Updated HAProxy Load Balancer Virtual Appliance

Last year I shared a free load balancer virtual appliance for VMware View that I created on SuSE Studio.  The load balancer uses HAProxy and came with a very basic configuration for use with VMware Horizon View Connection Servers or Security Servers.  The appliance has been downloaded a few hundred times and has been useful to me in my own home lab.

Since publishing the appliance I have made several changes to the configuration and thought I would share those updates.

You can download the latest version of the appliance in OVF format here: http://susestudio.com/a/R42GDM/vmtoday-vmware-view-load-balancer.

Instructions for setting up and configuring the appliance are on the original post here: http://vmtoday.com/2012/09/free-vmware-view-load-balancer-using-suse-studio-and-haproxy/.

I’ve been asked whether or not this is appropriate for production use; that’s a hard one to answer.  My intent was to provide a simple way to set up load balancing for test/pilot environments.  Here are some thoughts on running this for production/internet facing use:

  • HAProxy is stable and used by many organizations (Reddit, Instagram, Egnyte, RedHat OpenShift, Twitter).
  • I am not a Linux guy and as such have not done anything to harden this virtual appliance other than enable the firewall, but a good *nix admin could probably tighten it up a bit.
  • This is a single point of failure unless you create a second instance and use something like keepalived and maybe mercurial to keep configs in sync.
  • No commercial support for my build.  I’ll do what I can to help if you ask nicely, but I do have a day job and family.
  • Logging is not very robust in my build – you would probably want to implement Logwatch, syslog or another mechanism to monitor it.

I’ll leave it up to you to weigh the pros and cons of running my appliance in an internet facing role or in production.

I’ve also been asked if this appliance can support SSL offloading.  The short answer is no.  The long answer is that HAProxy 1.5 (still in development) will offer SSL Offloading, SSL health checks, ACLs and a bunch of other features.  I have also heard of people using Pound with HAProxy to handle SSL offloading, but have not done it myself.  I’m working on a couple articles that describe architectures and options for Horizon View Security Servers and Connection Servers with load balancers and DMZs.  You may find that SSL offloading for VMware Horizon View is not a requirement (at least for those who are using this appliance in a test environment).

Change Log (as of 0.2.16 of the appliance)

  1. Updated HAProxy to 1.4.24-1 as the older version had some vulnerabilities (CVE-2013-2175).  I built the RPM from source for this version as it was not in any public repositories for SLES 11.  Previous versions of my appliance used HAProxy version 1.4.21-3.1.
  2. Cleaned up some of the extraneous packages and old repositories for a leaner build.
  3. Updated VMware Tools to the latest version.
  4. Updated the HAProxy config to:
       • Establish a proper frontend / backend configuration – this will help with the web based admin interface to enable/disable Connection / Security servers during maintenance windows.
       • Remove session stickiness – not working well and really not needed.
       • Switch to source-based balancing instead of round robin as some folks reported problems.
       • Add some comments to help with configuration.

Here’s the updated configuration for anyone who is rolling their own HAProxy:


The source for my HAProxy RPM build, HAProxy cfg and other files for the appliance are now in a GitHub Repository if you want to check it out or fork it.
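
As an added illustration (not the appliance's shipped haproxy.cfg and not taken from the author's repository), here is a minimal HAProxy 1.4 configuration with the properties the change log describes: a separate frontend and backend, source-based balancing, no session stickiness, and TLS passed through untouched because 1.4 cannot terminate it. Section names, server names, the 192.0.2.x addresses and the stats credentials are placeholders.

```haproxy
# Added example for HAProxy 1.4.x; every name, address and credential is a placeholder.
global
    log 127.0.0.1 local0          # send logs to a local syslog listener
    maxconn 4096
    user haproxy                  # drop privileges after binding :443
    group haproxy
    daemon

defaults
    log global
    mode tcp                      # pass TLS through unmodified; 1.4 has no "bind ... ssl"
    option tcplog
    option dontlognull
    retries 3
    timeout connect 5s
    timeout client 1h             # long-lived desktop sessions
    timeout server 1h

# Client-facing listener for View clients
frontend inbound-https
    bind :443
    default_backend view-servers

# Connection Servers or Security Servers
backend view-servers
    # Hash the client source IP so every connection from one client reaches
    # the same server; no cookie or stick-table stickiness is configured.
    balance source
    server view01 192.0.2.11:443 check    # plain TCP health check
    server view02 192.0.2.12:443 check

# Web admin interface used to enable/disable servers during maintenance.
# It speaks plain HTTP with basic auth, so bind it to a management address
# only and keep it off the internet-facing interface.
listen stats
    bind 192.0.2.10:8080
    mode http
    stats enable
    stats uri /haproxy-stats
    stats realm HAProxy\ Statistics
    stats auth admin:CHANGE-ME
    stats admin if TRUE           # allow enable/disable actions from the page
```

The file can be syntax-checked before a reload with `haproxy -c -f /etc/haproxy/haproxy.cfg`.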

One final note – when you import the OVF into vSphere, you may get a warning stating that “The specified operating system identifier ‘(id:83)’ is not supported on the selected host.”  I’m not sure why, but this is easily fixed.  Don’t power up the VM on import.  After the import is completed, edit the settings of your VM.  On the Options tab, click General Options, then change the Linux Version to SuSE Linux Enterprise 11 (64-bit).  Power up your VM and everything should be just fine.

Special thanks to Mark K for some suggestions for improving the configuration.  Let me know if you have any problems, questions, or suggestions for improvement.  Also feel free to leave a comment below to let me know of some creative ways you are using this appliance.

Comments

  1. For those who want an HAProxy based appliance with support and SSL offloading, simply use an ALOHA from @exceliance: http://www.exceliance.fr/en/aloha-load-balancer-virtual-appliance

  2. Josh,
    Great work and site. In my RSS feed.

    Wondering if you have tried the appliance for SSO HA?

  3. Milan Markovic says:

    Hi Josh,

    I installed your appliance, but when trying to uncomment the SSL cert as follows:

    frontend inbound-https
    bind :443 ssl crt ./cert.pem

    then after reloading haproxy, I got error:

    [ALERT] 063/113323 (6522) : parsing [/etc/haproxy/haproxy.cfg:72] : ‘bind’ only supports the ‘transparent’, ‘defer-accept’, ‘name’, ‘id’, ‘mss’ and ‘interface’ options.
    [ALERT] 063/113323 (6522) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
    [ALERT] 063/113323 (6522) : Fatal errors found in configuration.

    Does it mean that this version of haproxy does not support SSL certificates? What should be done in order to be able to use SSL certificates (CA signed or self-signed)?

    Milan

  4. When I use the balance option: balance source
    No problems whatsoever, but then the load isn’t shared like round robin.

    But when I choose as balance option: round robin
    we notice an error upon connecting to the connection servers: Your session has expired. Please re-connect the server.

    Have you experienced the same problem? Is this due to session stickiness, which I can’t get to work?

    All I want is to redirect the traffic TCP based (straight redirection) and the connections evenly directed based like round robin.

    Thnx in advance!
