There are various topics discussed in previous threads about having some kind of reverse proxy / load balancer built into ER. I'd like to re-open that discussion.
Currently we have, in production, a bash script I wrote to use haproxy on a set of edgerouters for a customer (it is initiated via system task-schedule, and accounts for installing the service and creating the config file). The purpose here, as we are using it, is to provide redundant access to a hosted application which sits behind a VPN. The customer has >20 locations. We have them interconnected via OSPF routing and 4 instances of haproxy (on 4 different edgerouters). Those 4 ERs are the only ones that have VPNs to the hosted application. I can discuss more about that particular setup, but I've probably already said more than is necessary.
My point here is to open a discussion about potentially including haproxy as a configurable service. For my purposes, I would only need to use it in tcp mode. Something simple like:
    service {
        haproxy {
            frontend fe_http {
                listen 192.168.1.1:80
                listen 10.1.1.1:80
                mode tcp
                default_backend be_http
            }
            backend be_http {
                balance source
                mode tcp
                server server1 {
                    192.168.1.10
                    check port 80
                    source 10.1.1.1
                }
                server server2 {
                    10.1.1.10
                    check port 80
                    source 10.1.1.1
                    backup
                }
            }
            stats {
                mode http
                listen 10.1.1.1:8085
            }
        }
    }
In my opinion, haproxy config lends itself really well to being reflected in the ER config syntax.
We would need sections for global and defaults, also. Probably do something similar to dhcp and openvpn, where you have some open-ended config sections in which we can inject arbitrary options for frontends, backends, stats, etc., and they would just get written into the corresponding config section.
I'm not sure how performance would be for other proxy modes, but tcp mode is not taxing at all on the ER Pro (we don't have any other ER models using haproxy currently).
P.S. Here's my bash script in case anyone else is interested in that.
    #!/bin/bash
    # EdgeRouter haproxy bootstrap, run from system task-schedule: installs haproxy if
    # missing, writes the config once (kept under /config so it survives upgrades),
    # symlinks it into /etc/haproxy and starts or reloads the service.
    # Uses bash-only syntax ([ == ] and &>), so it must run under bash, not /bin/sh.
    #whoami > /tmp/haproxyscript
    input=$1
    if [ "$input" == "--help" ] ; then
        echo "valid parameters: silent reload rebuild"
        echo "silent - standard run without any output: creates config file if not present, installs haproxy if not present, starts services if not running"
        echo "reload - reloads config file without terminating active connections"
        echo "rebuild - rebuilds config file with defaults"
        exit 0
    fi
    configFileSym="/etc/haproxy/haproxy.cfg"
    configFile="/config/scripts/haproxy.cfg"
    if [ "$input" == "rebuild" ] ; then
        [ "$input" == "silent" ] || echo deleting $configFile
        rm -f $configFile
        input="reload"
    fi
    if [ "$input" == "restart" ] ; then
        service haproxy restart
    fi
    if [ -e "$configFile" ] ; then
        [ "$input" == "silent" ] || echo $configFile exists
    else
        # LAN address of br0: used for the stats listener, the bind list and as the
        # source address for health checks and backend connections
        lanIP=`ifconfig br0 | grep inet\ addr | awk '{ print $2 }' | cut -d\: -f2`
        #firstThree=`echo $lanIP | sed -e s/\.1$//`
        thirdOct=`echo $lanIP | cut -d. -f3`
        cat > /tmp/haproxyBindList <<EOL
    bind $lanIP:{port} name LANAddress
    bind $lanIP:{port2} name LANAddress
    bind $lanIP:{port3} name LANAddress
    bind $lanIP:{port4} name LANAddress
    bind $lanIP:{port5} name LANAddress
    bind $lanIP:{port6} name LANAddress
    bind 192.168.254.254:{port} name LoopbackAddress
    bind 192.168.254.254:{port2} name LoopbackAddress
    bind 192.168.254.254:{port3} name LoopbackAddress
    bind 192.168.254.254:{port4} name LoopbackAddress
    bind 192.168.254.254:{port5} name LoopbackAddress
    bind 192.168.254.254:{port6} name LoopbackAddress
    EOL
        # drop any 'bind :port' lines (br0 had no address) and fill in the six ports
        httpBindList=`grep -v bind\ \: /tmp/haproxyBindList | sed s/{port}/8080/ | sed s/{port2}/8081/ | sed s/{port3}/9081/ | sed s/{port4}/10680/ | sed s/{port5}/10560/ | sed s/{port6}/445/`
        mkdir -p "`dirname $configFile`" &> /dev/null
        cat > $configFile <<EOL
    global
        log 127.0.0.1 local0
        log 127.0.0.1 local1 notice
        maxconn 4096
        chroot /tmp
        # note: runs as root; haproxy can drop to an unprivileged user/group here
        user root
        group root
        daemon
        #debug
        #quiet

    defaults
        hash-type consistent
        option tcpka
        option tcplog
        maxconn 1000
        timeout connect 3s
        timeout server 300s
        timeout client 300s

    listen stats $lanIP:8085
        balance
        mode http
        stats enable
        #stats auth me:password
        #stats scope .
        stats refresh 10s
        stats show-legends
        stats uri /
        log global

    frontend fe_HCS
    $httpBindList
        mode tcp
        log global
        default_backend be_HCS

    backend be_HCS
        balance source
        mode tcp
        default-server inter 3s rise 10 fall 3
        server HCSMain 10.10.10.10 check port 9081 source $lanIP
    EOL
    fi
    if [ `dpkg --get-selections | grep -v deinstall | grep haproxy | wc -l` -gt 0 ] ; then
        [ "$input" == "silent" ] || echo "haproxy installed"
    else
        [ "$input" == "silent" ] || echo "haproxy not installed"
        # the repo metadata may be past its Valid-Until date; allow it so apt-get update succeeds
        grep ^Acquire::Check-Valid-Until /etc/apt/apt.conf || echo "Acquire::Check-Valid-Until false;" | sudo tee -a /etc/apt/apt.conf
        apt-get update &> /dev/null
        apt-get install haproxy -y &> /dev/null
    fi
    rm -f $configFileSym &> /dev/null
    ln -s $configFile $configFileSym &> /dev/null
    # remove autostart of service (this script, via task-schedule, is what starts it)
    for i in `find /etc/rc*.d/ -name 'S*haproxy'`
    do
        rm -f $i
    done
    sed -e "s/ENABLED\=0/ENABLED\=1/" -i /etc/default/haproxy
    if [ "$input" == "reload" ] ; then
        [ "$input" == "silent" ] || echo reloading haproxy service
        service haproxy reload &> /dev/null
    else
        [ "$input" == "silent" ] || echo starting haproxy service if not running
        service haproxy start &> /dev/null
    fi
    #sleep 30
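The post sketches how a `service haproxy { ... }` tree in the ER config would map onto haproxy.cfg sections (frontends with their listen addresses, backends with their servers, and open-ended global/defaults sections for arbitrary options). The following is an added example, not code from the post or from EdgeOS: a small Python renderer that parses such a tree and emits the haproxy.cfg text, refusing a `default_backend` that names no defined backend and any malformed listen address before anything would be written to disk. The sample config, the fixed global/defaults baseline lines, and the `parse`/`render`/`check_bind` names are mine; it also assumes each server's address is given as an explicit `address` leaf (the post writes it as a bare token).

```python
import ipaddress

# Constructed input: the post's proposal, one statement per line as EdgeOS config
# is normally written. The 'address' leaf inside each server node is my assumption
# (the post wrote the server address as a bare token).
PROPOSED_CONFIG = """service {
  haproxy {
    frontend fe_http {
      listen 192.168.1.1:80
      listen 10.1.1.1:80
      mode tcp
      default_backend be_http
    }
    backend be_http {
      balance source
      mode tcp
      server server1 {
        address 192.168.1.10
        check port 80
        source 10.1.1.1
      }
      server server2 {
        address 10.1.1.10
        check port 80
        source 10.1.1.1
        backup
      }
    }
  }
}
"""


class Node:
    """One brace block: ordered leaves (repeated keys allowed) plus named child nodes."""
    def __init__(self):
        self.leaves, self.children = [], []   # [(key, [values])], [(key, name, Node)]
    def values(self, key):
        return [v for k, v in self.leaves if k == key]
    def first(self, key, default=None):
        return (self.values(key) or [default])[0]
    def child(self, key, name=None):
        return next((c for k, n, c in self.children if (k, n) == (key, name)), None)
    def named(self, key):
        return [(n, c) for k, n, c in self.children if k == key]


def parse(text):
    """Build a Node tree from 'key values {', 'key values' and '}' lines; '#' starts a comment."""
    stack = [Node()]
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words == ["}"]:
            if len(stack) == 1: raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif words[-1] == "{":                    # node header: 'key {' or 'key name {'
            if len(words) not in (2, 3): raise ValueError(f"line {lineno}: bad header {raw.strip()!r}")
            node = Node()
            stack[-1].children.append((words[0], words[1] if len(words) == 3 else None, node))
            stack.append(node)
        else:
            stack[-1].leaves.append((words[0], words[1:]))
    if len(stack) != 1: raise ValueError("unclosed '{'")
    return stack[0]


def check_bind(spec):
    """Accept only 'ipv4:port', so nothing unparsable reaches haproxy.cfg."""
    host, sep, port = spec.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad listen address {spec!r}")
    return f"{ipaddress.IPv4Address(host)}:{port}"   # IPv4Address raises ValueError on garbage


def render(text):
    """Render the tree as haproxy.cfg text, validating references and addresses first."""
    svc = parse(text).child("service")
    hap = svc.child("haproxy") if svc else None
    if hap is None: raise ValueError("no 'service haproxy' node")
    backends, out = dict(hap.named("backend")), []

    def section(header, body):                    # body: token lists -> indented lines
        out.append(header)
        out.extend("    " + " ".join(t) for t in body)
        out.append("")

    # fixed baseline plus arbitrary options from optional 'global {}' / 'defaults {}' nodes
    extra = lambda key: [[k] + v for k, v in (hap.child(key) or Node()).leaves]
    section("global", [["daemon"], ["maxconn", "4096"]] + extra("global"))
    section("defaults", [["timeout", "connect", "3s"], ["timeout", "client", "300s"],
                         ["timeout", "server", "300s"]] + extra("defaults"))
    for name, fe in hap.named("frontend"):
        target = fe.first("default_backend", [])
        if not target or target[0] not in backends:
            raise ValueError(f"frontend {name}: default_backend must name a defined backend")
        section(f"frontend {name}", [["mode"] + fe.first("mode", ["tcp"])]
                + [["bind", check_bind(" ".join(l))] for l in fe.values("listen")]
                + [["default_backend", target[0]]])
    for name, be in backends.items():
        body = [["mode"] + be.first("mode", ["tcp"])] + [["balance"] + b for b in be.values("balance")]
        for sname, srv in be.named("server"):
            addr = srv.first("address", [])
            if len(addr) != 1: raise ValueError(f"server {sname}: needs exactly one address")
            line = ["server", sname, str(ipaddress.IPv4Address(addr[0]))]
            for opt in ("check", "source"):       # e.g. 'check port 80', 'source 10.1.1.1'
                line += sum(([opt] + v for v in srv.values(opt)), [])
            if srv.first("backup") is not None:   # bare 'backup' leaf marks a standby server
                line.append("backup")
            body.append(line)
        section(f"backend {name}", body)
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(render(PROPOSED_CONFIG))
```

Running it prints the global, defaults, `frontend fe_http` and `backend be_http` sections, with each `listen` leaf becoming a `bind` line and the bare `backup` leaf becoming the `backup` server option. Adding a `global { log 127.0.0.1 local0 }` node to the input appends that line to the generated global section, which is the open-ended option injection the post describes; validating the tree before rendering is what keeps a typo in the config from producing a haproxy.cfg that fails to load on reload.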