Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HAProxyConf 2022 – Boost your web-app with HAProxy and Varnish

Jérémy Lecour
November 08, 2022
Technology
0
31

HAProxyConf 2022 – Boost your web-app with HAProxy and Varnish

In this presentation, Jeremy Lecour explores how to use HAProxy and Varnish to create a web accelerator with load balancing, caching and high-availability capabilities. Jeremy unpacks the architecture and global use cases, and dives into relevant configurations including: TLS, proxy protocol, health checks, and debugging headers.

While technical, the presentation will be accessible to anybody vaguely familiar with HAProxy, and will be interesting to anybody managing web applications. The presentation draws from the real experiences of a mature sysadmin team in an open-source oriented hosting/management company. There will be plenty of the time to answer questions during and after the presentation.

Jérémy Lecour

November 08, 2022
Tweet

More Decks by Jérémy Lecour

See All by Jérémy Lecour
Accélération web avec HAProxy et Varnish
jlecour
0
44
Let's Encrypt, le trublion du HTTPS
jlecour
0
75
La Suite ELK au service des développeurs et de la production
jlecour
0
440
Après 883 indices quotidiens, ça cherche encore et trouve sans cesse
jlecour
1
100
Test Driven (web) Configuration
jlecour
0
34
Elasticsearch - c'est plus que ça en a l'air
jlecour
0
510
Interacting with 3rd party services
jlecour
0
16
Processus et démons sous Unix/Linux
jlecour
0
23
D'une feuille blanche à une affaire rentable
jlecour
0
220

Other Decks in Technology

See All in Technology
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k
ローカルAITuber勢の現在地と未来
sr2mg4
0
130
応用から学ぶ強化学習
nearme_tech
0
220
フィンテックとは何か / What is FinTech?
ks91
PRO
0
130
MagicPod開発における テスト自動化とCI
nozomiito
0
150
これからのJavaのとっかかりを掴む
irof
0
3.2k
Microsoft Build 2023 Azure AI&ML 最新アップデート
shohei1029
1
260
複雑になったマイクロサービスを どう管理するか/how-to-manage-increasingly-complex-microservices
policemankh
0
270
NestJS をかじってみた / MIERUNE BBQ #01 / #mierune
tacck
0
310
Blueskyの「今」がわかる!Bot
lamrongol
0
160
GO TechTalk #19 タクシーアプリ『GO』事業成長を支えるデータ分析基盤の継続的改善!
mot_techtalk
2
1.1k
#47-48 “NSDI 2023 recap”
cafenero_777
0
110

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
5
6.5k
A better future with KSS
kneath
230
16k
Fantastic passwords and where to find them - at NoRuKo
philnash
33
2k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
Music & Morning Musume
bryan
37
4.9k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Faster Mobile Websites
deanohume
296
29k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.3k
Docker and Python
trallard
31
2.1k
Building an army of robots
kneath
300
41k
Large-scale JavaScript Application Architecture
addyosmani
500
110k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
183
15k

Transcript

  1. Boost your web-app
    with HAProxy and Varnish
    HAProxyConf 2022 Paris, France
    Jérémy Lecour
    @jlecour – CTO
    https://gitea.evolix.org/evolix/haproxyconf-2022

    View Slide

  2. &
    ● Free Libre Open Source Software
    ● Run on many platforms
    ● Resource efficient and stable
    ● Great documentation and communities
    ● Commercial support available

    View Slide

  3. HAProxy – overview

    View Slide

  4. Varnish – overview

    View Slide

  5. HAProxy + Varnish = “Boost” – a CDN-like service

    View Slide

  6. View Slide

  7. Let’s zoom in

    View Slide

  8. Multiple sites or apps
    frontend external
    acl example_com_domains hdr(host) -i example.com
    acl foo_bar_domains hdr(host) -i foo-bar.com foo-bar.org
    […]
    use_backend example_com if example_com_domains
    use_backend foo_bar if foo_bar_domains
    backend example_com
    […]
    server srv10-1 192.0.10.1:80
    backend foo_bar
    […]
    server srv20-1 192.0.20.1:80
    server srv20-2 192.0.20.2:80
    haproxy.cfg

    View Slide

  9. Pass the request to Varnish – cache or no cache, there is no 503
    frontend external
    # Is Varnish available?
    acl varnish_available nbsrv(varnish) gt 0
    # Pass the request to Varnish
    use_backend varnish if varnish_available
    # … or fall back to a direct backend
    default_backend direct_backend
    backend varnish
    option httpchk HEAD /varnishcheck
    server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
    haproxy.cfg
    sub vcl_recv {
    if (req.url == "/varnishcheck") {
    return (synth(200, "Hi HAProxy, I'm fine!"));
    }
    […]
    }
    varnish.vcl

    View Slide

  10. Pass the request to Varnish – should I stay or should I go?
    frontend external
    acl example_com_domains hdr(host) -i example.com
    […]
    use_backend varnish if !example_com_domains
    haproxy.cfg
    frontend external
    acl use_cache if hdr(host) -f /etc/haproxy/cached_domains
    […]
    use_backend varnish if use_cache
    haproxy.cfg
    frontend external
    acl varnish_http_verb method GET HEAD PURGE
    […]
    use_backend varnish if varnish_http_verb
    haproxy.cfg

    View Slide

  11. PROXY protocol – who is talking to me?
    X-Forwarded-For: 192.0.2.1,127.0.0.1,127.0.0.1,203.0.113.1

    View Slide

  12. PROXY protocol – who is talking to me?

    View Slide

  13. PROXY protocol – how are you doing?
    $ /usr/sbin/varnishd […] -a /run/varnish.sock,PROXY
    frontend internal
    bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy
    backend varnish
    server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
    backend example_com
    server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none send-proxy-v2
    haproxy.cfg
    backend default {
    .path = "/run/haproxy-frontend-default.sock";
    .proxy_header = 1;
    }
    varnish.vcl
    init

    View Slide

  14. PROXY protocol – how are you doing?
    $ /usr/sbin/varnishd […] -a /run/varnish.sock,PROXY
    frontend internal
    bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy
    backend varnish
    server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
    backend example_com
    server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none send-proxy-v2
    haproxy.cfg
    backend default {
    .path = "/run/haproxy-frontend-default.sock";
    .proxy_header = 1;
    }
    varnish.vcl
    init

    View Slide

  15. PROXY protocol – how are you doing?
    $ /usr/sbin/varnishd […] -a /run/varnish.sock,PROXY
    frontend internal
    bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy
    backend varnish
    server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
    backend example_com
    server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none send-proxy-v2
    haproxy.cfg
    backend default {
    .path = "/run/haproxy-frontend-default.sock";
    .proxy_header = 1;
    }
    varnish.vcl
    init

    View Slide

  16. PROXY protocol – how are you doing?
    $ /usr/sbin/varnishd […] -a /run/varnish.sock,PROXY
    frontend internal
    bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy
    backend varnish
    server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
    backend example_com
    server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none send-proxy-v2
    haproxy.cfg
    backend default {
    .path = "/run/haproxy-frontend-default.sock";
    .proxy_header = 1;
    }
    varnish.vcl
    init

    View Slide

  17. PROXY protocol – how are you doing?
    $ /usr/sbin/varnishd […] -a /run/varnish.sock,PROXY
    frontend internal
    bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy
    backend varnish
    server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
    backend example_com
    server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none send-proxy-v2
    haproxy.cfg
    backend default {
    .path = "/run/haproxy-frontend-default.sock";
    .proxy_header = 1;
    }
    varnish.vcl
    init

    View Slide

  18. PROXY protocol – how are you doing?
    $ /usr/sbin/varnishd […] -a /run/varnish.sock,PROXY
    frontend internal
    bind /run/haproxy-frontend-default.sock user root mode 666 accept-proxy
    backend varnish
    server varnish_sock /run/varnish.sock check observe layer7 maxconn 3000 inter 1s send-proxy-v2
    backend example_com
    server example-hostname 1.2.3.4:443 check observe layer4 ssl verify none send-proxy-v2
    haproxy.cfg
    backend default {
    .path = "/run/haproxy-frontend-default.sock";
    .proxy_header = 1;
    }
    varnish.vcl
    init

    View Slide

  19. PROXY protocol – debug all the things
    $ /usr/sbin/varnishd […] -a 127.0.0.1:82 -a /run/varnish.sock,PROXY init
    $ curl --resolve www.example.com:82:127.0.0.1
    ⤷ --header "X-Forwarded-Proto: https"
    ⤷ http://www.example.com:82/foo/bar
    command line

    View Slide

  20. PROXY protocol – all the way down
    [email protected]|
    ⤷ GET /blog/ HTTP/1.1|
    ⤷ host:jeremy.lecour.fr|user-agent:curl/7.64.0|accept:*/*|x-varnish:65545|
    ⤷ x-forwarded-for:192.0.2.1,240.0.0.1|x-forwarded-port:443|x-forwarded-proto:https
    [email protected]
    forensic.log
    Pro-tip : Apache + ForensicLog
    If possible : use PROXY protocol to the final servers
    add a secondary non-PROXY interface

    View Slide

  21. HTTP tagging – standard and custom headers
    $ curl -sv https://jeremy.lecour.fr/blog/
    GET /blog/ HTTP/1.1
    Host: jeremy.lecour.fr
    User-Agent: curl/7.74.0
    Accept: */*
    HTTP/1.1 200 OK
    Date: Thu, 8 Nov 2022 09:32:30 GMT
    Server: Apache
    Last-Modified: Tue, 19 May 2020 16:59:15 GMT
    ETag: "23c8-5a603330a9ec0"
    Accept-Ranges: bytes
    Content-Type: text/html
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'
    Strict-Transport-Security: max-age=63072000
    command line

    View Slide

  22. HTTP tagging – X-Forwarded-*
    frontend external
    bind 0.0.0.0:80,:::80
    bind 0.0.0.0:443,:::443 ssl
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    haproxy.cfg

    View Slide

  23. HTTP tagging – X-Unique-ID
    frontend external
    # Add unique ID to each request
    http-request set-header X-Unique-ID %[uuid()] unless { hdr(X-Unique-ID) -m found }
    haproxy.cfg

    View Slide

  24. HTTP tagging – X-Boost-Step1
    frontend external
    # Tag the request for Step 1
    http-request add-header X-Boost-Step1 "haproxy-external"
    # Tag the response for Step 1
    http-response add-header X-Boost-Step1 "haproxy-external; ssl-frontend" if { ssl_fc }
    http-response add-header X-Boost-Step1 "haproxy-external; no-ssl-frontend" if !{ ssl_fc }
    http-response set-header X-Boost-Server my-hostname
    haproxy.cfg

    View Slide

  25. HTTP tagging – X-Boost-Step2
    sub vcl_recv {
    # Tag the request for Step 2
    set req.http.X-Boost-Step2 = "varnish";
    }
    varnish.vcl
    sub vcl_deliver {
    # Tag the response for Step 2
    if (resp.http.Set-Cookie && resp.http.Cache-Control) {
    set resp.http.X-Boost-Step2 = "varnish; set-cookie; cache-control";
    } elseif (resp.http.Set-Cookie) {
    set resp.http.X-Boost-Step2 = "varnish; set-cookie; no-cache-control";
    } elseif (resp.http.Cache-Control) {
    set resp.http.X-Boost-Step2 = "varnish; no-set-cookie; cache-control";
    } else {
    set resp.http.X-Boost-Step2 = "varnish; no-set-cookie; no-cache-control";
    }
    }
    varnish.vcl

    View Slide

  26. HTTP tagging – X-Boost-Step3
    frontend internal
    # Tag the request for Step 3
    http-request add-header X-Boost-Step3 "haproxy-internal"
    # Tag the response for Step 3
    http-response add-header X-Boost-Step3 "haproxy-internal; ssl-backend" if { ssl_bc }
    http-response add-header X-Boost-Step3 "haproxy-internal; no-ssl-backend" if !{ ssl_bc }
    haproxy.cfg

    View Slide

  27. HTTP tagging – Full HAProxy log
    Don’t do this in production
    frontend external
    […]
    http-response add-header X-Haproxy-Log-External "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta
    ⤷ %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
    frontend internal
    […]
    http-response add-header X-Haproxy-Log-Internal "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta
    ⤷ %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
    haproxy.cfg

    View Slide

  28. Filtering at HAProxy level
    frontend external
    […]
    # Reject the request at the TCP level if source is in the denylist
    tcp-request connection reject if { src -f /etc/haproxy/deny_ips }
    haproxy.cfg
    userlist vip_users
    user johndoe password $6$k6y3o.eP$JlKBx9za9667qe4(…)xHSwRv6J.C0/D7cV91
    frontend external
    […]
    http-request redirect scheme https code 301 if !{ ssl_fc }
    http-request redirect prefix https://example-to.org code 301 if { hdr(host) -i example-from.org }
    http-request auth realm "VIP Section" if !{ http_auth(vip_users) }
    haproxy.cfg

    View Slide

  29. Maintenance mode – global
    frontend external
    […]
    # List of IP that will not go the maintenance backend
    acl maintenance_ips src -f /etc/haproxy/maintenance_ips
    # Go to maintenance backend, unless your IP is whitelisted
    use_backend maintenance if !maintenance_ips
    backend maintenance
    http-request set-log-level silent
    # Custom 503 error page
    errorfile 503 /etc/haproxy/errors/maintenance.http
    # With no server defined, a 503 is returned for every request
    haproxy.cfg

    View Slide

  30. Maintenance mode – per site
    frontend external
    […]
    acl example_com_domains hdr(host) -i example.com
    acl maintenance_ips src -f /etc/haproxy/maintenance_ips
    acl example_com_maintenance_ips src -f /etc/haproxy/example_com/maintenance_ips
    use_backend example_com_maintenance if example_com_domains !example_com_maintenance_ips
    ⤷ !maintenance_ips
    haproxy.cfg

    View Slide

  31. PURGE – let’s make a blank slate
    sub vcl_recv {
    if (req.http.host == "example.com" && req.method == "PURGE") {
    if (client.ip == "198.51.100.4" || client.ip == "198.51.100.5") {
    if (req.url == "/_purge_all") {
    ban("req.http.host == " + req.http.host + " && req.url ~ .");
    return (synth(200, "ALL purge cache done"));
    } else {
    ban("req.http.host == "+req.http.host+" && req.url ~ "+req.url);
    return (synth(200, "purge cache done"));
    }
    } else {
    return (synth(403, "permission denied"));
    }
    […]
    varnish.vcl

    View Slide

  32. Local services
    frontend external
    # Is the request coming for the server itself (stats…)
    acl self hdr(host) -i my-hostname my-hostname.domain.tld
    acl munin hdr(host) -i munin
    # Detect Let's Encrypt challenge requests
    acl letsencrypt path_dir -i /.well-known/acme-challenge
    use_backend local if self
    use_backend local if munin
    use_backend letsencrypt if letsencrypt
    backend local
    option httpchk HEAD /haproxy-check
    server localhost 127.0.0.1:81 send-proxy-v2 maxconn 10
    backend letsencrypt
    # Use this if the challenge is managed locally
    server localhost 127.0.0.1:81 send-proxy-v2 maxconn 10
    # Use this if the challenge is managed remotely
    ### server my-certbot-challenge-manager 192.168.2.1:80 maxconn 10
    haproxy.cfg

    View Slide

  33. High availability – for the application

    View Slide

  34. High availability – for HAProxy and Varnish

    View Slide

  35. High availability – for HAProxy and Varnish – round-robin DNS

    View Slide

  36. High availability – for HAProxy and Varnish – active-active
    Image shamelessly stolen from HAProxy docs

    View Slide

  37. Questions & Answers

    View Slide

  38. View Slide

  39. Thank you
    https://gitea.evolix.org/evolix/haproxyconf-2022
    Jérémy Lecour
    @jlecour – CTO

    View Slide