Adding HAProxy with SSL certificates (optional)

Blue Planet HAProxy is a high availability component that provides load balancing and recovery. Blue Planet HA manages multiple hardware instances (a cluster) as a single site.

This section describes the following:

Deploying HAProxy SSL certificates (optional)

To deploy HAProxy:

  • You must use an odd number of nodes to form a cluster.

  • Each node in the cluster must have a logical IP address to assign to any other node.

By default, HAProxy has a self-signed SSL certificate. Ciena recommends that you replace the default certificate with one signed by a trusted authority. The SSL configuration directory is volume-mounted from the host machine into the Docker container. Once you store your keys in the proper location on the host, the HAProxy container uses them to direct user requests to the appropriate application instance in the cluster.

To update the HAProxy SSL certificates, run these steps from inside the haproxy container:

  1. Create a /etc/bp2/haproxy/ssl directory on the host. Skip this step if the directory already exists.

    $ mkdir /etc/bp2/haproxy/ssl
  2. Copy the trusted SSL keys found on Blue Planet to a temporary folder.

    1. Create a temporary folder.

      $ mkdir ~/temp
    2. Copy the existing trusted SSL key to the temporary folder.

      $ cp /etc/bp2/haproxy/ssl/server.key ~/temp/server.key.org
  3. Generate a PEM file for the newly created certificate.

    $ cat <domain>.crt <domain>.key > server.pem
  4. Go to the SSL directory, /etc/bp2/haproxy/ssl, and delete the default SSL certificates.

  5. Move the newly created server.pem file to the /etc/bp2/haproxy/ssl directory.

    $ mv server.pem /etc/bp2/haproxy/ssl/.
  6. Set file permissions for server.pem.

    $ chmod 600 /etc/bp2/haproxy/ssl/server.pem
  7. For a multi-host HA cluster, synchronize the HAProxy config across all hosts that are on multi-host sites. Skip this step if you are configuring a single-host site.

    $ bp2-site sync-site-config
  8. For a multi-host HA cluster, verify the synchronization. Skip this step if you are configuring a single-host site.

    $ bp2-site diff-site-config
  9. Start Solution Manager as a root user. Solution Manager is active when you see the (Cmd) prompt.

    $ sudo -s
    # solman
    (Cmd)
  10. Restart the HAProxy containers from the Solution Manager prompt.

    The software versions listed in this procedure are examples. To view the version numbers of your software, enter the docker images command with the grep option from the Linux command prompt. The syntax is docker images | grep solution-platform.
    • For a single-host:

      (Cmd) solution_app_restart bpdr.io.blueplanet.platform:17.01.02 haproxy
    • For multiple hosts:

      (Cmd) solution_app_restart bpdr.io.blueplanet.platform:ha-17.01.02 haproxy
  11. (Optional) Follow these two steps to customize the global SSL default bind and cipher values.

    1. Create a file named ssl_default_bind_options containing the values to use in the global HAProxy configuration section. This example disables SSLv3 and TLSv1.0.

      echo 'no-sslv3 no-tlsv10' > /etc/bp2/haproxy/ssl_default_bind_options
    2. Create a file named ssl_default_bind_ciphers containing the values to use in the global HAProxy configuration section. This example sets the following ciphers: ECDH+AESGCM:DH+AESGCM:ECDH+AES256.

      echo 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256' > /etc/bp2/haproxy/ssl_default_bind_ciphers

      Inside the HAProxy container, the directory /usr/share/haproxy contains the default values for the SSL default bind options, for example in defaults.tmpl.eg. You can use the *.eg files there as a starting point for the config files in /etc/bp2/haproxy.
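The bundle assembly and checks from steps 3 through 6, together with the override files from step 11, as an added POSIX shell example; this is not part of the Ciena documentation or of the Blue Planet tooling. The directories are parameters (the page uses /etc/bp2/haproxy/ssl and /etc/bp2/haproxy), every function name and the example.crt/example.key sample names are assumptions made for this example, and openssl is optional: when it is installed, the private key is cryptographically matched against the certificate and the cipher string is parsed before either file is written.

```shell
#!/bin/sh
# Added example, not from the Ciena Blue Planet documentation or tooling.
# Builds the server.pem bundle HAProxy loads (certificate block first, then the
# private key), checks it before it goes into the volume-mounted SSL directory,
# and writes the step 11 override files. Directories are parameters here; the
# page uses /etc/bp2/haproxy/ssl and /etc/bp2/haproxy. All function names and
# sample file names are assumptions made for this example.

# build_haproxy_pem CERT KEY DEST_DIR
#   Validates the pair, keeps any existing server.pem as server.pem.org (the
#   same backup habit as step 2), then writes DEST_DIR/server.pem with mode 0600.
build_haproxy_pem() {
  cert=$1 key=$2 dest=$3
  [ -r "$cert" ] && [ -r "$key" ] && [ -d "$dest" ] ||
    { echo "build_haproxy_pem: missing input or destination" >&2; return 1; }
  # Structural check: refuse inputs that are not PEM blocks of the right kind.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
    { echo "$cert: not a PEM certificate" >&2; return 1; }
  grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$key" ||
    { echo "$key: not a PEM private key" >&2; return 1; }
  # Cryptographic check when openssl is installed: the public key inside the
  # certificate must equal the public half of the private key, otherwise
  # HAProxy rejects the bundle when it binds the listener.
  if command -v openssl >/dev/null 2>&1; then
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cpub" = "$kpub" ] ||
      { echo "certificate and private key do not match" >&2; return 1; }
  fi
  if [ -f "$dest/server.pem" ]; then
    cp -p "$dest/server.pem" "$dest/server.pem.org" || return 1
  fi
  # Write under a restrictive umask so the key is never world-readable, even
  # briefly, then pin the mode to 0600 as in step 6.
  ( umask 077 && cat "$cert" "$key" > "$dest/server.pem" ) || return 1
  chmod 600 "$dest/server.pem"
}

# pem_order_ok FILE: true when the first PEM block is the certificate and a
# private key block follows it, which is the order HAProxy expects.
pem_order_ok() {
  c=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$1" | head -n 1 | cut -d: -f1)
  k=$(grep -n -- '-----BEGIN.*PRIVATE KEY-----' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$c" ] && [ -n "$k" ] && [ "$c" -lt "$k" ]
}

# pem_mode_ok FILE: true when FILE has exactly mode 0600.
pem_mode_ok() {
  [ -n "$(find "$1" -perm 600 -print 2>/dev/null)" ]
}

# write_ssl_bind_defaults HAPROXY_DIR OPTIONS CIPHERS
#   Writes the two override files from step 11. With openssl installed the
#   cipher string is parsed first, since HAProxy will not start on a malformed
#   one. The host openssl may differ from the one HAProxy is linked against, so
#   this is a syntax check, not proof that every suite is available.
write_ssl_bind_defaults() {
  if command -v openssl >/dev/null 2>&1; then
    openssl ciphers "$3" >/dev/null 2>&1 ||
      { echo "cipher string rejected: $3" >&2; return 1; }
  fi
  printf '%s\n' "$2" > "$1/ssl_default_bind_options" || return 1
  printf '%s\n' "$3" > "$1/ssl_default_bind_ciphers"
}

# make_sample_pair DIR: constructed sample input for the demo. With openssl
# present a throwaway self-signed pair is generated; without it, placeholder
# PEM blocks are written that satisfy only the structural checks.
make_sample_pair() {
  if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
      -keyout "$1/example.key" -out "$1/example.crt" >/dev/null 2>&1
  else
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
      '-----END CERTIFICATE-----' > "$1/example.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
      '-----END PRIVATE KEY-----' > "$1/example.key"
  fi
}

# demo: run the whole flow in a temporary directory standing in for
# /etc/bp2/haproxy; returns 0 only when every check passes.
demo() {
  work=$(mktemp -d) || return 1
  mkdir "$work/ssl" || return 1
  make_sample_pair "$work" || return 1
  build_haproxy_pem "$work/example.crt" "$work/example.key" "$work/ssl" || return 1
  pem_order_ok "$work/ssl/server.pem" || return 1
  pem_mode_ok "$work/ssl/server.pem" || return 1
  write_ssl_bind_defaults "$work" 'no-sslv3 no-tlsv10' \
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256' || return 1
  rm -rf "$work"
}

demo && echo "server.pem assembled and verified"
```

On a real host you would call build_haproxy_pem with your CA-signed certificate, its key and /etc/bp2/haproxy/ssl, then continue with steps 7 through 10. The two override files hold the values that HAProxy's global ssl-default-bind-options and ssl-default-bind-ciphers directives take, so a typo there surfaces only when the container restarts; the openssl parse in write_ssl_bind_defaults catches it earlier. If your certificate needs intermediate CA certificates, they go into the same bundle after the server certificate and before the key.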

HAProxy behavior

Users connect to the HAProxy leader using the site IP address of the Blue Planet (BP) server that hosts the HAProxy leader. Application instances in the cluster register with HAProxy.

HAProxy uses a leader/standby redundancy method: one HAProxy instance is chosen as the leader and the other two HAProxy instances act as standbys. The HAProxy leader handles all user requests.

For applications that follow a leader/standby redundancy method, HAProxy forwards user requests to the leader application instance.

For applications that follow a peer-to-peer redundancy method, HAProxy load-balances user requests across all application instances in round-robin order.

The site IP address is a floating address shared between the leader server and its standby server. If the leader server that the user is connected to fails, the standby server takes over the site IP address after the failure.
