Updated HAProxy Load Balancer Virtual Appliance

(Diagram: VMware View with HAProxy Load Balanced Security Servers and Connection Servers)

Last year I shared a free load balancer virtual appliance for VMware View that I created on SuSE Studio.  The load balancer uses HAProxy and came with a very basic configuration for use with VMware Horizon View Connection Servers or Security Servers.  The appliance has been downloaded a few hundred times and has been useful to me in my own home lab.

Since publishing the appliance I have made several changes to the configuration and thought I would share those updates.

You can download the latest version of the appliance in OVF format here: http://susestudio.com/a/R42GDM/vmtoday-vmware-view-load-balancer.

Instructions for setting up and configuring the appliance are on the original post here: http://vmtoday.com/2012/09/free-vmware-view-load-balancer-using-suse-studio-and-haproxy/.

I’ve been asked whether or not this is appropriate for production use; that’s a hard one to answer.  My intent was to provide a simple way to set up load balancing for test/pilot environments.  Here are some thoughts on running this for production/internet facing use:

  • HAProxy is stable and used by many organizations (Reddit, Instagram, Egnyte, RedHat OpenShift, Twitter).
  • I am not a linux guy and as such have not done anything to harden this virtual appliance other than enable the firewall, but a good *nix admin could probably tighten it up a bit.
  • This is a single point of failure unless you create a second instance and use something like keepalived and maybe mercurial to keep configs in sync.
  • No commercial support for my build.  I’ll do what I can to help if you ask nicely, but I do have a day job and family.
  • Logging is not very robust in my build – you would probably want to implement Logwatch, syslog or another mechanism to monitor it.

I’ll leave it up to you to weigh the pros and cons of running my appliance in an internet facing role or in production.

I’ve also been asked if this appliance can support SSL offloading.  The short answer is no.  The long answer is that HAProxy 1.5 (still in development) will offer SSL offloading, SSL health checks, ACLs and a bunch of other features.  I have also heard of people using Pound in front of HAProxy to handle SSL offloading, but have not done it myself.  I’m working on a couple of articles that describe architectures and options for Horizon View Security Servers and Connection Servers with load balancers and DMZs.  You may find that SSL offloading for VMware Horizon View is not a requirement (at least for those who are using this appliance in a test environment).

Change Log (as of 0.2.16 of the appliance)

  1. Updated HAProxy to 1.4.24-1 as the older version had some vulnerabilities (CVE-2013-2175).  I built the RPM from source for this version as it was not in any public repositories for SLES 11.  Previous versions of my appliance used HAProxy version 1.4.21-3.1.
  2. Cleaned up some of the extraneous packages and old repositories for a leaner build.
  3. Updated VMware Tools to the latest version.
  4. Updated the HAProxy config to:
  • Established a proper frontend / backend configuration – this helps with the web-based admin interface used to enable/disable Connection / Security Servers during maintenance windows.
  • Removed session stickiness – it was not working well and is really not needed.
  • Switched to source-based balancing instead of round robin, as some folks reported problems with round robin.
  • Added some comments to help with configuration.

Here’s the updated configuration for anyone who is rolling their own HAproxy:

[sourcecode]
### VMware Horizon View LoadBalancer vApp
### HAproxy config by Josh Townsend
### Visit http://vmtoday.com for more info

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    pidfile /var/run/haproxy.pid
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    stats socket /var/run/haproxy.stat mode 600

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 3000
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s

# Accounts for the stats page. 'insecure-password' keeps the password in clear
# text in this file; HAProxy 1.4 also accepts 'password' followed by a crypt(3)
# hash. Change both passwords before exposing port 1936 to anyone.
userlist UsersFor_HAProxyStatistics
    group admin users haproxy
    user haproxy insecure-password HA@VmView5
    user stats insecure-password letmein

listen stats *:1936
    mode http
    stats enable
    #stats scope http
    #stats scope www
    #stats scope static
    #stats scope static_httpclose
    #stats realm Haproxy\ Statistics
    stats uri /haproxy?stats
    #stats auth haproxy:HA@VmView5
    stats refresh 20s
    stats show-node
    stats show-legends
    # read-only access for any user in the userlist, admin actions only for the admin group
    acl AuthOkay_ReadOnly http_auth(UsersFor_HAProxyStatistics)
    acl AuthOkay_Admin http_auth_group(UsersFor_HAProxyStatistics) admin
    stats http-request auth realm HAProxy-Statistics unless AuthOkay_ReadOnly
    stats admin if AuthOkay_Admin

#-----------FRONTEND--------------------------------------------------
#---------------------------------------------------------------------
# redirect http to https as View Security Servers don't listen on 80
# change URL to the DNS name your users use to connect to View
#---------------------------------------------------------------------
frontend inbound-http *:80
    mode http
    redirect location https://desktop.example.com/
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option httplog
#---------------------------------------------------------------------
# listen for View HTTPS inbound
# use OpenSSL to create cert request, import .pem, uncomment #ssl crt
# (the 'ssl crt' bind option needs HAProxy 1.5; on 1.4 it is a parse error)
#---------------------------------------------------------------------
frontend inbound-https
    bind :443 #ssl crt ./my_view_cert.pem
    mode tcp
    option tcplog
    default_backend view_https

#---------------------------------------------------------------------
# listen for View PCoIP inbound <- ignore, we don't balance UDP
# PCoIP Secure Gateway Config will tell client which broker to talk to
#---------------------------------------------------------------------
#frontend inbound-pcoip
#    bind :4172
#    mode tcp
#    default_backend view_pcoip
#---------------------------------------------------------------------
# listen for View RDP inbound
#---------------------------------------------------------------------
#frontend inbound-rdp
#    bind :3389
#    mode tcp
#    default_backend view_rdp

#-----------BACKEND---------------------------------------------------
#---------------------------------------------------------------------
# Define your View Security or Connection Servers here
# balance source will use source IP to send to a backend - this may not
# be the most equally balanced, but it works reliably. Play with roundrobin
# if you are the adventurous type.
#---------------------------------------------------------------------
backend view_https
    mode tcp
    option tcplog
    option ssl-hello-chk #make sure we can talk SSL, not just TCP
    balance source
    #-- Balance roundrobin with stickiness with 3 lines below------------
    #balance roundrobin
    #stick store-request src
    #stick-table type ip size 200k expire 30m
    #---------------------------------------------------------------------
    # Add View Security and/or Connection Servers below and uncomment
    #---------------------------------------------------------------------
    #server ALIAS HOSTNAME_OR_IP:443 check id 1 inter 10s rise 5 fall 2
    #server ALIAS HOSTNAME_OR_IP:443 check id 2 inter 10s rise 5 fall 2
    #server ALIAS HOSTNAME_OR_IP:443 check id 3 inter 10s rise 5 fall 2

#No need for this in my configuration....
#backend view_pcoip
#    mode tcp
#    option tcplog
#    balance roundrobin
#---------------------------------------------------------------------
#Next line sticks clients that enter through https-backend to same server for PCoIP.
#Session sticking doesn't quite work the way I want, and View is flexible to let me
#define a PCoIP Secure Gateway without having to pass thru my load balancer, so
#I'll just comment this out and ignore until (if?) I get HAproxy 1.5 with SSL support
#when I'll be able to run everything through HAproxy
#    stick match src table view_https
#---------------------------------------------------------------------
# Add View Security and/or Connection Servers below and uncomment
#---------------------------------------------------------------------
#    server ALIAS HOSTNAME_OR_IP:4172 check id 1
#    server ALIAS HOSTNAME_OR_IP:4172 check id 2
#    server ALIAS HOSTNAME_OR_IP:4172 check id 3

#No need for this in my configuration....you can play with different protocols if you want...
#backend view_rdp
#    mode tcp
#    option tcplog
#    balance roundrobin
#    stick-table type ip size 200k expire 30m
#    stick on src
#---------------------------------------------------------------------
# Add View Security and/or Connection Servers below and uncomment
# (RDP listens on 3389, matching the inbound-rdp frontend above)
#---------------------------------------------------------------------
#    server ALIAS HOSTNAME_OR_IP:3389 check id 1
#    server ALIAS HOSTNAME_OR_IP:3389 check id 2
#    server ALIAS HOSTNAME_OR_IP:3389 check id 3
[/sourcecode]

The source for my HAProxy RPM build, HAProxy cfg and other files for the appliance are now in a GitHub Repository if you want to check it out or fork it.
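Since logging on the appliance is thin (see the notes above), a small monitor that reads the stats listener is the usual stopgap. The Python below is an added example, not code from the appliance or its GitHub repository: it parses the CSV export that HAProxy 1.4 serves when `;csv` is appended to the stats URI (http://<lb>:1936/haproxy?stats;csv, the same format `show stat` returns on the stats socket) and reports servers in the view_https backend that are down or flapping. The sample CSV is constructed and trimmed to a few columns, and the server names are assumptions.

```python
"""Report View backend health from the HAProxy stats CSV export."""
import csv
import io

# Constructed sample, trimmed to a handful of the columns HAProxy emits.
# The real header line starts with '# ' and every row ends with a trailing
# comma, so the parser keys on column names rather than fixed positions.
SAMPLE_CSV = """# pxname,svname,scur,status,weight,act,bck,chkfail,chkdown,lastchg,check_status,
stats,FRONTEND,1,OPEN,,,,,,,,
view_https,FRONTEND,12,OPEN,,,,,,,,
view_https,view-cs01,7,UP,1,1,0,0,0,86400,L6OK,
view_https,view-cs02,5,UP,1,1,0,2,1,3600,L6OK,
view_https,view-cs03,0,DOWN,1,0,0,9,3,120,L4CON,
view_https,BACKEND,12,UP,2,2,0,,3,120,,
"""


def parse_stats(text):
    """Return one dict per CSV row, keyed by the names in the header line."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("# "):
        raise ValueError("not an HAProxy stats export")
    lines[0] = lines[0][2:]  # drop the '# ' prefix so csv sees a normal header
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def backend_servers(rows, backend):
    """Real servers in a backend; FRONTEND/BACKEND rows are aggregates."""
    return [r for r in rows
            if r["pxname"] == backend and r["svname"] not in ("FRONTEND", "BACKEND")]


def unhealthy(rows, backend):
    """Servers whose health check (option ssl-hello-chk here) is not passing."""
    return [r["svname"] for r in backend_servers(rows, backend)
            if not r["status"].startswith("UP")]


def flapping(rows, backend, max_chkdown=2):
    """Servers that have gone DOWN more than max_chkdown times since start."""
    return [r["svname"] for r in backend_servers(rows, backend)
            if int(r["chkdown"] or 0) > max_chkdown]


if __name__ == "__main__":
    rows = parse_stats(SAMPLE_CSV)
    print("down:", unhealthy(rows, "view_https"))      # ['view-cs03']
    print("flapping:", flapping(rows, "view_https"))   # ['view-cs03']
```

Point it at the live export with a periodic fetch of the CSV URL (using the read-only stats account) and alert when either list is non-empty.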

(Screenshot: OVF Import warning, “The specified operating system identifier "(id:83)" is not supported”)

One final note – when you import the OVF into vSphere, you may get a warning stating that “The specified operating system identifier “(id:83)” is not supported on the selected host.”  I’m not sure why, but this is easily fixed.  Don’t power up the VM on import.  After the import is completed, edit the settings of your VM.  On the Options tab, click General Options, then change the Linux Version to SuSE Linux Enterprise 11 (64-bit).  Power up your VM and everything should be just fine.

(Screenshot: Change VM Linux version)

Special thanks to Mark K for some suggestions for improving the configuration.  Let me know if you have any problems, questions, or suggestions for improvement.  Also feel free to leave a comment below to let me know of some creative ways you are using this appliance.

Comments

  1. For those who want an HAProxy based appliance with support and SSL offloading, simply use an ALOHA from @exceliance: http://www.exceliance.fr/en/aloha-load-balancer-virtual-appliance

  2. Josh,
    Great work and site. In my RSS feed.

    Wondering if you have tried the appliance for SSO HA?

  3. Milan Markovic says:

    Hi Josh,

    I installed your appliance, but when trying to uncomment the ssl cert as follows:

    frontend inbound-https
    bind :443 ssl crt ./cert.pem

    then after reloading haproxy, I got error:

    [ALERT] 063/113323 (6522) : parsing [/etc/haproxy/haproxy.cfg:72] : ‘bind’ only supports the ‘transparent’, ‘defer-accept’, ‘name’, ‘id’, ‘mss’ and ‘interface’ options.
    [ALERT] 063/113323 (6522) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
    [ALERT] 063/113323 (6522) : Fatal errors found in configuration.

    Does it mean that this version of haproxy does not support SSL certificates? What should be done in order to be able to use SSL certificates (CA signed or self-signed)?

    Milan

  4. When I use the balance option: balance source
    No problems whatsoever, but then the load isn’t shared like round robin.

    But when I choose as balance option: round robin
    we notice an error upon connecting to the connection servers: Your session has expired. Please re-connect the server.

    Did you experience the same problem? Is this due to session stickiness, which I can’t get to work?

    All I want is to redirect the traffic TCP based (straight redirection) with the connections evenly directed, like round robin.

    Thnx in advance!
