configuration Template (/etc/haproxy/haproxy.cfg) ===
<syntaxhighlight lang="conf">
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5s
timeout client 50s
timeout server 50s
option forwardfor
option http-server-close

frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/private/example.com.pem
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
default_backend http_back

backend http_back
balance roundrobin
cookie SERVERID insert indirect nocache
server webserver1 192.168.1.201:80 check cookie s1
server webserver2 192.168.1.202:80 check cookie s2

listen stats
bind *:1936
stats enable
stats uri /
stats hide-version
stats auth admin:SecureStatsP@ss
</syntaxhighlight>

=== 3. Add as Cluster Resource ===
<syntaxhighlight lang="bash">
sudo pcs resource create haproxy systemd:haproxy \
op monitor interval=10s timeout=20s \
op start interval=0s timeout=30s \
op stop interval=0s timeout=30s \
--group haproxy_group
</syntaxhighlight>

== Time Synchronization ==
=== 1. Configure Chronyd (/etc/chrony/chrony.conf) ===
<syntaxhighlight lang="conf">
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

allow 192.168.1.0/24
leapsectz right/UTC
makestep 1.0 3
</syntaxhighlight>

=== 2. Verify Time Sync ===
<syntaxhighlight lang="bash">
sudo systemctl restart chronyd
sudo chronyc tracking
</syntaxhighlight>

== Failover Automation ==
=== 1. DNS Update Script (/usr/local/bin/update_dns.sh) ===
<syntaxhighlight lang="bash">
#!/bin/bash

CLUSTER_NAME="haproxy_cluster"
VIP="192.168.1.100"
DNS_RECORD="haproxy.example.com"
DNS_SERVER="ns1.example.com"
DNS_KEY="/etc/bind/cluster.key"
TTL=300

ACTIVE_NODE=$(sudo pcs status | grep "Current DC:" | awk '{print $4}'
logger -t haproxy-cluster "Failover detected. Active node: $ACTIVE_NODE"

nsupdate -k $DNS_KEY <<EOF
server $DNS_SERVER
update delete $DNS_RECORD A
update add $DNS_RECORD $TTL A $VIP
send
EOF

dig +short $DNS_RECORD @$DNS_SERVER
</syntaxhighlight>

=== 2. Make Script Executable ===
<syntaxhighlight lang="bash">
sudo chmod 750 /usr/local/bin/update_dns.sh
sudo chown hacluster:haclient /usr/local/bin/update_dns.sh
</syntaxhighlight>

=== 3. Configure Pacemaker Resource ===
<syntaxhighlight lang="bash">
sudo pcs resource create dns_update ocf:pacemaker:ClusterMon \
user=hacluster \
extra_options="-e /usr/local/bin/update_dns.sh" \
op monitor interval=15s timeout=30s \
meta target-role=Started

sudo pcs constraint colocation add dns_update with haproxy_group INFINITY
sudo pcs constraint order haproxy_group then dns_update
</syntaxhighlight>

== Testing Procedures ==
=== 1. Manual Failover Test ===
<syntaxhighlight lang="bash">
sudo pcs resource move haproxy_group node2.cluster.local
sudo pcs status | grep -A5 "haproxy_group"
sudo pcs resource clear haproxy_group
</syntaxhighlight>

=== 2. Simulate Node Failure ===
<syntaxhighlight lang="bash">
sudo systemctl stop corosync
sudo pcs status
watch -n 1 sudo pcs status
</syntaxhighlight>

=== 3. Verify DNS Updates ===
<syntaxhighlight lang="bash">
dig +short haproxy.example.com
</syntaxhighlight>

== Maintenance Operations ==
=== 1. Node Maintenance ===
<syntaxhighlight lang="bash">
sudo pcs node standby node3.cluster.local
sudo pcs node unstandby node3.cluster.local
</syntaxhighlight>

=== 2. Cluster Maintenance ===
<syntaxhighlight lang="bash">
sudo pcs cluster standby --all
sudo pcs cluster unstandby --all
</syntaxhighlight>

=== 3. Adding/Removing Nodes ===
<syntaxhighlight lang="bash">
sudo pcs cluster node add node5.cluster.local
sudo pcs cluster node remove node4.cluster.local
</syntaxhighlight>

== Troubleshooting ==
=== Common Issues ===
'''Corosync fails to start'''
<syntaxhighlight lang="bash">
sudo corosync-cfgtool -s
sudo corosync-cmapctl | grep members
</syntaxhighlight>

'''Split-brain scenario'''
<syntaxhighlight lang="bash">
sudo pcs property set stonith-enabled=true
sudo pcs stonith create fence_ipmi fence_ipmilan ...
</syntaxhighlight>

'''Resource failures'''
<syntaxhighlight lang="bash">
sudo pcs resource debug-start haproxy
sudo pcs resource failcount show
sudo pcs resource cleanup haproxy
</syntaxhighlight>

=== Log Locations ===
* '''Corosync''': /var/log/corosync/corosync.log
* '''Pacemaker''': journalctl -u pacemaker
* '''HAProxy''': /var/log/haproxy.log

== Appendix ==
=== Sample DNS Key File (/etc/bind/cluster.key) ===

<syntaxhighlight lang="conf">
key "cluster-key" {
algorithm hmac-sha256;
secret "Base64EncodedKeyHere==";
};
</syntaxhighlight>

=== Useful Commands ===
<syntaxhighlight lang="bash">
sudo pcs config show
sudo pcs stonith show
sudo pcs resource operations haproxy
</syntaxhighlight>

=== References & Further Reading ===
* [https://clusterlabs.org/pacemaker/doc/ Pacemaker Documentation]
* [https://www.haproxy.org/download/ HAProxy Configuration Manual]
* [https://wiki.debian.org/HighAvailability Debian Cluster Suite]
* [https://corosync.github.io/ Corosync Documentation]
* [https://chrony.tuxfamily.org/ Chrony Documentation]

----

''This comprehensive guide includes: step-by-step instructions, configuration examples, automated failover procedures, maintenance and troubleshooting, and a reference appendix.''

High Availability Cluster with Pacemaker, Chronyd

2025-07-22T09:29:39Z

Manhal.Mohamed: Created page with "= High Availability Cluster with Pacemaker, Chronyd, and HAProxy = '''A Comprehensive Guide for Debian Systems''' == Introduction == This guide documents the setup of a 4-no..."

= High Availability Cluster with Pacemaker, Chronyd, and HAProxy =
'''A Comprehensive Guide for Debian Systems'''

== Introduction ==
This guide documents the setup of a 4-node high availability cluster using:
* '''Pacemaker/Corosync''' for cluster management
* '''HAProxy''' for load balancing
* '''Chronyd''' for time synchronization
* '''Automated DNS updates''' during failover scenarios

== Prerequisites ==
=== Hardware Requirements ===
* 4 identical Debian servers (≥ 2GB RAM, ≥ 2 CPU cores recommended)
* Network interfaces:
** Primary: 1Gbps (for client traffic)
** Secondary: 100Mbps minimum (for heartbeat)

=== Software Requirements ===
* Debian 10/11 (tested on both)
* Root access to all nodes
* DNS server supporting dynamic updates

=== Network Requirements ===
* Static IP assignments for all nodes
* Fully qualified domain names for each node
* Unrestricted communication on ports:
** 2224 (pcsd)
** 5404-5405 (corosync)
** 80/443 (HAProxy)

== Initial Node Setup ==
=== 1. System Preparation ===
On all nodes (node1-node4):

<syntaxhighlight lang="bash">
# Update system
sudo apt update && sudo apt upgrade -y

# Install base packages
sudo apt install -y \
pacemaker \
pcs \
corosync \
crmsh \
haproxy \
chrony \
bind9utils \
mailutils \
vim
</syntaxhighlight>

=== 2. Hosts File Configuration ===
Add to '''/etc/hosts''' on every node:
<pre>
192.168.1.101 node1.cluster.local node1
192.168.1.102 node2.cluster.local node2
192.168.1.103 node3.cluster.local node3
192.168.1.104 node4.cluster.local node4
</pre>

=== 3. Firewall Configuration ===
<syntaxhighlight lang="bash">
sudo apt install -y ufw
sudo ufw allow from 192.168.1.0/24
sudo ufw enable
</syntaxhighlight>

== Cluster Configuration ==
=== 1. Initialize Cluster Services ===
<syntaxhighlight lang="bash">
sudo systemctl enable --now pcsd corosync pacemaker
</syntaxhighlight>

=== 2. Set hacluster Password ===
<syntaxhighlight lang="bash">
echo "hacluster:SecureP@ssw0rd123" | sudo chpasswd
</syntaxhighlight>

=== 3. Authenticate Nodes (from node1) ===
<syntaxhighlight lang="bash">
sudo pcs cluster auth \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
-u hacluster \
-p SecureP@ssw0rd123 \
--force
</syntaxhighlight>

=== 4. Create Cluster ===
<syntaxhighlight lang="bash">
sudo pcs cluster setup \
--name haproxy_cluster \
node1.cluster.local \
node2.cluster.local \
node3.cluster.local \
node4.cluster.local \
--force
</syntaxhighlight>

=== 5. Start Cluster ===
<syntaxhighlight lang="bash">
sudo pcs cluster start --all
sudo pcs cluster enable --all
</syntaxhighlight>

=== 6. Verify Status ===
<syntaxhighlight lang="bash">
sudo pcs status
</syntaxhighlight>
Expected output:
<pre>
Cluster name: haproxy_cluster
Stack: corosync
Current DC: node1.cluster.local (version x.x.x-x)
4 nodes configured
0 resources configured
</pre>

== HAProxy Setup ==
=== 1. Install HAProxy on All Nodes ===
<syntaxhighlight lang="bash">
sudo apt install -y haproxy
</syntaxhighlight>

=== 2. Configuration Template (/etc/haproxy/haproxy.cfg) ===
<syntaxhighlight lang="conf">
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5s
timeout client 50s
timeout server 50s
option forwardfor
option http-server-close

frontend http_front
bind *:80
bind *:443 ssl crt /etc/ssl/private/example.com.pem
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
default_backend http_back

backend http_back
balance roundrobin
cookie SERVERID insert indirect nocache
server webserver1 192.168.1.201:80 check cookie s1
server webserver2 192.168.1.202:80 check cookie s2

listen stats
bind *:1936
stats enable
stats uri /
stats hide-version
stats auth admin:SecureStatsP@ss
</syntaxhighlight>

=== 3. Add as Cluster Resource ===
<syntaxhighlight lang="bash">
sudo pcs resource create haproxy systemd:haproxy \
op monitor interval=10s timeout=20s \
op start interval=0s timeout=30s \
op stop interval=0s timeout=30s \
--group haproxy_group
</syntaxhighlight>

== Time Synchronization ==
=== 1. Configure Chronyd (/etc/chrony/chrony.conf) ===
<syntaxhighlight lang="conf">
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst

allow 192.168.1.0/24
leapsectz right/UTC
makestep 1.0 3
</syntaxhighlight>

=== 2. Verify Time Sync ===
<syntaxhighlight lang="bash">
sudo systemctl restart chronyd
sudo chronyc tracking
</syntaxhighlight>

== Failover Automation ==
=== 1. DNS Update Script (/usr/local/bin/update_dns.sh) ===
<syntaxhighlight lang="bash">
#!/bin/bash

CLUSTER_NAME="haproxy_cluster"
VIP="192.168.1.100"
DNS_RECORD="haproxy.example.com"
DNS_SERVER="ns1.example.com"
DNS_KEY="/etc/bind/cluster.key"
TTL=300

ACTIVE_NODE=$(sudo pcs status | grep "Current DC:" | awk '{print $4}'
logger -t haproxy-cluster "Failover detected. Active node: $ACTIVE_NODE"

nsupdate -k $DNS_KEY <<EOF
server $DNS_SERVER
update delete $DNS_RECORD A
update add $DNS_RECORD $TTL A $VIP
send
EOF

dig +short $DNS_RECORD @$DNS_SERVER
</syntaxhighlight>

=== 2. Make Script Executable ===
<syntaxhighlight lang="bash">
sudo chmod 750 /usr/local/bin/update_dns.sh
sudo chown hacluster:haclient /usr/local/bin/update_dns.sh
</syntaxhighlight>

=== 3. Configure Pacemaker Resource ===
<syntaxhighlight lang="bash">
sudo pcs resource create dns_update ocf:pacemaker:ClusterMon \
user=hacluster \
extra_options="-e /usr/local/bin/update_dns.sh" \
op monitor interval=15s timeout=30s \
meta target-role=Started

sudo pcs constraint colocation add dns_update with haproxy_group INFINITY
sudo pcs constraint order haproxy_group then dns_update
</syntaxhighlight>

== Testing Procedures ==
=== 1. Manual Failover Test ===
<syntaxhighlight lang="bash">
sudo pcs resource move haproxy_group node2.cluster.local
sudo pcs status | grep -A5 "haproxy_group"
sudo pcs resource clear haproxy_group
</syntaxhighlight>

=== 2. Simulate Node Failure ===
<syntaxhighlight lang="bash">
sudo systemctl stop corosync
sudo pcs status
watch -n 1 sudo pcs status
</syntaxhighlight>

=== 3. Verify DNS Updates ===
<syntaxhighlight lang="bash">
dig +short haproxy.example.com
</syntaxhighlight>

== Maintenance Operations ==
=== 1. Node Maintenance ===
<syntaxhighlight lang="bash">
sudo pcs node standby node3.cluster.local
sudo pcs node unstandby node3.cluster.local
</syntaxhighlight>

=== 2. Cluster Maintenance ===
<syntaxhighlight lang="bash">
sudo pcs cluster standby --all
sudo pcs cluster unstandby --all
</syntaxhighlight>

=== 3. Adding/Removing Nodes ===
<syntaxhighlight lang="bash">
sudo pcs cluster node add node5.cluster.local
sudo pcs cluster node remove node4.cluster.local
</syntaxhighlight>

== Troubleshooting ==
=== Common Issues ===
'''Corosync fails to start'''
<syntaxhighlight lang="bash">
sudo corosync-cfgtool -s
sudo corosync-cmapctl | grep members
</syntaxhighlight>

'''Split-brain scenario'''
<syntaxhighlight lang="bash">
sudo pcs property set stonith-enabled=true
sudo pcs stonith create fence_ipmi fence_ipmilan ...
</syntaxhighlight>

'''Resource failures'''
<syntaxhighlight lang="bash">
sudo pcs resource debug-start haproxy
sudo pcs resource failcount show
sudo pcs resource cleanup haproxy
</syntaxhighlight>

=== Log Locations ===
* '''Corosync''': /var/log/corosync/corosync.log
* '''Pacemaker''': journalctl -u pacemaker
* '''HAProxy''': /var/log/haproxy.log

== Appendix ==
=== Sample DNS Key File (/etc/bind/cluster.key) ===
<syntaxhighlight lang="conf">
key "cluster-key" {
algorithm hmac-sha256;
secret "Base64EncodedKeyHere==";
};
</syntaxhighlight>

=== Useful Commands ===
<syntaxhighlight lang="bash">
sudo pcs config show
sudo pcs stonith show
sudo pcs resource operations haproxy
</syntaxhighlight>

=== References & Further Reading ===
* [https://clusterlabs.org/pacemaker/doc/ Pacemaker Documentation]
* [https://www.haproxy.org/download/ HAProxy Configuration Manual]
* [https://wiki.debian.org/HighAvailability Debian Cluster Suite]
* [https://corosync.github.io/ Corosync Documentation]
* [https://chrony.tuxfamily.org/ Chrony Documentation]

----

''This comprehensive guide includes: step-by-step instructions, configuration examples, automated failover procedures, maintenance and troubleshooting, and a reference appendix.''

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-22T09:28:40Z

Manhal.Mohamed: /* Appendix: High Availability Cluster with Pacemaker, Chronyd */

= HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition) =

== Overview ==
This guide documents the setup of HAProxy on Ubuntu servers for load balancing web (HTTP/HTTPS) and MySQL database traffic, using the `sdnog.sd` lab domain. The environment includes multiple backend nodes and complete instructions for configuration, testing, and troubleshooting.

== Prerequisites ==
* 3+ Ubuntu servers/VMs: 1 for HAProxy (load balancer), at least 2 for web/database backends.
* Domain names:
* `lb.lab.sdnog.sd` (HAProxy/load balancer)
* `www.lab.sdnog.sd`, `db.lab.sdnog.sd`, `lb.lab.sdnog.sd` (all pointing to the HAProxy IP)
* Backends: `web01.lab.sdnog.sd`, `web02.lab.sdnog.sd`
* Sudo/root access on all nodes.
* Ability to update `/etc/hosts` or your DNS zone for lab domains.

== Local Hosts or DNS Configuration ==
Set the following entries on your local hosts file or DNS server, pointing to your HAProxy IP (`X.X.X.X`):

X.X.X.X lb.lab.sdnog.sd
X.X.X.X www.lab.sdnog.sd
X.X.X.X db.lab.sdnog.sd

Backends (`web01.lab.sdnog.sd`, `web02.lab.sdnog.sd`) should resolve to their actual server IPs.

== Step 1: Install HAProxy on Ubuntu ==
<pre>
sudo apt update
sudo apt install haproxy
</pre>

== Step 2: Install Web Servers on Backends ==
On `web01.lab.sdnog.sd` and `web02.lab.sdnog.sd`, install Nginx on one and Apache on another:
<pre>
# Nginx (on web01)
sudo apt install nginx
echo "This is web01.lab.sdnog.sd" | sudo tee /var/www/html/index.html

# Apache (on web02)
sudo apt install apache2
echo "This is web02.lab.sdnog.sd" | sudo tee /var/www/html/index.html
</pre>

== Step 3: Install MySQL on Backends ==
On both `web01.lab.sdnog.sd` and `web02.lab.sdnog.sd`:
<pre>
sudo apt install mysql-server
</pre>

== Step 4: Configure MySQL User for HAProxy ==
On both DB nodes (MySQL prompt):
<pre>
CREATE USER 'sdnoguser'@'%' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON *.* TO 'sdnoguser'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
</pre>

== Step 5: HAProxy Configuration for Web & Database Load Balancing ==
Edit `/etc/haproxy/haproxy.cfg` on the HAProxy server:

<pre>
global
log 127.0.0.1:514 local1 info
maxconn 4000
user haproxy
group haproxy

defaults
mode http
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option http-server-close
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend https-in
bind *:443 ssl crt /home/sdnog/lab/cert.pem
mode http
acl host_lab_sdnog hdr(host) -i www.lab.sdnog.sd
use_backend www_back if host_lab_sdnog
default_backend www_back

frontend http-in
bind *:80
redirect scheme https code 301 if !{ ssl_fc }

backend www_back
balance roundrobin
cookie SERVERID insert indirect nocache
server nginx_server web01.lab.sdnog.sd:80 check cookie web01
server apache_server web02.lab.sdnog.sd:80 check cookie web02

frontend database_frontend
bind *:3306
mode tcp
default_backend database_backend

backend database_backend
mode tcp
balance roundrobin
server db01 web01.lab.sdnog.sd:3306 check
server db02 web02.lab.sdnog.sd:3306 check

listen stats
bind 0.0.0.0:8080
bind :::8080
mode http
stats uri /stats
stats realm HAProxy\ Statistics
stats auth admin:StrongPassword
stats admin if TRUE
timeout client 5000
timeout connect 4000
timeout server 30000
</pre>

== Step 6: SSL Certificate for HAProxy ==
Generate or copy your SSL certificate and key as `/home/sdnog/lab/cert.pem` (or another path if you adjust your config).

== Step 7: Restart and Enable HAProxy ==
<pre>
sudo systemctl restart haproxy
sudo systemctl enable haproxy
</pre>

== Step 8: Testing ==

=== Web Load Balancing ===
Test the round-robin backend selection:
<pre>
curl -I https://www.lab.sdnog.sd | grep SERVERID
</pre>
You should see alternating results like:
set-cookie: SERVERID=web01; path=/
set-cookie: SERVERID=web02; path=/

See for example output.

[[File:Web servrs test.png|thumb|center|Web test ]]

=== Database Load Balancing ===
Test DB backend switching:
<pre>
mysql -u sdnoguser -p -h db.lab.sdnog.sd -e "show variables like 'hostname';"
</pre>
You should see the hostname alternating between `db01.lab.sdnog.sd` and `db02.lab.sdnog.sd`

[[File:DB loadbalancer test.png|thumb|center|Layer 4 loadbalancing ]]

=== HAProxy Stats Page ===
Browse to: http://lb.lab.sdnog.sd:8080/stats
for an example:

[[File:Stats page.png|thumb|center]]

== HAProxy Log ==

=== How to Enable HAProxy Logging ===

To enable and view HAProxy logs, follow these steps:

# Edit your HAProxy configuration file (usually <code>/etc/haproxy/haproxy.cfg</code>) and add the following in the <code>global</code> and/or <code>defaults</code> sections:
<pre>
global
log 127.0.0.1 local0

defaults
log global
option httplog
option dontlognull
</pre>
* <code>log 127.0.0.1 local0</code>: Sends logs to the local syslog server.
* <code>option httplog</code>: Enables detailed HTTP log format.
* <code>option dontlognull</code>: Avoids logging empty connections.

# Configure your syslog service (such as <code>rsyslog</code>) to receive HAProxy logs:
* Add the following to <code>/etc/rsyslog.conf</code> or <code>/etc/rsyslog.d/haproxy.conf</code>:
<pre>
$ModLoad imudp
$UDPServerRun 514

local0.* /var/log/haproxy.log
</pre>
# Restart your syslog service:
<pre>
sudo systemctl restart rsyslog
</pre>

# Restart HAProxy:
<pre>
sudo systemctl restart haproxy
</pre>

# Check your HAProxy log output:
<pre>
sudo tail -f /var/log/haproxy.log
</pre>

----

=== Example Log Line ===

<pre>
2025-07-18T15:51:04+00:00 localhost haproxy[8400]: 102.117.90.22:57291 [18/Jul/2025:15:51:04.732] https-in~ www_back/nginx_server 0/0/1/1/2 200 210 - - --NI 1/1/0/0/0 0/0 "HEAD https://www.lab.sdnog.sd/ HTTP/2.0"
</pre>

=== Explanation of Fields ===

; '''Timestamp and Host'''
: <code>2025-07-18T15:51:04+00:00</code> — Date and time (ISO 8601 format)
: <code>localhost</code> — Hostname where HAProxy is running
: <code>haproxy[8400]</code> — Process name and PID

; '''Client Info'''
: <code>102.117.90.22:57291</code> — Source IP address and port of the client

; '''Accept Date'''
: <code>[18/Jul/2025:15:51:04.732]</code> — When HAProxy accepted the connection/request

; '''Frontend, Backend, Server'''
: <code>https-in~</code> — HAProxy frontend handling the request
: <code>www_back/nginx_server</code> — Backend and backend server that handled the request

; '''Timers (ms)'''
: <code>0/0/1/1/2</code>
* '''Tq''': Time spent waiting in queue
* '''Tw''': Time waiting for connection to backend server
* '''Tc''': Time to establish connection to backend
* '''Tr''': Time to get the full HTTP request from the client
* '''Tt''': Total time from accept to response

; '''HTTP Status and Bytes'''
: <code>200</code> — HTTP status code returned to the client (OK)
: <code>210</code> — Number of bytes sent to the client (response size)

; '''Captured Request/Response Cookies'''
: <code>- -</code> — (Dashes mean "not captured" or "not set")

; '''Termination State'''
: <code>--NI</code> — How/why the session ended (see [https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4 HAProxy documentation] for codes)

; '''Connections (ActConn/FeConn/BeConn/SrvConn/Retry)'''
: <code>1/1/0/0/0</code>
* '''ActConn''': Active connections on the frontend
* '''FeConn''': Connections on the frontend
* '''BeConn''': On the backend
* '''SrvConn''': On the server
* '''Retry''': Retries

; '''Queues (SrvQueue/BackendQueue)'''
: <code>0/0</code>
* '''SrvQueue''': Number of queued requests on the server
* '''BackendQueue''': Number of queued requests on the backend

; '''Request Line'''
: <code>"HEAD https://www.lab.sdnog.sd/ HTTP/2.0"</code> — The HTTP method, URL, and protocol

----

== Explanation ==

* Each line is a single request processed by HAProxy.
* The log shows: when it happened, who connected, what request they made, what server handled it, how long each step took, and what the result was.
* If you see different backends/servers (like <code>nginx_server</code> or <code>apache_server</code>), it means HAProxy is load balancing between them.
* '''Status codes''' like <code>200</code> mean “OK”. If you see <code>500</code>, <code>404</code>, etc., that means there was an error.
* '''Timings''' help you diagnose where delays are happening (queue, connection, etc.).
* '''Termination state''' (<code>--NI</code>) can show if the connection ended normally or with errors/timeouts.

----

== Quick Reference Table ==

{| class="wikitable"
! Field !! Example Value !! Meaning
|-
| Timestamp || 2025-07-18T15:51:04+00:00 || When the event happened
|-
| Client IP:Port || 102.117.90.22:57291 || Who made the request
|-
| Accept Date || [18/Jul/2025:15:51:04.732] || When HAProxy accepted the request
|-
| Frontend~ || https-in~ || Which frontend handled it
|-
| Backend/Server || www_back/nginx_server || Backend/server chosen
|-
| Timers || 0/0/1/1/2 || Time in each HAProxy phase
|-
| Status || 200 || HTTP status code
|-
| Bytes || 210 || Bytes sent to client
|-
| Term. State || --NI || How session ended
|-
| Connections || 1/1/0/0/0 || Conn. counts (frontend, backend, etc.)
|-
| Queues || 0/0 || Queued requests
|-
| Request || "HEAD ... HTTP/2.0" || HTTP Method, URL, Protocol
|}

----

'''Tip:''' For more details, see the [https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4 HAProxy log format documentation].

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
<pre>
haproxy -c -f /etc/haproxy/haproxy.cfg
</pre>
#* Verify that the ports HAProxy is trying to bind to are not already in use.

# '''Backend servers not responding:'''
#* Make sure Apache/Nginx/MySQL are running on their respective servers.
#* Check firewall rules (UFW, iptables, or cloud security groups) to allow traffic between HAProxy and backend nodes.
#* Confirm the correct backend IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the certificate and private key path in your HAProxy config.
#* Ensure your `.pem` file has correct permissions and the combined format (cert + key).

# '''ACLs/routing not working as expected:'''
#* Verify that your local `/etc/hosts` or DNS is configured for the lab domains.
#* Use `tcpdump` or `wireshark` to inspect HTTP headers if needed.

# '''Stats page not accessible:'''
#* Confirm the `listen stats` block in your config.
#* Make sure port 8080 is open on the HAProxy machine and not blocked by a firewall.

# '''MySQL authentication errors:'''
#* Ensure user/password is the same on all DB nodes.
#* Make sure MySQL is listening on 0.0.0.0 or the correct interface.

== Performance Tuning ==

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` and `defaults` sections based on your hardware.
# '''Enable kernel TCP keepalive:'''
#* Add `option tcpka` in the `defaults` section if needed.
# '''Enable HTTP/2:'''
#* Update your SSL binding to:
<pre>
bind *:443 ssl crt /home/sdnog/lab/cert.pem alpn h2,http/1.1
</pre>
# '''Implement caching:'''
#* Consider using Varnish in front of HAProxy for static content.

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
haproxy -c -f /etc/haproxy/haproxy.cfg
#* Verify that the ports HAProxy is trying to bind to are not in use by other services.

# '''Backend servers not responding:'''
#* Ensure that Apache and Nginx are running on their respective VMs.
#* Check firewall rules to allow traffic between HAProxy and backend servers.
#* Verify the IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the path to the SSL certificate and key in the HAProxy configuration.
#* Ensure the combined PEM file has the correct permissions.

# '''ACLs not working as expected:'''
#* Verify that your local hosts file is correctly configured.
#* Use `tcpdump` or `wireshark` to inspect the HTTP headers and ensure the correct `Host` header is being sent.

== Performance Tuning ==

=== Optimizing HAProxy ===

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` section based on your server's capacity.

# '''Enable kernel TCP splicing:'''
#* Add `option tcpka` to the `defaults` section for keep-alive connections.

# '''Use HTTP/2:'''
#* Update your SSL binding to support HTTP/2:
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem alpn h2,http/1.1

# '''Implement caching:'''
#* Consider adding a caching layer with Varnish in front of HAProxy for static content.

=== Optimal Configuration Options for Web-Based Frontends ===
It's crucial to customize the following according to your application's specific requirements.
'''
frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/cert.pem no-sslv3
mode http
option httplog
log global

# Redirect HTTP to HTTPS (enforce HTTPS for all traffic)
http-request redirect scheme https code 301 if !{ ssl_fc }

# Set default security headers for responses
# Enforce HSTS for HTTPS (1 year, include subdomains, preload)
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Clickjacking protection, allow only the same origin to embed this site
http-response set-header X-Frame-Options "SAMEORIGIN"

# XSS filtering enabled in browsers, block if an attack is detected
http-response set-header X-XSS-Protection "1; mode=block"

# Prevent MIME type sniffing (force browser to honor content type declared by the server)
http-response set-header X-Content-Type-Options "nosniff"

# Add Content Security Policy to mitigate XSS and data injection attacks
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Disable referrer information leakage when navigating to a different origin
http-response set-header Referrer-Policy "no-referrer-when-downgrade"

# Prevent browsers and proxies from caching sensitive data
http-response set-header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"

# Set secure cookies (only for HTTPS, HttpOnly, and prevent cross-site requests)
acl secure_cookie hdr_sub(cookie) Secure
http-response set-header Set-Cookie %[res.hdr(Set-Cookie)] if secure_cookie
http-response set-header Set-Cookie Secure; HttpOnly; SameSite=Strict if secure_cookie

# Forward client's original IP in X-Forwarded-For header
http-request add-header X-Forwarded-For %[src]

# Forward the protocol used by the client (HTTP/HTTPS) in X-Forwarded-Proto header
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

# Preserve the original Host header
http-request add-header X-Forwarded-Host %[req.hdr(host)]

default_backend servers
'''

== Appendix: Useful Commands ==

* Check HAProxy config: <pre>haproxy -c -f /etc/haproxy/haproxy.cfg</pre>
* Restart HAProxy: <pre>sudo systemctl restart haproxy</pre>
* View HAProxy logs: <pre>sudo tail -f /var/log/haproxy.log</pre>
* Test backend health: <pre>curl http://web01.lab.sdnog.sd</pre>

== Appendix B : ==

[[High Availability Cluster with Pacemaker, Chronyd ]]

== Author ==
* '''Author''': [[User:Manhal.Mohamed|Manhal Mohamed]] , SdNOG Team

----
''This guide is based on practical deployment, tested with Ubuntu 22.04+. For additional features and advanced security, consult the [https://www.haproxy.org/ HAProxy documentation].''

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-22T09:27:18Z

Manhal.Mohamed: /* Appendix: Useful Commands */

= HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition) =

== Overview ==
This guide documents the setup of HAProxy on Ubuntu servers for load balancing web (HTTP/HTTPS) and MySQL database traffic, using the `sdnog.sd` lab domain. The environment includes multiple backend nodes and complete instructions for configuration, testing, and troubleshooting.

== Prerequisites ==
* 3+ Ubuntu servers/VMs: 1 for HAProxy (load balancer), at least 2 for web/database backends.
* Domain names:
* `lb.lab.sdnog.sd` (HAProxy/load balancer)
* `www.lab.sdnog.sd`, `db.lab.sdnog.sd`, `lb.lab.sdnog.sd` (all pointing to the HAProxy IP)
* Backends: `web01.lab.sdnog.sd`, `web02.lab.sdnog.sd`
* Sudo/root access on all nodes.
* Ability to update `/etc/hosts` or your DNS zone for lab domains.

== Local Hosts or DNS Configuration ==
Set the following entries on your local hosts file or DNS server, pointing to your HAProxy IP (`X.X.X.X`):

X.X.X.X lb.lab.sdnog.sd
X.X.X.X www.lab.sdnog.sd
X.X.X.X db.lab.sdnog.sd

Backends (`web01.lab.sdnog.sd`, `web02.lab.sdnog.sd`) should resolve to their actual server IPs.

== Step 1: Install HAProxy on Ubuntu ==
<pre>
sudo apt update
sudo apt install haproxy
</pre>

== Step 2: Install Web Servers on Backends ==
On `web01.lab.sdnog.sd` and `web02.lab.sdnog.sd`, install Nginx on one and Apache on another:
<pre>
# Nginx (on web01)
sudo apt install nginx
echo "This is web01.lab.sdnog.sd" | sudo tee /var/www/html/index.html

# Apache (on web02)
sudo apt install apache2
echo "This is web02.lab.sdnog.sd" | sudo tee /var/www/html/index.html
</pre>

== Step 3: Install MySQL on Backends ==
On both `web01.lab.sdnog.sd` and `web02.lab.sdnog.sd`:
<pre>
sudo apt install mysql-server
</pre>

== Step 4: Configure MySQL User for HAProxy ==
On both DB nodes (MySQL prompt):
<pre>
CREATE USER 'sdnoguser'@'%' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON *.* TO 'sdnoguser'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
</pre>

== Step 5: HAProxy Configuration for Web & Database Load Balancing ==
Edit `/etc/haproxy/haproxy.cfg` on the HAProxy server:

<pre>
global
log 127.0.0.1:514 local1 info
maxconn 4000
user haproxy
group haproxy

defaults
mode http
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option http-server-close
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend https-in
bind *:443 ssl crt /home/sdnog/lab/cert.pem
mode http
acl host_lab_sdnog hdr(host) -i www.lab.sdnog.sd
use_backend www_back if host_lab_sdnog
default_backend www_back

frontend http-in
bind *:80
redirect scheme https code 301 if !{ ssl_fc }

backend www_back
balance roundrobin
cookie SERVERID insert indirect nocache
server nginx_server web01.lab.sdnog.sd:80 check cookie web01
server apache_server web02.lab.sdnog.sd:80 check cookie web02

frontend database_frontend
bind *:3306
mode tcp
default_backend database_backend

backend database_backend
mode tcp
balance roundrobin
server db01 web01.lab.sdnog.sd:3306 check
server db02 web02.lab.sdnog.sd:3306 check

listen stats
bind 0.0.0.0:8080
bind :::8080
mode http
stats uri /stats
stats realm HAProxy\ Statistics
stats auth admin:StrongPassword
stats admin if TRUE
timeout client 5000
timeout connect 4000
timeout server 30000
</pre>

== Step 6: SSL Certificate for HAProxy ==
Generate or copy your SSL certificate and key as `/home/sdnog/lab/cert.pem` (or another path if you adjust your config).

== Step 7: Restart and Enable HAProxy ==
<pre>
sudo systemctl restart haproxy
sudo systemctl enable haproxy
</pre>

== Step 8: Testing ==

=== Web Load Balancing ===
Test the round-robin backend selection:
<pre>
curl -I https://www.lab.sdnog.sd | grep SERVERID
</pre>
You should see alternating results like:
set-cookie: SERVERID=web01; path=/
set-cookie: SERVERID=web02; path=/

See for example output.

[[File:Web servrs test.png|thumb|center|Web test ]]

=== Database Load Balancing ===
Test DB backend switching:
<pre>
mysql -u sdnoguser -p -h db.lab.sdnog.sd -e "show variables like 'hostname';"
</pre>
You should see the hostname alternating between `db01.lab.sdnog.sd` and `db02.lab.sdnog.sd`

[[File:DB loadbalancer test.png|thumb|center|Layer 4 loadbalancing ]]

=== HAProxy Stats Page ===
Browse to: http://lb.lab.sdnog.sd:8080/stats
for an example:

[[File:Stats page.png|thumb|center]]

== HAProxy Log ==

=== How to Enable HAProxy Logging ===

To enable and view HAProxy logs, follow these steps:

# Edit your HAProxy configuration file (usually <code>/etc/haproxy/haproxy.cfg</code>) and add the following in the <code>global</code> and/or <code>defaults</code> sections:
<pre>
global
log 127.0.0.1 local0

defaults
log global
option httplog
option dontlognull
</pre>
* <code>log 127.0.0.1 local0</code>: Sends logs to the local syslog server.
* <code>option httplog</code>: Enables detailed HTTP log format.
* <code>option dontlognull</code>: Avoids logging empty connections.

# Configure your syslog service (such as <code>rsyslog</code>) to receive HAProxy logs:
* Add the following to <code>/etc/rsyslog.conf</code> or <code>/etc/rsyslog.d/haproxy.conf</code>:
<pre>
$ModLoad imudp
$UDPServerRun 514

local0.* /var/log/haproxy.log
</pre>
# Restart your syslog service:
<pre>
sudo systemctl restart rsyslog
</pre>

# Restart HAProxy:
<pre>
sudo systemctl restart haproxy
</pre>

# Check your HAProxy log output:
<pre>
sudo tail -f /var/log/haproxy.log
</pre>

----

=== Example Log Line ===

<pre>
2025-07-18T15:51:04+00:00 localhost haproxy[8400]: 102.117.90.22:57291 [18/Jul/2025:15:51:04.732] https-in~ www_back/nginx_server 0/0/1/1/2 200 210 - - --NI 1/1/0/0/0 0/0 "HEAD https://www.lab.sdnog.sd/ HTTP/2.0"
</pre>

=== Explanation of Fields ===

; '''Timestamp and Host'''
: <code>2025-07-18T15:51:04+00:00</code> — Date and time (ISO 8601 format)
: <code>localhost</code> — Hostname where HAProxy is running
: <code>haproxy[8400]</code> — Process name and PID

; '''Client Info'''
: <code>102.117.90.22:57291</code> — Source IP address and port of the client

; '''Accept Date'''
: <code>[18/Jul/2025:15:51:04.732]</code> — When HAProxy accepted the connection/request

; '''Frontend, Backend, Server'''
: <code>https-in~</code> — HAProxy frontend handling the request
: <code>www_back/nginx_server</code> — Backend and backend server that handled the request

; '''Timers (ms)'''
: <code>0/0/1/1/2</code>
* '''Tq''': Time spent waiting in queue
* '''Tw''': Time waiting for connection to backend server
* '''Tc''': Time to establish connection to backend
* '''Tr''': Time to get the full HTTP request from the client
* '''Tt''': Total time from accept to response

; '''HTTP Status and Bytes'''
: <code>200</code> — HTTP status code returned to the client (OK)
: <code>210</code> — Number of bytes sent to the client (response size)

; '''Captured Request/Response Cookies'''
: <code>- -</code> — (Dashes mean "not captured" or "not set")

; '''Termination State'''
: <code>--NI</code> — How/why the session ended (see [https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4 HAProxy documentation] for codes)

; '''Connections (ActConn/FeConn/BeConn/SrvConn/Retry)'''
: <code>1/1/0/0/0</code>
* '''ActConn''': Active connections on the frontend
* '''FeConn''': Connections on the frontend
* '''BeConn''': On the backend
* '''SrvConn''': On the server
* '''Retry''': Retries

; '''Queues (SrvQueue/BackendQueue)'''
: <code>0/0</code>
* '''SrvQueue''': Number of queued requests on the server
* '''BackendQueue''': Number of queued requests on the backend

; '''Request Line'''
: <code>"HEAD https://www.lab.sdnog.sd/ HTTP/2.0"</code> — The HTTP method, URL, and protocol

----

== Explanation ==

* Each line is a single request processed by HAProxy.
* The log shows: when it happened, who connected, what request they made, what server handled it, how long each step took, and what the result was.
* If you see different backends/servers (like <code>nginx_server</code> or <code>apache_server</code>), it means HAProxy is load balancing between them.
* '''Status codes''' like <code>200</code> mean “OK”. If you see <code>500</code>, <code>404</code>, etc., that means there was an error.
* '''Timings''' help you diagnose where delays are happening (queue, connection, etc.).
* '''Termination state''' (<code>--NI</code>) can show if the connection ended normally or with errors/timeouts.

----

== Quick Reference Table ==

{| class="wikitable"
! Field !! Example Value !! Meaning
|-
| Timestamp || 2025-07-18T15:51:04+00:00 || When the event happened
|-
| Client IP:Port || 102.117.90.22:57291 || Who made the request
|-
| Accept Date || [18/Jul/2025:15:51:04.732] || When HAProxy accepted the request
|-
| Frontend~ || https-in~ || Which frontend handled it
|-
| Backend/Server || www_back/nginx_server || Backend/server chosen
|-
| Timers || 0/0/1/1/2 || Time in each HAProxy phase
|-
| Status || 200 || HTTP status code
|-
| Bytes || 210 || Bytes sent to client
|-
| Term. State || --NI || How session ended
|-
| Connections || 1/1/0/0/0 || Conn. counts (frontend, backend, etc.)
|-
| Queues || 0/0 || Queued requests
|-
| Request || "HEAD ... HTTP/2.0" || HTTP Method, URL, Protocol
|}

----

'''Tip:''' For more details, see the [https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4 HAProxy log format documentation].

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
<pre>
haproxy -c -f /etc/haproxy/haproxy.cfg
</pre>
#* Verify that the ports HAProxy is trying to bind to are not already in use.

# '''Backend servers not responding:'''
#* Make sure Apache/Nginx/MySQL are running on their respective servers.
#* Check firewall rules (UFW, iptables, or cloud security groups) to allow traffic between HAProxy and backend nodes.
#* Confirm the correct backend IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the certificate and private key path in your HAProxy config.
#* Ensure your `.pem` file has correct permissions and the combined format (cert + key).

# '''ACLs/routing not working as expected:'''
#* Verify that your local `/etc/hosts` or DNS is configured for the lab domains.
#* Use `tcpdump` or `wireshark` to inspect HTTP headers if needed.

# '''Stats page not accessible:'''
#* Confirm the `listen stats` block in your config.
#* Make sure port 8080 is open on the HAProxy machine and not blocked by a firewall.

# '''MySQL authentication errors:'''
#* Ensure user/password is the same on all DB nodes.
#* Make sure MySQL is listening on 0.0.0.0 or the correct interface.

== Performance Tuning ==

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` and `defaults` sections based on your hardware.
# '''Enable kernel TCP keepalive:'''
#* Add `option tcpka` in the `defaults` section if needed.
# '''Enable HTTP/2:'''
#* Update your SSL binding to:
<pre>
bind *:443 ssl crt /home/sdnog/lab/cert.pem alpn h2,http/1.1
</pre>
# '''Implement caching:'''
#* Consider using Varnish in front of HAProxy for static content.

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
haproxy -c -f /etc/haproxy/haproxy.cfg
#* Verify that the ports HAProxy is trying to bind to are not in use by other services.

# '''Backend servers not responding:'''
#* Ensure that Apache and Nginx are running on their respective VMs.
#* Check firewall rules to allow traffic between HAProxy and backend servers.
#* Verify the IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the path to the SSL certificate and key in the HAProxy configuration.
#* Ensure the combined PEM file has the correct permissions.

# '''ACLs not working as expected:'''
#* Verify that your local hosts file is correctly configured.
#* Use `tcpdump` or `wireshark` to inspect the HTTP headers and ensure the correct `Host` header is being sent.

== Performance Tuning ==

=== Optimizing HAProxy ===

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` section based on your server's capacity.

# '''Enable kernel TCP splicing:'''
#* Add `option tcpka` to the `defaults` section for keep-alive connections.

# '''Use HTTP/2:'''
#* Update your SSL binding to support HTTP/2:
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem alpn h2,http/1.1

# '''Implement caching:'''
#* Consider adding a caching layer with Varnish in front of HAProxy for static content.

=== Optimal Configuration Options for Web-Based Frontends ===
It's crucial to customize the following according to your application's specific requirements.
'''
frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/cert.pem no-sslv3
mode http
option httplog
log global

# Redirect HTTP to HTTPS (enforce HTTPS for all traffic)
http-request redirect scheme https code 301 if !{ ssl_fc }

# Set default security headers for responses
# Enforce HSTS for HTTPS (1 year, include subdomains, preload)
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Clickjacking protection, allow only the same origin to embed this site
http-response set-header X-Frame-Options "SAMEORIGIN"

# XSS filtering enabled in browsers, block if an attack is detected
http-response set-header X-XSS-Protection "1; mode=block"

# Prevent MIME type sniffing (force browser to honor content type declared by the server)
http-response set-header X-Content-Type-Options "nosniff"

# Add Content Security Policy to mitigate XSS and data injection attacks
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Disable referrer information leakage when navigating to a different origin
http-response set-header Referrer-Policy "no-referrer-when-downgrade"

# Prevent browsers and proxies from caching sensitive data
http-response set-header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"

# Set secure cookies (only for HTTPS, HttpOnly, and prevent cross-site requests)
acl secure_cookie hdr_sub(cookie) Secure
http-response set-header Set-Cookie %[res.hdr(Set-Cookie)] if secure_cookie
http-response set-header Set-Cookie Secure; HttpOnly; SameSite=Strict if secure_cookie

# Forward client's original IP in X-Forwarded-For header
http-request add-header X-Forwarded-For %[src]

# Forward the protocol used by the client (HTTP/HTTPS) in X-Forwarded-Proto header
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

# Preserve the original Host header
http-request add-header X-Forwarded-Host %[req.hdr(host)]

default_backend servers
'''

== Appendix: Useful Commands ==

* Check HAProxy config: <pre>haproxy -c -f /etc/haproxy/haproxy.cfg</pre>
* Restart HAProxy: <pre>sudo systemctl restart haproxy</pre>
* View HAProxy logs: <pre>sudo tail -f /var/log/haproxy.log</pre>
* Test backend health: <pre>curl http://web01.lab.sdnog.sd</pre>

== Appendix: High Availability Cluster with Pacemaker, Chronyd ==

== Author ==
* '''Author''': [[User:Manhal.Mohamed|Manhal Mohamed]] , SdNOG Team

----
''This guide is based on practical deployment, tested with Ubuntu 22.04+. For additional features and advanced security, consult the [https://www.haproxy.org/ HAProxy documentation].''

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T16:11:25Z

Manhal.Mohamed: /* HAProxy Log Explanation */

= HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition) =

== Overview ==
This guide documents the setup of HAProxy on Ubuntu servers for load balancing web (HTTP/HTTPS) and MySQL database traffic, using the `sdnog.sd` lab domain. The environment includes multiple backend nodes and complete instructions for configuration, testing, and troubleshooting.

== Prerequisites ==
* 3+ Ubuntu servers/VMs: 1 for HAProxy (load balancer), at least 2 for web/database backends.
* Domain names:
* `lb.lab.sdnog.sd` (HAProxy/load balancer)
* `www.lab.sdnog.sd`, `db.lab.sdnog.sd`, `lb.lab.sdnog.sd` (all pointing to the HAProxy IP)
* Backends: `web01.lab.sdnog.sd`, `web02.lab.sdnog.sd`
* Sudo/root access on all nodes.
* Ability to update `/etc/hosts` or your DNS zone for lab domains.

== Local Hosts or DNS Configuration ==
Set the following entries on your local hosts file or DNS server, pointing to your HAProxy IP (`X.X.X.X`):

X.X.X.X lb.lab.sdnog.sd
X.X.X.X www.lab.sdnog.sd
X.X.X.X db.lab.sdnog.sd

Backends (`web01.lab.sdnog.sd`, `web02.lab.sdnog.sd`) should resolve to their actual server IPs.

== Step 1: Install HAProxy on Ubuntu ==
<pre>
sudo apt update
sudo apt install haproxy
</pre>

== Step 2: Install Web Servers on Backends ==
On `web01.lab.sdnog.sd` and `web02.lab.sdnog.sd`, install Nginx on one and Apache on another:
<pre>
# Nginx (on web01)
sudo apt install nginx
echo "This is web01.lab.sdnog.sd" | sudo tee /var/www/html/index.html

# Apache (on web02)
sudo apt install apache2
echo "This is web02.lab.sdnog.sd" | sudo tee /var/www/html/index.html
</pre>

== Step 3: Install MySQL on Backends ==
On both `web01.lab.sdnog.sd` and `web02.lab.sdnog.sd`:
<pre>
sudo apt install mysql-server
</pre>

== Step 4: Configure MySQL User for HAProxy ==
On both DB nodes (MySQL prompt):
<pre>
CREATE USER 'sdnoguser'@'%' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON *.* TO 'sdnoguser'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
</pre>

== Step 5: HAProxy Configuration for Web & Database Load Balancing ==
Edit `/etc/haproxy/haproxy.cfg` on the HAProxy server:

<pre>
global
log 127.0.0.1:514 local1 info
maxconn 4000
user haproxy
group haproxy

defaults
mode http
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option http-server-close
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend https-in
bind *:443 ssl crt /home/sdnog/lab/cert.pem
mode http
acl host_lab_sdnog hdr(host) -i www.lab.sdnog.sd
use_backend www_back if host_lab_sdnog
default_backend www_back

frontend http-in
bind *:80
redirect scheme https code 301 if !{ ssl_fc }

backend www_back
balance roundrobin
cookie SERVERID insert indirect nocache
server nginx_server web01.lab.sdnog.sd:80 check cookie web01
server apache_server web02.lab.sdnog.sd:80 check cookie web02

frontend database_frontend
bind *:3306
mode tcp
default_backend database_backend

backend database_backend
mode tcp
balance roundrobin
server db01 web01.lab.sdnog.sd:3306 check
server db02 web02.lab.sdnog.sd:3306 check

listen stats
bind 0.0.0.0:8080
bind :::8080
mode http
stats uri /stats
stats realm HAProxy\ Statistics
stats auth admin:StrongPassword
stats admin if TRUE
timeout client 5000
timeout connect 4000
timeout server 30000
</pre>

== Step 6: SSL Certificate for HAProxy ==
Generate or copy your SSL certificate and key as `/home/sdnog/lab/cert.pem` (or another path if you adjust your config).

== Step 7: Restart and Enable HAProxy ==
<pre>
sudo systemctl restart haproxy
sudo systemctl enable haproxy
</pre>

== Step 8: Testing ==

=== Web Load Balancing ===
Test the round-robin backend selection:
<pre>
curl -I https://www.lab.sdnog.sd | grep SERVERID
</pre>
You should see alternating results like:
set-cookie: SERVERID=web01; path=/
set-cookie: SERVERID=web02; path=/

See for example output.

[[File:Web servrs test.png|thumb|center|Web test ]]

=== Database Load Balancing ===
Test DB backend switching:
<pre>
mysql -u sdnoguser -p -h db.lab.sdnog.sd -e "show variables like 'hostname';"
</pre>
You should see the hostname alternating between `db01.lab.sdnog.sd` and `db02.lab.sdnog.sd`

[[File:DB loadbalancer test.png|thumb|center|Layer 4 loadbalancing ]]

=== HAProxy Stats Page ===
Browse to: http://lb.lab.sdnog.sd:8080/stats
for an example:

[[File:Stats page.png|thumb|center]]

== HAProxy Log ==

=== How to Enable HAProxy Logging ===

To enable and view HAProxy logs, follow these steps:

# Edit your HAProxy configuration file (usually <code>/etc/haproxy/haproxy.cfg</code>) and add the following in the <code>global</code> and/or <code>defaults</code> sections:
<pre>
global
log 127.0.0.1 local0

defaults
log global
option httplog
option dontlognull
</pre>
* <code>log 127.0.0.1 local0</code>: Sends logs to the local syslog server.
* <code>option httplog</code>: Enables detailed HTTP log format.
* <code>option dontlognull</code>: Avoids logging empty connections.

# Configure your syslog service (such as <code>rsyslog</code>) to receive HAProxy logs:
* Add the following to <code>/etc/rsyslog.conf</code> or <code>/etc/rsyslog.d/haproxy.conf</code>:
<pre>
$ModLoad imudp
$UDPServerRun 514

local0.* /var/log/haproxy.log
</pre>
# Restart your syslog service:
<pre>
sudo systemctl restart rsyslog
</pre>

# Restart HAProxy:
<pre>
sudo systemctl restart haproxy
</pre>

# Check your HAProxy log output:
<pre>
sudo tail -f /var/log/haproxy.log
</pre>

----

=== Example Log Line ===

<pre>
2025-07-18T15:51:04+00:00 localhost haproxy[8400]: 102.117.90.22:57291 [18/Jul/2025:15:51:04.732] https-in~ www_back/nginx_server 0/0/1/1/2 200 210 - - --NI 1/1/0/0/0 0/0 "HEAD https://www.lab.sdnog.sd/ HTTP/2.0"
</pre>

=== Explanation of Fields ===

; '''Timestamp and Host'''
: <code>2025-07-18T15:51:04+00:00</code> — Date and time (ISO 8601 format)
: <code>localhost</code> — Hostname where HAProxy is running
: <code>haproxy[8400]</code> — Process name and PID

; '''Client Info'''
: <code>102.117.90.22:57291</code> — Source IP address and port of the client

; '''Accept Date'''
: <code>[18/Jul/2025:15:51:04.732]</code> — When HAProxy accepted the connection/request

; '''Frontend, Backend, Server'''
: <code>https-in~</code> — HAProxy frontend handling the request
: <code>www_back/nginx_server</code> — Backend and backend server that handled the request

; '''Timers (ms)'''
: <code>0/0/1/1/2</code>
* '''Tq''': Time spent waiting in queue
* '''Tw''': Time waiting for connection to backend server
* '''Tc''': Time to establish connection to backend
* '''Tr''': Time to get the full HTTP request from the client
* '''Tt''': Total time from accept to response

; '''HTTP Status and Bytes'''
: <code>200</code> — HTTP status code returned to the client (OK)
: <code>210</code> — Number of bytes sent to the client (response size)

; '''Captured Request/Response Cookies'''
: <code>- -</code> — (Dashes mean "not captured" or "not set")

; '''Termination State'''
: <code>--NI</code> — How/why the session ended (see [https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4 HAProxy documentation] for codes)

; '''Connections (ActConn/FeConn/BeConn/SrvConn/Retry)'''
: <code>1/1/0/0/0</code>
* '''ActConn''': Active connections on the frontend
* '''FeConn''': Connections on the frontend
* '''BeConn''': On the backend
* '''SrvConn''': On the server
* '''Retry''': Retries

; '''Queues (SrvQueue/BackendQueue)'''
: <code>0/0</code>
* '''SrvQueue''': Number of queued requests on the server
* '''BackendQueue''': Number of queued requests on the backend

; '''Request Line'''
: <code>"HEAD https://www.lab.sdnog.sd/ HTTP/2.0"</code> — The HTTP method, URL, and protocol

----

== Explanation ==

* Each line is a single request processed by HAProxy.
* The log shows: when it happened, who connected, what request they made, what server handled it, how long each step took, and what the result was.
* If you see different backends/servers (like <code>nginx_server</code> or <code>apache_server</code>), it means HAProxy is load balancing between them.
* '''Status codes''' like <code>200</code> mean “OK”. If you see <code>500</code>, <code>404</code>, etc., that means there was an error.
* '''Timings''' help you diagnose where delays are happening (queue, connection, etc.).
* '''Termination state''' (<code>--NI</code>) can show if the connection ended normally or with errors/timeouts.

----

== Quick Reference Table ==

{| class="wikitable"
! Field !! Example Value !! Meaning
|-
| Timestamp || 2025-07-18T15:51:04+00:00 || When the event happened
|-
| Client IP:Port || 102.117.90.22:57291 || Who made the request
|-
| Accept Date || [18/Jul/2025:15:51:04.732] || When HAProxy accepted the request
|-
| Frontend~ || https-in~ || Which frontend handled it
|-
| Backend/Server || www_back/nginx_server || Backend/server chosen
|-
| Timers || 0/0/1/1/2 || Time in each HAProxy phase
|-
| Status || 200 || HTTP status code
|-
| Bytes || 210 || Bytes sent to client
|-
| Term. State || --NI || How session ended
|-
| Connections || 1/1/0/0/0 || Conn. counts (frontend, backend, etc.)
|-
| Queues || 0/0 || Queued requests
|-
| Request || "HEAD ... HTTP/2.0" || HTTP Method, URL, Protocol
|}

----

'''Tip:''' For more details, see the [https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4 HAProxy log format documentation].

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
<pre>
haproxy -c -f /etc/haproxy/haproxy.cfg
</pre>
#* Verify that the ports HAProxy is trying to bind to are not already in use.

# '''Backend servers not responding:'''
#* Make sure Apache/Nginx/MySQL are running on their respective servers.
#* Check firewall rules (UFW, iptables, or cloud security groups) to allow traffic between HAProxy and backend nodes.
#* Confirm the correct backend IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the certificate and private key path in your HAProxy config.
#* Ensure your `.pem` file has correct permissions and the combined format (cert + key).

# '''ACLs/routing not working as expected:'''
#* Verify that your local `/etc/hosts` or DNS is configured for the lab domains.
#* Use `tcpdump` or `wireshark` to inspect HTTP headers if needed.

# '''Stats page not accessible:'''
#* Confirm the `listen stats` block in your config.
#* Make sure port 8080 is open on the HAProxy machine and not blocked by a firewall.

# '''MySQL authentication errors:'''
#* Ensure user/password is the same on all DB nodes.
#* Make sure MySQL is listening on 0.0.0.0 or the correct interface.

== Performance Tuning ==

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` and `defaults` sections based on your hardware.
# '''Enable kernel TCP keepalive:'''
#* Add `option tcpka` in the `defaults` section if needed.
# '''Enable HTTP/2:'''
#* Update your SSL binding to:
<pre>
bind *:443 ssl crt /home/sdnog/lab/cert.pem alpn h2,http/1.1
</pre>
# '''Implement caching:'''
#* Consider using Varnish in front of HAProxy for static content.

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
haproxy -c -f /etc/haproxy/haproxy.cfg
#* Verify that the ports HAProxy is trying to bind to are not in use by other services.

# '''Backend servers not responding:'''
#* Ensure that Apache and Nginx are running on their respective VMs.
#* Check firewall rules to allow traffic between HAProxy and backend servers.
#* Verify the IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the path to the SSL certificate and key in the HAProxy configuration.
#* Ensure the combined PEM file has the correct permissions.

# '''ACLs not working as expected:'''
#* Verify that your local hosts file is correctly configured.
#* Use `tcpdump` or `wireshark` to inspect the HTTP headers and ensure the correct `Host` header is being sent.

== Performance Tuning ==

=== Optimizing HAProxy ===

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` section based on your server's capacity.

# '''Enable kernel TCP splicing:'''
#* Add `option tcpka` to the `defaults` section for keep-alive connections.

# '''Use HTTP/2:'''
#* Update your SSL binding to support HTTP/2:
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem alpn h2,http/1.1

# '''Implement caching:'''
#* Consider adding a caching layer with Varnish in front of HAProxy for static content.

=== Optimal Configuration Options for Web-Based Frontends ===
It's crucial to customize the following according to your application's specific requirements.
'''
frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/cert.pem no-sslv3
mode http
option httplog
log global

# Redirect HTTP to HTTPS (enforce HTTPS for all traffic)
http-request redirect scheme https code 301 if !{ ssl_fc }

# Set default security headers for responses
# Enforce HSTS for HTTPS (1 year, include subdomains, preload)
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Clickjacking protection, allow only the same origin to embed this site
http-response set-header X-Frame-Options "SAMEORIGIN"

# XSS filtering enabled in browsers, block if an attack is detected
http-response set-header X-XSS-Protection "1; mode=block"

# Prevent MIME type sniffing (force browser to honor content type declared by the server)
http-response set-header X-Content-Type-Options "nosniff"

# Add Content Security Policy to mitigate XSS and data injection attacks
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Disable referrer information leakage when navigating to a different origin
http-response set-header Referrer-Policy "no-referrer-when-downgrade"

# Prevent browsers and proxies from caching sensitive data
http-response set-header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"

# Set secure cookies (only for HTTPS, HttpOnly, and prevent cross-site requests)
acl secure_cookie hdr_sub(cookie) Secure
http-response set-header Set-Cookie %[res.hdr(Set-Cookie)] if secure_cookie
http-response set-header Set-Cookie Secure; HttpOnly; SameSite=Strict if secure_cookie

# Forward client's original IP in X-Forwarded-For header
http-request add-header X-Forwarded-For %[src]

# Forward the protocol used by the client (HTTP/HTTPS) in X-Forwarded-Proto header
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

# Preserve the original Host header
http-request add-header X-Forwarded-Host %[req.hdr(host)]

default_backend servers
'''

== Appendix: Useful Commands ==

* Check HAProxy config: <pre>haproxy -c -f /etc/haproxy/haproxy.cfg</pre>
* Restart HAProxy: <pre>sudo systemctl restart haproxy</pre>
* View HAProxy logs: <pre>sudo tail -f /var/log/haproxy.log</pre>
* Test backend health: <pre>curl http://web01.lab.sdnog.sd</pre>

== Author ==
* '''Author''': [[User:Manhal.Mohamed|Manhal Mohamed]] , SdNOG Team

----
''This guide is based on practical deployment, tested with Ubuntu 22.04+. For additional features and advanced security, consult the [https://www.haproxy.org/ HAProxy documentation].''

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T15:59:28Z

Manhal.Mohamed:

= HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition) =

== Overview ==
This guide documents the setup of HAProxy on Ubuntu servers for load balancing web (HTTP/HTTPS) and MySQL database traffic, using the `sdnog.sd` lab domain. The environment includes multiple backend nodes and complete instructions for configuration, testing, and troubleshooting.

== Prerequisites ==
* 3+ Ubuntu servers/VMs: 1 for HAProxy (load balancer), at least 2 for web/database backends.
* Domain names:
* `lb.lab.sdnog.sd` (HAProxy/load balancer)
* `www.lab.sdnog.sd`, `db.lab.sdnog.sd`, `lb.lab.sdnog.sd` (all pointing to the HAProxy IP)
* Backends: `web01.lab.sdnog.sd`, `web02.lab.sdnog.sd`
* Sudo/root access on all nodes.
* Ability to update `/etc/hosts` or your DNS zone for lab domains.

== Local Hosts or DNS Configuration ==
Set the following entries on your local hosts file or DNS server, pointing to your HAProxy IP (`X.X.X.X`):

X.X.X.X lb.lab.sdnog.sd
X.X.X.X www.lab.sdnog.sd
X.X.X.X db.lab.sdnog.sd

Backends (`web01.lab.sdnog.sd`, `web02.lab.sdnog.sd`) should resolve to their actual server IPs.

== Step 1: Install HAProxy on Ubuntu ==
<pre>
sudo apt update
sudo apt install haproxy
</pre>

== Step 2: Install Web Servers on Backends ==
On `web01.lab.sdnog.sd` and `web02.lab.sdnog.sd`, install Nginx on one and Apache on another:
<pre>
# Nginx (on web01)
sudo apt install nginx
echo "This is web01.lab.sdnog.sd" | sudo tee /var/www/html/index.html

# Apache (on web02)
sudo apt install apache2
echo "This is web02.lab.sdnog.sd" | sudo tee /var/www/html/index.html
</pre>

== Step 3: Install MySQL on Backends ==
On both `web01.lab.sdnog.sd` and `web02.lab.sdnog.sd`:
<pre>
sudo apt install mysql-server
</pre>

== Step 4: Configure MySQL User for HAProxy ==
On both DB nodes (MySQL prompt):
<pre>
CREATE USER 'sdnoguser'@'%' IDENTIFIED BY 'StrongPassword';
GRANT ALL PRIVILEGES ON *.* TO 'sdnoguser'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
</pre>

== Step 5: HAProxy Configuration for Web & Database Load Balancing ==
Edit `/etc/haproxy/haproxy.cfg` on the HAProxy server:

<pre>
global
log 127.0.0.1:514 local1 info
maxconn 4000
user haproxy
group haproxy

defaults
mode http
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option http-server-close
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend https-in
bind *:443 ssl crt /home/sdnog/lab/cert.pem
mode http
acl host_lab_sdnog hdr(host) -i www.lab.sdnog.sd
use_backend www_back if host_lab_sdnog
default_backend www_back

frontend http-in
bind *:80
redirect scheme https code 301 if !{ ssl_fc }

backend www_back
balance roundrobin
cookie SERVERID insert indirect nocache
server nginx_server web01.lab.sdnog.sd:80 check cookie web01
server apache_server web02.lab.sdnog.sd:80 check cookie web02

frontend database_frontend
bind *:3306
mode tcp
default_backend database_backend

backend database_backend
mode tcp
balance roundrobin
server db01 web01.lab.sdnog.sd:3306 check
server db02 web02.lab.sdnog.sd:3306 check

listen stats
bind 0.0.0.0:8080
bind :::8080
mode http
stats uri /stats
stats realm HAProxy\ Statistics
stats auth admin:StrongPassword
stats admin if TRUE
timeout client 5000
timeout connect 4000
timeout server 30000
</pre>

== Step 6: SSL Certificate for HAProxy ==
Generate or copy your SSL certificate and key as `/home/sdnog/lab/cert.pem` (or another path if you adjust your config).

== Step 7: Restart and Enable HAProxy ==
<pre>
sudo systemctl restart haproxy
sudo systemctl enable haproxy
</pre>

== Step 8: Testing ==

=== Web Load Balancing ===
Test the round-robin backend selection:
<pre>
curl -I https://www.lab.sdnog.sd | grep SERVERID
</pre>
You should see alternating results like:
set-cookie: SERVERID=web01; path=/
set-cookie: SERVERID=web02; path=/

See for example output.

[[File:Web servrs test.png|thumb|center|Web test ]]

=== Database Load Balancing ===
Test DB backend switching:
<pre>
mysql -u sdnoguser -p -h db.lab.sdnog.sd -e "show variables like 'hostname';"
</pre>
You should see the hostname alternating between `db01.lab.sdnog.sd` and `db02.lab.sdnog.sd`

[[File:DB loadbalancer test.png|thumb|center|Layer 4 loadbalancing ]]

=== HAProxy Stats Page ===
Browse to: http://lb.lab.sdnog.sd:8080/stats
for an example:

[[File:Stats page.png|thumb|center]]

== HAProxy Log Explanation ==

=== Example Log Line ===

<pre>
2025-07-18T15:51:04+00:00 localhost haproxy[8400]: 102.117.90.22:57291 [18/Jul/2025:15:51:04.732] https-in~ www_back/nginx_server 0/0/1/1/2 200 210 - - --NI 1/1/0/0/0 0/0 "HEAD https://www.lab.sdnog.sd/ HTTP/2.0"
</pre>

=== Explanation of Fields ===

; '''Timestamp and Host'''
: <code>2025-07-18T15:51:04+00:00</code> — Date and time (ISO 8601 format)
: <code>localhost</code> — Hostname where HAProxy is running
: <code>haproxy[8400]</code> — Process name and PID

; '''Client Info'''
: <code>102.117.90.22:57291</code> — Source IP address and port of the client

; '''Accept Date'''
: <code>[18/Jul/2025:15:51:04.732]</code> — When HAProxy accepted the connection/request

; '''Frontend, Backend, Server'''
: <code>https-in~</code> — HAProxy frontend handling the request
: <code>www_back/nginx_server</code> — Backend and backend server that handled the request

; '''Timers (ms)'''
: <code>0/0/1/1/2</code>
* '''Tq''': Time spent waiting in queue
* '''Tw''': Time waiting for connection to backend server
* '''Tc''': Time to establish connection to backend
* '''Tr''': Time to get the full HTTP request from the client
* '''Tt''': Total time from accept to response

; '''HTTP Status and Bytes'''
: <code>200</code> — HTTP status code returned to the client (OK)
: <code>210</code> — Number of bytes sent to the client (response size)

; '''Captured Request/Response Cookies'''
: <code>- -</code> — (Dashes mean "not captured" or "not set")

; '''Termination State'''
: <code>--NI</code> — How/why the session ended (see [https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4 HAProxy documentation] for codes)

; '''Connections (ActConn/FeConn/BeConn/SrvConn/Retry)'''
: <code>1/1/0/0/0</code>
* '''ActConn''': Active connections on the frontend
* '''FeConn''': Connections on the frontend
* '''BeConn''': On the backend
* '''SrvConn''': On the server
* '''Retry''': Retries

; '''Queues (SrvQueue/BackendQueue)'''
: <code>0/0</code>
* '''SrvQueue''': Number of queued requests on the server
* '''BackendQueue''': Number of queued requests on the backend

; '''Request Line'''
: <code>"HEAD https://www.lab.sdnog.sd/ HTTP/2.0"</code> — The HTTP method, URL, and protocol

----

== Explanation ==

* Each line is a single request processed by HAProxy.
* The log shows: when it happened, who connected, what request they made, what server handled it, how long each step took, and what the result was.
* If you see different backends/servers (like <code>nginx_server</code> or <code>apache_server</code>), it means HAProxy is load balancing between them.
* '''Status codes''' like <code>200</code> mean “OK”. If you see <code>500</code>, <code>404</code>, etc., that means there was an error.
* '''Timings''' help you diagnose where delays are happening (queue, connection, etc.).
* '''Termination state''' (<code>--NI</code>) can show if the connection ended normally or with errors/timeouts.

----

== Quick Reference Table ==

{| class="wikitable"
! Field !! Example Value !! Meaning
|-
| Timestamp || 2025-07-18T15:51:04+00:00 || When the event happened
|-
| Client IP:Port || 102.117.90.22:57291 || Who made the request
|-
| Accept Date || [18/Jul/2025:15:51:04.732] || When HAProxy accepted the request
|-
| Frontend~ || https-in~ || Which frontend handled it
|-
| Backend/Server || www_back/nginx_server || Backend/server chosen
|-
| Timers || 0/0/1/1/2 || Time in each HAProxy phase
|-
| Status || 200 || HTTP status code
|-
| Bytes || 210 || Bytes sent to client
|-
| Term. State || --NI || How session ended
|-
| Connections || 1/1/0/0/0 || Conn. counts (frontend, backend, etc.)
|-
| Queues || 0/0 || Queued requests
|-
| Request || "HEAD ... HTTP/2.0" || HTTP Method, URL, Protocol
|}

----

'''Tip:''' For more details, see the [https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4 HAProxy log format documentation].

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
<pre>
haproxy -c -f /etc/haproxy/haproxy.cfg
</pre>
#* Verify that the ports HAProxy is trying to bind to are not already in use.

# '''Backend servers not responding:'''
#* Make sure Apache/Nginx/MySQL are running on their respective servers.
#* Check firewall rules (UFW, iptables, or cloud security groups) to allow traffic between HAProxy and backend nodes.
#* Confirm the correct backend IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the certificate and private key path in your HAProxy config.
#* Ensure your `.pem` file has correct permissions and the combined format (cert + key).

# '''ACLs/routing not working as expected:'''
#* Verify that your local `/etc/hosts` or DNS is configured for the lab domains.
#* Use `tcpdump` or `wireshark` to inspect HTTP headers if needed.

# '''Stats page not accessible:'''
#* Confirm the `listen stats` block in your config.
#* Make sure port 8080 is open on the HAProxy machine and not blocked by a firewall.

# '''MySQL authentication errors:'''
#* Ensure user/password is the same on all DB nodes.
#* Make sure MySQL is listening on 0.0.0.0 or the correct interface.

== Performance Tuning ==

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` and `defaults` sections based on your hardware.
# '''Enable kernel TCP keepalive:'''
#* Add `option tcpka` in the `defaults` section if needed.
# '''Enable HTTP/2:'''
#* Update your SSL binding to:
<pre>
bind *:443 ssl crt /home/sdnog/lab/cert.pem alpn h2,http/1.1
</pre>
# '''Implement caching:'''
#* Consider using Varnish in front of HAProxy for static content.

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
haproxy -c -f /etc/haproxy/haproxy.cfg
#* Verify that the ports HAProxy is trying to bind to are not in use by other services.

# '''Backend servers not responding:'''
#* Ensure that Apache and Nginx are running on their respective VMs.
#* Check firewall rules to allow traffic between HAProxy and backend servers.
#* Verify the IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the path to the SSL certificate and key in the HAProxy configuration.
#* Ensure the combined PEM file has the correct permissions.

# '''ACLs not working as expected:'''
#* Verify that your local hosts file is correctly configured.
#* Use `tcpdump` or `wireshark` to inspect the HTTP headers and ensure the correct `Host` header is being sent.

== Performance Tuning ==

=== Optimizing HAProxy ===

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` section based on your server's capacity.

# '''Enable kernel TCP splicing:'''
#* Add `option tcpka` to the `defaults` section for keep-alive connections.

# '''Use HTTP/2:'''
#* Update your SSL binding to support HTTP/2:
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem alpn h2,http/1.1

# '''Implement caching:'''
#* Consider adding a caching layer with Varnish in front of HAProxy for static content.

=== Optimal Configuration Options for Web-Based Frontends ===
It's crucial to customize the following according to your application's specific requirements.
'''
frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/cert.pem no-sslv3
mode http
option httplog
log global

# Redirect HTTP to HTTPS (enforce HTTPS for all traffic)
http-request redirect scheme https code 301 if !{ ssl_fc }

# Set default security headers for responses
# Enforce HSTS for HTTPS (1 year, include subdomains, preload)
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Clickjacking protection, allow only the same origin to embed this site
http-response set-header X-Frame-Options "SAMEORIGIN"

# XSS filtering enabled in browsers, block if an attack is detected
http-response set-header X-XSS-Protection "1; mode=block"

# Prevent MIME type sniffing (force browser to honor content type declared by the server)
http-response set-header X-Content-Type-Options "nosniff"

# Add Content Security Policy to mitigate XSS and data injection attacks
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Disable referrer information leakage when navigating to a different origin
http-response set-header Referrer-Policy "no-referrer-when-downgrade"

# Prevent browsers and proxies from caching sensitive data
http-response set-header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"

# Set secure cookies (only for HTTPS, HttpOnly, and prevent cross-site requests)
acl secure_cookie hdr_sub(cookie) Secure
http-response set-header Set-Cookie %[res.hdr(Set-Cookie)] if secure_cookie
http-response set-header Set-Cookie Secure; HttpOnly; SameSite=Strict if secure_cookie

# Forward client's original IP in X-Forwarded-For header
http-request add-header X-Forwarded-For %[src]

# Forward the protocol used by the client (HTTP/HTTPS) in X-Forwarded-Proto header
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

# Preserve the original Host header
http-request add-header X-Forwarded-Host %[req.hdr(host)]

default_backend servers
'''

== Appendix: Useful Commands ==

* Check HAProxy config: <pre>haproxy -c -f /etc/haproxy/haproxy.cfg</pre>
* Restart HAProxy: <pre>sudo systemctl restart haproxy</pre>
* View HAProxy logs: <pre>sudo tail -f /var/log/haproxy.log</pre>
* Test backend health: <pre>curl http://web01.lab.sdnog.sd</pre>

== Author ==
* '''Author''': [[User:Manhal.Mohamed|Manhal Mohamed]] , SdNOG Team

----
''This guide is based on practical deployment, tested with Ubuntu 22.04+. For additional features and advanced security, consult the [https://www.haproxy.org/ HAProxy documentation].''

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T15:28:32Z

Manhal.Mohamed:

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T15:27:19Z

Manhal.Mohamed: /* Security Considerations */

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T15:25:01Z

Manhal.Mohamed: /* Database Load Balancing */

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T15:24:01Z

Manhal.Mohamed: /* Database Load Balancing */

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T15:21:12Z

Manhal.Mohamed: /* Web Load Balancing */

File:Web servrs test.png

2025-07-18T15:21:00Z

Manhal.Mohamed:

Web servers test

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T15:19:11Z

Manhal.Mohamed:

File:Stats page.png

2025-07-18T15:18:56Z

Manhal.Mohamed:

stats page

File:DB loadbalancer test.png

2025-07-18T15:17:08Z

Manhal.Mohamed:

DB test

HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)

2025-07-18T15:16:12Z

Manhal.Mohamed: Created page with "= HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition) = == Overview == This guide documents the setup of HAProxy on Ubuntu servers for load balancing we..."

Workshops schedule

2025-07-18T15:15:12Z

Manhal.Mohamed:

[[Category: SdNOG]]
[[Category: Events]]
[[Category: Workshops]]
Here is a list of completed [[SdNOG Workshops]] per year:
{| class="wikitable"
! colspan="3" style="text-align: center;" | '''2015'''
|-
| [[Network Management and Monitoring Workshop|Network Management and Monitoring]]
| 22-24 Dec. 2015
| -
|-
! colspan="3" style="text-align: center;" | '''2016'''
|-
|-
| Network Security Workshop
| 04-05 June 2016
| -
|-
! colspan="3" style="text-align: center;" | '''2017'''
|-
| Virtualization Technology
| 11 Feb. 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81bVZiWUhuYUZfX3M/view?usp=sharing Workshop Report]
|-
| [[UNIX Boot Camp|Unix Boot Camp]] Group1
| 25 Feb. 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81MTlOOHpPbGNuOHc/view?usp=sharing Workshop Report]
|-
| [[UNIX Boot Camp|Unix Boot Camp]] Group2
| 04 March 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81bDhsZHJBdnUyZ0k/view?usp=sharing Workshop Report]
|-
| [[UNIX Boot Camp|Unix Boot Camp]] Group3
| 11 March 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81QUdaTjhGTktMWDA/view?usp=sharing Workshop Report]
|-
| [[UNIX Boot Camp|Unix Boot Camp]] Group4
| 18 March 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81NXhUS01zSHdzZjA/view?usp=sharing Workshop Report]
|-
| [[Networks Fundamental Workshop|Network Fundamental]] Group1
| 25 March 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81dFhhZUF4bk9KdFU/view?usp=sharing Workshop Report]
|-
| [[Networks Fundamental Workshop|Network Fundamental]] Group2
| 01 April 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81cGVwTXVBQ04ybDA/view?usp=sharing Workshop Report]
|-
| [[Networks Fundamental Workshop|Network Fundamental]] Group3
| 08 April 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81M1lmRC1CN1lSX1k/view?usp=sharing Workshop Report]
|-
| [[Networks Fundamental Workshop|Network Fundamental]] Group4
| 15 April 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81QlVtX3FHcTlfZGc/view?usp=sharing Workshop Report]
|-
| [[Networks Fundamental Workshop|Network Fundamental]] Group5
| 22 April 2017
| [https://drive.google.com/file/d/0BwP3tk9ZXn81Ni00T05odXdEcms/view?usp=sharing Workshop Report]
|-
| [[Ethical Hacking Workshop|Ethical Hacking]] Group1
| 06 May 2017
| [https://drive.google.com/open?id=0BwP3tk9ZXn81Mm9scFJSOXNrQnc Workshop Report]
|-
| [[Ethical Hacking Workshop|Ethical Hacking]] Group2
| 13 May 2017
| [https://drive.google.com/open?id=0BwP3tk9ZXn81Mm9scFJSOXNrQnc Workshop Report]
|-
| [[DNS Workshop|DNS workshop]] Group1
| 09 December 2017
| [https://drive.google.com/open?id=19uO-jfSmf0alVjF2z1jpsFvSSRk8uHGz Workshop Report]
|-
| [[DNS Workshop|DNS workshop]] Group2
| 16 December 2017
| [https://drive.google.com/open?id=1U-XsMVY4ZaKYWXGlQLcKqS_ZjBOmJsHN Workshop Report]
|-
| [[High Availability in LAMP Stack workshop|High Availability in LAMP Stack]]
| 23 December 2017
| [https://drive.google.com/open?id=1eWoUOrKOFPQfwWILhivbGOBWst2r15Nu Workshop Report]
|-
|-
! colspan="3" style="text-align: center;" | '''2018'''
|-
|-
| [[Internet Governance Forum]]
| 03 March 2018
| [https://drive.google.com/file/d/1WXnEuS3MCgHAKtTXkSyk7aZWkYU9Hqx5/view?usp=sharing Workshop Report]
|-
| [[IPv6 Fundamentals Workshop]]
| 17 March 2018
| [https://drive.google.com/open?id=1bK3CixvWexA1GA9cMN1XUAXH1v7GY_7O Workshop Report]
|-
| [[DNS Workshop]]
| 31 March 2018
| [https://drive.google.com/open?id=1hcod4W6EinTuTRVzknQI69MNohLwI_tw Workshop Report]
|-
| [[UNIX Boot Camp]]
| 07 April 2018
| [https://drive.google.com/open?id=1ySRjiyAOdPPzgo4qGrZZnKhGsDSfZPKe Workshop Report]
|-
| [[UNIX Boot Camp]]
| 21 April 2018
| [https://drive.google.com/open?id=1-4mmxe8dymJ2OSGR_KYqDPXZBx0Bjk8W Workshop Report]
|-
| [[Internet Ecosystem]] - International Girls in ICT Day
| 22 April 2018
| -
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group01
| 27 May to 17 June 2018
| [https://drive.google.com/open?id=1VWQ9UOIPvlpQmxmfVoRxABW6Xl2bZUkj Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group02
| 24 June to 17 July 2018
| [https://drive.google.com/open?id=16ihUwNp69e7CfzWKvwjEt57wmICUmERx Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group03
| 28 August to 17 September 2018
| [https://drive.google.com/file/d/1giQZH_QzL_K0NVE-v0NvTVnObpzXAHf9/view?usp=sharing Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group04
| 14 October to 4 November 2018
| [https://drive.google.com/file/d/11NBFeg3jVNecIOn9F7ZhNwmeOrx5IuD-/view?usp=sharing Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group05
| 21 October to 11 November 2018
| [https://drive.google.com/open?id=1dFrj9fThHgwPpYqEFEHDFR6aMIPeuRJN Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group06
| 16 December 2018 to 6 January 2019
| [https://drive.google.com/open?id=1N8fsSLGmVlwbDZPLM6pYu-mf5FvTRp5H Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group07
| 16 December 2018 to 6 January 2019
| [https://drive.google.com/open?id=1HzeZ7WqGRoMwKW6o__LI7W1ZxeDD6Le8 Workshop Report]
|-
|-
! colspan="3" style="text-align: center;" | '''2019'''
|-
| [[Network Services and Monitoring Online Course]] Group01
| 22 February to 16 March 2019
| [https://drive.google.com/file/d/1ovI7W4vjSTVQ_mTL5vAcEt52HaQkBNYQ/view?usp=sharing Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] SudREN Group
| 11 March 2019 to 18 March 2019
| [https://drive.google.com/open?id=1hF7RSDhiSUsoJR8LagBjGPM2f2p9V9R_ Workshop Report]
|-
| [[OpenStack Workshop]]
| 23 March 2019
| [https://drive.google.com/open?id=14WyxWDMmt7VsTcS_5u8alew5ioF83Yzk Workshop Report]
|-
| [[Network Services and Monitoring Online Course]] SudREN Group
| 25 March 2019 to 4 April 2019
| [https://drive.google.com/open?id=10UEjGLTAszkPY3_3p9lugXZwLvFJPPDs Workshop Report]
|-
| [[Network Services and Monitoring Online Course]] Group02
| 30 March 2019 to 20 April 2019
| [https://drive.google.com/open?id=1o1vfN_zPHM157ydhChPE2NJHQOWJc_rc Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group08
| 30 March 2019 to 20 April 2019
| [https://drive.google.com/open?id=1dbICp6mm8yX1OrCtLNJDo48A6WwoFWZy Workshop Report]
|-
| [[Network Services and Monitoring Online Course]] Group03
| 26 July 2019 to 16 August 2019
| [https://drive.google.com/open?id=17tBEPgmiBhByTxHKcAD5gIQ3usQwQ9sC Workshop Report]
|-
| [[Network Services and Monitoring Online Course]] Group04
| 26 July 2019 to 16 August 2019
| [https://drive.google.com/open?id=1im37vEXm25x8Jmcq-MiPO7veyHXBc0XM Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group09
| 8 to 29 October 2019
| [https://drive.google.com/open?id=1xjQWQTX7xzWb5GgVVHf70ungw9w9Nfyq Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group10
| 8 to 29 October 2019
| [https://drive.google.com/open?id=1n-lhZcAQhTc775We67kLUXbZJIY2dU19 Workshop Report]
|-
| [[Layer 2 Security Workshop]]
| 28 December 2019
| [https://drive.google.com/open?id=1halDJoBT-dXcTF-HPuWg-tKebA2-bUor Workshop Report]
|-
! colspan="3" style="text-align: center;" | '''2020'''
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group11
| 12 January to 2 February 2020
| [https://drive.google.com/file/d/1IIvUopcgZsRnVipFZfC87ocVkxddQmoQ/view?usp=sharing Workshop Report]
|-
| [[Build your own e-mail Server]] Workshop
| 15 February 2020
| [https://drive.google.com/file/d/1r9LJIPQMooGMYFKhJEQYurVass4UG6jp/view?usp=sharing Workshop Report]
|-
| [[Introduction to Git Workshop]]
| 22 February 2020
| [https://drive.google.com/open?id=165cH70zkDTiEfZX3Iq87sIW1ZT45Bc5v Workshop Report]
|-
| [[DNS Workshop|DNS workshop]]
| 29 February 2020
| [https://drive.google.com/open?id=1Q5aV0vDauByNxl5BE8pJ9nv5HBlk6Z0N Workshop Report]
|-
| [[Automation with Ansible]] Workshop
| 14 March 2020
| [https://drive.google.com/file/d/10FaXKUeUMXJbn_XlB18BtilhewwhBGpe/view?usp=sharing Workshop Report]
|-
| [[Network Services and Monitoring Online Course]] Group05
| 23 March to 16 April 2020
| [https://drive.google.com/file/d/1jlOF5M0H7RkY3wxNvF0neyCIYyFiiTCH/view?usp=sharing Workshop Report]
|-
| [[Automation with Ansible - Online]] Workshop
| 11 - 21 April 2020
| [https://drive.google.com/file/d/1CAx8Gaiar1nV3hUECsORWOYkgkPYxXYG/view?usp=sharing Workshop Report]
|-
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group12
| 12 - 30 September 2020
| Workshop Report
|-
! colspan="3" style="text-align: center;" | '''2021'''
|-
| [[ICANN DNS Workshop]]
| 16 to 18 February 2021
| Workshop Report
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group13
| 15 to 30 May 2021
| Workshop Report
|-
| [[Automation with Ansible - Online]] Workshop
| 20 to 30 May 2021
| [https://drive.google.com/file/d/1m4v8GThZ3JYzFDaYy6Wl443TUTbLceN3/view?usp=sharing Workshop Report]
|-
| [[UNIX/Linux, Networking and DNS Online Course]] Group14
| 27 May to 10 June 2021
| Workshop Report
|-
| [[HAProxy Lab Setup Guide – Ubuntu-Based Multi-Node Setup (sdnog Edition)]]
| 19 July May 2025
| Workshop Report
|-
|}

Using Algo VPN to Access SDNOG Infrastructure

2025-04-23T05:57:06Z

Manhal.Mohamed: /* 8. Access SDNOG Infrastructure */

[[Category:sdnog]]
[[Category:SdNOG_KnowBase]]

== Setup and Using Algo VPN to Access SDNOG Infrastructure ==
=== Introduction ===
Algo VPN is a tool that simplifies the process of setting up a secure VPN server on various platforms. This guide will walk you through the steps to install and configure Algo VPN on a local Ubuntu server to access SDNOG infrastructure.

=== Prerequisites ===

* An Ubuntu server (18.04 or later)
* Sudo privileges on the server
* Basic knowledge of command-line operations
=== Step-by-Step Guide ===

==== 1. Update Your System ====
Before installing Algo VPN, ensure that your system is up-to-date. Open a terminal and run the following commands:
<pre>
sudo apt update
sudo apt upgrade -y
</pre>
==== 2. Install Dependencies ====
Algo VPN requires certain dependencies to be installed. Use the following commands to install them:
<pre>
apt-get install git apparmor build-essential python3-dev python3-pip python3-setuptools python3-virtualenv libffi-dev libssl-dev -y
</pre>
==== 3. Clone the Algo VPN Repository ====
Clone the Algo VPN repository from GitHub to your local server:
<pre>
git clone https://github.com/trailofbits/algo.git
cd algo
</pre>
==== 4. Create and Activate a Python Virtual Environment ====
Create a Python virtual environment and activate it:
<pre>
cd algo
python3 -m virtualenv --python=/usr/bin/python3 .env
source .env/bin/activate

</pre>

==== 5. Install Algo VPN ====
Install Algo VPN and its dependencies using pip:
<pre>
python3 -m pip install -U pip virtualenv
python3 -m pip install -r requirements.txt
</pre>

==== 6. Configure Algo VPN ====
Run the Algo VPN setup script to create a configuration file:
<pre>
./algo
</pre>
Follow the prompts to configure your VPN. You will need to provide details such as:

The VPN server's public IP address or domain name
Your preferred VPN protocol (e.g., WireGuard or IPsec)
User accounts for VPN access

==== 7. Deploy Algo VPN ====

Once the configuration is complete, deploy Algo VPN with the following command:
<pre>
./algo
</pre>
The deployment process will set up the VPN server according to the configuration you provided.
<pre>
TASK [Set required ansible version as a fact] *************************************************************************************************
ok: [localhost] => (item=ansible==2.9.7)

TASK [Verify Python meets Algo VPN requirements] **********************************************************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}

TASK [Verify Ansible meets Algo VPN requirements] *********************************************************************************************
ok: [localhost] => {
"changed": false,
"msg": "All assertions passed"
}
[WARNING]: Found variable using reserved name: no_log

PLAY [Ask user for the input] *****************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************
ok: [localhost]
[Cloud prompt]
What provider would you like to use?
1. DigitalOcean
2. Amazon Lightsail
3. Amazon EC2
4. Microsoft Azure
5. Google Compute Engine
6. Hetzner Cloud
7. Vultr
8. Scaleway
9. OpenStack (DreamCompute optimised)
10. CloudStack (Exoscale optimised)
11. Linode
12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)

Enter the number of your desired provider
:
12

Type 12 and hit Enter to setup Algo VPN on Ubuntu 20.04 server. You will be asked for several questions as shown below:

TASK [Set facts based on the input] ***************************************************************************************************************************************************************************************
ok: [localhost]
[Cellular On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to cellular networks?
[y/N]
:y

TASK [Cellular On Demand prompt] ******************************************************************************************************************************************************************************************
ok: [localhost]
[Wi-Fi On Demand prompt]
Do you want macOS/iOS IPsec clients to enable "Connect On Demand" when connected to Wi-Fi?
[y/N]
:y

TASK [Wi-Fi On Demand prompt] *********************************************************************************************************************************************************************************************
ok: [localhost]
[Trusted Wi-Fi networks prompt]
List the names of any trusted Wi-Fi networks where macOS/iOS IPsec clients should not use "Connect On Demand"
(e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
:HomeNet

TASK [Trusted Wi-Fi networks prompt] **************************************************************************************************************************************************************************************
ok: [localhost]
[Compatible ciphers prompt]
Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure)
[y/N]
:y

TASK [Compatible ciphers prompt] ******************************************************************************************************************************************************************************************
ok: [localhost]
[Retain the CA key prompt]
Do you want to retain the CA key? (required to add users in the future, but less secure)
[y/N]
:y

TASK [Retain the CA key prompt] *******************************************************************************************************************************************************************************************
ok: [localhost]
[DNS adblocking prompt]
Do you want to install an ad blocking DNS resolver on this VPN server?
[y/N]
:y

TASK [DNS adblocking prompt] **********************************************************************************************************************************************************************************************
ok: [localhost]
[SSH tunneling prompt]
Do you want each user to have their own account for SSH tunneling?
[y/N]
:N
Enter the IP address of your server: (or use localhost for local installation):
[localhost]
:
localhost
TASK [local : pause] **************************************************************************************************************************
ok: [localhost]

TASK [local : Set the facts] ******************************************************************************************************************
ok: [localhost]
[local : pause]
What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost)
[root]
:
root

Enter the public IP address or domain name of your server: (IMPORTANT! This is used to verify the certificate)
vpn.jnb.sdnog.sd
</pre>

==== 8. Access SDNOG Infrastructure ====
Once the installation has been completed successfully, you should get the following output:
<pre>
TASK [debug] **********************************************************************************************************************************
ok: [localhost] => {
"msg": [
[
"\"# Congratulations! #\"",
"\"# Your Algo server is running. #\"",
"\"# Config files and certificates are in the ./configs/ directory. #\"",
"\"# Go to https://whoer.net/ after connecting #\"",
"\"# and ensure that all your traffic passes through the VPN. #\"",
"\"# Local DNS resolver 172.18.7.104 #\"",
""
],
" \"# The p12 and SSH keys password for new users is SomePassword #\"\n",
" \"# The CA key password is SomePassword@4AN #\"\n",
" "
]
}

PLAY RECAP ************************************************************************************************************************************
localhost : ok=125 changed=39 unreachable=0 failed=0 skipped=53 rescued=0 ignored=0
</pre>

After the installation, you should see the configuration file for each VPN profile using the following command:
<pre>
ls configs/your-server-ip/wireguard/
</pre>

You should see all the profile in the following output:
<pre>
apple desktop.conf desktop.png laptop.conf laptop.png phone.conf phone.png user1.conf user1.png
</pre>

You can use any of the above files on your client device to connect to the Algo VPN server.

To access SDNOG infrastructure via the VPN, you need to configure your local machine to connect to the VPN server. Download the VPN client configuration files from the Algo VPN setup and import them into your VPN client.

For WireGuard, you can use the wg-quick tool to connect:
<pre>
sudo wg-quick up /path/to/your/configuration.conf
</pre>
For IPsec, follow the instructions specific to your operating system to import the configuration and connect.

==== 9. Adding new VPN users ====
* Update the users list in your config.cfg.
<pre>
vim config.cfg
users:
- laptop
- desktop
- sdnog
- Sara
- Nishal
- Manhal
- Hafiz

</pre>
* Open a terminal, cd to the algo directory, and activate the virtual environment with :
<pre>
source .env/bin/activate
</pre>
Run the command and it will require password , us the output password from step 8
<pre>
./algo update-user
</pre>
After this process completes, the Algo VPN server will contain only the users listed in the config.cfg file.

=== Troubleshooting ===
* If you encounter issues during installation or configuration:
<pre>
cd algo/
sudo rm -rf /etc/wireguard/*
rm -rf configs/*
</pre>
Then immediately re-run ./algo.

* Check the Algo VPN documentation for troubleshooting tips.
* Ensure that your firewall rules allow VPN traffic.
* Verify that your VPN client is correctly configured.

=== Conclusion ===
By following these steps, you should have a functioning Algo VPN setup on your local Ubuntu server, providing secure access to the SDNOG infrastructure. For more advanced configurations and additional features, refer to the Algo VPN GitHub repository.

== Author ==
* '''Author''': [[User:Manhal.Mohamed|Manhal Mohamed]]'' , SdNOG Team

HAProxy Lab Setup Guide - Multi-OS Installation

2024-10-16T04:18:27Z

Manhal.Mohamed:

= HAProxy Lab Setup Guide - Multi-OS Installation =

== Prerequisites ==
* 3 VMs (or use VirtualBox/VMware Workstation to create them)
* Web browser access (for those using AFNOG infrastructure)

== VM Setup ==
# '''VM1:''' HAProxy
#* IP: 192.168.1.X
# '''VM2:''' Apache Server
#* IP: 192.168.1.Y
# '''VM3:''' Nginx Server
#* IP: 192.168.1.Z

== Local Hosts File Configuration ==
Add the following entries to your local hosts file, pointing them all to the HAProxy IP (192.168.1.X):

192.168.1.X lb.lab.afnog.org
192.168.1.X www.lab.afnog.org
192.168.1.X nginx.lab.afnog.org
192.168.1.X apache.lab.afnog.org

== Step 1: Install and Configure HAProxy (VM1) ==

=== Red Hat-based systems (CentOS, Fedora) ===
sudo yum update
sudo yum install haproxy

=== Debian-based systems (Ubuntu, Debian) ===
sudo apt update
sudo apt install haproxy

=== FreeBSD ===
sudo pkg update
sudo pkg install haproxy

== Step 2: Install and Configure Apache (VM2) ==

=== Red Hat-based systems ===
sudo yum update
sudo yum install httpd
sudo systemctl start httpd
sudo systemctl enable httpd

=== Debian-based systems ===
sudo apt update
sudo apt install apache2

=== FreeBSD ===
sudo pkg update
sudo pkg install apache24
sudo sysrc apache24_enable="YES"
sudo service apache24 start

==== Create a custom index.html: ====
<code> echo "This is the Apache Server" | tee /var/www/html/index.html </code>

On FreeBSD:

<code> echo "This is the Apache Server" | tee /usr/local/www/apache24/data/index.html </code>

== Step 3: Install and Configure Nginx (VM3) ==

=== Red Hat-based systems ===
sudo yum update
sudo yum install nginx
sudo systemctl start nginx
sudo systemctl enable nginx

=== Debian-based systems ===
sudo apt update
sudo apt install nginx

=== FreeBSD ===
sudo pkg update
sudo pkg install nginx
sudo sysrc nginx_enable="YES"
sudo service nginx start

==== Create a custom index.html: ====
'''
echo "This is the Nginx Server" | tee /var/www/html/index.html </code>
# For FreeBSD:
echo "This is the Nginx Server" | tee /usr/local/www/nginx/index.html </code>
'''

== HAProxy Configuration ==

=== Step 1: Basic Frontend and Backend Setup (Round-Robin) ===

==== HAProxy Configuration: ====

==== Edit the HAProxy configuration file: ====
* '''Red Hat and Debian:''' /etc/haproxy/haproxy.cfg
* '''FreeBSD:''' /usr/local/etc/haproxy.conf

==== Add the following configuration: ====
'''
global
log 127.0.0.1:514 local1 info
chroot /var/empty
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend http-in
bind *:80
default_backend www_back

backend www_back
balance roundrobin
server nginx_server vm1.log.afnog.org:80 check
server apache_server vm2.lab.afnog.org:80 check
'''
==== Restart HAProxy: ====
''' systemctl restart haproxy '''

=== Step 2: Advanced Configuration with ACLs (Access Control Lists) ===

==== Updated HAProxy Configuration: ====

Modify the existing HAProxy configuration to include the following:
'''
frontend http_front
bind *:80
acl url_nginx hdr(host) -i nginx.lab.afnog.org
acl url_apache hdr(host) -i apache.lab.afnog.org
use_backend nginx_back if url_nginx
use_backend apache_back if url_apache
default_backend www_back

backend www_back
balance roundrobin
server nginx_server 192.168.1.Z:80 check
server apache_server 192.168.1.Y:80 check

backend nginx_back
server nginx_server 192.168.1.Z:80 check

backend apache_back
server apache_server 192.168.1.Y:80 check
'''

To set up an active-passive configuration for your backend node, adjust the existing HAProxy configuration to include the following:
'''
backend www_back
balance roundrobin
server nginx_server 192.168.1.Z:80 check
server apache_server 192.168.1.Y:80 check backup
'''

this setup will make node apache_server as a passive node and will not recive traffic unless node nginx_server is down

==== Restart HAProxy: ====
''' sudo systemctl restart haproxy '''

=== Step 3: Adding a Status Page ===

==== Final HAProxy Configuration: ====

Add the following configuration for the status page:
'''
listen stats
bind *:8404
stats enable
stats uri /
stats refresh 5s
'''
==== Restart HAProxy: ====
''' sudo systemctl restart haproxy '''

==== Testing the Status Page: ====

You can access the status page by navigating to http://192.168.1.X:8404/ in your web browser.

== SSL Termination on HAProxy ==

=== Generate a Self-Signed Certificate: ===
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/haproxy.key -out /etc/ssl/certs/haproxy.crt

=== Combine the Certificate and Key: ===
cat /etc/ssl/certs/haproxy.crt /etc/ssl/private/haproxy.key | tee /etc/ssl/certs/haproxy.pem

'''Note:''' For development SSL certificates, you can use the repository at https://github.com/BenMorel/dev-certificates

=== Update HAProxy Configuration to Use SSL: ===

Add the following to the `frontend http_front` section:

bind *:443 ssl crt /etc/ssl/certs/haproxy.pem
redirect scheme https if !{ ssl_fc }

=== Restart HAProxy: ===
sudo systemctl restart haproxy
=== Example for Layer 4 Load balancing , DB port : ===
'''
frontend mysql
mode tcp
bind :3306
default_backend mysql_servers

backend mysql_servers
mode tcp
balance leastconn
server s1 192.168.0.10:3306 check
server s2 192.168.0.11:3306 check
'''

=== Configure Syslog for HAProxy Logging ===

# Open the syslog configuration file for editing:
vi /etc/syslog.conf

# Add the following lines to configure logging:
*.err;kern.warning;auth.notice;mail.crit /dev/console
local1.* /var/log/haproxy.log
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages

# Create the HAProxy log file:
touch /var/log/haproxy.log

# Set the appropriate ownership for the log file:
chown haproxy:haproxy /var/log/haproxy.log

# Update the syslogd flags to bind to localhost and run in compatibility mode:
sysrc syslogd_flags="-b localhost -C"

# Restart the syslog service to apply changes:
service syslogd restart

== Testing ==

=== Using `web browser`: ===

# Test round-robin for `www.lab.afnog.org`:
# Repeat the command several times to see alternating responses from Nginx and Apache.

# Test Nginx backend:
nginx.lab.afnog.org
# This should consistently return the Nginx server response.

# Test Apache backend:
apache.lab.afnog.org
# This should consistently return the Apache server response.

# Test SSL termination:
https://www.lab.afnog.org
# This should return responses over HTTPS, with round-robin load balancing between Nginx and Apache.

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
haproxy -c -f /etc/haproxy/haproxy.cfg
#* Verify that the ports HAProxy is trying to bind to are not in use by other services.

# '''Backend servers not responding:'''
#* Ensure that Apache and Nginx are running on their respective VMs.
#* Check firewall rules to allow traffic between HAProxy and backend servers.
#* Verify the IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the path to the SSL certificate and key in the HAProxy configuration.
#* Ensure the combined PEM file has the correct permissions.

# '''ACLs not working as expected:'''
#* Verify that your local hosts file is correctly configured.
#* Use `tcpdump` or `wireshark` to inspect the HTTP headers and ensure the correct `Host` header is being sent.

== Performance Tuning ==

=== Optimizing HAProxy ===

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` section based on your server's capacity.

# '''Enable kernel TCP splicing:'''
#* Add `option tcpka` to the `defaults` section for keep-alive connections.

# '''Use HTTP/2:'''
#* Update your SSL binding to support HTTP/2:
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem alpn h2,http/1.1

# '''Implement caching:'''
#* Consider adding a caching layer with Varnish in front of HAProxy for static content.

=== Optimal Configuration Options for Web-Based Frontends ===
It's crucial to customize the following according to your application's specific requirements.
'''
frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/cert.pem no-sslv3
mode http
option httplog
log global

# Redirect HTTP to HTTPS (enforce HTTPS for all traffic)
http-request redirect scheme https code 301 if !{ ssl_fc }

# Set default security headers for responses
# Enforce HSTS for HTTPS (1 year, include subdomains, preload)
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Clickjacking protection, allow only the same origin to embed this site
http-response set-header X-Frame-Options "SAMEORIGIN"

# XSS filtering enabled in browsers, block if an attack is detected
http-response set-header X-XSS-Protection "1; mode=block"

# Prevent MIME type sniffing (force browser to honor content type declared by the server)
http-response set-header X-Content-Type-Options "nosniff"

# Add Content Security Policy to mitigate XSS and data injection attacks
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Disable referrer information leakage when navigating to a different origin
http-response set-header Referrer-Policy "no-referrer-when-downgrade"

# Prevent browsers and proxies from caching sensitive data
http-response set-header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"

# Set secure cookies (only for HTTPS, HttpOnly, and prevent cross-site requests)
acl secure_cookie hdr_sub(cookie) Secure
http-response set-header Set-Cookie %[res.hdr(Set-Cookie)] if secure_cookie
http-response set-header Set-Cookie Secure; HttpOnly; SameSite=Strict if secure_cookie

# Forward client's original IP in X-Forwarded-For header
http-request add-header X-Forwarded-For %[src]

# Forward the protocol used by the client (HTTP/HTTPS) in X-Forwarded-Proto header
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

# Preserve the original Host header
http-request add-header X-Forwarded-Host %[req.hdr(host)]

default_backend servers
'''

== Security Considerations ==

# '''Regularly update HAProxy and backend servers'''
# '''Implement strong SSL/TLS configurations'''
# '''Use IP whitelisting for the HAProxy stats page'''
# '''Consider implementing Web Application Firewall (WAF) rules in HAProxy'''
# '''Regularly audit your HAProxy configurations and access logs'''

This guide provides a comprehensive setup process for HAProxy, starting from a basic configuration and progressing to more advanced setups with ACLs, SSL termination, and performance optimization. Always ensure to test thoroughly in a staging environment before applying changes to production systems.

== Author ==
* '''Author''': [[User:Manhal.Mohamed|Manhal Mohamed]]'' , SdNOG Team

SdNOG Workshops

2024-10-15T20:04:01Z

Manhal.Mohamed:

[[Category:SdNOG]]
[[Category:Events]]
[[Category:Workshops]]

<div style="background-color: #F8F9FA; border: 1px solid #A2A9B1; padding: 15px; margin-bottom: 20px;">
SdNOG Workshops on Network Technology aim to offer advanced training to people who are in the process of developing and enhancing an Internet-connected network in Sudan. The target audience includes senior and mid-level technical staff in IT field, Internet service providers (ISPs), academic networks, government networks, or NGO networks.

SdNOG has scheduled many workshops before. To know more, '''check our [[Workshops schedule]] page.'''🗓
</div>

== Workshops List ==

{| class="wikitable sortable" style="width: 100%; border-collapse: collapse;"
! style="background-color: #C41617; color: white; padding: 10px;" | Workshop Name
! style="background-color: #C41617; color: white; padding: 10px;" | Note
|-
| [[IPv6 Fundamentals Workshop]] || Weekly workshop
|-
| [[DNS Workshop]] || Weekly workshop
|-
| [[DNSSEC Workshop]] || [[SdNOG-2]] Meeting
|-
| [[Ethical Hacking Workshop]] || Weekly workshop
|-
| [[Hardening a web-server for the modern internet]] || [[SdNOG-4]] Meeting
|-
| [[High Availability in LAMP Stack workshop]] || Weekly workshop
|-
| [[How to Secure your Network Workshop]] || [[SdNOG-3]] Meeting
|-
| [[Internet Governance Forum]] || Weekly workshop
|-
| [[IPv6 Workshop]] || [[SdNOG-4]] Meeting
|-
| [[IXP Best Practices]] || [[SdNOG-2]] Meeting
|-
| [[Networks Fundamental Workshop]] || Weekly workshop
|-
| [[Network Management and Monitoring Workshop]] || [[SdNOG-3]] Meeting
|-
| [[Networking Best Practices Workshop]] || [[SdNOG-2]] Meeting
|-
| [[UNIX Boot Camp]] || Weekly workshop
|-
| [[UNIX/Linux, Networking and DNS Online Course]] || [https://www.internetsociety.org/ ISOC] Online Course
|-
| [[Automation Tool: Ansible]] || [[SdNOG-5]] Meeting
|-
| [[IPv6 for Services]] || [[SdNOG-5]] Meeting
|-
| [[Network Services and Monitoring Online Course]] || [https://www.internetsociety.org/ ISOC] Online Course
|-
| [[OpenStack Workshop]] || Weekly workshop
|-
| [[Ansible for DevOps Workshop]] || [[SdNOG-6]] Meeting
|-
| [[Network Monitoring Workshop]] || [[SdNOG-6]] Meeting
|-
| [[Security Workshop - Ethical Hacking]] || [[SdNOG-6]] Meeting
|-
| [[Layer 2 Security Workshop]] || Weekly workshop
|-
| [[Build your own e-mail Server]] || Weekly workshop
|-
| [[Introduction to Git Workshop]] || Weekly workshop
|-
| [[Automation with Ansible]] || Weekly workshop
|-
| [[Automation with Ansible - Online]] || Online workshop
|-
| [[ICANN DNS Workshop]] || Online workshop
|-
| [[BGP Resource Management Workshop]] || Online workshop
|-
| [[Load Balancing Strategies: From Theory to Practice with HAProxy]] || [https://internetsummit.africa/ Africa Internet Summit - AIS 2024]
|}

<div style="background-color: #F8F9FA; border: 1px solid #A2A9B1; padding: 15px; margin-top: 20px;">
'''Note:''' This list is regularly updated. Please check back for new workshops or visit our [[Workshops schedule]] page for the most current information.
</div>

SdNOG Workshops

2024-10-15T20:03:41Z

Manhal.Mohamed: /* SdNOG Workshops */

[[Category:SdNOG]]
[[Category:Events]]
[[Category:Workshops]]

=<div style="background-color: #F8F9FA; border: 1px solid #A2A9B1; padding: 15px; margin-bottom: 20px;">
SdNOG Workshops on Network Technology aim to offer advanced training to people who are in the process of developing and enhancing an Internet-connected network in Sudan. The target audience includes senior and mid-level technical staff in IT field, Internet service providers (ISPs), academic networks, government networks, or NGO networks.

SdNOG has scheduled many workshops before. To know more, '''check our [[Workshops schedule]] page.'''🗓
</div>

== Workshops List ==

{| class="wikitable sortable" style="width: 100%; border-collapse: collapse;"
! style="background-color: #C41617; color: white; padding: 10px;" | Workshop Name
! style="background-color: #C41617; color: white; padding: 10px;" | Note
|-
| [[IPv6 Fundamentals Workshop]] || Weekly workshop
|-
| [[DNS Workshop]] || Weekly workshop
|-
| [[DNSSEC Workshop]] || [[SdNOG-2]] Meeting
|-
| [[Ethical Hacking Workshop]] || Weekly workshop
|-
| [[Hardening a web-server for the modern internet]] || [[SdNOG-4]] Meeting
|-
| [[High Availability in LAMP Stack workshop]] || Weekly workshop
|-
| [[How to Secure your Network Workshop]] || [[SdNOG-3]] Meeting
|-
| [[Internet Governance Forum]] || Weekly workshop
|-
| [[IPv6 Workshop]] || [[SdNOG-4]] Meeting
|-
| [[IXP Best Practices]] || [[SdNOG-2]] Meeting
|-
| [[Networks Fundamental Workshop]] || Weekly workshop
|-
| [[Network Management and Monitoring Workshop]] || [[SdNOG-3]] Meeting
|-
| [[Networking Best Practices Workshop]] || [[SdNOG-2]] Meeting
|-
| [[UNIX Boot Camp]] || Weekly workshop
|-
| [[UNIX/Linux, Networking and DNS Online Course]] || [https://www.internetsociety.org/ ISOC] Online Course
|-
| [[Automation Tool: Ansible]] || [[SdNOG-5]] Meeting
|-
| [[IPv6 for Services]] || [[SdNOG-5]] Meeting
|-
| [[Network Services and Monitoring Online Course]] || [https://www.internetsociety.org/ ISOC] Online Course
|-
| [[OpenStack Workshop]] || Weekly workshop
|-
| [[Ansible for DevOps Workshop]] || [[SdNOG-6]] Meeting
|-
| [[Network Monitoring Workshop]] || [[SdNOG-6]] Meeting
|-
| [[Security Workshop - Ethical Hacking]] || [[SdNOG-6]] Meeting
|-
| [[Layer 2 Security Workshop]] || Weekly workshop
|-
| [[Build your own e-mail Server]] || Weekly workshop
|-
| [[Introduction to Git Workshop]] || Weekly workshop
|-
| [[Automation with Ansible]] || Weekly workshop
|-
| [[Automation with Ansible - Online]] || Online workshop
|-
| [[ICANN DNS Workshop]] || Online workshop
|-
| [[BGP Resource Management Workshop]] || Online workshop
|-
| [[Load Balancing Strategies: From Theory to Practice with HAProxy]] || [https://internetsummit.africa/ Africa Internet Summit - AIS 2024]
|}

<div style="background-color: #F8F9FA; border: 1px solid #A2A9B1; padding: 15px; margin-top: 20px;">
'''Note:''' This list is regularly updated. Please check back for new workshops or visit our [[Workshops schedule]] page for the most current information.
</div>

SdNOG Workshops

2024-10-15T20:03:14Z

Manhal.Mohamed:

[[Category:SdNOG]]
[[Category:Events]]
[[Category:Workshops]]

= SdNOG Workshops =

<div style="background-color: #F8F9FA; border: 1px solid #A2A9B1; padding: 15px; margin-bottom: 20px;">
SdNOG Workshops on Network Technology aim to offer advanced training to people who are in the process of developing and enhancing an Internet-connected network in Sudan. The target audience includes senior and mid-level technical staff in IT field, Internet service providers (ISPs), academic networks, government networks, or NGO networks.

SdNOG has scheduled many workshops before. To know more, '''check our [[Workshops schedule]] page.'''🗓
</div>

== Workshops List ==

{| class="wikitable sortable" style="width: 100%; border-collapse: collapse;"
! style="background-color: #C41617; color: white; padding: 10px;" | Workshop Name
! style="background-color: #C41617; color: white; padding: 10px;" | Note
|-
| [[IPv6 Fundamentals Workshop]] || Weekly workshop
|-
| [[DNS Workshop]] || Weekly workshop
|-
| [[DNSSEC Workshop]] || [[SdNOG-2]] Meeting
|-
| [[Ethical Hacking Workshop]] || Weekly workshop
|-
| [[Hardening a web-server for the modern internet]] || [[SdNOG-4]] Meeting
|-
| [[High Availability in LAMP Stack workshop]] || Weekly workshop
|-
| [[How to Secure your Network Workshop]] || [[SdNOG-3]] Meeting
|-
| [[Internet Governance Forum]] || Weekly workshop
|-
| [[IPv6 Workshop]] || [[SdNOG-4]] Meeting
|-
| [[IXP Best Practices]] || [[SdNOG-2]] Meeting
|-
| [[Networks Fundamental Workshop]] || Weekly workshop
|-
| [[Network Management and Monitoring Workshop]] || [[SdNOG-3]] Meeting
|-
| [[Networking Best Practices Workshop]] || [[SdNOG-2]] Meeting
|-
| [[UNIX Boot Camp]] || Weekly workshop
|-
| [[UNIX/Linux, Networking and DNS Online Course]] || [https://www.internetsociety.org/ ISOC] Online Course
|-
| [[Automation Tool: Ansible]] || [[SdNOG-5]] Meeting
|-
| [[IPv6 for Services]] || [[SdNOG-5]] Meeting
|-
| [[Network Services and Monitoring Online Course]] || [https://www.internetsociety.org/ ISOC] Online Course
|-
| [[OpenStack Workshop]] || Weekly workshop
|-
| [[Ansible for DevOps Workshop]] || [[SdNOG-6]] Meeting
|-
| [[Network Monitoring Workshop]] || [[SdNOG-6]] Meeting
|-
| [[Security Workshop - Ethical Hacking]] || [[SdNOG-6]] Meeting
|-
| [[Layer 2 Security Workshop]] || Weekly workshop
|-
| [[Build your own e-mail Server]] || Weekly workshop
|-
| [[Introduction to Git Workshop]] || Weekly workshop
|-
| [[Automation with Ansible]] || Weekly workshop
|-
| [[Automation with Ansible - Online]] || Online workshop
|-
| [[ICANN DNS Workshop]] || Online workshop
|-
| [[BGP Resource Management Workshop]] || Online workshop
|-
| [[Load Balancing Strategies: From Theory to Practice with HAProxy]] || [https://internetsummit.africa/ Africa Internet Summit - AIS 2024]
|}

<div style="background-color: #F8F9FA; border: 1px solid #A2A9B1; padding: 15px; margin-top: 20px;">
'''Note:''' This list is regularly updated. Please check back for new workshops or visit our [[Workshops schedule]] page for the most current information.
</div>

Business Model Canvas for SDNOG

2024-10-15T19:44:26Z

Manhal.Mohamed: /* SDNOG Business Model Canvas */

{| class="wikitable" style="width: 100%; border-collapse: collapse;"
|-
! style="width: 33%; background-color: #C41617; color: white; padding: 10px;" | Key Partners
! style="width: 33%; background-color: #C41617; color: white; padding: 10px;" | Key Activities
! style="width: 33%; background-color: #C41617; color: white; padding: 10px;" | Key Resources
|-
| style="vertical-align: top; padding: 10px;" |
* Internet Service Providers in Sudan
* Technology companies
* Educational institutions
* Government agencies related to telecommunications
* International network operator groups
| style="vertical-align: top; padding: 10px;" |
* Organizing forums and events for knowledge exchange
* Providing network education and training
* Facilitating technical collaboration
* Promoting open-source technologies
* Conducting research on network technologies
| style="vertical-align: top; padding: 10px;" |
* Volunteer network engineers and experts
* Technical knowledge and expertise
* Community of network professionals
* Online platforms for communication and collaboration
|-
! style="background-color: #C41617; color: white; padding: 10px;" | Value Propositions
! style="background-color: #C41617; color: white; padding: 10px;" | Customer Relationships
! style="background-color: #C41617; color: white; padding: 10px;" | Channels
|-
| style="vertical-align: top; padding: 10px;" |
* Open platform for knowledge exchange in networking
* Capacity building in network engineering
* Enhancing the quality of Internet services in Sudan
* Promoting collaboration among network professionals
* Access to cutting-edge network technologies and practices
| style="vertical-align: top; padding: 10px;" |
* Community-based interactions
* Peer-to-peer learning and support
* Long-term engagement through regular events and forums
| style="vertical-align: top; padding: 10px;" |
* Online forums and discussion boards
* Physical events and meetups
* Workshops and training sessions
* Social media platforms
* Website and email newsletters
|-
! style="background-color: #C41617; color: white; padding: 10px;" | Customer Segments
! style="background-color: #C41617; color: white; padding: 10px;" | Cost Structure
! style="background-color: #C41617; color: white; padding: 10px;" | Revenue Streams
|-
| style="vertical-align: top; padding: 10px;" |
* Network engineers in Sudan
* Internet Service Providers
* Technology companies
* Students and researchers in networking fields
* Government agencies involved in telecommunications
| style="vertical-align: top; padding: 10px;" |
* Event organization expenses
* Online platform maintenance
* Educational materials development
* Volunteer coordination costs
* Marketing and outreach expenses
| style="vertical-align: top; padding: 10px;" |
* Membership fees (if applicable)
* Sponsorships from technology companies
* Grants from educational or research institutions
* Donations from community members
* Fees for specialized workshops or training sessions
|}

Business Model Canvas for SDNOG

2024-10-15T19:44:13Z

Manhal.Mohamed:

= SDNOG Business Model Canvas =

{| class="wikitable" style="width: 100%; border-collapse: collapse;"
|-
! style="width: 33%; background-color: #C41617; color: white; padding: 10px;" | Key Partners
! style="width: 33%; background-color: #C41617; color: white; padding: 10px;" | Key Activities
! style="width: 33%; background-color: #C41617; color: white; padding: 10px;" | Key Resources
|-
| style="vertical-align: top; padding: 10px;" |
* Internet Service Providers in Sudan
* Technology companies
* Educational institutions
* Government agencies related to telecommunications
* International network operator groups
| style="vertical-align: top; padding: 10px;" |
* Organizing forums and events for knowledge exchange
* Providing network education and training
* Facilitating technical collaboration
* Promoting open-source technologies
* Conducting research on network technologies
| style="vertical-align: top; padding: 10px;" |
* Volunteer network engineers and experts
* Technical knowledge and expertise
* Community of network professionals
* Online platforms for communication and collaboration
|-
! style="background-color: #C41617; color: white; padding: 10px;" | Value Propositions
! style="background-color: #C41617; color: white; padding: 10px;" | Customer Relationships
! style="background-color: #C41617; color: white; padding: 10px;" | Channels
|-
| style="vertical-align: top; padding: 10px;" |
* Open platform for knowledge exchange in networking
* Capacity building in network engineering
* Enhancing the quality of Internet services in Sudan
* Promoting collaboration among network professionals
* Access to cutting-edge network technologies and practices
| style="vertical-align: top; padding: 10px;" |
* Community-based interactions
* Peer-to-peer learning and support
* Long-term engagement through regular events and forums
| style="vertical-align: top; padding: 10px;" |
* Online forums and discussion boards
* Physical events and meetups
* Workshops and training sessions
* Social media platforms
* Website and email newsletters
|-
! style="background-color: #C41617; color: white; padding: 10px;" | Customer Segments
! style="background-color: #C41617; color: white; padding: 10px;" | Cost Structure
! style="background-color: #C41617; color: white; padding: 10px;" | Revenue Streams
|-
| style="vertical-align: top; padding: 10px;" |
* Network engineers in Sudan
* Internet Service Providers
* Technology companies
* Students and researchers in networking fields
* Government agencies involved in telecommunications
| style="vertical-align: top; padding: 10px;" |
* Event organization expenses
* Online platform maintenance
* Educational materials development
* Volunteer coordination costs
* Marketing and outreach expenses
| style="vertical-align: top; padding: 10px;" |
* Membership fees (if applicable)
* Sponsorships from technology companies
* Grants from educational or research institutions
* Donations from community members
* Fees for specialized workshops or training sessions
|}

Business Model Canvas for SDNOG

2024-10-15T19:42:14Z

Manhal.Mohamed:

{| class="wikitable" style="width: 100%; border-collapse: collapse;"
|-
! style="width: 33%; background-color: #C41617; padding: 10px;" | Key Partners
! style="width: 33%; background-color: #C41617; padding: 10px;" | Key Activities
! style="width: 33%; background-color: #C41617; padding: 10px;" | Key Resources
|-
| style="vertical-align: top; padding: 10px;" |
* Internet Service Providers in Sudan
* Technology companies
* Educational institutions
* Government agencies related to telecommunications
* International network operator groups
| style="vertical-align: top; padding: 10px;" |
* Organizing forums and events for knowledge exchange
* Providing network education and training
* Facilitating technical collaboration
* Promoting open-source technologies
* Conducting research on network technologies
| style="vertical-align: top; padding: 10px;" |
* Volunteer network engineers and experts
* Technical knowledge and expertise
* Community of network professionals
* Online platforms for communication and collaboration
|-
! style="background-color: #e6f2ff; padding: 10px;" | Value Propositions
! style="background-color: #e6f2ff; padding: 10px;" | Customer Relationships
! style="background-color: #e6f2ff; padding: 10px;" | Channels
|-
| style="vertical-align: top; padding: 10px;" |
* Open platform for knowledge exchange in networking
* Capacity building in network engineering
* Enhancing the quality of Internet services in Sudan
* Promoting collaboration among network professionals
* Access to cutting-edge network technologies and practices
| style="vertical-align: top; padding: 10px;" |
* Community-based interactions
* Peer-to-peer learning and support
* Long-term engagement through regular events and forums
| style="vertical-align: top; padding: 10px;" |
* Online forums and discussion boards
* Physical events and meetups
* Workshops and training sessions
* Social media platforms
* Website and email newsletters
|-
! style="background-color: #e6f2ff; padding: 10px;" | Customer Segments
! style="background-color: #e6f2ff; padding: 10px;" | Cost Structure
! style="background-color: #e6f2ff; padding: 10px;" | Revenue Streams
|-
| style="vertical-align: top; padding: 10px;" |
* Network engineers in Sudan
* Internet Service Providers
* Technology companies
* Students and researchers in networking fields
* Government agencies involved in telecommunications
| style="vertical-align: top; padding: 10px;" |
* Event organization expenses
* Online platform maintenance
* Educational materials development
* Volunteer coordination costs
* Marketing and outreach expenses
| style="vertical-align: top; padding: 10px;" |
* Membership fees (if applicable)
* Sponsorships from technology companies
* Grants from educational or research institutions
* Donations from community members
* Fees for specialized workshops or training sessions
|}

Business Model Canvas for SDNOG

2024-10-15T19:40:22Z

Manhal.Mohamed: /* SDNOG Business Model Canvas */

{| class="wikitable" style="width: 100%; border-collapse: collapse;"
|-
! style="width: 33%; background-color: #e6f2ff; padding: 10px;" | Key Partners
! style="width: 33%; background-color: #e6f2ff; padding: 10px;" | Key Activities
! style="width: 33%; background-color: #e6f2ff; padding: 10px;" | Key Resources
|-
| style="vertical-align: top; padding: 10px;" |
* Internet Service Providers in Sudan
* Technology companies
* Educational institutions
* Government agencies related to telecommunications
* International network operator groups
| style="vertical-align: top; padding: 10px;" |
* Organizing forums and events for knowledge exchange
* Providing network education and training
* Facilitating technical collaboration
* Promoting open-source technologies
* Conducting research on network technologies
| style="vertical-align: top; padding: 10px;" |
* Volunteer network engineers and experts
* Technical knowledge and expertise
* Community of network professionals
* Online platforms for communication and collaboration
|-
! style="background-color: #e6f2ff; padding: 10px;" | Value Propositions
! style="background-color: #e6f2ff; padding: 10px;" | Customer Relationships
! style="background-color: #e6f2ff; padding: 10px;" | Channels
|-
| style="vertical-align: top; padding: 10px;" |
* Open platform for knowledge exchange in networking
* Capacity building in network engineering
* Enhancing the quality of Internet services in Sudan
* Promoting collaboration among network professionals
* Access to cutting-edge network technologies and practices
| style="vertical-align: top; padding: 10px;" |
* Community-based interactions
* Peer-to-peer learning and support
* Long-term engagement through regular events and forums
| style="vertical-align: top; padding: 10px;" |
* Online forums and discussion boards
* Physical events and meetups
* Workshops and training sessions
* Social media platforms
* Website and email newsletters
|-
! style="background-color: #e6f2ff; padding: 10px;" | Customer Segments
! style="background-color: #e6f2ff; padding: 10px;" | Cost Structure
! style="background-color: #e6f2ff; padding: 10px;" | Revenue Streams
|-
| style="vertical-align: top; padding: 10px;" |
* Network engineers in Sudan
* Internet Service Providers
* Technology companies
* Students and researchers in networking fields
* Government agencies involved in telecommunications
| style="vertical-align: top; padding: 10px;" |
* Event organization expenses
* Online platform maintenance
* Educational materials development
* Volunteer coordination costs
* Marketing and outreach expenses
| style="vertical-align: top; padding: 10px;" |
* Membership fees (if applicable)
* Sponsorships from technology companies
* Grants from educational or research institutions
* Donations from community members
* Fees for specialized workshops or training sessions
|}

Business Model Canvas for SDNOG

2024-10-15T19:39:59Z

Manhal.Mohamed: Created page with "= SDNOG Business Model Canvas = {| class="wikitable" style="width: 100%; border-collapse: collapse;" |- ! style="width: 33%; background-color: #e6f2ff; padding: 10px;" | Key..."

= SDNOG Business Model Canvas =

{| class="wikitable" style="width: 100%; border-collapse: collapse;"
|-
! style="width: 33%; background-color: #e6f2ff; padding: 10px;" | Key Partners
! style="width: 33%; background-color: #e6f2ff; padding: 10px;" | Key Activities
! style="width: 33%; background-color: #e6f2ff; padding: 10px;" | Key Resources
|-
| style="vertical-align: top; padding: 10px;" |
* Internet Service Providers in Sudan
* Technology companies
* Educational institutions
* Government agencies related to telecommunications
* International network operator groups
| style="vertical-align: top; padding: 10px;" |
* Organizing forums and events for knowledge exchange
* Providing network education and training
* Facilitating technical collaboration
* Promoting open-source technologies
* Conducting research on network technologies
| style="vertical-align: top; padding: 10px;" |
* Volunteer network engineers and experts
* Technical knowledge and expertise
* Community of network professionals
* Online platforms for communication and collaboration
|-
! style="background-color: #e6f2ff; padding: 10px;" | Value Propositions
! style="background-color: #e6f2ff; padding: 10px;" | Customer Relationships
! style="background-color: #e6f2ff; padding: 10px;" | Channels
|-
| style="vertical-align: top; padding: 10px;" |
* Open platform for knowledge exchange in networking
* Capacity building in network engineering
* Enhancing the quality of Internet services in Sudan
* Promoting collaboration among network professionals
* Access to cutting-edge network technologies and practices
| style="vertical-align: top; padding: 10px;" |
* Community-based interactions
* Peer-to-peer learning and support
* Long-term engagement through regular events and forums
| style="vertical-align: top; padding: 10px;" |
* Online forums and discussion boards
* Physical events and meetups
* Workshops and training sessions
* Social media platforms
* Website and email newsletters
|-
! style="background-color: #e6f2ff; padding: 10px;" | Customer Segments
! style="background-color: #e6f2ff; padding: 10px;" | Cost Structure
! style="background-color: #e6f2ff; padding: 10px;" | Revenue Streams
|-
| style="vertical-align: top; padding: 10px;" |
* Network engineers in Sudan
* Internet Service Providers
* Technology companies
* Students and researchers in networking fields
* Government agencies involved in telecommunications
| style="vertical-align: top; padding: 10px;" |
* Event organization expenses
* Online platform maintenance
* Educational materials development
* Volunteer coordination costs
* Marketing and outreach expenses
| style="vertical-align: top; padding: 10px;" |
* Membership fees (if applicable)
* Sponsorships from technology companies
* Grants from educational or research institutions
* Donations from community members
* Fees for specialized workshops or training sessions
|}

Documentations

2024-10-15T19:33:43Z

Manhal.Mohamed: /* Pages */

Load Balancing Strategies: From Theory to Practice with HAProxy

2024-09-05T13:06:48Z

Manhal.Mohamed: /* Lead Instructor */

= HAProxy Workshop: Load Balancing and Advanced Configuration =

== Date & Time ==
* **Event**: [https://internetsummit.africa/ Africa Internet Summit - AIS 2024]
* **Date**: September 5, 2024
* **Time**: 13:00 - 15:30

== Intended Audience ==
This workshop is specifically designed for **Senior Systems Engineers** who are looking to deepen their understanding of load balancing and HAProxy configuration.

== Description ==
This workshop is a comprehensive 2-hour session that includes both theoretical concepts and practical hands-on labs, with a short break. The session covers the following topics:

=== Introduction (5 minutes) ===
* Brief overview of load balancing concepts
* Importance of load balancing in modern infrastructure

=== Load Balancing Fundamentals (15 minutes) ===
* Types of load balancers:
* Layer 4 (L4) vs. Layer 7 (L7)
* Common load balancing algorithms:
* Round Robin
* Least Connections
* IP Hash
* Health checks and failure handling

=== Introduction to HAProxy (10 minutes) ===
* Overview of HAProxy and its key features
* Architecture and components of HAProxy

=== HAProxy Configuration Basics (20 minutes) ===
* Structure of the HAProxy configuration file
* Key sections:
* Frontend
* Backend
* Access Control Lists (ACLs) and `use_backend` rules

=== Advanced HAProxy Features (20 minutes) ===
* SSL termination
* Sticky sessions
* HTTP rewriting and redirection
* Logging and monitoring

=== Live Demo: Setting up HAProxy (30 minutes) ===
* Installing HAProxy
* Configuring a basic load balancer
* Testing and verifying the setup
* Demonstration of advanced features
=== Best Practices and Performance Tuning (10 minutes) ===
* Optimization of HAProxy configuration
* Security considerations
* Scaling HAProxy

== Session Hands-On ==
* Slides [https://drive.google.com/file/d/1FkagbjrE2u-B5TVzihiZ7idzuJ78iMP-/view?usp=sharing "click here"]
* [[HAProxy Lab Setup Guide - Multi-OS Installation ]]

== Lead Instructor ==
* '''[https://www.linkedin.com/in/manhalmohammed/ Manhal M. Mokhtar]'''

Load Balancing Strategies: From Theory to Practice with HAProxy

2024-09-05T13:06:01Z

Manhal.Mohamed: /* Lead Instructor */

SdNOG Workshops

2024-09-05T13:04:17Z

Manhal.Mohamed:

[[Category: SdNOG]]
[[Category: Events]]
[[Category: Workshops]]

sdnog Workshops on Network Technology aim to offer advanced training to people who are in the process of developing and enhancing an Internet-connected network in Sudan, The target audience includes senior and mid-level technical staff in IT field, Internet service providers (ISPs), academic networks, government networks, or NGO networks.<br>

SdNOG has scheduled many workshops before, to know more '''check our [[Workshops schedule]] page.'''🗓

{| class="wikitable sortable"
|-
! Workshop name !! Note
|-
| [[IPv6 Fundamentals Workshop]] || weekly workshop
|-
| [[DNS Workshop]] || weekly workshop
|-
| [[DNSSEC Workshop]] || [[SdNOG-2]] Meeting
|-
| [[Ethical Hacking Workshop]] || weekly workshop
|-
| [[Hardening a web-server for the modern internet]] || [[SdNOG-4]] Meeting
|-
| [[High Availability in LAMP Stack workshop]] || weekly workshop
|-
| [[How to Secure your Network Workshop]] || [[SdNOG-3]] Meeting
|-
| [[Internet Governance Forum]]|| weekly workshop
|-
| [[IPv6 Workshop]] || [[SdNOG-4]] Meeting
|-
| [[IXP Best Practices]] || [[SdNOG-2]] Meeting
|-
| [[Networks Fundamental Workshop ]]|| weekly workshop
|-
| [[Network Management and Monitoring Workshop]]|| [[SdNOG-3]] Meeting
|-
| [[Networking Best Practices Workshop]] || [[SdNOG-2]] Meeting
|-
| [[UNIX Boot Camp]]|| weekly workshop
|-
| [[UNIX/Linux, Networking and DNS Online Course]] || [https://www.internetsociety.org/ ISOC] Online Course
|-
|[[Automation Tool: Ansible]] || [[SdNOG-5]] Meeting
|-
|[[IPv6 for Services]]||[[SdNOG-5]] Meeting
|-
| [[Network Services and Monitoring Online Course]] || [https://www.internetsociety.org/ ISOC] Online Course
|-
| [[OpenStack Workshop]]|| weekly workshop
|-
| [[Ansible for DevOPs Workshop]] || [[SdNOG-6]] Meeting
|-
| [[Network Monitoring Workshop]] || [[SdNOG-6]] Meeting
|-
| [[Security Workshop - Ethical Hacking]] || [[SdNOG-6]] Meeting
|-
| [[Layer 2 Security Workshop]]|| weekly workshop
|-
| [[Build your own e-mail Server]] || weekly workshop
|-
| [[Introduction to Git Workshop]] || weekly workshop
|-
| [[Automation with Ansible]] || weekly workshop
|-
| [[Automation with Ansible - Online ]] || Online workshop
|-
| [[ICANN DNS Workshop]] - Online || Online workshop
|-
| [[BGP Resource Management Workshop]] - Online || Online workshop
|-
| [[Load Balancing Strategies: From Theory to Practice with HAProxy]] - Online || [https://internetsummit.africa/ Africa Internet Summit - AIS 2024]
|-
|}

HAProxy Lab Setup Guide - Multi-OS Installation

2024-09-05T13:01:32Z

Manhal.Mohamed: /* Optimal Configuration Options for Web-Based Frontends */

HAProxy Lab Setup Guide - Multi-OS Installation

2024-09-05T12:55:52Z

Manhal.Mohamed: /* Updated HAProxy Configuration: */

= HAProxy Lab Setup Guide - Multi-OS Installation =

== Prerequisites ==
* 3 VMs (or use VirtualBox/VMware Workstation to create them)
* Web browser access (for those using AFNOG infrastructure)

== VM Setup ==
# '''VM1:''' HAProxy
#* IP: 192.168.1.X
# '''VM2:''' Apache Server
#* IP: 192.168.1.Y
# '''VM3:''' Nginx Server
#* IP: 192.168.1.Z

== Local Hosts File Configuration ==
Add the following entries to your local hosts file, pointing them all to the HAProxy IP (192.168.1.X):

192.168.1.X lb.lab.afnog.org
192.168.1.X www.lab.afnog.org
192.168.1.X nginx.lab.afnog.org
192.168.1.X apache.lab.afnog.org

== Step 1: Install and Configure HAProxy (VM1) ==

=== Red Hat-based systems (CentOS, Fedora) ===
sudo yum update
sudo yum install haproxy

=== Debian-based systems (Ubuntu, Debian) ===
sudo apt update
sudo apt install haproxy

=== FreeBSD ===
sudo pkg update
sudo pkg install haproxy

== Step 2: Install and Configure Apache (VM2) ==

=== Red Hat-based systems ===
sudo yum update
sudo yum install httpd
sudo systemctl start httpd
sudo systemctl enable httpd

=== Debian-based systems ===
sudo apt update
sudo apt install apache2

=== FreeBSD ===
sudo pkg update
sudo pkg install apache24
sudo sysrc apache24_enable="YES"
sudo service apache24 start

==== Create a custom index.html: ====
<code> echo "This is the Apache Server" | tee /var/www/html/index.html </code>

On FreeBSD:

<code> echo "This is the Apache Server" | tee /usr/local/www/apache24/data/index.html </code>

== Step 3: Install and Configure Nginx (VM3) ==

=== Red Hat-based systems ===
sudo yum update
sudo yum install nginx
sudo systemctl start nginx
sudo systemctl enable nginx

=== Debian-based systems ===
sudo apt update
sudo apt install nginx

=== FreeBSD ===
sudo pkg update
sudo pkg install nginx
sudo sysrc nginx_enable="YES"
sudo service nginx start

==== Create a custom index.html: ====
'''
echo "This is the Nginx Server" | tee /var/www/html/index.html </code>
# For FreeBSD:
echo "This is the Nginx Server" | tee /usr/local/www/nginx/index.html </code>
'''

== HAProxy Configuration ==

=== Step 1: Basic Frontend and Backend Setup (Round-Robin) ===

==== HAProxy Configuration: ====

==== Edit the HAProxy configuration file: ====
* '''Red Hat and Debian:''' /etc/haproxy/haproxy.cfg
* '''FreeBSD:''' /usr/local/etc/haproxy.conf

==== Add the following configuration: ====
'''
global
log 127.0.0.1:514 local1 info
chroot /var/empty
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend http-in
bind *:80
default_backend www_back

backend www_back
balance roundrobin
server nginx_server vm1.log.afnog.org:80 check
server apache_server vm2.lab.afnog.org:80 check
'''
==== Restart HAProxy: ====
''' systemctl restart haproxy '''

=== Step 2: Advanced Configuration with ACLs (Access Control Lists) ===

==== Updated HAProxy Configuration: ====

Modify the existing HAProxy configuration to include the following:
'''
frontend http_front
bind *:80
acl url_nginx hdr(host) -i nginx.lab.afnog.org
acl url_apache hdr(host) -i apache.lab.afnog.org
use_backend nginx_back if url_nginx
use_backend apache_back if url_apache
default_backend www_back

backend www_back
balance roundrobin
server nginx_server 192.168.1.Z:80 check
server apache_server 192.168.1.Y:80 check

backend nginx_back
server nginx_server 192.168.1.Z:80 check

backend apache_back
server apache_server 192.168.1.Y:80 check
'''

To set up an active-passive configuration for your backend node, adjust the existing HAProxy configuration to include the following:
'''
backend www_back
balance roundrobin
server nginx_server 192.168.1.Z:80 check
server apache_server 192.168.1.Y:80 check backup
'''

this setup will make node apache_server as a passive node and will not recive traffic unless node nginx_server is down

==== Restart HAProxy: ====
''' sudo systemctl restart haproxy '''

=== Step 3: Adding a Status Page ===

==== Final HAProxy Configuration: ====

Add the following configuration for the status page:
'''
listen stats
bind *:8404
stats enable
stats uri /
stats refresh 5s
'''
==== Restart HAProxy: ====
''' sudo systemctl restart haproxy '''

==== Testing the Status Page: ====

You can access the status page by navigating to http://192.168.1.X:8404/ in your web browser.

== SSL Termination on HAProxy ==

=== Generate a Self-Signed Certificate: ===
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/haproxy.key -out /etc/ssl/certs/haproxy.crt

=== Combine the Certificate and Key: ===
cat /etc/ssl/certs/haproxy.crt /etc/ssl/private/haproxy.key | tee /etc/ssl/certs/haproxy.pem

'''Note:''' For development SSL certificates, you can use the repository at https://github.com/BenMorel/dev-certificates

=== Update HAProxy Configuration to Use SSL: ===

Add the following to the `frontend http_front` section:

bind *:443 ssl crt /etc/ssl/certs/haproxy.pem
redirect scheme https if !{ ssl_fc }

=== Restart HAProxy: ===
sudo systemctl restart haproxy
=== Example for Layer 4 Load balancing , DB port : ===
'''
frontend mysql
mode tcp
bind :3306
default_backend mysql_servers

backend mysql_servers
mode tcp
balance leastconn
server s1 192.168.0.10:3306 check
server s2 192.168.0.11:3306 check
'''

=== Configure Syslog for HAProxy Logging ===

# Open the syslog configuration file for editing:
vi /etc/syslog.conf

# Add the following lines to configure logging:
*.err;kern.warning;auth.notice;mail.crit /dev/console
local1.* /var/log/haproxy.log
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages

# Create the HAProxy log file:
touch /var/log/haproxy.log

# Set the appropriate ownership for the log file:
chown haproxy:haproxy /var/log/haproxy.log

# Update the syslogd flags to bind to localhost and run in compatibility mode:
sysrc syslogd_flags="-b localhost -C"

# Restart the syslog service to apply changes:
service syslogd restart

== Testing ==

=== Using `web browser`: ===

# Test round-robin for `www.lab.afnog.org`:
# Repeat the command several times to see alternating responses from Nginx and Apache.

# Test Nginx backend:
nginx.lab.afnog.org
# This should consistently return the Nginx server response.

# Test Apache backend:
apache.lab.afnog.org
# This should consistently return the Apache server response.

# Test SSL termination:
https://www.lab.afnog.org
# This should return responses over HTTPS, with round-robin load balancing between Nginx and Apache.

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
haproxy -c -f /etc/haproxy/haproxy.cfg
#* Verify that the ports HAProxy is trying to bind to are not in use by other services.

# '''Backend servers not responding:'''
#* Ensure that Apache and Nginx are running on their respective VMs.
#* Check firewall rules to allow traffic between HAProxy and backend servers.
#* Verify the IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the path to the SSL certificate and key in the HAProxy configuration.
#* Ensure the combined PEM file has the correct permissions.

# '''ACLs not working as expected:'''
#* Verify that your local hosts file is correctly configured.
#* Use `tcpdump` or `wireshark` to inspect the HTTP headers and ensure the correct `Host` header is being sent.

== Performance Tuning ==

=== Optimizing HAProxy ===

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` section based on your server's capacity.

# '''Enable kernel TCP splicing:'''
#* Add `option tcpka` to the `defaults` section for keep-alive connections.

# '''Use HTTP/2:'''
#* Update your SSL binding to support HTTP/2:
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem alpn h2,http/1.1

# '''Implement caching:'''
#* Consider adding a caching layer with Varnish in front of HAProxy for static content.

== Optimal Configuration Options for Web-Based Frontends ==
It's crucial to customize the following according to your application's specific requirements.
'''
frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/cert.pem no-sslv3
mode http
option httplog
log global

# Redirect HTTP to HTTPS (enforce HTTPS for all traffic)
http-request redirect scheme https code 301 if !{ ssl_fc }

# Set default security headers for responses
# Enforce HSTS for HTTPS (1 year, include subdomains, preload)
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Clickjacking protection, allow only the same origin to embed this site
http-response set-header X-Frame-Options "SAMEORIGIN"

# XSS filtering enabled in browsers, block if an attack is detected
http-response set-header X-XSS-Protection "1; mode=block"

# Prevent MIME type sniffing (force browser to honor content type declared by the server)
http-response set-header X-Content-Type-Options "nosniff"

# Add Content Security Policy to mitigate XSS and data injection attacks
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Disable referrer information leakage when navigating to a different origin
http-response set-header Referrer-Policy "no-referrer-when-downgrade"

# Prevent browsers and proxies from caching sensitive data
http-response set-header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"

# Set secure cookies (only for HTTPS, HttpOnly, and prevent cross-site requests)
acl secure_cookie hdr_sub(cookie) Secure
http-response set-header Set-Cookie %[res.hdr(Set-Cookie)] if secure_cookie
http-response set-header Set-Cookie Secure; HttpOnly; SameSite=Strict if secure_cookie

# Forward client's original IP in X-Forwarded-For header
http-request add-header X-Forwarded-For %[src]

# Forward the protocol used by the client (HTTP/HTTPS) in X-Forwarded-Proto header
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

# Preserve the original Host header
http-request add-header X-Forwarded-Host %[req.hdr(host)]

default_backend servers
'''

== Security Considerations ==

# '''Regularly update HAProxy and backend servers'''
# '''Implement strong SSL/TLS configurations'''
# '''Use IP whitelisting for the HAProxy stats page'''
# '''Consider implementing Web Application Firewall (WAF) rules in HAProxy'''
# '''Regularly audit your HAProxy configurations and access logs'''

This guide provides a comprehensive setup process for HAProxy, starting from a basic configuration and progressing to more advanced setups with ACLs, SSL termination, and performance optimization. Always ensure to test thoroughly in a staging environment before applying changes to production systems.

HAProxy Lab Setup Guide - Multi-OS Installation

2024-09-05T12:37:29Z

Manhal.Mohamed: /* Create a custom index.html: */

= HAProxy Lab Setup Guide - Multi-OS Installation =

== Prerequisites ==
* 3 VMs (or use VirtualBox/VMware Workstation to create them)
* Web browser access (for those using AFNOG infrastructure)

== VM Setup ==
# '''VM1:''' HAProxy
#* IP: 192.168.1.X
# '''VM2:''' Apache Server
#* IP: 192.168.1.Y
# '''VM3:''' Nginx Server
#* IP: 192.168.1.Z

== Local Hosts File Configuration ==
Add the following entries to your local hosts file, pointing them all to the HAProxy IP (192.168.1.X):

192.168.1.X lb.lab.afnog.org
192.168.1.X www.lab.afnog.org
192.168.1.X nginx.lab.afnog.org
192.168.1.X apache.lab.afnog.org

== Step 1: Install and Configure HAProxy (VM1) ==

=== Red Hat-based systems (CentOS, Fedora) ===
sudo yum update
sudo yum install haproxy

=== Debian-based systems (Ubuntu, Debian) ===
sudo apt update
sudo apt install haproxy

=== FreeBSD ===
sudo pkg update
sudo pkg install haproxy

== Step 2: Install and Configure Apache (VM2) ==

=== Red Hat-based systems ===
sudo yum update
sudo yum install httpd
sudo systemctl start httpd
sudo systemctl enable httpd

=== Debian-based systems ===
sudo apt update
sudo apt install apache2

=== FreeBSD ===
sudo pkg update
sudo pkg install apache24
sudo sysrc apache24_enable="YES"
sudo service apache24 start

==== Create a custom index.html: ====
<code> echo "This is the Apache Server" | tee /var/www/html/index.html </code>

On FreeBSD:

<code> echo "This is the Apache Server" | tee /usr/local/www/apache24/data/index.html </code>

== Step 3: Install and Configure Nginx (VM3) ==

=== Red Hat-based systems ===
sudo yum update
sudo yum install nginx
sudo systemctl start nginx
sudo systemctl enable nginx

=== Debian-based systems ===
sudo apt update
sudo apt install nginx

=== FreeBSD ===
sudo pkg update
sudo pkg install nginx
sudo sysrc nginx_enable="YES"
sudo service nginx start

==== Create a custom index.html: ====
'''
echo "This is the Nginx Server" | tee /var/www/html/index.html </code>
# For FreeBSD:
echo "This is the Nginx Server" | tee /usr/local/www/nginx/index.html </code>
'''

== HAProxy Configuration ==

=== Step 1: Basic Frontend and Backend Setup (Round-Robin) ===

==== HAProxy Configuration: ====

==== Edit the HAProxy configuration file: ====
* '''Red Hat and Debian:''' /etc/haproxy/haproxy.cfg
* '''FreeBSD:''' /usr/local/etc/haproxy.conf

==== Add the following configuration: ====
'''
global
log 127.0.0.1:514 local1 info
chroot /var/empty
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend http-in
bind *:80
default_backend www_back

backend www_back
balance roundrobin
server nginx_server vm1.log.afnog.org:80 check
server apache_server vm2.lab.afnog.org:80 check
'''
==== Restart HAProxy: ====
''' systemctl restart haproxy '''

=== Step 2: Advanced Configuration with ACLs (Access Control Lists) ===

==== Updated HAProxy Configuration: ====

Modify the existing HAProxy configuration to include the following:
'''
frontend http_front
bind *:80
acl url_nginx hdr(host) -i nginx.lab.afnog.org
acl url_apache hdr(host) -i apache.lab.afnog.org
use_backend nginx_back if url_nginx
use_backend apache_back if url_apache
default_backend www_back

backend www_back
balance roundrobin
server nginx_server 192.168.1.Z:80 check
server apache_server 192.168.1.Y:80 check

backend nginx_back
server nginx_server 192.168.1.Z:80 check

backend apache_back
server apache_server 192.168.1.Y:80 check
'''
==== Restart HAProxy: ====
''' sudo systemctl restart haproxy '''

=== Step 3: Adding a Status Page ===

==== Final HAProxy Configuration: ====

Add the following configuration for the status page:
'''
listen stats
bind *:8404
stats enable
stats uri /
stats refresh 5s
'''
==== Restart HAProxy: ====
''' sudo systemctl restart haproxy '''

==== Testing the Status Page: ====

You can access the status page by navigating to http://192.168.1.X:8404/ in your web browser.

== SSL Termination on HAProxy ==

=== Generate a Self-Signed Certificate: ===
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/haproxy.key -out /etc/ssl/certs/haproxy.crt

=== Combine the Certificate and Key: ===
cat /etc/ssl/certs/haproxy.crt /etc/ssl/private/haproxy.key | tee /etc/ssl/certs/haproxy.pem

'''Note:''' For development SSL certificates, you can use the repository at https://github.com/BenMorel/dev-certificates

=== Update HAProxy Configuration to Use SSL: ===

Add the following to the `frontend http_front` section:

bind *:443 ssl crt /etc/ssl/certs/haproxy.pem
redirect scheme https if !{ ssl_fc }

=== Restart HAProxy: ===
sudo systemctl restart haproxy
=== Example for Layer 4 Load balancing , DB port : ===
'''
frontend mysql
mode tcp
bind :3306
default_backend mysql_servers

backend mysql_servers
mode tcp
balance leastconn
server s1 192.168.0.10:3306 check
server s2 192.168.0.11:3306 check
'''

=== Configure Syslog for HAProxy Logging ===

# Open the syslog configuration file for editing:
vi /etc/syslog.conf

# Add the following lines to configure logging:
*.err;kern.warning;auth.notice;mail.crit /dev/console
local1.* /var/log/haproxy.log
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages

# Create the HAProxy log file:
touch /var/log/haproxy.log

# Set the appropriate ownership for the log file:
chown haproxy:haproxy /var/log/haproxy.log

# Update the syslogd flags to bind to localhost and run in compatibility mode:
sysrc syslogd_flags="-b localhost -C"

# Restart the syslog service to apply changes:
service syslogd restart

== Testing ==

=== Using `web browser`: ===

# Test round-robin for `www.lab.afnog.org`:
# Repeat the command several times to see alternating responses from Nginx and Apache.

# Test Nginx backend:
nginx.lab.afnog.org
# This should consistently return the Nginx server response.

# Test Apache backend:
apache.lab.afnog.org
# This should consistently return the Apache server response.

# Test SSL termination:
https://www.lab.afnog.org
# This should return responses over HTTPS, with round-robin load balancing between Nginx and Apache.

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
haproxy -c -f /etc/haproxy/haproxy.cfg
#* Verify that the ports HAProxy is trying to bind to are not in use by other services.

# '''Backend servers not responding:'''
#* Ensure that Apache and Nginx are running on their respective VMs.
#* Check firewall rules to allow traffic between HAProxy and backend servers.
#* Verify the IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the path to the SSL certificate and key in the HAProxy configuration.
#* Ensure the combined PEM file has the correct permissions.

# '''ACLs not working as expected:'''
#* Verify that your local hosts file is correctly configured.
#* Use `tcpdump` or `wireshark` to inspect the HTTP headers and ensure the correct `Host` header is being sent.

== Performance Tuning ==

=== Optimizing HAProxy ===

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` section based on your server's capacity.

# '''Enable kernel TCP splicing:'''
#* Add `option tcpka` to the `defaults` section for keep-alive connections.

# '''Use HTTP/2:'''
#* Update your SSL binding to support HTTP/2:
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem alpn h2,http/1.1

# '''Implement caching:'''
#* Consider adding a caching layer with Varnish in front of HAProxy for static content.

== Optimal Configuration Options for Web-Based Frontends ==
It's crucial to customize the following according to your application's specific requirements.
'''
frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/cert.pem no-sslv3
mode http
option httplog
log global

# Redirect HTTP to HTTPS (enforce HTTPS for all traffic)
http-request redirect scheme https code 301 if !{ ssl_fc }

# Set default security headers for responses
# Enforce HSTS for HTTPS (1 year, include subdomains, preload)
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Clickjacking protection, allow only the same origin to embed this site
http-response set-header X-Frame-Options "SAMEORIGIN"

# XSS filtering enabled in browsers, block if an attack is detected
http-response set-header X-XSS-Protection "1; mode=block"

# Prevent MIME type sniffing (force browser to honor content type declared by the server)
http-response set-header X-Content-Type-Options "nosniff"

# Add Content Security Policy to mitigate XSS and data injection attacks
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Disable referrer information leakage when navigating to a different origin
http-response set-header Referrer-Policy "no-referrer-when-downgrade"

# Prevent browsers and proxies from caching sensitive data
http-response set-header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"

# Set secure cookies (only for HTTPS, HttpOnly, and prevent cross-site requests)
acl secure_cookie hdr_sub(cookie) Secure
http-response set-header Set-Cookie %[res.hdr(Set-Cookie)] if secure_cookie
http-response set-header Set-Cookie Secure; HttpOnly; SameSite=Strict if secure_cookie

# Forward client's original IP in X-Forwarded-For header
http-request add-header X-Forwarded-For %[src]

# Forward the protocol used by the client (HTTP/HTTPS) in X-Forwarded-Proto header
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

# Preserve the original Host header
http-request add-header X-Forwarded-Host %[req.hdr(host)]

default_backend servers
'''

== Security Considerations ==

# '''Regularly update HAProxy and backend servers'''
# '''Implement strong SSL/TLS configurations'''
# '''Use IP whitelisting for the HAProxy stats page'''
# '''Consider implementing Web Application Firewall (WAF) rules in HAProxy'''
# '''Regularly audit your HAProxy configurations and access logs'''

This guide provides a comprehensive setup process for HAProxy, starting from a basic configuration and progressing to more advanced setups with ACLs, SSL termination, and performance optimization. Always ensure to test thoroughly in a staging environment before applying changes to production systems.

HAProxy Lab Setup Guide - Multi-OS Installation

2024-09-05T12:36:45Z

Manhal.Mohamed: /* Testing */

= HAProxy Lab Setup Guide - Multi-OS Installation =

== Prerequisites ==
* 3 VMs (or use VirtualBox/VMware Workstation to create them)
* Web browser access (for those using AFNOG infrastructure)

== VM Setup ==
# '''VM1:''' HAProxy
#* IP: 192.168.1.X
# '''VM2:''' Apache Server
#* IP: 192.168.1.Y
# '''VM3:''' Nginx Server
#* IP: 192.168.1.Z

== Local Hosts File Configuration ==
Add the following entries to your local hosts file, pointing them all to the HAProxy IP (192.168.1.X):

192.168.1.X lb.lab.afnog.org
192.168.1.X www.lab.afnog.org
192.168.1.X nginx.lab.afnog.org
192.168.1.X apache.lab.afnog.org

== Step 1: Install and Configure HAProxy (VM1) ==

=== Red Hat-based systems (CentOS, Fedora) ===
sudo yum update
sudo yum install haproxy

=== Debian-based systems (Ubuntu, Debian) ===
sudo apt update
sudo apt install haproxy

=== FreeBSD ===
sudo pkg update
sudo pkg install haproxy

== Step 2: Install and Configure Apache (VM2) ==

=== Red Hat-based systems ===
sudo yum update
sudo yum install httpd
sudo systemctl start httpd
sudo systemctl enable httpd

=== Debian-based systems ===
sudo apt update
sudo apt install apache2

=== FreeBSD ===
sudo pkg update
sudo pkg install apache24
sudo sysrc apache24_enable="YES"
sudo service apache24 start

==== Create a custom index.html: ====
<code> echo "This is the Apache Server" | tee /var/www/html/index.html </code>

On FreeBSD:

<code> echo "This is the Apache Server" | tee /usr/local/www/apache24/data/index.html </code>

== Step 3: Install and Configure Nginx (VM3) ==

=== Red Hat-based systems ===
sudo yum update
sudo yum install nginx
sudo systemctl start nginx
sudo systemctl enable nginx

=== Debian-based systems ===
sudo apt update
sudo apt install nginx

=== FreeBSD ===
sudo pkg update
sudo pkg install nginx
sudo sysrc nginx_enable="YES"
sudo service nginx start

==== Create a custom index.html: ====
<code> echo "This is the Nginx Server" | tee /var/www/html/index.html </code>
<code> # For FreeBSD:
echo "This is the Nginx Server" | tee /usr/local/www/nginx/index.html </code>

== HAProxy Configuration ==

=== Step 1: Basic Frontend and Backend Setup (Round-Robin) ===

==== HAProxy Configuration: ====

==== Edit the HAProxy configuration file: ====
* '''Red Hat and Debian:''' /etc/haproxy/haproxy.cfg
* '''FreeBSD:''' /usr/local/etc/haproxy.conf

==== Add the following configuration: ====
'''
global
log 127.0.0.1:514 local1 info
chroot /var/empty
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend http-in
bind *:80
default_backend www_back

backend www_back
balance roundrobin
server nginx_server vm1.log.afnog.org:80 check
server apache_server vm2.lab.afnog.org:80 check
'''
==== Restart HAProxy: ====
''' systemctl restart haproxy '''

=== Step 2: Advanced Configuration with ACLs (Access Control Lists) ===

==== Updated HAProxy Configuration: ====

Modify the existing HAProxy configuration to include the following:
'''
frontend http_front
bind *:80
acl url_nginx hdr(host) -i nginx.lab.afnog.org
acl url_apache hdr(host) -i apache.lab.afnog.org
use_backend nginx_back if url_nginx
use_backend apache_back if url_apache
default_backend www_back

backend www_back
balance roundrobin
server nginx_server 192.168.1.Z:80 check
server apache_server 192.168.1.Y:80 check

backend nginx_back
server nginx_server 192.168.1.Z:80 check

backend apache_back
server apache_server 192.168.1.Y:80 check
'''
==== Restart HAProxy: ====
''' sudo systemctl restart haproxy '''

=== Step 3: Adding a Status Page ===

==== Final HAProxy Configuration: ====

Add the following configuration for the status page:
'''
listen stats
bind *:8404
stats enable
stats uri /
stats refresh 5s
'''
==== Restart HAProxy: ====
''' sudo systemctl restart haproxy '''

==== Testing the Status Page: ====

You can access the status page by navigating to http://192.168.1.X:8404/ in your web browser.

== SSL Termination on HAProxy ==

=== Generate a Self-Signed Certificate: ===
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/haproxy.key -out /etc/ssl/certs/haproxy.crt

=== Combine the Certificate and Key: ===
cat /etc/ssl/certs/haproxy.crt /etc/ssl/private/haproxy.key | tee /etc/ssl/certs/haproxy.pem

'''Note:''' For development SSL certificates, you can use the repository at https://github.com/BenMorel/dev-certificates

=== Update HAProxy Configuration to Use SSL: ===

Add the following to the `frontend http_front` section:

bind *:443 ssl crt /etc/ssl/certs/haproxy.pem
redirect scheme https if !{ ssl_fc }

=== Restart HAProxy: ===
sudo systemctl restart haproxy
=== Example for Layer 4 Load balancing , DB port : ===
'''
frontend mysql
mode tcp
bind :3306
default_backend mysql_servers

backend mysql_servers
mode tcp
balance leastconn
server s1 192.168.0.10:3306 check
server s2 192.168.0.11:3306 check
'''

=== Configure Syslog for HAProxy Logging ===

# Open the syslog configuration file for editing:
vi /etc/syslog.conf

# Add the following lines to configure logging:
*.err;kern.warning;auth.notice;mail.crit /dev/console
local1.* /var/log/haproxy.log
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages

# Create the HAProxy log file:
touch /var/log/haproxy.log

# Set the appropriate ownership for the log file:
chown haproxy:haproxy /var/log/haproxy.log

# Update the syslogd flags to bind to localhost and run in compatibility mode:
sysrc syslogd_flags="-b localhost -C"

# Restart the syslog service to apply changes:
service syslogd restart

== Testing ==

=== Using `web browser`: ===

# Test round-robin for `www.lab.afnog.org`:
# Repeat the command several times to see alternating responses from Nginx and Apache.

# Test Nginx backend:
nginx.lab.afnog.org
# This should consistently return the Nginx server response.

# Test Apache backend:
apache.lab.afnog.org
# This should consistently return the Apache server response.

# Test SSL termination:
https://www.lab.afnog.org
# This should return responses over HTTPS, with round-robin load balancing between Nginx and Apache.

== Troubleshooting ==

=== Common Issues and Solutions ===

# '''HAProxy not starting:'''
#* Check the configuration file for syntax errors:
haproxy -c -f /etc/haproxy/haproxy.cfg
#* Verify that the ports HAProxy is trying to bind to are not in use by other services.

# '''Backend servers not responding:'''
#* Ensure that Apache and Nginx are running on their respective VMs.
#* Check firewall rules to allow traffic between HAProxy and backend servers.
#* Verify the IP addresses and ports in the HAProxy configuration.

# '''SSL certificate issues:'''
#* Double-check the path to the SSL certificate and key in the HAProxy configuration.
#* Ensure the combined PEM file has the correct permissions.

# '''ACLs not working as expected:'''
#* Verify that your local hosts file is correctly configured.
#* Use `tcpdump` or `wireshark` to inspect the HTTP headers and ensure the correct `Host` header is being sent.

== Performance Tuning ==

=== Optimizing HAProxy ===

# '''Increase maximum connections:'''
#* Adjust the `maxconn` parameter in the `global` section based on your server's capacity.

# '''Enable kernel TCP splicing:'''
#* Add `option tcpka` to the `defaults` section for keep-alive connections.

# '''Use HTTP/2:'''
#* Update your SSL binding to support HTTP/2:
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem alpn h2,http/1.1

# '''Implement caching:'''
#* Consider adding a caching layer with Varnish in front of HAProxy for static content.

== Optimal Configuration Options for Web-Based Frontends ==
It's crucial to customize the following according to your application's specific requirements.
'''
frontend http-in
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/cert.pem no-sslv3
mode http
option httplog
log global

# Redirect HTTP to HTTPS (enforce HTTPS for all traffic)
http-request redirect scheme https code 301 if !{ ssl_fc }

# Set default security headers for responses
# Enforce HSTS for HTTPS (1 year, include subdomains, preload)
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Clickjacking protection, allow only the same origin to embed this site
http-response set-header X-Frame-Options "SAMEORIGIN"

# XSS filtering enabled in browsers, block if an attack is detected
http-response set-header X-XSS-Protection "1; mode=block"

# Prevent MIME type sniffing (force browser to honor content type declared by the server)
http-response set-header X-Content-Type-Options "nosniff"

# Add Content Security Policy to mitigate XSS and data injection attacks
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'"

# Disable referrer information leakage when navigating to a different origin
http-response set-header Referrer-Policy "no-referrer-when-downgrade"

# Prevent browsers and proxies from caching sensitive data
http-response set-header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"

# Set secure cookies (only for HTTPS, HttpOnly, and prevent cross-site requests)
acl secure_cookie hdr_sub(cookie) Secure
http-response set-header Set-Cookie %[res.hdr(Set-Cookie)] if secure_cookie
http-response set-header Set-Cookie Secure; HttpOnly; SameSite=Strict if secure_cookie

# Forward client's original IP in X-Forwarded-For header
http-request add-header X-Forwarded-For %[src]

# Forward the protocol used by the client (HTTP/HTTPS) in X-Forwarded-Proto header
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request add-header X-Forwarded-Proto http if !{ ssl_fc }

# Preserve the original Host header
http-request add-header X-Forwarded-Host %[req.hdr(host)]

default_backend servers
'''

== Security Considerations ==

# '''Regularly update HAProxy and backend servers'''
# '''Implement strong SSL/TLS configurations'''
# '''Use IP whitelisting for the HAProxy stats page'''
# '''Consider implementing Web Application Firewall (WAF) rules in HAProxy'''
# '''Regularly audit your HAProxy configurations and access logs'''

This guide provides a comprehensive setup process for HAProxy, starting from a basic configuration and progressing to more advanced setups with ACLs, SSL termination, and performance optimization. Always ensure to test thoroughly in a staging environment before applying changes to production systems.

HAProxy Lab Setup Guide - Multi-OS Installation

2024-09-05T12:35:18Z