ER and haproxy

There are various topics discussed in previous threads about having some kind of reverse proxy / load balancer built into ER. I'd like to re-open that discussion.

Currently we have, in production, a bash script I wrote to use haproxy on a set of edgerouters for a customer (it is initiated via system task-schedule, and accounts for installing the service and creating the config file). The purpose here, as we are using it, is to provide redundant access to a hosted application which sits behind a VPN. The customer has >20 locations. We have them interconnected via ospf routing and 4 instances of haproxy (on 4 different edgerouters). Those 4 ERs are the only ones that have VPNs to the hosted application. I can discuss more about that particular setup, but I've probably already said more than is necessary.

My point here is to open a discussion about potentially including haproxy as a configurable service. For my purposes, i would only need to use it in tcp mode. something simple like

service {
   haproxy {
      frontend fe_http {
         listen 192.168.1.1:80
         listen 10.1.1.1:80
         mode tcp
         default_backend be_http
      }
      backend be_http {
         balance source
         mode tcp
         server server1 {
            192.168.1.10 check port 80 source 10.1.1.1
         }
         server server2 {
            10.1.1.10 check port 80 source 10.1.1.1 backup
         }
      }
      stats {
         mode http
         listen 10.1.1.1:8085
      }
}

In my opinion, haproxy config lends itself really well to being reflected in the ER config syntax. 

we would need sections for global and defaults, also. Probably do something similar to dhcp and openvpn where you have some open-ended config sections where we can inject arbitrary options for frontends, backends, stats, etc. where they would just get written into the config section.

I'm not sure how performance would be for other proxy modes, but tcp mode is not taxing at all on the ER pro (we don't have any ER models using haproxy currently)

P.S. Here's my bash script in case anyone else is interested in that

#!/bin/sh


#whoami > /tmp/haproxyscript

input=$1

if [ "$input" == "--help" ] ; then
  echo "valid parameters: silent reload rebuild"
  echo "silent - standard run without any output: creates config file if not present, installs haproxy if not present, starts services if not running"
  echo "reload - reloads config file without terminating active connections"
  echo "rebuild - rebuilds config file with defaults"
  exit 0
fi

configFileSym="/etc/haproxy/haproxy.cfg"
configFile="/config/scripts/haproxy.cfg"

if [ "$input" == "rebuild" ] ; then
  [ "$input" == "silent" ] || echo deleting $configFile
  rm -f $configFile
  input="reload"
fi

if [ "$input" == "restart" ] ; then
  service haproxy restart
fi





if [ -e "$configFile" ] ; then
  [ "$input" == "silent" ] || echo $configFile exists
else
  lanIP=`ifconfig br0 | grep inet\ addr | awk '{ print $2 }' | cut -d\: -f2`
  #firstThree=`echo $lanIP | sed -e s/\.1$//`
  thirdOct=`echo $lanIP | cut -d. -f3`


cat > /tmp/haproxyBindList <<EOL
 bind $lanIP:{port} name LANAddress
 bind $lanIP:{port2} name LANAddress
 bind $lanIP:{port3} name LANAddress
 bind $lanIP:{port4} name LANAddress
 bind $lanIP:{port5} name LANAddress
 bind $lanIP:{port6} name LANAddress
 bind 192.168.254.254:{port} name LoopbackAddress
 bind 192.168.254.254:{port2} name LoopbackAddress
 bind 192.168.254.254:{port3} name LoopbackAddress
 bind 192.168.254.254:{port4} name LoopbackAddress
 bind 192.168.254.254:{port5} name LoopbackAddress
 bind 192.168.254.254:{port6} name LoopbackAddress
EOL

httpBindList=`grep -v bind\ \: /tmp/haproxyBindList | sed s/{port}/8080/ | sed s/{port2}/8081/ | sed s/{port3}/9081/ | sed s/{port4}/10680/ | sed s/{port5}/10560/ | sed s/{port6}/445/`


mkdir -p "`echo $configFile | sed s/haproxy.cfg//`" &> /dev/null
cat > $configFile <<EOL
global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        maxconn 4096
        chroot /tmp
        user root
        group root
        daemon
        #debug
        #quiet

defaults
        hash-type consistent
        option tcpka
        option tcplog
        maxconn 1000
        timeout connect 3s
        timeout server 300s
        timeout client 300s


listen stats $lanIP:8085
        balance
        mode http
        stats enable
        #stats auth me:password
        #stats scope .
        stats refresh 10s
        stats show-legends
        stats uri /
        log global



frontend fe_HCS
$httpBindList
 mode tcp
 log global
 default_backend be_HCS

backend be_HCS
 balance source
 mode tcp
 default-server inter 3s rise 10 fall 3
 server HCSMain 10.10.10.10 check port 9081 source $lanIP


EOL

fi


if [ `dpkg --get-selections | grep -v deinstall | grep haproxy | wc -l` -gt 0 ] ; then
  [ "$input" == "silent" ] || echo "haproxy installed"

else
  [ "$input" == "silent" ] || echo "haproxy not installed"

  grep ^Acquire::Check-Valid-Until /etc/apt/apt.conf || echo "Acquire::Check-Valid-Until false;" | sudo tee -a /etc/apt/apt.conf
  apt-get update &> /dev/null
  apt-get install haproxy -y &> /dev/null
fi

rm -f $configFileSym &> /dev/null
ln -s $configFile $configFileSym &> /dev/null

# remove autostart of service
for i in `find /etc/rc*.d/ -name S*haproxy`
do
  rm -f $i
done

sed -e "s/ENABLED\=0/ENABLED\=1/" -i /etc/default/haproxy

if [ "$input" == "reload" ] ; then
 [ "$input" == "silent" ] || echo reloading haproxy service
 service haproxy reload &> /dev/null
else
 [ "$input" == "silent" ] || echo starting haproxy service if not running
 service haproxy start &> /dev/null
fi


#sleep 30