Personal tools

Haproxy package

From PFSenseDocs

Jump to: navigation, search

HAProxy[1] is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing. Supporting tens of thousands of connections is clearly realistic with todays hardware. Its mode of operation makes its integration into existing architectures very easy and riskless, while still offering the possibility not to expose fragile web servers to the Net.

Package Variants

Some of these may not appear on all platforms.

  • HAproxy-devel - Development version with new features and a newer HAproxy binary release. Recommended for testing, and if new features are required, deployment after testing.
  • HAproxy-full - The current recommended package for general use.
  • HAproxy - A version based on HAproxy-full's predecessor that does not include the changes in HAproxy-full. See this forum thread for details.

Recent Changes

  • Current version as of July 7, 2013: 1.4.24 pkg v 1.2

Older Releases:

  • 1.00 - A lot of changes and fixes:
    • Versioning changed - The package will show the version as "1.4.18 pkg v 1.0" where the first version is the version of the HAProxy binary, and the second is the package version.
    • HAProxy has been updated to 1.4.18, with separate compiled versions for 32 bit (i386) and 64 bit (amd64).
    • New Status Options - In addition to active and inactive, the options backup and disabled are available as a status for servers. These options translate directly to the equivalent options in HAProxy.
    • Monitor URI is now Optional - Having monitor URI as a required option prevented non-HTTP TCP frontends from operating properly.
    • XMLRPC Sync - Fixed two problem that prevented configuration sync from working correctly.
    • New Stats Options - Node name, node description, and auto-refresh are now available for the stats page.
    • New Load Balancing Options - The static-rr and leastconn load balancing options offered by HAProxy are not available options when creating frontends.
    • Ports Text Box - The ports box takes a comma separated list of ports but was limited to 10 characters. This has been raised to 500.
    • Global Advanced Options - Fixed a problem with the Advanced Options box on the globals tab that caused it to garble the text in both the HAProxy config and on display in the UI.
    • Default Tab - The default tab has been changed to the global tab rather than the frontends tab. Makes it easier to see the generated config after saving.
  • 0.29 - option to output the automatically generated haproxy.cfg on the global settings tab.
  • 0.28 - nbproc is now a setting on the global settings tab (number of processes in haproxy manual speak). local0 is now appended to the ip address of the remote syslog server.
  • 0.27 - open files limit increased, check inter now an option. http close and forward for now working correctly when unchecked
  • 0.26 - haproxy application version bumped to HA-Proxy version 1.3.22 2009/10/14
  • 0.25 - advanced box now allows carriage returns to separate multiple options/directives
  • 0.24 - Retries is no longer a required field
  • 0.23 - Advanced box added which allows passing thru to the haproxy configuration file options or directives that are not supported by the GUI.
  • 0.22 - httpclose is now an option
  • 0.21 - forwardfor is now an option
  • 0.19 - Remote logging feature added
  • 0.18 - Ability to select multiple frontends added
  • 0.16 - https mode added which will automatically adjust backend configuration
  • 0.15 - Configuration synchronization added for CARP clusters
  • 0.01 - Converted to a pfSense package

Status

Stable

Known issues

  • When editing a frontend, you choose an External Address and the description refers to "the interface chosen above" but you aren't able to choose an interface. Your only options for the address are "Interface Address", "Any", and any defined VIPs. I assume that the interface it chooses normally is the WAN, but this should be clarified.
  • Selecting Cancel when editing a frontend or server seems to use browser back; that means if you got to the previous page from a POST, it will ask you to resubmit the data, which is not desirable.
  • When changes are applied, it appears that everything was successful whether it is or not. If something you did caused an invalid HAProxy config to be generated, HAProxy will not be stopped nor will it be restarted. There is no error message to indicate that this is the case and the Apply Changes button will disappear.
  • Most time-based options appear to be optional and specify "default" amounts but are actually required (and shouldn't be).
  • Some unexpected behavior for those who are used to HAProxy configuration alone (see the differences section).

A matrix of haproxy application known bugs are located here[2]. This is out-of-date but there is no newer version as of this writing.

Things that could be improved

  • Configuration Sync should have X number of possible nodes, in the form of a list where you add additional nodes, rather than 3 static boxes.
  • An overhaul of the package to fully utilize HAProxy's capabilities. It would be difficult to simply add in tabs for the other sections due to internal naming. In the package, the "frontends" you set up in the Frontends tab are referred to in the configuration as backends. Including full support for frontends, backends, and listen sections would make it possible to use a lot more advanced features even without direct GUI support for them (through the use of the advanced pass thru box).
  • HAProxy has options for soft-restarts, which are useful in a high-availability environment. Some changes would be needed to the way the Apply Changes button works, or maybe make it optional. It needs more research.
  • Make all time fields accept the same time units that HAProxy does for the particular field.

Differences between this package and HAProxy used directly

HAProxy defines five main sections in its configuration.

  • global
  • defaults
  • frontend
  • backend
  • listen

global defines options that process-wide and often OS-specific.

defaults sets default parameters for all other sections following its declaration.

frontend describes a set of listening sockets accepting client connections.

backend describes a set of servers to which the proxy will connect to forward incoming connections.

listen defines a complete proxy with its frontend and backend parts combined in one section. It is generally useful for TCP-only traffic.


In the pfSense package, you have tabs to define "frontends" and "servers" but the resulting configuration is actually made up completely of listen sections. This is okay for the most part, but it does prevent advanced usages that need to refer to several backends and the like.

In HAProxy, you can make a single server directive with a blank port and it will listen on all the ports of the frontend that it is assigned to. The package's GUI implies that this will be the case by leaving the port blank.

What actually gets generated instead is a single server directive for each port that the frontend is listening on. This is an important difference when the ports that are being listened on are not interchangeable. Example:

You define a front end for SMTP connections listening on ports 25 and 465. The server is listening on both of those ports, but 25 does not accept SSL/TLS and 465 does. You want it so that when someone connects to the proxy on port 25, they get connected to the server on port 25, and when they connect on 465, they get connected to the server on port 465.

In a standard HAProxy configuration where you set the frontend to listen on both ports and you set a single server directive with no port, it will operate the way you expect.

In pfSense, two server directives will be generated; one for each port. HAProxy will not send connections the way you expect. It will loadbalance between them, regardless of whether the frontend and server ports match.

Therefore in pfSense you need to create a separate frontend for this, as they are essentially different services. You listen on port 25 and 2525, and it doesn't matter whether someone connected on one port gets directed to the other, then you can combine them.

Splitting the servers up by port also means that you'll see a separate entry for each one in the stats page, but the port will not be shown. In an HAProxy configuration where a single server directive has no ports and effectively handles multiple (due to inheriting from the frontend) it will only show up in the stats once.

Package maintainer special instructions

Add to /etc/make.conf: CFLAGS=-O2 -static

FreeBSD package information

Built from /usr/ports/net/haproxy-devel. Code for the pfSense package is located here[3].

pfSense package creator

Scott Ullrich turned the submission into a package and added many features outlined above.

Originally created by

Remco Hoef as a base system contribution[4].

Additional features and improvements by

Brian Scholer made the changes for package version 1.00, with help from forums user marcelloc to compile the binaries and publish the final version of the package.

ESF package support status

This package is currently supported by pfSense/ESF support [5]