Setting up Cloudflare DNS and HAProxy on Oracle Cloud Infrastructure for High Availability

Goal

This blog covers the end-to-end administrative setup of a high-availability architecture: registering a domain name with a service provider, configuring DNS at Cloudflare, and setting up HAProxy for high-availability load balancing on Oracle Cloud Infrastructure.

Requesting a Domain Name

You can purchase a domain name from a service provider such as GoDaddy or any other registrar; in this case I will use the example of a domain name purchased from GoDaddy.

Log in to the My Account page to review your domain name.

Setting up DNS at Cloudflare

Log in to your Cloudflare account and register your site. You have the option of a free or a paid plan; choose the one that best suits your needs. Give the IP address of your load balancer and whitelist all the servers that you will be accessing.

Add an A record under the DNS tab


Note: the A record should point to the public IP of your load balancer running the HAProxy service.

Set the caching level so that pages load faster.

Setting up the Cloudflare DNS at GoDaddy

From the My Account page, click on the Manage Domain option. You now need to point the domain at the Cloudflare nameservers you received, from the GoDaddy domain console.

Architecture

Request from the public internet -> GoDaddy hostname lookup -> DNS lookup -> connect to Cloudflare -> Cloudflare serves content from its cache servers -> map the request to the load balancer IP -> the load balancer decides which server takes the request -> Cloudflare responds to the request

Figure: Architecture without load balancing

Figure: Architecture with load balancing

Setting up Back end machines

The backend machines hold identical copies of the source code you want to run; ideally they sit in different availability domains. We can use Bitnami or OCI to create a simple backend machine.

In our case we will set up a LAMP machine through Bitnami.

Refer to my previous blog post on how to set up an Ubuntu 16.04 LAMP Bitnami image.

We now have two identical machines with the same code and two public IP addresses:

LAMP Machine 1 -> public IP address AA.BB.CC.DD

LAMP Machine 2 -> public IP address AA.BB.EE.FF

Setting up Front end machines

Similarly, we will create one more LAMP machine to run HAProxy for load balancing:

LAMP Machine 3 -> public IP address AA.BB.DD.EE

Setting up HAProxy on Ubuntu 16.04

SSH into the HAProxy machine (Ubuntu 16.04 LAMP stack) and stop the Apache server that ships with the Bitnami stack, since HAProxy will bind port 80:

chmod 700 bitnami-opc-a457995.pem
ssh -i bitnami-opc-a457995.pem bitnami@publicIP
....
bitnami@ubuntu:/etc/haproxy$ sudo /opt/bitnami/ctlscript.sh stop

Install HAProxy

bitnami@ubuntu:~$ sudo apt-get -y install haproxy
bitnami@ubuntu:/etc/haproxy/keys$ haproxy -v
HA-Proxy version 1.7.10-1ppa1~xenial 2018/01/03
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

Configure HAProxy

HAProxy's balance directive supports several load-balancing algorithms; the three most commonly used are:

roundrobin

Selects servers in turn. This is the default algorithm.

leastconn

Selects the server with the fewest active connections; it is recommended for longer sessions. Servers in the same backend are also rotated in round-robin fashion.

source

Selects the server based on a hash of the source IP, i.e. the user's IP address. This is one way to ensure that a user keeps connecting to the same server.

bitnami@ubuntu:/etc/haproxy$ sudo vi /etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
   bind *:80
   option forwardfor
   stats uri /haproxy?stats
   default_backend http_back

backend http_back
   balance roundrobin
   server server246  AA.BB.CC.DD:80 check
   server server158  AA.BB.EE.FF:80 check
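The frontend above serves the stats page on the public port 80 with no authentication, so anyone who can reach the load balancer can read backend addresses and health state. The fragment below is an added example, not from the original post: the same frontend and backend sections with the stats page moved to a loopback-only, password-protected listener and an HTTP health check on the backends. The stats port, the credentials and the optional Cloudflare IP list file are placeholders you must replace.

```haproxy
# Hardened variant of the page's frontend/backend sections (replaces them; do not keep both).

frontend http_front
   bind *:80
   option forwardfor
   # Optional: accept application traffic only from the Cloudflare proxy ranges,
   # so the balancer cannot be reached directly. The list file is a placeholder
   # you populate yourself; haproxy -c fails if it is missing, so omit these
   # two lines if you do not maintain such a list.
   acl from_cloudflare src -f /etc/haproxy/cloudflare_ips.lst
   http-request deny if !from_cloudflare
   default_backend http_back

# Stats page on its own listener: loopback only, authenticated, version hidden.
# Reach it over an SSH tunnel: ssh -L 8404:127.0.0.1:8404 bitnami@publicIP
listen stats
   bind 127.0.0.1:8404
   mode http
   stats enable
   stats uri /haproxy?stats
   stats refresh 10s
   stats hide-version
   stats auth admin:CHANGE_ME      # placeholder credentials, replace before use

backend http_back
   balance roundrobin
   # Active HTTP health check instead of a bare TCP connect: a backend that
   # accepts the connection but answers with an error is taken out of rotation.
   option httpchk GET /
   http-check expect status 200
   server server246  AA.BB.CC.DD:80 check inter 5s fall 3 rise 2
   server server158  AA.BB.EE.FF:80 check inter 5s fall 3 rise 2
```

Validate with the same `haproxy -f /etc/haproxy/haproxy.cfg -c` command used below before restarting the service.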

Check that the configuration file is valid, then restart the service

bitnami@ubuntu:/etc/haproxy$ haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid
bitnami@ubuntu:/etc/haproxy$ sudo service haproxy status
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
   Active: inactive (dead) (Result: exit-code) since Sun 2018-04-08 12:12:54 UTC; 17min ago
     Docs: man:haproxy(1)
           file:/usr/share/doc/haproxy/configuration.txt.gz
  Process: 7936 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=1/FAILURE)
  Process: 7932 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
 Main PID: 7936 (code=exited, status=1/FAILURE)
...
bitnami@ubuntu:/etc/haproxy$ sudo service haproxy restart

Conclusion: Now, every time a user accesses your domain, the load balancer serves the request from one of the IP addresses listed in the configuration, thereby ensuring high availability.

Author Madhusudhan Rao