HAProxy logging and monitoring – All things in moderation

HAProxy logging and monitoring

In a previous post we covered installing and configuring HAProxy. This post goes a step further and explores logging and monitoring for HAProxy.

Logging

What do we need to know about HAProxy logging? Some of the key topics are log levels, log formats, advanced logging options, timing events, etc. Find out more here

Standard information provided in logs include client ports, TCP/HTTP state timers, precise session state at termination and precise termination cause, information about decisions to direct traffic to a server, and certainly the ability to capture arbitrary headers.

Configure logging for HAProxy

An example HAProxy config, /etc/haproxy/haproxy.cfg:

global  
    log 127.0.0.1 local0 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    ...

The log will be sent to a syslog server. On Ubuntu, rsyslog is already installed and running, but it doesn’t listen on any IP address, so we have to make it do so.
Edit the rsyslog config file:

vim /etc/rsyslog.conf  

Add or uncomment the following lines:

Create a rule for HAProxy logs:

vim /etc/rsyslog.d/haproxy.conf

Make sure it contains a line like this:

if ($programname == 'haproxy') then -/var/log/haproxy.log  

Now restart the rsyslog service:

service rsyslog restart  

This writes all HAProxy messages and access logs to /var/log/haproxy.log.
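To show what the fields described above look like once they land in /var/log/haproxy.log, here is an added example (not part of the original post) that parses lines in HAProxy's default option httplog layout and flags sessions that did not end normally. The sample lines are constructed, and the names parse, findings, CAUSE and PHASE are illustrative choices for this example.

```python
import re

# Default "option httplog" fields, in order, after the syslog prefix.
HTTPLOG = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+) \[(?P<date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>-?\d+(?:/[+-]?\d+){4}) (?P<status>-?\d+) \+?(?P<bytes>\d+) '
    r'\S+ \S+ (?P<term>\S{4}) \d+(?:/\d+){4} \d+/\d+ '
    r'(?:\{[^}]*\} ){0,2}"(?P<request>[^"]*)"?$')

# Termination state: 1st char = who ended the session, 2nd char = what it was doing.
CAUSE = {"C": "client abort", "S": "server abort or refusal", "P": "proxy abort",
         "c": "client-side timeout", "s": "server-side timeout"}
PHASE = {"R": "waiting for request", "Q": "queued", "C": "connecting to server",
         "H": "waiting for response headers", "D": "transferring data"}

def parse(line):
    """Return the httplog fields of one syslog line as a dict, or None."""
    m = HTTPLOG.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("port", "status", "bytes")})
    # Five timers in ms; -1 means the session was aborted before that phase completed.
    rec["timers"] = [int(t) for t in rec["timers"].split("/")]
    return rec

def findings(rec):
    """List the reasons a parsed record deserves a closer look (illustrative rules)."""
    out = []
    cause, phase = rec["term"][:2]
    if cause != "-":
        out.append(f"{CAUSE.get(cause, cause)} while {PHASE.get(phase, phase)}")
    if rec["status"] >= 500:
        out.append(f"HTTP {rec['status']}")
    if rec["server"] == "<NOSRV>":
        out.append("no server was selected")
    return out

# Constructed sample lines using the frontend/backend names from this page.
PFX = "Mar  3 10:15:01 localhost haproxy[2101]: "
SAMPLE = [
    PFX + '192.0.2.10:51234 [03/Mar/2024:10:15:01.120] localnodes nodes/web01 0/0/1/12/13 200 512 - - ---- 2/2/0/0/0 0/0 "GET / HTTP/1.1"',
    PFX + '192.0.2.11:40022 [03/Mar/2024:10:15:01.300] localnodes nodes/web02 0/0/-1/-1/3001 503 212 - - SC-- 3/3/0/0/3 0/0 "GET /api HTTP/1.1"',
    PFX + '192.0.2.12:40100 [03/Mar/2024:10:14:11.500] localnodes localnodes/<NOSRV> -1/-1/-1/-1/50000 408 212 - - cR-- 1/1/0/0/0 0/0 "<BADREQ>"',
]

if __name__ == "__main__":
    for rec in map(parse, SAMPLE):
        print(rec["ip"], rec["status"], rec["term"], findings(rec))
```

The third sample line ends after 50000 ms, which is the timeout client value from the config above.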

Monitoring

Here is an example HAProxy configuration, /etc/haproxy/haproxy.cfg:

... 
frontend localnodes
    bind *:80
    mode http
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 127.0.0.1:9000 check
    server web02 127.0.0.1:9001 check
    server web03 127.0.0.1:9002 check

listen haproxy-monitoring
   bind *:1936
   mode http
   stats enable
   stats hide-version
   stats realm Haproxy\ Statistics
   stats uri /
   stats auth myUser:myPassword

HAProxy comes with a web interface for monitoring the load balancer and the servers it is set up to use. Let’s go over the above options:
* bind *:1936 – It listens on port 1936 (on all addresses)
* stats enable – Enable the stats monitoring dashboard
* stats uri / – The URI to reach it is just / (on port 1936)
* stats hide-version – Hide the version of HAProxy used
* stats auth someuser:password – Use HTTP basic authentication
Here’s what the dashboard will look like:

