Monday, June 9, 2014

SSL Termination with HA Proxy, session storing with memcached

This post describes the updated architecture of loadbalancing-owncloud-with-ha-proxy. I now use HA Proxy version 1.5, which can do SSL termination, and memcached for owncloud's sessions.

Terminating SSL on HA Proxy is practical: all communication behind HA Proxy is now non-SSL, so we get better performance. Because that traffic is unencrypted, the network between HA Proxy and the backend nodes has to be trusted.
Another adjustment is memcached for owncloud's session storage, instead of the previously used apcu. This gives all load-balanced owncloud nodes a centralized session store.

Memcached setup:
To enable this feature, we need to install the memcached daemon and the PHP library: memcached php-memcached
Enable the memcached module in /etc/php/conf.d/memcached.ini (ArchLinux).
Copy the systemd .service file for memcached and adjust the port (if needed):
cp /usr/lib/systemd/system/memcached.service /etc/systemd/system/memcached.service
Custom port: ExecStart=/usr/bin/memcached -l 127.0.0.1:11211
Enable memcached in the [Session] section of /etc/php/php.ini:
session.save_handler = memcached
session.save_path = "172.16.0.1:11211"
NOTE: there is a difference between the memcached and memcache PHP extensions. The session.save_path address 172.16.0.1:11211 is a listener on HA Proxy, which proxies to 127.0.0.1:11211.

Add a memcached entry to the owncloud config file /usr/share/webapps/owncloud/config/config.php:
'memcached_server' => array('172.16.0.1', 11211),

HA Proxy configuration:
Here's my complete haproxy.cfg:
global
    log 127.0.0.1   local0
    log 127.0.0.1   local1 notice
    #log loghost    local0 info
    maxconn 128
    #chroot /usr/share/haproxy
    uid 99
    gid 99
    daemon
    #debug
    #quiet

defaults
    log global
    mode    http
    option  tcplog
    option  dontlognull
    retries 3
    option  redispatch
    maxconn 32
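    # "timeout ..." replaces the deprecated contimeout/clitimeout/srvtimeout keywords (values in ms)
    timeout connect 5000
    timeout client  50000
    timeout server  50000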

listen stats 127.0.0.1:1936
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth name:password
    stats refresh 10s

# rasppi-p frontend
frontend rasppi
    bind 172.16.0.1:443 ssl crt /etc/haproxy/ssl/server.pem
    mode http

    acl url_trans path_beg /transmission /rpc #/memcached

    use_backend nginx-transmission if url_trans
    default_backend nginx-owncloud

# backend for owncloud
backend nginx-owncloud
    mode http
    balance roundrobin
    option httpclose
    server  rasppi-p 127.0.0.1:8080  weight 15  check inter 5000 rise 2 fall 3
    server  rasppi-t 172.16.0.3:8080 weight 10  check inter 5000 rise 2 fall 3
    server  krisko   172.16.0.2:8080 weight 200 check inter 5000 rise 2 fall 3

# backend for transmission
backend nginx-transmission
    mode http
    option httpclose
    #option forwardfor
    balance roundrobin
    server  rasppi-p 127.0.0.1:8180 check inter 5000 rise 2 fall 3

# rasppi-p mysql listener
listen mysql 172.16.0.1:3306
    mode tcp
    balance roundrobin
    server  rasppi-p 127.0.0.1:3306 check inter 5000 rise 2 fall 3

# rasppi-p memcached listener
listen memcached 172.16.0.1:11211
    mode tcp
    balance roundrobin
    server  rasppi-p 127.0.0.1:11211 check inter 5000 rise 2 fall 3

# haproxy stats listener
listen haproxy-stats 172.16.0.1:1936
    mode http
    option httpclose
    server rasppi-p 127.0.0.1:1936 check inter 5000 rise 2 fall 3
I use frontends for mysql and memcached for better scalability and to be able to monitor services via HA Proxy stats.
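With SSL terminated only on the :443 frontend, it is worth knowing which other listeners accept unencrypted traffic on a non-loopback address. The Python sketch below is an added example, not part of the original post: SAMPLE_CFG is a constructed, trimmed copy of the configuration above, the function names are hypothetical, and the parser covers only section headers, bind, mode and the 1.5-style "listen <name> <addr:port>" form.

```python
import ipaddress
# Constructed sample: the sections of the haproxy.cfg above, bodies trimmed.
SAMPLE_CFG = """
defaults
    mode http
listen stats 127.0.0.1:1936
frontend rasppi
    bind 172.16.0.1:443 ssl crt /etc/haproxy/ssl/server.pem
listen mysql 172.16.0.1:3306
    mode tcp
listen memcached 172.16.0.1:11211
    mode tcp
listen haproxy-stats 172.16.0.1:1936
"""

def parse_listeners(cfg):
    """Return one dict per frontend/listen section: name, mode, binds."""
    default_mode, sections, cur = "tcp", [], None  # HAProxy's built-in default is tcp
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in ("global", "defaults", "frontend", "backend", "listen"):
            cur = {"kind": words[0], "name": " ".join(words[1:2]),
                   "mode": default_mode, "binds": []}
            sections.append(cur)
            if words[0] == "listen" and len(words) > 2:  # legacy "listen <name> <addr:port>"
                cur["binds"] += [(a, False) for a in words[2].split(",")]
        elif cur and words[0] == "bind" and len(words) > 1:
            cur["binds"] += [(a, "ssl" in words[2:]) for a in words[1].split(",")]
        elif cur and words[0] == "mode" and len(words) > 1:
            cur["mode"] = words[1]
            if cur["kind"] == "defaults":
                default_mode = words[1]  # inherited by the sections that follow
    return [s for s in sections if s["kind"] in ("frontend", "listen")]

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.rsplit(":", 1)[0]).is_loopback
    except ValueError:
        return False  # "*", empty host or hostname: treat as network-reachable

def cleartext_listeners(cfg):
    """List (section, address, mode) for each non-loopback bind without ssl."""
    return [(s["name"], addr, s["mode"]) for s in parse_listeners(cfg)
            for addr, ssl in s["binds"] if not ssl and not is_loopback(addr)]

if __name__ == "__main__":
    print(cleartext_listeners(SAMPLE_CFG))
```

For this configuration it reports the mysql, memcached and haproxy-stats listeners on 172.16.0.1: session data and the stats login cross the 172.16.0.x network unencrypted, so access to those ports should be limited to the owncloud nodes.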
Updated scheme:

