[TUTORIAL] Config Dump: Apache Load Balancer (Fail-Over) and Reverse Proxy

Jul 24, 2023
Config dump from our running and working Apache reverse proxy with load balancer config, in case someone needs it.

Needed Apache modules:
Code:
proxy_http
proxy_balancer
lbmethod_byrequests

vhost config:

Code:
<VirtualHost *:443>

    ServerName PROXMOX.DOMAIN.TLD

    ServerSignature Off
    TraceEnable Off

    LogLevel Warn
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined


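    # "/" covers every URL path; a wildcard such as "/*" does not match across "/"
    <Location />

        # Apache 2.4 form of "Order allow,deny" + "Allow from"
        Require ip 192.168.0.0/16

    </Location>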


    <IfModule mod_proxy_balancer.c>

    <Proxy balancer://proxmox>
        BalancerMember https://PROXMOX-1.DOMAIN.TLD:8006
        BalancerMember https://PROXMOX-2.DOMAIN.TLD:8006 status=+H
        ProxySet lbmethod=byrequests
    </Proxy>

    </IfModule>


    <IfModule mod_proxy.c>

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyErrorOverride On

    SSLProxyEngine On

    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1

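    # Certificate checks for the backend connection are switched off:
    # the proxy accepts whatever certificate the Proxmox nodes present
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off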

    ProxyPass "/" "balancer://proxmox/"
    ProxyPassReverse "/" "balancer://proxmox/"

    </IfModule>


    <IfModule mod_ssl.c>

    SSLCertificateFile /etc/letsencrypt/live/PROXMOX.DOMAIN.TLD/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/PROXMOX.DOMAIN.TLD/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    </IfModule>


</VirtualHost>

The option "status=+H" on BalancerMember number 2 (or any following servers) enables fail-over. These hosts are only used if the non-"status=+H" server fails to answer.
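
An added example, not part of the original post: a small Python check that reads a vhost like the one above, lists which BalancerMember entries are hot standbys (status=+H), and reports the lines that switch off certificate checks for the backend connection. The function names and the embedded sample are constructed for illustration.

```python
# Constructed sample: the balancer and backend TLS lines of the vhost posted above.
SAMPLE_VHOST = """\
<Proxy balancer://proxmox>
    BalancerMember https://PROXMOX-1.DOMAIN.TLD:8006
    BalancerMember https://PROXMOX-2.DOMAIN.TLD:8006 status=+H
    ProxySet lbmethod=byrequests
</Proxy>
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
"""

# Directive -> value that switches a backend certificate check off.
WEAK = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
        "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}


def status_flags(value):
    """Parse a BalancerMember status string such as '+H' or 'S-E' into set flags."""
    sign, flags = "+", set()  # letters are set unless preceded by '-'
    for ch in value:
        if ch in "+-":
            sign = ch
        elif sign == "+":
            flags.add(ch.upper())
        else:
            flags.discard(ch.upper())
    return flags


def audit_vhost(text):
    """Return (balancers, findings): member roles per balancer, weak TLS lines."""
    balancers, findings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()  # Apache directive names are case-insensitive
        if name == "<proxy" and len(parts) > 1:
            url = parts[1].rstrip(">").strip('"')
            current = balancers.setdefault(url, {"active": [], "standby": []})
        elif name == "</proxy>":
            current = None
        elif name == "balancermember" and current is not None and len(parts) > 1:
            status = "".join(p.split("=", 1)[1] for p in parts[2:]
                             if p.lower().startswith("status="))
            role = "standby" if "H" in status_flags(status) else "active"
            current[role].append(parts[1].strip('"'))
        elif name in WEAK and len(parts) > 1 and parts[1].lower() == WEAK[name]:
            findings.append((lineno, " ".join(parts)))
    return balancers, findings
```

Calling `audit_vhost(SAMPLE_VHOST)` returns the active and standby members of `balancer://proxmox` together with the line numbers of the four `SSLProxy*` settings.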
 
Thanks for sharing this!

If it works fine - I think the tag '[TUTORIAL]' would be more fitting here than '[SOLVED]' (you can change that by clicking 'Edit Thread' above your top post).

Thanks again!
 
Thank you for sharing.

Here is my config for HAProxy and it works with noVNC:
Code:
frontend SSL_PROXMOX
    bind            11.11.11.11:8006 name 11.11.11.11:8006  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS ssl crt-list /var/etc/haproxy/SSL_PROXMOX.crt_list 
    bind            22.22.22.22:8006 name 22.22.22.22:8006  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS ssl crt-list /var/etc/haproxy/SSL_PROXMOX.crt_list 
    mode            http
    log            global
    option            dontlognull
    option            dontlog-normal
    option            http-keep-alive
    option            forwardfor
    acl https ssl_fc
    http-request set-header        X-Forwarded-Proto http if !https
    http-request set-header        X-Forwarded-Proto https if https
    timeout client        30000
    default_backend SSL-PROXMOX_ipvANY

backend SSL-PROXMOX_ipvANY
    mode            http
    id            102
    log            global
    http-response set-header Strict-Transport-Security max-age=17280000;
    balance            source
    timeout connect        30000
    timeout server        30000
    retries            3
    load-server-state-from-file    global
    server            PROX-13 192.168.1.213:8006 id 103 ssl check inter 1000  verify none
    server            PROX-10 192.168.1.210:8006 id 104 ssl check inter 1000  verify none
    server            PROX-11 192.168.1.211:8006 id 105 ssl check inter 1000  verify none
    server            PROX-12 192.168.1.212:8006 id 106 ssl check inter 1000  verify none
    server            PROX-01 192.168.1.201:8006 id 107 ssl check inter 1000  verify none

11.11.11.11 = External Front end IP1
22.22.22.22 = External Front end IP2

We have 2 internet connections in failover.