Haproxy: Difference between revisions

From Bitpost wiki
Previous revision (the old side of the diff; the new side is the latest revision shown below):

[https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts Intro]

[https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04 SSL]

Two database design choices:
* Each server gets its own quotes and saves all its own data
** Need to read user id from each request and send each user to a predetermined server
** Need multiple Etrade accounts, one for each server, unless we get a deal with Etrade
* Switch to a distributed database with master-master replication
** A lot of work
** Might kill sub-second performance?  Might not. We already have delayed-write.

For the first 1000 paid users, we will NOT do load balancing.

Instead, we will just use haproxy to redirect (bitpost.com IP) + port 8080 requests to abettertrader.com (all https).

Latest revision as of 16:56, 10 January 2020

==== Most important: continuously check ssllabs ====

Most important: continuously check to ensure [https://www.ssllabs.com/ssltest ssllabs] gives an A+ rating for all sites.

It's important to get a current [https://cipherli.st/ cipher configuration] right.

==== SSL cert format ====

Haproxy wants a combined PEM format, with the crt and key included. Typical way:

 cat STAR_equityshift_io.crt > manual_combined.pem
 cat equityshift_io.key >> manual_combined.pem

==== Config ====

For a working config that gets an A+, edit the config here:

 🌵 m@bitpost  [~/development/scripts/gentoo/bitpost/root] emacs haproxy.cfg

It contains a list of all my sites that are currently live.

After changing it, restart it:

 sudo /etc/init.d/haproxy restart

2019-12-08 It was updated to use a new config format that rejects SSL/TLS versions below TLS 1.2. It was also updated with an attempt to redirect www.* to *, but we need updated certificates with multiple names. The certbot script was updated to add them, but it has not recreated the certs yet. Check back in February at the latest!
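The cert-combining and restart steps above, as an added shell example (not code from the wiki page): it builds the combined PEM with the private key kept 0600, refuses a PEM whose crt and key do not belong together, checks that the config pins the minimum TLS version to 1.2, and parses the config with haproxy -c before the restart. All file names are assumptions; the ssl-min-ver directive is haproxy's own.

```shell
#!/bin/sh
# Added example, not code from the wiki page. File names are assumptions.
set -eu

# Combine crt + key into the single PEM haproxy expects. The file carries the
# private key, so it is created 0600 inside a subshell-scoped umask.
build_combined_pem() {
    crt="$1"; key="$2"; out="$3"
    ( umask 077; cat "$crt" "$key" > "$out" )
    chmod 600 "$out"
}

# True only if the certificate and private key in the combined PEM belong
# together (compares the SHA-256 of the public key taken from each half).
# Catches the classic rotation mistake: new crt concatenated with an old key.
pem_key_matches() {
    pem="$1"
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# True if the config pins the minimum TLS version to 1.2 (or 1.3), either as a
# global bind default (ssl-default-bind-options) or on a bind line; anything
# lower is what costs the ssllabs A+.
config_enforces_tls12() {
    grep -Eq 'ssl-min-ver[[:space:]]+TLSv1\.[23]' "$1"
}

# Parse the config (haproxy -c) before the restart the wiki page uses, so a
# typo never takes the live sites down.
check_then_restart() {
    cfg="$1"
    haproxy -c -f "$cfg" && sudo /etc/init.d/haproxy restart
}
```

Run the checks against manual_combined.pem and haproxy.cfg before calling check_then_restart.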

==== [https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts Intro] ====

==== [https://www.digitalocean.com/community/tutorials/how-to-implement-ssl-termination-with-haproxy-on-ubuntu-14-04 SSL] ====