I have multiple web servers, hosting multiple domains. Occasionally, I need to move a domain from one web server to another. Rather than have to update the DNS for the domain to point at the new server location, I would like to set all the domains to point to a reverse proxy (?) that will then pass web requests on to the correct servers. I am trying to use haproxy to achieve this, without much success.
as an example:
There are two servers, web1.foo.com and web2.foo.com. web1 serves sites for abc.com and def.com. web2 serves sites for cba.com and fed.com.
there is also a proxy server, proxy.foo.com.
dns for abc.com, etc are pointed at proxy.foo.com, which is configured to map domains to servers like so:
abc.com -> web1.foo.com
def.com -> web1.foo.com
cba.com -> web2.foo.com
fed.com -> web2.foo.com
the problem is, I cant get it to work using haproxy… it is trying to load balance instead of reverse proxy… if I go to abc.com, it will cycle between web1 and web2.
so, I guess I am wondering, is this even possible with haproxy, and if so, where am I going wrong with the configuration? my config looks like this:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend localhost
bind *:80
bind *:443
option tcplog
mode tcp
default_backend servers
backend servers
mode tcp
server abc.com web1.foo.com
server def.com web1.foo.com
server cba.com web2.foo.com
server fed.com web2.foo.com
Best Answer
Yes, the way you have things configured will essentially load balance all incoming connections between the backend servers.
What you want is basically one backend definition for each real web server. I think the gist of what you want is multiple backend definitions, one for each real web server. Then in your frontend section, you'd want to use various conditionals to use the associated backend for whichever frontend URL was requested. A pseudo-config might look something like this:
Note the
mode http
. I believe that's required to actually do things like make decisions based on HTTP headers.And when it's time to move what URLs go to what backend, it's a simple matter of updating the config file and doing a soft reload to haproxy.