__**BASIC CONCEPTS**__\\
[[https://www.digitalocean.com/community/tutorials/an-introduction-to-haproxy-and-load-balancing-concepts|External Link]]\\
Config file: /etc/haproxy/haproxy.cfg

In the frontend we define ACLs and name the backends; the ACLs then decide which backend a request is routed to:
<code>
use_backend blog-backend if acl_url_blog
</code>
Requests that match no use_backend rule go to the default_backend of the frontend.
----
**OPERATION:**\\
Restart:
<code bash>
/etc/rc.d/init.d/haproxy restart
</code>
(systemctl restart haproxy on systemd hosts.) Run haproxy -c -f /etc/haproxy/haproxy.cfg first: a config error found at restart time leaves you without a balancer.
----
__**MONITORING**__\\
From the CLI, this command gives us a CSV; dump it into Calc. Check max connections against current connections (slim vs scur per proxy in show stat, Maxconn vs CurrConns for the whole process in show info).
<code bash>
echo "show info;show stat" | nc -U /var/lib/haproxy/stats
# Append | grep DOWN to see what is not working at the moment. It matches the status column;
# a BACKEND row also shows DOWN when every server in that backend is down.
</code>
The socket path is whatever the "stats socket" line in the global section says; /var/run/haproxy.sock is another common choice. Keep it mode 600 and at the lowest level that does the job (level operator is enough for show stat / show info; level admin additionally allows enabling and disabling servers from the socket).

Remote dump (the inner command must use single quotes; nested double quotes are eaten by the shell):
<code bash>
ssh -n ha1.dc "echo 'show stat' | nc -U /var/lib/haproxy/stats" > file1 ; csvtool readable file1 | view -
ssh -n ha1.dc "echo 'show info' | nc -U /var/lib/haproxy/stats"
</code>
Do not silence the host-key prompt with -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no: that disables host-key verification, so anything on the path can impersonate ha1.dc. Put the balancer's key in known_hosts instead; the only place those options belong is a throwaway lab.

[[https://www.datadoghq.com/blog/how-to-collect-haproxy-metrics/|External Link]]\\
There is a GUI as well (the stats page, enabled with "stats enable" in a listen or frontend section) and interactive commands on the socket:
<code bash>
nc -U /var/run/haproxy.sock
</code>
The same commands can be piped in non-interactively, as above, for automated operations.
\\
\\
From the stats page:
  * Session rate: number of new sessions per second. A session is a connection that was accepted by the layer 4 rules.
  * Connection: note that a session can have one or more connections. "With the introduction of SSL, proxy protocol and layer4 ACLs, it was needed to cut the end-to-end sessions in smaller parts, hence the introduction of "connections""
----
__**PROTECT AGAINST DDOS:**__\\
  * [[https://www.haproxy.com/blog/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/|haproxy-first-row-of-defense-against-ddos]]
  * Block by source IP based on different criteria (connection rate, request rate, error rate) using stick tables: track the source address with tcp-request connection track-sc0 src and reject or deny once a tracked counter passes a threshold. Some examples [[http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/st-ddos/|here]].
----
**SPECIAL FEATURES**\\
Enable slow start (a server that comes back UP has its weight ramped up over the given period instead of receiving full load at once): [[https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.2-slowstart|https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#5.2-slowstart]]
----
  * Conceptual difference between a proxy and a "reverse proxy": a (forward) proxy is a client-side proxy; a reverse proxy sits in front of the servers and is roughly what a load balancer is.
  * A forward proxy hides the clients' identity from the server. This is for client-to-server connections.
  * A reverse proxy hides the servers' identity from the client. This is for client-to-server connections **as well**; what differs is which side runs it and whom it stands in for.

TODO:\\
  * Block by source IP based on different criteria with stick tables; work through the examples here: http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
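The pieces from the sections above (ACL plus use_backend routing, the stats socket used under MONITORING, a stick table as the first row of defense against DDoS, and slowstart) put together in one haproxy.cfg. This is an added example, not the page's own config: the backend names and the /blog path follow the page, while the bind port, the server addresses, the health-check URLs and the rate thresholds are assumptions picked for illustration.

```haproxy
global
    # Socket the MONITORING commands talk to. mode 600 keeps other local users out;
    # level operator is enough for "show stat" / "show info" (admin also allows set server ...).
    stats socket /var/lib/haproxy/stats mode 600 level operator
    maxconn 4000

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind *:80                                    # assumption: plain HTTP on port 80
    # Per-source-IP counters over a 10 s window; entries expire 1 min after last update.
    stick-table type ip size 100k expire 1m store conn_rate(10s),http_req_rate(10s)
    tcp-request connection track-sc0 src
    # Thresholds are illustrative: drop sources opening more than 20 connections per 10 s
    # before any HTTP parsing, and deny sources sending more than 100 requests per 10 s.
    tcp-request connection reject if { sc0_conn_rate gt 20 }
    http-request deny if { sc0_http_req_rate gt 100 }

    # ACL first, then the rule that uses it; everything else goes to the default backend.
    acl acl_url_blog path_beg /blog
    use_backend blog-backend if acl_url_blog
    default_backend web-backend

backend blog-backend
    balance roundrobin
    option httpchk GET /blog/health              # assumption: health endpoint name
    # slowstart: a server returning from DOWN gets its weight ramped up over 60 s.
    server blog1 10.0.0.11:80 check slowstart 60s
    server blog2 10.0.0.12:80 check slowstart 60s

backend web-backend
    balance roundrobin
    option httpchk GET /health
    server web1 10.0.0.21:80 check slowstart 60s
```

Validate with haproxy -c -f before restarting. Before turning the reject/deny rules on in production, run with only the stick-table and track-sc0 lines for a while and look at "show table www" on the stats socket to see what normal conn_rate and http_req_rate values look like for your traffic; a threshold set blind will either do nothing or block NAT gateways and corporate proxies that legitimately fan out many clients behind one IP.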
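Reading the stats-socket output by column name instead of eyeballing the CSV in Calc or grepping for DOWN. This is an added example, not a script from the page: POSIX sh plus awk that locates the status and limit columns from the "# pxname,..." header line (so it does not depend on a particular HAProxy version's column order), lists rows that are DOWN, flags frontends and backends whose current sessions (scur) approach their limit (slim), and checks CurrConns against Maxconn from show info. The socket path and the ha1.dc host name are the page's; the two sample dumps embedded below are constructed, with invented values and only a subset of the real columns.

```shell
#!/bin/sh
# Added example: helpers around HAProxy's stats socket (not code from the page).
# Socket path as in the page's commands; override with HAPROXY_SOCK if your "stats socket" line differs.
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/lib/haproxy/stats}"

# Send one or more ';'-separated commands to the local stats socket.
hap_cmd() {
    printf '%s\n' "$1" | nc -U "$HAPROXY_SOCK"
}

# Same against a remote balancer (the page's ha1.dc pattern); the inner command is single-quoted.
# No StrictHostKeyChecking=no here: the balancer's host key must already be in known_hosts.
hap_remote() {
    ssh -n "$1" "echo '$2' | nc -U $HAPROXY_SOCK"
}

# awk prologue shared by the "show stat" readers: map column names to indices from the header
# and ignore everything before it (e.g. "show info" lines when both commands were sent together).
HAP_AWK_HEADER='
    /^# pxname/ { sub(/^# /, ""); for (i = 1; i <= NF; i++) col[$i] = i; next }
    !("status" in col) { next }'

# Rows whose status column starts with DOWN: servers, and BACKEND rows when the whole backend is down.
# Unlike "| grep DOWN" this only looks at the status column, so names or comments cannot trip it.
hap_down() {
    awk -F, "$HAP_AWK_HEADER"'
        $col["status"] ~ /^DOWN/ { print $col["pxname"] "/" $col["svname"] " " $col["status"] }'
}

# Frontend/backend rows whose current sessions (scur) are at or above PCT% (default 80) of the limit (slim).
hap_near_limit() {
    awk -F, -v pct="${1:-80}" "$HAP_AWK_HEADER"'
        ($col["slim"] + 0) > 0 && $col["scur"] * 100 >= $col["slim"] * pct {
            printf "%s/%s %d/%d\n", $col["pxname"], $col["svname"], $col["scur"], $col["slim"] }'
}

# Process-wide view from "show info": prints CurrConns/Maxconn and exits 1 when at or above PCT%.
hap_global_usage() {
    awk -F': ' -v pct="${1:-80}" '
        $1 == "Maxconn"   { max = $2 + 0 }
        $1 == "CurrConns" { cur = $2 + 0 }
        END { printf "%d/%d\n", cur, max; exit ((max > 0 && cur * 100 >= max * pct) ? 1 : 0) }'
}

# Constructed sample dumps (invented values, subset of the real columns) so the helpers run offline.
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,
www,FRONTEND,,,1700,1800,2000,91200,10000,20000,0,0,0,,,,,OPEN,,,,
blog-backend,blog1,0,2,1,12,,500,1000,2000,,0,,0,0,0,0,UP,1,1,0,
blog-backend,blog2,0,0,0,0,,0,0,0,,0,,0,0,0,0,DOWN,1,1,0,
blog-backend,BACKEND,0,2,1,12,200,500,1000,2000,0,0,,0,0,0,0,UP,1,1,0,
web-backend,web1,0,1,2,20,,700,3000,9000,,0,,1,0,0,0,DOWN,1,1,0,
web-backend,BACKEND,0,1,2,20,200,700,3000,9000,0,0,,1,0,0,0,DOWN,1,1,0,'
SAMPLE_INFO='Name: HAProxy
Version: 1.7.11
Maxconn: 2000
CurrConns: 1700
CumConns: 123456'

# Live usage (needs a running HAProxy):
#   hap_cmd "show stat" | hap_down
#   hap_cmd "show stat" | hap_near_limit 80
#   hap_remote ha1.dc "show info" | hap_global_usage 90 || echo "ha1.dc near its connection limit"
# Offline against the constructed samples:
#   printf '%s\n' "$SAMPLE_STAT" | hap_down
```

Feeding the combined "show info;show stat" dump from the MONITORING section into hap_down or hap_near_limit also works, because the awk prologue skips everything until it sees the CSV header. hap_global_usage returns a non-zero status rather than just printing, so it can sit directly in a cron or monitoring check.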