Setting up HAProxy with systemctl process control

Learn how to set up HAProxy hosts with systemctl process control instead of Podman.

Setting up HAProxy for a hybrid HADR deployment

Deploy Netcool® Operations Insight® in a hybrid high-availability disaster recovery (HADR) configuration. Make sure that the HAProxy hosts are correctly set up. For more information, see Setting up high availability disaster recovery in a hybrid deployment.

Use the following formats for the haproxy.cfg files for the primary and backup clusters.

Primary haproxy.cfg file example
global
    log stdout local0
    # The following is the location for valid certificates for HA Proxy endpoint and the value is given by the PROXY_HOST.
    ca-base <location_of_proxy_certs_directory>
    # For example: ca-base /usr/local/etc/ca-certs

    # PROXY_HOST – will only work with port 443
    # This file configures the east HAProxy
    presetenv PROXY_HOST "<primary_proxy_host>"
    # Use the following line on the west HAProxy
    #presetenv PROXY_HOST "netcool.west.example.com"


    # This is the NOI OCP route endpoint for the PRIMARY Deployment
    setenv NETCOOL_OCP_HOST_PRIMARY "<primary_cluster_netcool_route_address>"

# e.g.     setenv NETCOOL_OCP_HOST_PRIMARY "netcool-hybrid-476.apps.primary-cluster01.cp.xyz.com"

    # This is the NOI OCP route endpoint for the BACKUP Deployment
    setenv NETCOOL_OCP_HOST_BACKUP "<backup_cluster_netcool_route_address>"

defaults
    mode http
    log global
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option httplog

frontend http-in
# This is the server certificate for the proxy frontend hostname, PROXY_HOST. This is usually generated by the Corporation Signing Certificate authority (CA). proxy.pem is the file we created in step 7
    bind *:443 ssl crt / <location_of_proxy_certs_directory>/proxy.pem
    # For example: bind *:443 ssl crt /usr/local/etc/keys/proxy.pem
    use_backend http-out-primary  if { srv_is_up(http-out-primary/noi-primary) }
    use_backend http-out-backup  if { srv_is_up(http-out-backup/noi-backup) }

backend http-out-primary
    option httpchk
    http-check send meth GET uri /coordinator/operationalState hdr Host <primary_cluster_netcool_route_address> hdr Authorization  'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='
#  the basic auth string here is the DR coordinator user:password string coded in base64 (e.g. echo api-username:api-password|base64)
 
#    default-server inter 3s fall 3 rise 2
    # The ca-file refers to the signing certificate of the NETCOOL_OCP_HOST_PRIMARY route endpoint.
    server noi-primary "${NETCOOL_OCP_HOST_PRIMARY}":443 ssl verify none check
    http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
    http-request set-header x-noi-haproxy-host %[req.hdr(Host)]

    acl auth1 res.hdr(Location) -m beg https://<primary_haproxy_full_host_name>/users/api/authprovider/v1/authorize
    # If redirecting to NOI, change base to point to the proxy
    http-request set-header Host "${NETCOOL_OCP_HOST_PRIMARY}"

    http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
    # If redirect has a return URI within NOI, change that as well
    http-response replace-value location ^(.*redirect_uri=[^&]*)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2

backend http-out-backup
    option httpchk
    http-check send meth GET uri /coordinator/operationalState hdr Host <backup cluster netcool route address> hdr Authorization  'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='

#  the basic auth string here is the DR coordinator user:password string coded in base64 (e.g. echo api-username:api-password|base64)

#    default-server inter 3s fall 3 rise 2
    server noi-backup "${NETCOOL_OCP_HOST_BACKUP}":443 ssl verify none check
#    server noi-backup "${NETCOOL_OCP_HOST_BACKUP}" addr "${NETCOOL_OCP_HOST_BACKUP}" port 443 ssl verify none check
    acl auth1 res.hdr(Location) -m beg https:// <primary_haproxy_full_host_name>/users/api/authprovider/v1/authorize

    http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
    http-request set-header Host "${NETCOOL_OCP_HOST_BACKUP}"

    # If redirecting to NOI, change base to point to the proxy
    http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
    # If redirect has a return URI within NOI, change that as well
    http-response replace-value location ^(.*redirect_uri=[^&]*[^\.])"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
Backup haproxy.cfg file example
global
    log stdout local0
    # The following is the location for valid certificates for HA Proxy endpoint and the value is given by the PROXY_HOST.
    ca-base /<location_of_proxy_certs_directory>/
    # For example: ca-base /usr/local/etc/ca-certs

    # PROXY_HOST – will only work with port 443
    # This file configures the east HAProxy
    presetenv PROXY_HOST "<backup_proxy_host_address>"
    # Use the following line on the west HAProxy
    #presetenv PROXY_HOST "netcool.west.example.com"


    # This is the NOI OCP route endpoint for the PRIMARY Deployment
    setenv NETCOOL_OCP_HOST_PRIMARY "<primary_cluster_netcool_route_address>"

    # This is the NOI OCP route endpoint for the BACKUP Deployment
    setenv NETCOOL_OCP_HOST_BACKUP "<backup_cluster_netcool_route_address>"

defaults
    mode http
    log global
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    option httplog

frontend http-in
# This is the server certificate for the proxy frontend hostname, PROXY_HOST. This is usually generated by the Corporation Signing Certificate authority (CA). proxy.pem is the file we created in step 7
    bind *:443 ssl crt /<location_of_proxy_certs_directory>/proxy.pem
    # For example: bind *:443 ssl crt /usr/local/etc/keys/proxy.pem
    use_backend http-out-primary  if { srv_is_up(http-out-primary/noi-primary) }
    use_backend http-out-backup  if { srv_is_up(http-out-backup/noi-backup) }

backend http-out-primary
    option httpchk
    http-check send meth GET uri /coordinator/operationalState hdr Host primary_cluster_netcool_route_address hdr Authorization  'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='
# the authorisation key is the dr coordinator  user:spassword string coded in base64
#    default-server inter 3s fall 3 rise 2
    # The ca-file refers to the signing certificate of the NETCOOL_OCP_HOST_PRIMARY route endpoint.
    server noi-primary "${NETCOOL_OCP_HOST_PRIMARY}":443 ssl verify none check
    http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
    http-request set-header x-noi-haproxy-host %[req.hdr(Host)]

    acl auth1 res.hdr(Location) -m beg https://<backup_proxy_host>/users/api/authprovider/v1/authorize
    # If redirecting to NOI, change base to point to the proxy
    http-request set-header Host "${NETCOOL_OCP_HOST_PRIMARY}"

    http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
    # If redirect has a return URI within NOI, change that as well
    http-response replace-value location ^(.*redirect_uri=[^&]*)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2

backend http-out-backup
    option httpchk
    http-check send meth GET uri /coordinator/operationalState hdr Host <backup_cluster_netcool_route_address> hdr Authorization  'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='

# DR coordinator user:password string coded in base64
#    default-server inter 3s fall 3 rise 2
    server noi-backup "${NETCOOL_OCP_HOST_BACKUP}":443 ssl verify none check
#    server noi-backup "${NETCOOL_OCP_HOST_BACKUP}" addr "${NETCOOL_OCP_HOST_BACKUP}" port 443 ssl verify none check
    acl auth1 res.hdr(Location) -m beg https://<backup_proxy_host_address>/users/api/authprovider/v1/authorize

    http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
    http-request set-header Host "${NETCOOL_OCP_HOST_BACKUP}"

    # If redirecting to NOI, change base to point to the proxy
    http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
    # If redirect has a return URI within NOI, change that as well
    http-response replace-value location ^(.*redirect_uri=[^&]*[^\.])"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
  1. Install and configure the HAProxy to run under systemctl control by creating a system service and updating the /usr/lib/systemd/system/haproxy.service file as required. For more information, see the Configuration Manual external link in the HAProxy documentation.
  2. Instead of running a Podman process for the HAProxy, update the /etc/haproxy/haproxy.cfg files with the Netcool Operations Insight hybrid HADR HAProxy configuration file details, as listed in the Primary haproxy.cfg file and Backup haproxy.cfg file examples.
  3. After the haproxy.cfg file is updated correctly in the /etc/haproxy directory, run or restart the HAProxy process with one of the following commands.
    systemctl start haproxy
    systemctl restart haproxy
    To view the output from the HAProxy process that runs in the background, use the following command.
    systemctl status haproxy
    Example output:
    [root@xyz-haproxy21 haproxy]# systemctl status haproxy
     haproxy.service - HAProxy Load Balancer
         Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset:>
         Active: active (running) since Mon 2024-04-22 05:23:19 PDT; 1min 9s ago
        Process: 63444 ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q (code=>
       Main PID: 63446 (haproxy)
          Tasks: 3 (limit: 11048)
         Memory: 76.6M
            CPU: 458ms
         CGroup: /system.slice/haproxy.service
                 ├─63446 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p>
                 └─63448 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p>
    
    Apr 22 05:24:18 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:18>
    Apr 22 05:24:19 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:19>
    Apr 22 05:24:21 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:21>
    Apr 22 05:24:22 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:22>
    Apr 22 05:24:23 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:23>
    Apr 22 05:24:24 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:24>
    Apr 22 05:24:25 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:25>
    Apr 22 05:24:27 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:27>
    Apr 22 05:24:28 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:28>
    Apr 22 05:24:29 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:29>