How to set up HAProxy for Rancher v2.x

This document (000020175) is provided subject to the disclaimer at the end of this document.

Situation

Task

Set up HAProxy as a frontend load balancer for Rancher v2.x.

Overview

Install HAProxy

  • Ubuntu:
    apt update
    apt install -y haproxy
    systemctl enable haproxy
    systemctl start haproxy
  • CentOS / RedHat:
    yum update
    yum install haproxy -y
    systemctl enable haproxy
    systemctl start haproxy

Example HAProxy Config

Option A - Full SSL
  • Copy cert and key into a single file called /etc/haproxy/cert.pem
  • Add frontend to /etc/haproxy/haproxy.cfg:
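    frontend www-http
        bind *:80
        # reqadd was removed in HAProxy 2.1; set-header also overwrites any client-supplied value
        http-request set-header X-Forwarded-Proto http
        default_backend rancher-http

    frontend www-https
        bind *:443 ssl crt /etc/haproxy/cert.pem
        http-request set-header X-Forwarded-Proto https
        default_backend rancher-https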
  • Add backends to /etc/haproxy/haproxy.cfg:
    backend rancher-http
        mode http
        option httpchk HEAD /healthz HTTP/1.0
        server rancher01 192.168.1.103:80 check weight 1 maxconn 1024
        server rancher02 192.168.1.104:80 check weight 1 maxconn 1024
        server rancher03 192.168.1.105:80 check weight 1 maxconn 1024

    backend rancher-https
        mode http
        option httpchk HEAD /healthz HTTP/1.0
        # "ssl verify none" encrypts the backend connection but does not validate the node certificates
        server rancher01 192.168.1.103:443 check weight 1 maxconn 1024 ssl verify none
        server rancher02 192.168.1.104:443 check weight 1 maxconn 1024 ssl verify none
        server rancher03 192.168.1.105:443 check weight 1 maxconn 1024 ssl verify none
  • Test the configuration:
    haproxy -f /etc/haproxy/haproxy.cfg -c
  • Reload HAProxy:
    systemctl reload haproxy

Option B - External TLS Termination
  • Follow Rancher install doc https://rancher.com/docs/rancher/v2.x/en/installation/options/chart-options/#external-tls-termination
  • Verify that the Rancher URL works when connecting directly to a Rancher node. For example:
    curl --header "Host: rancher.example.com" http://192.168.1.103/ping
  • Copy cert and key into a single file called /etc/haproxy/cert.pem
  • Create frontends:
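    frontend www-http
        bind *:80
        # reqadd was removed in HAProxy 2.1; set-header also overwrites any client-supplied value
        http-request set-header X-Forwarded-Proto http
        default_backend rancher-http

    frontend www-https
        bind *:443 ssl crt /etc/haproxy/cert.pem
        http-request set-header X-Forwarded-Proto https
        default_backend rancher-http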
  • Create backends:
    backend rancher-http
        mode http
        option httpchk HEAD /healthz HTTP/1.0
        server rancher01 192.168.1.103:80 check weight 1 maxconn 1024
        server rancher02 192.168.1.104:80 check weight 1 maxconn 1024
        server rancher03 192.168.1.105:80 check weight 1 maxconn 1024
  • Test the configuration:
    haproxy -f /etc/haproxy/haproxy.cfg -c
  • Reload HAProxy:
    systemctl reload haproxy

Option C - TCP pass-through
  • Create backends:
    backend rancher-http
        mode tcp
        balance roundrobin
        # usesrc client keeps the client IP as the source address; needs transparent proxy (TPROXY) support
        source 0.0.0.0 usesrc client
        server rancher01 192.168.1.103:80
        server rancher02 192.168.1.104:80
        server rancher03 192.168.1.105:80

    backend rancher-https
        mode tcp
        balance roundrobin
        source 0.0.0.0 usesrc client
        server rancher01 192.168.1.103:443
        server rancher02 192.168.1.104:443
        server rancher03 192.168.1.105:443
  • Test the configuration:
    haproxy -f /etc/haproxy/haproxy.cfg -c
  • Reload HAProxy:
    systemctl reload haproxy

Troubleshooting

  • Add the following to /etc/haproxy/haproxy.cfg before the frontend section.
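    listen stats
        # bind :9000 listens on every interface of the load balancer
        bind :9000
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy\ Statistics
        stats uri /
        # Example credentials in user:password form; choose your own before exposing this listener
        stats auth admin:admin
  • Go to http://load01.example.com:9000/
  • Username/Password: admin/admin (the stats auth value above)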
  • If there are firewall rules blocking port 9000, use ssh tunneling to proxy the connection:
    ssh -f -N -L 9000:127.0.0.1:9000 root@192.168.1.101
  • Go to http://localhost:9000/
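
An added example (not part of the SUSE article and not HAProxy tooling): a small Python audit that flags `ssl verify none` on backend servers (Option A) and, for the Troubleshooting listener, a stats page bound to every interface or protected by a password that is empty or equal to the user name. The rule names and the sample config are constructed for illustration.

```python
# Added example: audit a haproxy.cfg for the risky settings discussed on this page.
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}
WILDCARD_HOSTS = {"", "*", "0.0.0.0", "::", "[::]"}

# Constructed sample: Option A's HTTPS backend plus the Troubleshooting listener.
SAMPLE_CFG = """\
backend rancher-https
    mode http
    server rancher01 192.168.1.103:443 check weight 1 maxconn 1024 ssl verify none
listen stats
    bind :9000
    mode http
    stats enable
    stats auth admin:admin
"""

def parse_sections(text):
    """Return [(section name, [token list per directive])] for a haproxy.cfg."""
    sections = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # simplification: no escaped '#'
        if not tokens:
            continue
        if tokens[0] in SECTION_KEYWORDS:
            sections.append((" ".join(tokens[:2]), []))
        elif sections:
            sections[-1][1].append(tokens)
    return sections

def audit(text):
    """Return (section, rule) findings in the order they appear in the file."""
    findings = []
    for name, directives in parse_sections(text):
        serves_stats = any(t[:2] == ["stats", "enable"] for t in directives)
        for t in directives:
            if t[0] == "server" and ("verify", "none") in zip(t, t[1:]):
                findings.append((name, "backend-tls-unverified"))
            elif t[0] == "bind" and serves_stats and len(t) > 1:
                if t[1].rsplit(":", 1)[0] in WILDCARD_HOSTS:
                    findings.append((name, "stats-wildcard-bind"))
            elif t[:2] == ["stats", "auth"] and len(t) > 2:
                user, _, password = t[2].partition(":")
                if password in ("", user):
                    findings.append((name, "stats-weak-credentials"))
    return findings

if __name__ == "__main__":
    for section, rule in audit(SAMPLE_CFG):
        print(f"{section}: {rule}")
```

To check a live file, pass its contents to `audit()` once `haproxy -f /etc/haproxy/haproxy.cfg -c` reports a valid configuration.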

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020175
  • Creation Date: 13-Jul-2021
  • Modified Date: 13-Jul-2021
    • SUSE Rancher
