These are some useful information about HAProxy, load balancing and Keepalived.
Notes
- Configure your web servers to not respond to request from any clients other than your load balancers. If you allow direct outside traffic, they could "spoof" their true information and hurt web servers.
Assuming that your web server's IP is 192.168.50.10
and load balancer's IP is 192.168.50.30
. If you add code block inside your virtual host file, only load balancer can consume your web server. Direct access request will get 403 Forbidden
error.
# /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
...
<Directory /var/www/html/>
Order allow,deny
Allow from 192.168.50.30
Allow from 127.0.0.1
</Directory>
...
</VirtualHost>
- The load balancer is the single point of contact for clients so the web servers and all the other internal network always hide behind it which increases the security.
- Security defence mechanism should start from load balancer.
- Load balancers are configured to accept request from certain protocols such as http, https, tcp, ssl.
- It shares workload between web servers to prevent hammering.
- Load balancer decides which request gets diverted to which web server.
- Layer 4 transport layer model handles requests randomly and diverts them to all the web servers it knows.
- Layer 7 application layer model handles requests based on the request headers, url so on. and diverts them to relevant web servers.
- Default HAProxy system outage error message
503
can be overridden with it’s config file.
- HAProxy can be used to block access to a specific server
server webserver 192.168.1.202:80 check disabled
for security or maintenance purposes.
- HAProxy can be used to block IP addresses from accessing to our services for security purposes.
Assuming that the IP address 192.168.50.1
belongs to an attacker so we want to block it. This will produce 403 Forbidden
error.
# /etc/haproxy/haproxy.cfg
frontend http-in
....
acl nasty-man src 192.168.50.1
http-request deny if nasty-man
....
- Central Session Storage option should be preferred over Sticky Sessions/Session Affinity and Cookie-based Sessions options for session management.
- HAProxy servers ping web servers every two seconds (could be changed in config file) so Apache
access.log
will get bloated if /etc/apache2/apache2.conf
and etc/apache2/sites-enabled/000-default.conf
files are not configured to stop logging these ping requests.
- Keepalived creates virtual IP and assigns it to actively running appropriate HAProxy servers. This virtual IP then used by clients to send requests to.
- Keepalived decides which HAProxy server should be the "master" load balancer by looking at the
priority
value in it’s config file /etc/keepalived/keepalived.conf
. Higher priority represents "master" and the lower represents "backup".
- Keepalived virtual IP switching logs can be found in
/var/log/haproxy.log
log file.
Security readings
Application layer protection handled by HAProxy (Web Application Firewall - WAF) for attacks like DOS, DDOS, TCP attacks, SYN flood attacks, slow POST attacks, slowloris attacks etc. Network level protection is handled by physical firewall devices.