Setting up HAProxy with systemctl process control
Learn how to set up HAProxy hosts with systemctl process control instead of Podman.
Setting up HAProxy for a hybrid HADR deployment
Deploy Netcool® Operations Insight® in a hybrid high-availability disaster recovery (HADR) configuration. Make sure that the HAProxy hosts are correctly set up. For more information, see Setting up high availability disaster recovery in a hybrid deployment.
Use the following formats for the haproxy.cfg files for the primary and backup clusters.
Primary haproxy.cfg file
global
log stdout local0
# The following is the location for valid certificates for HA Proxy endpoint and the value is given by the PROXY_HOST.
ca-base <location_of_proxy_certs_directory>
# For example: ca-base /usr/local/etc/ca-certs
# PROXY_HOST – will only work with port 443
# This file configures the east HAProxy
presetenv PROXY_HOST "<primary_proxy_host>"
# Use the following line on the west HAProxy
#presetenv PROXY_HOST "netcool.west.example.com"
# This is the NOI OCP route endpoint for the PRIMARY Deployment
setenv NETCOOL_OCP_HOST_PRIMARY "<primary_cluster_netcool_route_address>"
# e.g. setenv NETCOOL_OCP_HOST_PRIMARY "netcool-hybrid-476.apps.primary-cluster01.cp.xyz.com"
# This is the NOI OCP route endpoint for the BACKUP Deployment
setenv NETCOOL_OCP_HOST_BACKUP "<backup_cluster_netcool_route_address>"
defaults
mode http
log global
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
option httplog
frontend http-in
# This is the server certificate for the proxy frontend hostname, PROXY_HOST. This is usually generated by the Corporation Signing Certificate authority (CA). proxy.pem is the file we created in step 7
bind *:443 ssl crt /<location_of_proxy_certs_directory>/proxy.pem
# For example: bind *:443 ssl crt /usr/local/etc/keys/proxy.pem
use_backend http-out-primary if { srv_is_up(http-out-primary/noi-primary) }
use_backend http-out-backup if { srv_is_up(http-out-backup/noi-backup) }
backend http-out-primary
option httpchk
http-check send meth GET uri /coordinator/operationalState hdr Host <primary_cluster_netcool_route_address> hdr Authorization 'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='
# The basic auth string here is the DR coordinator user:password string encoded in base64 (e.g. printf '%s' 'api-username:api-password' | base64; a plain echo would encode a trailing newline into the password).
# default-server inter 3s fall 3 rise 2
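# The ca-file refers to the signing certificate of the NETCOOL_OCP_HOST_PRIMARY route endpoint. The server line below sets verify none, so no ca-file is used and the endpoint certificate is not validated.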
server noi-primary "${NETCOOL_OCP_HOST_PRIMARY}":443 ssl verify none check
http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
http-request set-header x-noi-haproxy-host %[req.hdr(Host)]
acl auth1 res.hdr(Location) -m beg https://<primary_haproxy_full_host_name>/users/api/authprovider/v1/authorize
# If redirecting to NOI, change base to point to the proxy
http-request set-header Host "${NETCOOL_OCP_HOST_PRIMARY}"
http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
# If redirect has a return URI within NOI, change that as well
http-response replace-value location ^(.*redirect_uri=[^&]*)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
backend http-out-backup
option httpchk
http-check send meth GET uri /coordinator/operationalState hdr Host <backup_cluster_netcool_route_address> hdr Authorization 'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='
# The basic auth string here is the DR coordinator user:password string encoded in base64 (e.g. printf '%s' 'api-username:api-password' | base64; a plain echo would encode a trailing newline into the password).
# default-server inter 3s fall 3 rise 2
server noi-backup "${NETCOOL_OCP_HOST_BACKUP}":443 ssl verify none check
# server noi-backup "${NETCOOL_OCP_HOST_BACKUP}" addr "${NETCOOL_OCP_HOST_BACKUP}" port 443 ssl verify none check
acl auth1 res.hdr(Location) -m beg https://<primary_haproxy_full_host_name>/users/api/authprovider/v1/authorize
http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
http-request set-header Host "${NETCOOL_OCP_HOST_BACKUP}"
# If redirecting to NOI, change base to point to the proxy
http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
# If redirect has a return URI within NOI, change that as well
http-response replace-value location ^(.*redirect_uri=[^&]*[^\.])"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
Backup haproxy.cfg file
global
log stdout local0
# The following is the location for valid certificates for HA Proxy endpoint and the value is given by the PROXY_HOST.
ca-base /<location_of_proxy_certs_directory>/
# For example: ca-base /usr/local/etc/ca-certs
# PROXY_HOST – will only work with port 443
# This file configures the east HAProxy
presetenv PROXY_HOST "<backup_proxy_host_address>"
# Use the following line on the west HAProxy
#presetenv PROXY_HOST "netcool.west.example.com"
# This is the NOI OCP route endpoint for the PRIMARY Deployment
setenv NETCOOL_OCP_HOST_PRIMARY "<primary_cluster_netcool_route_address>"
# This is the NOI OCP route endpoint for the BACKUP Deployment
setenv NETCOOL_OCP_HOST_BACKUP "<backup_cluster_netcool_route_address>"
defaults
mode http
log global
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
option httplog
frontend http-in
# This is the server certificate for the proxy frontend hostname, PROXY_HOST. This is usually generated by the Corporation Signing Certificate authority (CA). proxy.pem is the file we created in step 7
bind *:443 ssl crt /<location_of_proxy_certs_directory>/proxy.pem
# For example: bind *:443 ssl crt /usr/local/etc/keys/proxy.pem
use_backend http-out-primary if { srv_is_up(http-out-primary/noi-primary) }
use_backend http-out-backup if { srv_is_up(http-out-backup/noi-backup) }
backend http-out-primary
option httpchk
http-check send meth GET uri /coordinator/operationalState hdr Host <primary_cluster_netcool_route_address> hdr Authorization 'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='
# The authorisation key is the DR coordinator user:password string encoded in base64.
# default-server inter 3s fall 3 rise 2
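# The ca-file refers to the signing certificate of the NETCOOL_OCP_HOST_PRIMARY route endpoint. The server line below sets verify none, so no ca-file is used and the endpoint certificate is not validated.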
server noi-primary "${NETCOOL_OCP_HOST_PRIMARY}":443 ssl verify none check
http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
http-request set-header x-noi-haproxy-host %[req.hdr(Host)]
acl auth1 res.hdr(Location) -m beg https://<backup_proxy_host>/users/api/authprovider/v1/authorize
# If redirecting to NOI, change base to point to the proxy
http-request set-header Host "${NETCOOL_OCP_HOST_PRIMARY}"
http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
# If redirect has a return URI within NOI, change that as well
http-response replace-value location ^(.*redirect_uri=[^&]*)"${NETCOOL_OCP_HOST_PRIMARY}"(.*)$ \1"${PROXY_HOST}"\2
backend http-out-backup
option httpchk
http-check send meth GET uri /coordinator/operationalState hdr Host <backup_cluster_netcool_route_address> hdr Authorization 'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='
# DR coordinator user:password string coded in base64
# default-server inter 3s fall 3 rise 2
server noi-backup "${NETCOOL_OCP_HOST_BACKUP}":443 ssl verify none check
# server noi-backup "${NETCOOL_OCP_HOST_BACKUP}" addr "${NETCOOL_OCP_HOST_BACKUP}" port 443 ssl verify none check
acl auth1 res.hdr(Location) -m beg https://<backup_proxy_host_address>/users/api/authprovider/v1/authorize
http-request set-header X-NOI-HAProxy-Host %[req.hdr(Host)]
http-request set-header Host "${NETCOOL_OCP_HOST_BACKUP}"
# If redirecting to NOI, change base to point to the proxy
http-response replace-value location ^([^:]*://)"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
# If redirect has a return URI within NOI, change that as well
http-response replace-value location ^(.*redirect_uri=[^&]*[^\.])"${NETCOOL_OCP_HOST_BACKUP}"(.*)$ \1"${PROXY_HOST}"\2
- Install and configure the HAProxy to run under systemctl control by creating a system service
and updating the /usr/lib/systemd/system/haproxy.service file as required. For
more information, see the Configuration Manual
in the HAProxy documentation.
- Instead of running a Podman process for the HAProxy, update the /etc/haproxy/haproxy.cfg files with the Netcool Operations Insight hybrid HADR HAProxy configuration file details, as listed in the Primary haproxy.cfg file and Backup haproxy.cfg file examples.
- After the haproxy.cfg file is updated correctly in the /etc/haproxy directory, run or restart the HAProxy process with one of the following commands.
  systemctl start haproxy
  systemctl restart haproxy
  To view the output from the HAProxy process that runs in the background, use the following command.
  systemctl status haproxy
  Example output:
  [root@xyz-haproxy21 haproxy]# systemctl status haproxy
  haproxy.service - HAProxy Load Balancer
       Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; preset:>
       Active: active (running) since Mon 2024-04-22 05:23:19 PDT; 1min 9s ago
      Process: 63444 ExecStartPre=/usr/local/sbin/haproxy -f $CONFIG -c -q (code=>
     Main PID: 63446 (haproxy)
        Tasks: 3 (limit: 11048)
       Memory: 76.6M
          CPU: 458ms
       CGroup: /system.slice/haproxy.service
               ├─63446 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p>
               └─63448 /usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p>

  Apr 22 05:24:18 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:18>
  Apr 22 05:24:19 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:19>
  Apr 22 05:24:21 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:21>
  Apr 22 05:24:22 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:22>
  Apr 22 05:24:23 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:23>
  Apr 22 05:24:24 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:24>
  Apr 22 05:24:25 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:25>
  Apr 22 05:24:27 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:27>
  Apr 22 05:24:28 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:28>
  Apr 22 05:24:29 xyz-haproxy21.xyz.com haproxy[63448]: <134>Apr 22 05:24:29>
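
A pre-start check for the file deployed to /etc/haproxy, as an added example that is not part of the original documentation: it flags server lines that use ssl verify none (the route endpoint's certificate is then not validated, so the health-check credential is sent to whatever host answers), inline Basic credentials, the documentation's sample credential left in place, a newline encoded into the credential, and a world-readable file. The function names audit_haproxy_cfg and write_sample_cfg, the finding labels, and the hostnames and ca-file path in the sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example: static audit of an haproxy.cfg before `systemctl start haproxy`.
# audit_haproxy_cfg, write_sample_cfg and the finding labels are hypothetical.

audit_haproxy_cfg() {
    cfg=$1
    # The file carries the health-check credential, so it should not be world-readable.
    if [ -n "$(find "$cfg" -perm -004 2>/dev/null)" ]; then echo "0:WORLD_READABLE"; fi
    # Walk active lines only; commented-out alternatives are ignored.
    grep -n -v -E '^[[:space:]]*(#|$)' "$cfg" | while IFS=: read -r num text; do
        # Backend TLS with certificate verification switched off.
        if printf '%s\n' "$text" | grep -q -E '^[[:space:]]*server[[:space:]].*[[:space:]]ssl[[:space:]].*verify[[:space:]]+none'; then
            echo "$num:BACKEND_TLS_UNVERIFIED"
        fi
        # Static Basic credential embedded in an http-check line.
        b64=$(printf '%s\n' "$text" | sed -n -E "s#.*Authorization[[:space:]]+'?Basic[[:space:]]+([A-Za-z0-9+/=]+).*#\1#p")
        if [ -z "$b64" ]; then continue; fi
        echo "$num:INLINE_BASIC_CREDENTIAL"
        # `echo user:pass | base64` encodes a trailing newline into the password.
        last=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tail -c 1 | od -An -tx1 | tr -d ' \n')
        if [ "$last" = "0a" ]; then echo "$num:CREDENTIAL_HAS_TRAILING_NEWLINE"; fi
        # The sample value from the documentation was never replaced.
        if [ "$(printf '%s' "$b64" | base64 -d 2>/dev/null)" = "api_username:api_password" ]; then
            echo "$num:PLACEHOLDER_CREDENTIAL"
        fi
    done
    return 0
}

# Constructed sample modelled on the two backends; hostnames and ca-file path are invented.
write_sample_cfg() {
    cat > "$1" <<'EOF'
backend http-out-primary
    option httpchk
    http-check send meth GET uri /coordinator/operationalState hdr Host noi.primary.example.com hdr Authorization 'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZA=='
    server noi-primary "${NETCOOL_OCP_HOST_PRIMARY}":443 ssl verify none check
backend http-out-backup
    # server noi-backup "${NETCOOL_OCP_HOST_BACKUP}":443 ssl verify none check
    http-check send meth GET uri /coordinator/operationalState hdr Host noi.backup.example.com hdr Authorization 'Basic YXBpX3VzZXJuYW1lOmFwaV9wYXNzd29yZAo='
    server noi-backup "${NETCOOL_OCP_HOST_BACKUP}":443 ssl verify required ca-file /etc/haproxy/noi-route-ca.pem check
EOF
}

# Usage: pass the deployed file, e.g. /etc/haproxy/haproxy.cfg, as the first argument.
if [ -n "${1:-}" ]; then audit_haproxy_cfg "$1"; fi
```

Each finding is printed as line-number:label; line 0 refers to the file itself rather than a line in it.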