Logical Topology

Requirements

  1. IP protocol 112 (VRRP) must be supported in the network.
  2. If you use multicast, the network must support multicast request (use ip a | grep -i multicast).
  3. Already have ssl certificate components (.key .crt .ca) and bundling as pem for domain.

First thing to do

  1. Finish web and db connection setup.
  2. Synchronize web nodes data using lsync.
  3. Disabling all firewall services and selinux (/etc/selinux/config).
  4. Activate packet forwarding and non-binding setup on lb-nodes.
    cat >> /etc/sysctl.conf
    net.ipv4.ip_nonlocal_bind=1
    net.ipv4.ip_forward = 1
    sysctl -p
  5. Install haproxy and keepalived on lb-nodes.

Section 1 - Openstack configuration

  1. Grep port-id of instance : nova interface-list [instance-name]

  2. View allowed address pair of that port-id : openstack port show [port-id] | grep -i allowed_address_pairs
  3. Add the virtual floating ip to each port :neutron port-update [port-id] --allowed_address_pairs list=true type=dict ip_address=[dedicated-ip-address]
    neutron port-update 10ac9746-f6e3-49b2-96ba-25c593ebd45d --allowed_address_pairs list=true type=dict ip_address=10.0.0.11
    neutron port-update b77e5add-f0fd-4f36-9a81-537a7d0e64a2 --allowed_address_pairs list=true type=dict ip_address=10.0.0.11
  4. View allowed address pair of updated port-id

Section 2 - HAproxy configuration
LB01 - ssltermination01.darin.web.id

cp /etc/haproxy/haproxy.cfg haproxy.cfg.default
touch /var/log/haproxy.log
vim /etc/haproxy/haproxy.cfg
#enable this line
log 127.0.0.1 local2

vim /etc/rsyslog.conf
#uncomment this line
$ModLoad imudp 
$UDPServerRun 514

cat >> /etc/rsyslog.d/haproxy.conf
local2.* /var/log/haproxy.log

service rsyslog restart
service rsyslog status
tail -f /var/log/haproxy.log

LB02 - ssltermination02.darin.web.id

cp /etc/haproxy/haproxy.cfg haproxy.cfg.default
touch /var/log/haproxy.log
vim /etc/haproxy/haproxy.cfg
#enable this line
log 127.0.0.1 local2

vim /etc/rsyslog.conf
#uncomment this line
$ModLoad imudp 
$UDPServerRun 514

cat >> /etc/rsyslog.d/haproxy.conf
local2.* /var/log/haproxy.log

service rsyslog restart
service rsyslog status
tail -f /var/log/haproxy.log

systemctl start haproxy
systemctl enable haproxy

Section 3 - Keepalived configuration
LB01 - ssltermination01.darin.web.id as master
cat >> /etc/keepalived/keepalived.conf

LB02 - ssltermination02.darin.web.id as slave
cat >> /etc/keepalived/keepalived.conf

systemctl start keepalived
systemctl enable keepalived

Checking result
If haproxy on ssltermination01.darin.web.id up

If haproxy on ssltermination01.darin.web.id down