1 - How to Install Squid to Configure a Proxy Server on AlmaLinux

This guide provides a step-by-step process to install and configure Squid Proxy Server on AlmaLinux.

Proxy servers play a vital role in managing and optimizing network traffic, improving security, and controlling internet access. One of the most popular tools for setting up a proxy server is Squid, an open-source, high-performance caching proxy. Squid supports various protocols like HTTP, HTTPS, and FTP, making it ideal for businesses, educational institutions, and individuals seeking to improve their network’s efficiency.

What is Squid Proxy Server?

Squid Proxy Server acts as an intermediary between client devices and the internet. It intercepts requests, caches content, and enforces access policies. Some of its key features include:

  • Web caching: Reducing bandwidth consumption by storing frequently accessed content.
  • Access control: Restricting access to certain resources based on rules.
  • Content filtering: Blocking specific websites or types of content.
  • Enhanced security: Hiding client IP addresses and inspecting HTTPS traffic.

With Squid, network administrators can optimize internet usage, monitor traffic, and safeguard network security.


Benefits of Setting Up a Proxy Server with Squid

Implementing Squid Proxy Server offers several advantages:

  1. Bandwidth Savings: Reduces data consumption by caching repetitive requests.
  2. Improved Speed: Decreases load times for frequently visited sites.
  3. Access Control: Manages who can access specific resources on the internet.
  4. Enhanced Privacy: Masks the client’s IP address from external servers.
  5. Monitoring: Tracks user activity and provides detailed logging.

Prerequisites for Installing Squid on AlmaLinux

Before proceeding with the installation, ensure:

  1. You have a server running AlmaLinux with sudo or root access.
  2. Your system is updated.
  3. You have basic knowledge of terminal commands and networking.

Step 1: Update AlmaLinux

Begin by updating your system to ensure all packages and dependencies are up to date:

sudo dnf update -y

Step 2: Install Squid

Install Squid using the default package manager, dnf:

sudo dnf install squid -y

Verify the installation by checking the version:

squid -v

Once installed, Squid’s configuration files are stored in the following locations:

  • Main configuration file: /etc/squid/squid.conf
  • Access logs: /var/log/squid/access.log
  • Cache logs: /var/log/squid/cache.log

Step 3: Start and Enable Squid

Start the Squid service:

sudo systemctl start squid

Enable Squid to start on boot:

sudo systemctl enable squid

Check the service status to confirm it’s running:

sudo systemctl status squid

Step 4: Configure Squid

Squid’s behavior is controlled through its main configuration file. Open it with a text editor:

sudo nano /etc/squid/squid.conf

Step 4.1: Define Access Control Lists (ACLs)

Access Control Lists (ACLs) specify which devices or networks can use the proxy. Add the following lines to allow specific IP ranges. Squid evaluates http_access lines in order and stops at the first match, so keep them above the final http_access deny all line that the default configuration ends with:

acl localnet src 192.168.1.0/24
http_access allow localnet

Replace 192.168.1.0/24 with your local network’s IP range.

Step 4.2: Change the Listening Port

By default, Squid listens on port 3128. You can change this by modifying:

http_port 3128

For example, to use port 8080:

http_port 8080

Step 4.3: Configure Caching

Set the cache size and directory to optimize performance. Locate the cache_dir directive and adjust the settings:

cache_dir ufs /var/spool/squid 10000 16 256

  • ufs is the storage type.
  • /var/spool/squid is the cache directory.
  • 10000 is the cache size in MB.
  • 16 and 256 are the number of first- and second-level subdirectories created under the cache directory.

Step 4.4: Restrict Access to Specific Websites

Block websites by adding them to a file and linking it in the configuration:

  1. Create a file for blocked sites:
    sudo nano /etc/squid/blocked_sites.txt
    
  2. Add the domains you want to block:
    example.com
    badsite.com
    
  3. Reference this file in squid.conf, placing the deny line above http_access allow localnet so that it is evaluated first:
    acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
    http_access deny blocked_sites
    

Step 5: Apply Changes and Restart Squid

Before restarting, check the configuration file for syntax errors:

sudo squid -k parse

Then restart the Squid service to apply the changes:

sudo systemctl restart squid

Step 6: Configure Clients to Use the Proxy

To route client traffic through Squid, configure the proxy settings on client devices.

For Windows:

  1. Open Control Panel > Internet Options.
  2. Navigate to the Connections tab and click LAN settings.
  3. Check the box for Use a proxy server and enter the server’s IP address and port (e.g., 3128).

For Linux:

Set the proxy settings in the network manager or use the terminal:

export http_proxy="http://<server-ip>:3128"
export https_proxy="http://<server-ip>:3128"

Step 7: Monitor Squid Proxy Logs

Squid provides logs that help monitor traffic and troubleshoot issues. Use these commands to view logs:

  • Access logs:
    sudo tail -f /var/log/squid/access.log
    
  • Cache logs:
    sudo tail -f /var/log/squid/cache.log
    

Logs provide insights into client activity, blocked sites, and overall proxy performance.
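As an added example (not from this guide or from Squid), the following Python script parses lines in Squid's default native access.log format and totals requests, cache hits and TCP_DENIED entries per client address; it supports the log check described here, in Step 4 of the client-configuration guide and in Step 4.1 of the authentication guide further down this page. The log lines are constructed, and the function names are this example's own.

```python
"""Summarise Squid's native access.log per client (added example, not Squid code).
Native log fields, whitespace separated:
  timestamp elapsed client code/status bytes method url user hierarchy/peer type
"""
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample lines in Squid's native format (not captured traffic).
SAMPLE_LOG = """\
1700000000.123    245 192.168.1.25 TCP_MISS/200 5432 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000001.010     12 192.168.1.25 TCP_HIT/200 5432 GET http://example.com/ - HIER_NONE/- text/html
1700000002.456      0 192.168.1.40 TCP_DENIED/403 3900 GET http://badsite.com/ - HIER_NONE/- text/html
1700000003.001      0 192.168.1.40 TCP_DENIED/407 4000 GET http://example.com/ - HIER_NONE/- text/html
1700000004.200    300 192.168.1.40 TCP_MISS/200 8100 GET http://example.com/a.css user1 HIER_DIRECT/203.0.113.10 text/css
1700000005.000      0 10.0.0.9 TCP_DENIED/403 3900 CONNECT www.example.org:443 - HIER_NONE/- -
"""


def parse_line(line: str) -> dict:
    """Split one native-format line into named fields."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"unexpected field count in: {line!r}")
    ts, elapsed, client, code_status, nbytes, method, url, user, hier, ctype = fields
    code, status = code_status.split("/", 1)
    return {
        "ts": float(ts), "elapsed_ms": int(elapsed), "client": client,
        "code": code, "status": int(status), "bytes": int(nbytes),
        "method": method, "url": url, "user": None if user == "-" else user,
        "hierarchy": hier, "type": ctype,
    }


def host_of(method: str, url: str) -> str:
    """CONNECT requests are logged as host:port rather than as a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlparse(url).hostname or url


def new_stats() -> dict:
    return {"requests": 0, "hits": 0, "denied": 0, "auth_challenges": 0,
            "bytes": 0, "users": set(), "blocked_hosts": set()}


def summarize(log_text: str) -> Dict[str, dict]:
    """Aggregate request, cache-hit and denial counts per client address."""
    stats: Dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats.setdefault(rec["client"], new_stats())
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        if "HIT" in rec["code"]:              # TCP_HIT, TCP_MEM_HIT, ... served from cache
            s["hits"] += 1
        if rec["user"]:
            s["users"].add(rec["user"])
        if rec["code"] == "TCP_DENIED":
            if rec["status"] == 407:          # proxy asked the client for credentials
                s["auth_challenges"] += 1
            else:                             # policy denial, e.g. the blocked_sites ACL
                s["denied"] += 1
                s["blocked_hosts"].add(host_of(rec["method"], rec["url"]))
    return stats


def clients_with_denials(stats: Dict[str, dict], threshold: int = 1) -> List[str]:
    """Clients that hit a deny rule at least `threshold` times, most denials first."""
    hits = [(c, s["denied"]) for c, s in stats.items() if s["denied"] >= threshold]
    return [c for c, _ in sorted(hits, key=lambda cs: (-cs[1], cs[0]))]


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s["requests"], "requests,", s["denied"], "denied,",
              s["auth_challenges"], "auth challenges, blocked:", sorted(s["blocked_hosts"]))
```

Feed it the real file with `summarize(open("/var/log/squid/access.log").read())`; lines in a custom logformat will raise ValueError rather than being silently miscounted.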


Step 8: Enhance Squid with Authentication

Add user authentication to restrict proxy usage. Squid supports basic HTTP authentication, in which the client sends the username and password base64-encoded rather than encrypted with each request, so use it only on a network you trust.

  1. Install the required package:

    sudo dnf install httpd-tools -y
    
  2. Create a password file and add users:

    sudo htpasswd -c /etc/squid/passwd username
    

    Replace username with the desired username. You’ll be prompted to set a password.

  3. Configure Squid to use the password file. Add the following lines to squid.conf, above any earlier http_access allow line such as http_access allow localnet; Squid stops at the first matching http_access line, so clients matched by an earlier allow would never be asked for credentials:

    auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid Proxy
    auth_param basic credentialsttl 2 hours
    acl authenticated proxy_auth REQUIRED
    http_access allow authenticated
    
  4. Restart Squid to apply the changes:

    sudo systemctl restart squid
    

Now, users will need to provide a username and password to use the proxy.


Step 9: Test Your Proxy Server

Use a web browser or a command-line tool to test the proxy:

curl -x http://<server-ip>:3128 http://example.com

Replace <server-ip> with your server’s IP address. If the proxy is working correctly, the page will load through Squid.


Advanced Squid Configurations

1. SSL Interception

Squid can intercept HTTPS traffic for content filtering and monitoring. However, this requires generating and deploying SSL certificates.

2. Bandwidth Limitation

You can set bandwidth restrictions to ensure fair usage:

delay_pools 1
delay_class 1 2
delay_parameters 1 64000/64000 8000/8000
delay_access 1 allow all

3. Reverse Proxy

Squid can act as a reverse proxy to cache and serve content for backend web servers. This improves performance and reduces server load.


Conclusion

Setting up a Squid Proxy Server on AlmaLinux is a straightforward process that can significantly enhance network efficiency, security, and control. By following this guide, you’ve learned how to install, configure, and optimize Squid for your specific needs.

Whether you’re managing a corporate network, school, or personal setup, Squid provides the tools to monitor, secure, and improve internet usage.

2 - How to Configure Linux, Mac, and Windows Proxy Clients on AlmaLinux

In this article, we’ll provide a step-by-step guide on how to configure Linux, Mac, and Windows clients to use a proxy server hosted on AlmaLinux.

Proxy servers are indispensable tools for optimizing network performance, enhancing security, and controlling internet usage. Once you’ve set up a proxy server on AlmaLinux, the next step is configuring clients to route their traffic through the proxy. Proper configuration ensures seamless communication between devices and the proxy server, regardless of the operating system.

Why Use a Proxy Server?

Proxy servers act as intermediaries between client devices and the internet. By configuring clients to use a proxy, you gain the following benefits:

  1. Bandwidth Optimization: Cache frequently accessed resources to reduce data consumption.
  2. Enhanced Security: Mask client IP addresses, filter content, and inspect traffic.
  3. Access Control: Restrict or monitor internet access for users or devices.
  4. Improved Speed: Accelerate browsing by caching static content locally.

Prerequisites

Before configuring clients, ensure the following:

  1. A proxy server (e.g., Squid) is installed and configured on AlmaLinux.
  2. The proxy server’s IP address (e.g., 192.168.1.100) and port number (e.g., 3128) are known.
  3. Clients have access to the proxy server on the network.

Step 1: Configure Linux Proxy Clients

Linux systems can be configured to use a proxy in various ways, depending on the desktop environment and command-line tools.

1.1 Configure Proxy via GNOME Desktop Environment

  1. Open the Settings application.
  2. Navigate to Network or Wi-Fi, depending on your connection type.
  3. Scroll to the Proxy section and select Manual.
  4. Enter the proxy server’s IP address and port for HTTP, HTTPS, and FTP.
    • For example:
      • HTTP Proxy: 192.168.1.100
      • Port: 3128
  5. Save the settings and close the window.

1.2 Configure Proxy for Command-Line Tools

For command-line utilities such as curl or wget, you can configure the proxy by setting environment variables:

  1. Open a terminal and edit the shell profile file:

    nano ~/.bashrc
    
  2. Add the following lines:

    export http_proxy="http://192.168.1.100:3128"
    export https_proxy="http://192.168.1.100:3128"
    export ftp_proxy="http://192.168.1.100:3128"
    export no_proxy="localhost,127.0.0.1"
    
    • no_proxy specifies addresses to bypass the proxy.
  3. Apply the changes:

    source ~/.bashrc
    

1.3 Configure Proxy for APT Package Manager (Debian/Ubuntu)

To use a proxy with APT:

  1. Edit the configuration file:

    sudo nano /etc/apt/apt.conf.d/95proxies
    
  2. Add the following lines:

    Acquire::http::Proxy "http://192.168.1.100:3128/";
    Acquire::https::Proxy "http://192.168.1.100:3128/";
    
  3. Save the file and exit.

1.4 Verify Proxy Configuration

Test the proxy settings using curl or wget:

curl -I http://example.com

Squid adds Via: and X-Cache: headers to the responses it relays, so if they appear in the output the request went through the proxy and the configuration is successful.


Step 2: Configure Mac Proxy Clients

Mac systems allow proxy configuration through the System Preferences interface or using the command line.

2.1 Configure Proxy via System Preferences

  1. Open System Preferences and go to Network.
  2. Select your active connection (Wi-Fi or Ethernet) and click Advanced.
  3. Navigate to the Proxies tab.
  4. Check the boxes for the proxy types you want to configure (e.g., HTTP, HTTPS, FTP).
  5. Enter the proxy server’s IP address and port.
    • Example:
      • Server: 192.168.1.100
      • Port: 3128
  6. If the proxy requires authentication, enter the username and password.
  7. Click OK to save the settings.

2.2 Configure Proxy via Terminal

  1. Open the Terminal application.

  2. Use the networksetup command to configure the proxy:

    sudo networksetup -setwebproxy Wi-Fi 192.168.1.100 3128
    sudo networksetup -setsecurewebproxy Wi-Fi 192.168.1.100 3128
    

    Replace Wi-Fi with the name of your network interface.

  3. To verify the settings, use:

    networksetup -getwebproxy Wi-Fi
    

2.3 Bypass Proxy for Specific Domains

To exclude certain domains from using the proxy:

  1. In the Proxies tab of System Preferences, add domains to the Bypass proxy settings for these Hosts & Domains section.
  2. Save the settings.

Step 3: Configure Windows Proxy Clients

Windows offers multiple methods for configuring proxy settings, depending on your version and requirements.

3.1 Configure Proxy via Windows Settings

  1. Open the Settings app.
  2. Navigate to Network & Internet > Proxy.
  3. In the Manual proxy setup section:
    • Enable the toggle for Use a proxy server.
    • Enter the proxy server’s IP address (192.168.1.100) and port (3128).
    • Optionally, specify addresses to bypass the proxy in the Don’t use the proxy server for field.
  4. Save the settings.

3.2 Configure Proxy via Internet Options

  1. Open the Control Panel and go to Internet Options.
  2. In the Connections tab, click LAN settings.
  3. Enable the checkbox for Use a proxy server for your LAN.
  4. Enter the proxy server’s IP address and port.
  5. Click Advanced to configure separate proxies for HTTP, HTTPS, FTP, and bypass settings.

3.3 Configure Proxy via Command Prompt

  1. Open Command Prompt with administrative privileges.

  2. Use the netsh command to set the proxy (this configures the system-wide WinHTTP proxy used by Windows services, not the per-user browser settings from 3.1):

    netsh winhttp set proxy 192.168.1.100:3128
    
  3. To verify the configuration:

    netsh winhttp show proxy
    

3.4 Configure Proxy via Group Policy (For Enterprises)

  1. Open the Group Policy Editor (gpedit.msc).
  2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Proxy Settings.
  3. Enable the proxy settings and specify the server details.

Step 4: Verify Proxy Connectivity on All Clients

To ensure the proxy configuration is working correctly on all platforms:

  1. Open a browser and attempt to visit a website.

  2. Check if the request is routed through the proxy by monitoring the access.log on the AlmaLinux proxy server:

    sudo tail -f /var/log/squid/access.log
    

Look for entries corresponding to the client’s IP address.


Advanced Proxy Configurations

1. Authentication

If the proxy server requires authentication:

  • Linux: Add the credentials to http_proxy (this stores the password in plain text in your shell profile and exposes it to every process that inherits the environment):

    export http_proxy="http://username:password@192.168.1.100:3128"
    
  • Mac: Enable authentication in the Proxies tab.

  • Windows: Provide the username and password when prompted.

2. PAC File Configuration

Proxy Auto-Configuration (PAC) files dynamically define proxy rules. Host the PAC file on the AlmaLinux server and provide its URL to clients.

3. DNS Resolution

Ensure that DNS settings on all clients are consistent with the proxy server to avoid connectivity issues.


Conclusion

Configuring Linux, Mac, and Windows clients to use a proxy server hosted on AlmaLinux is a straightforward process that enhances network management, security, and efficiency. By following the steps outlined in this guide, you can ensure seamless integration of devices into your proxy environment.

Whether for personal use, educational purposes, or corporate networks, proxies offer unparalleled control over internet access and resource optimization.

3 - How to Set Basic Authentication and Limit Squid for Users on AlmaLinux

This guide walks you through configuring basic authentication and setting user-based limits in Squid on AlmaLinux.

Proxy servers are essential tools for managing and optimizing network traffic. Squid, a powerful open-source proxy server, provides features like caching, traffic filtering, and access control. One key feature of Squid is its ability to implement user-based restrictions using basic authentication. By enabling authentication, administrators can ensure only authorized users access the proxy, further enhancing security and control.

Why Use Basic Authentication in Squid?

Basic authentication requires users to provide a username and password to access the proxy server. This ensures:

  1. Access Control: Only authenticated users can use the proxy.
  2. Usage Monitoring: Track individual user activity via logs.
  3. Security: Prevent unauthorized use of the proxy, reducing risks.

Combined with Squid’s access control features, basic authentication allows fine-grained control over who can access specific websites or network resources.


Prerequisites

Before configuring basic authentication, ensure the following:

  1. AlmaLinux is installed and updated.
  2. Squid Proxy Server is installed and running.
  3. You have root or sudo access to the server.

Step 1: Install Squid on AlmaLinux

If Squid isn’t already installed, follow these steps:

Update System Packages

sudo dnf update -y

Install Squid

sudo dnf install squid -y

Start and Enable Squid

sudo systemctl start squid
sudo systemctl enable squid

Verify Installation

Check if Squid is running:

sudo systemctl status squid

Step 2: Configure Basic Authentication in Squid

2.1 Install Apache HTTP Tools

Squid uses htpasswd from Apache HTTP Tools to manage usernames and passwords.

Install the package:

sudo dnf install httpd-tools -y

2.2 Create the Password File

Create a file to store usernames and passwords:

sudo htpasswd -c /etc/squid/passwd user1

  • Replace user1 with the desired username.
  • You’ll be prompted to set a password for the user.

To add more users, omit the -c flag:

sudo htpasswd /etc/squid/passwd user2

Verify the contents of the password file:

cat /etc/squid/passwd

2.3 Configure Squid for Authentication

Edit Squid’s configuration file:

sudo nano /etc/squid/squid.conf

Add the following lines to enable basic authentication:

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Proxy Authentication
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive on

acl authenticated_users proxy_auth REQUIRED
http_access allow authenticated_users
http_access deny all

Here’s what each line does:

  • auth_param basic program: Specifies the authentication helper and password file location.
  • auth_param basic realm: Sets the authentication prompt users see.
  • acl authenticated_users: Defines an access control list (ACL) for authenticated users.
  • http_access: Grants access only to authenticated users and denies everyone else.

2.4 Restart Squid

Apply the changes by restarting Squid:

sudo systemctl restart squid

Step 3: Limit Access for Authenticated Users

Squid’s ACL system allows you to create user-based restrictions. Below are some common scenarios and their configurations. Squid stops at the first http_access line that matches, so place each of these restriction lines above the http_access allow authenticated_users line added in step 2.3; appended after it, they are never reached.


3.1 Restrict Access by Time

To limit internet access to specific hours:

  1. Add a time-based ACL to squid.conf:

    acl work_hours time MTWHF 09:00-17:00
    http_access allow authenticated_users work_hours
    http_access deny authenticated_users
    
    • This configuration allows access from Monday to Friday, 9 AM to 5 PM.
  2. Restart Squid:

    sudo systemctl restart squid
    

3.2 Block Specific Websites

To block certain websites for all authenticated users:

  1. Create a file listing the blocked websites:

    sudo nano /etc/squid/blocked_sites.txt
    

    Add the domains to block, one per line:

    facebook.com
    youtube.com
    
  2. Reference this file in squid.conf:

    acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"
    http_access deny authenticated_users blocked_sites
    
  3. Restart Squid:

    sudo systemctl restart squid
    

3.3 Limit Bandwidth for Users

To enforce bandwidth restrictions:

  1. Enable delay pools in squid.conf:

    delay_pools 1
    delay_class 1 2
    delay_parameters 1 64000/64000 16000/16000
    delay_access 1 allow authenticated_users
    delay_access 1 deny all
    
    • 64000/64000: Total bandwidth (in bytes per second).
    • 16000/16000: Bandwidth per request.
  2. Restart Squid:

    sudo systemctl restart squid
    

3.4 Allow Access to Specific Users Only

To restrict access to specific users:

  1. Define an ACL for the user:

    acl user1 proxy_auth user1
    http_access allow user1
    http_access deny all
    
  2. Restart Squid:

    sudo systemctl restart squid
    

Step 4: Monitor and Troubleshoot

Monitoring and troubleshooting are essential to ensure Squid runs smoothly.

4.1 View Logs

Squid logs user activity in the access.log file:

sudo tail -f /var/log/squid/access.log

4.2 Test Authentication

Use a browser or command-line tool (e.g., curl) to verify:

curl -x http://<proxy-ip>:3128 -U user1:password http://example.com

4.3 Troubleshoot Configuration Issues

Check Squid’s syntax before restarting:

sudo squid -k parse

If issues persist, review the Squid logs in /var/log/squid/cache.log.


Step 5: Best Practices for Squid Authentication and Access Control

  1. Protect the Password File: htpasswd stores password hashes rather than plain text, but the file should still be readable only by the Squid user:

    sudo chmod 600 /etc/squid/passwd
    sudo chown squid:squid /etc/squid/passwd
    
  2. Combine ACLs for Fine-Grained Control: Use multiple ACLs to create layered restrictions (e.g., time-based limits with content filtering).

  3. Enable HTTPS Proxying with SSL Bumping: To inspect encrypted traffic, configure Squid with SSL bumping.

  4. Monitor Usage Regularly: Use tools like sarg or squid-analyzer to generate user activity reports.

  5. Keep Squid Updated: Regularly update Squid to benefit from security patches and new features:

    sudo dnf update squid
    

Conclusion

Implementing basic authentication and user-based restrictions in Squid on AlmaLinux provides robust access control and enhances security. By following this guide, you can enable authentication, limit user access by time or domain, and monitor usage effectively.

Squid’s flexibility allows you to tailor proxy configurations to your organization’s needs, ensuring efficient and secure internet access for all users.

4 - How to Configure Squid as a Reverse Proxy Server on AlmaLinux

In this guide, we’ll walk you through the steps to configure Squid as a reverse proxy server on AlmaLinux.

A reverse proxy server acts as an intermediary between clients and backend servers, offering benefits like load balancing, caching, and enhanced security. One of the most reliable tools for setting up a reverse proxy is Squid, an open-source, high-performance caching proxy server. Squid is typically used as a forward proxy, but it can also be configured as a reverse proxy to optimize backend server performance and improve the user experience.

What is a Reverse Proxy Server?

A reverse proxy server intercepts client requests, forwards them to backend servers, and relays responses back to the clients. Unlike a forward proxy that works on behalf of clients, a reverse proxy represents servers.

Key Benefits of a Reverse Proxy

  1. Load Balancing: Distributes incoming requests across multiple servers.
  2. Caching: Reduces server load by serving cached content to clients.
  3. Security: Hides the identity and details of backend servers.
  4. SSL Termination: Offloads SSL encryption and decryption tasks.
  5. Improved Performance: Compresses and optimizes responses for faster delivery.

Prerequisites

Before configuring Squid as a reverse proxy, ensure the following:

  1. AlmaLinux is installed and updated.
  2. Squid is installed on the server.
  3. Root or sudo access to the server.
  4. Basic understanding of Squid configuration files.

Step 1: Install Squid on AlmaLinux

Update the System

Ensure all packages are up to date:

sudo dnf update -y

Install Squid

Install Squid using the dnf package manager:

sudo dnf install squid -y

Start and Enable Squid

Start the Squid service and enable it to start at boot:

sudo systemctl start squid
sudo systemctl enable squid

Verify Installation

Check if Squid is running:

sudo systemctl status squid

Step 2: Understand the Squid Configuration File

The primary configuration file for Squid is located at:

/etc/squid/squid.conf

This file controls all aspects of Squid’s behavior, including caching, access control, and reverse proxy settings.

Before making changes, create a backup of the original configuration file:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

Step 3: Configure Squid as a Reverse Proxy

3.1 Basic Reverse Proxy Setup

Edit the Squid configuration file:

sudo nano /etc/squid/squid.conf

Add the following configuration to define Squid as a reverse proxy:

# Define HTTP port for reverse proxy
http_port 80 accel vhost allow-direct

# Cache peer (backend server) settings
cache_peer backend_server_ip parent 80 0 no-query originserver name=backend

# Map requests to the backend server
acl sites_to_reverse_proxy dstdomain example.com
http_access allow sites_to_reverse_proxy
cache_peer_access backend allow sites_to_reverse_proxy
cache_peer_access backend deny all

# Deny all other traffic
http_access deny all

Explanation of Key Directives:

  • http_port 80 accel vhost allow-direct: Configures Squid to operate as a reverse proxy (accelerator mode) on port 80; vhost selects the backend by the Host header of each request.
  • cache_peer: Specifies the backend server’s IP address and port. The originserver flag ensures Squid treats it as the origin server.
  • acl sites_to_reverse_proxy: Defines an access control list (ACL) for the domain being proxied.
  • cache_peer_access: Associates client requests with the appropriate backend server.
  • http_access deny all: Denies any requests that don’t match the ACL.

Replace backend_server_ip with the IP address of your backend server and example.com with your domain name.


3.2 Configure DNS Settings

Ensure Squid resolves your domain name correctly. Add the backend server’s IP address to your /etc/hosts file for local DNS resolution:

sudo nano /etc/hosts

Add the following line:

backend_server_ip example.com

Replace backend_server_ip with the backend server’s IP address and example.com with your domain name.


3.3 Enable SSL (Optional)

If your reverse proxy needs to handle HTTPS traffic, you’ll need to configure SSL.

Step 3.3.1: Install SSL Certificates

Obtain an SSL certificate for your domain from a trusted certificate authority or generate a self-signed certificate.

Place the certificate and private key files in a secure directory, e.g., /etc/squid/ssl/.

Step 3.3.2: Configure Squid for HTTPS

Edit the Squid configuration file to add SSL support:

https_port 443 accel cert=/etc/squid/ssl/example.com.crt key=/etc/squid/ssl/example.com.key vhost
cache_peer backend_server_ip parent 443 0 no-query originserver ssl name=backend

  • Replace example.com.crt and example.com.key with your SSL certificate and private key files.
  • Add ssl to the cache_peer directive to enable encrypted connections to the backend.

3.4 Configure Caching

Squid can cache static content like images, CSS, and JavaScript files to improve performance.

Add caching settings to squid.conf:

# Enable caching
cache_mem 256 MB
maximum_object_size_in_memory 1 MB
cache_dir ufs /var/spool/squid 1000 16 256
maximum_object_size 10 MB
minimum_object_size 0 KB

# Refresh patterns for caching
refresh_pattern ^ftp:       1440    20%     10080
refresh_pattern ^gopher:    1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .           0       20%     4320

  • cache_mem: Allocates memory for caching.
  • cache_dir: Configures the storage directory and size for disk caching.

Step 4: Apply and Test the Configuration

Restart Squid

After making changes, restart Squid to apply the new configuration:

sudo systemctl restart squid

Check Logs

Monitor Squid logs to verify requests are being handled correctly:

  • Access log:

    sudo tail -f /var/log/squid/access.log
    
  • Cache log:

    sudo tail -f /var/log/squid/cache.log
    

Test the Reverse Proxy

  1. Open a browser and navigate to your domain (e.g., http://example.com).
  2. Ensure the request is routed through Squid and served by the backend server.

Use tools like curl to test from the command line:

curl -I http://example.com

Step 5: Optimize and Secure Squid

5.1 Harden Access Control

Limit access to trusted IP ranges by adding ACLs:

acl allowed_ips src 192.168.1.0/24
http_access allow allowed_ips
http_access deny all

5.2 Configure Load Balancing

If you have multiple backend servers, configure Squid for load balancing:

cache_peer backend_server1_ip parent 80 0 no-query originserver round-robin
cache_peer backend_server2_ip parent 80 0 no-query originserver round-robin

The round-robin option distributes requests evenly among backend servers.

5.3 Enable Logging and Monitoring

Install tools like sarg or squid-analyzer for detailed traffic reports:

sudo dnf install squid-analyzer -y

Conclusion

Configuring Squid as a reverse proxy server on AlmaLinux is a straightforward process that can greatly enhance your network’s performance and security. With features like caching, SSL termination, and load balancing, Squid helps optimize backend resources and deliver a seamless experience to users.

By following this guide, you’ve set up a functional reverse proxy and learned how to secure and fine-tune it for optimal performance. Whether for a small application or a large-scale deployment, Squid’s versatility makes it an invaluable tool for modern network infrastructure.

5 - HAProxy: How to Configure HTTP Load Balancing Server on AlmaLinux

In this detailed guide, you’ll learn how to configure an HTTP load-balancing server using HAProxy on AlmaLinux, ensuring your web applications run efficiently and reliably.

As web applications scale, ensuring consistent performance, reliability, and availability becomes a challenge. HAProxy (High Availability Proxy) is a powerful and widely-used open-source solution for HTTP load balancing and proxying. By distributing incoming traffic across multiple backend servers, HAProxy improves fault tolerance and optimizes resource utilization.

What is HAProxy?

HAProxy is a high-performance, open-source load balancer and reverse proxy server designed to distribute traffic efficiently across multiple servers. It’s known for its reliability, extensive protocol support, and ability to handle large volumes of traffic.

Key Features of HAProxy

  • Load Balancing: Distributes traffic across multiple backend servers.
  • High Availability: Automatically reroutes traffic from failed servers.
  • Scalability: Manages large-scale traffic for enterprise-grade applications.
  • Health Checks: Monitors the status of backend servers.
  • SSL Termination: Handles SSL encryption and decryption to offload backend servers.
  • Logging: Provides detailed logs for monitoring and debugging.

Why Use HAProxy for HTTP Load Balancing?

HTTP load balancing ensures:

  1. Optimized Resource Utilization: Distributes traffic evenly among servers.
  2. High Availability: Redirects traffic from failed servers to healthy ones.
  3. Improved Performance: Reduces latency and bottlenecks.
  4. Fault Tolerance: Keeps services running even during server failures.
  5. Scalable Architecture: Accommodates increasing traffic demands by adding more servers.

Prerequisites

Before starting, ensure:

  1. AlmaLinux is installed and updated.
  2. You have root or sudo access to the server.
  3. Multiple web servers (backend servers) are available for load balancing.
  4. Basic knowledge of Linux commands and networking.

Step 1: Install HAProxy on AlmaLinux

Update System Packages

Ensure your system is up to date:

sudo dnf update -y

Install HAProxy

Install HAProxy using the dnf package manager:

sudo dnf install haproxy -y

Verify Installation

Check the HAProxy version to confirm installation:

haproxy -v

Step 2: Understand HAProxy Configuration

The primary configuration file for HAProxy is located at:

/etc/haproxy/haproxy.cfg

This file contains sections that define:

  • Global Settings: General HAProxy configurations like logging and tuning.
  • Defaults: Default settings for all proxies.
  • Frontend: Handles incoming traffic from clients.
  • Backend: Defines the pool of servers to distribute traffic.
  • Listen: Combines frontend and backend configurations.

Step 3: Configure HAProxy for HTTP Load Balancing

3.1 Backup the Default Configuration

Before making changes, back up the default configuration:

sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak

3.2 Edit the Configuration File

Open the configuration file for editing:

sudo nano /etc/haproxy/haproxy.cfg

Global Settings

Update the global section to define general parameters:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 2000

  • log: Configures logging.
  • chroot: Confines the HAProxy process to this directory (a chroot jail) once it has started.
  • maxconn: Defines the maximum number of concurrent connections.

Default Settings

Modify the defaults section to set basic options:

defaults
    log     global
    option  httplog
    option  dontlognull
    timeout connect 5000ms
    timeout client  50000ms
    timeout server  50000ms
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

  • timeout connect: Timeout for establishing a connection to the backend.
  • timeout client: Timeout for client inactivity.
  • timeout server: Timeout for server inactivity.

Frontend Configuration

Define how HAProxy handles incoming client requests:

frontend http_front
    bind *:80
    mode http
    default_backend web_servers

  • bind *:80: Listens for HTTP traffic on port 80.
  • default_backend: Specifies the backend pool of servers.

Backend Configuration

Define the pool of backend servers for load balancing:

backend web_servers
    mode http
    balance roundrobin
    option httpchk GET /
    server server1 192.168.1.101:80 check
    server server2 192.168.1.102:80 check
    server server3 192.168.1.103:80 check

  • balance roundrobin: Distributes traffic evenly across servers.
  • option httpchk: Sends health-check requests to backend servers.
  • server: Defines each backend server with its IP, port, and health-check status.

Step 4: Test and Apply the Configuration

4.1 Validate Configuration Syntax

Check for syntax errors in the configuration file:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

4.2 Restart HAProxy

Apply the configuration changes by restarting HAProxy:

sudo systemctl restart haproxy

4.3 Enable HAProxy at Boot

Ensure HAProxy starts automatically during system boot:

sudo systemctl enable haproxy

Step 5: Monitor HAProxy

5.1 Enable HAProxy Statistics

To monitor traffic and server status, enable the HAProxy statistics dashboard. Add the following section to the configuration file:

listen stats
    bind *:8080
    mode http
    stats enable
    stats uri /haproxy?stats
    stats auth admin:password

  • bind *:8080: Access the stats page on port 8080.
  • mode http: Required, because the statistics page is served over HTTP and the defaults section above sets no mode.
  • stats uri: URL path for the dashboard.
  • stats auth: Username and password for authentication (replace these example values).

Restart HAProxy and access the dashboard:

http://<haproxy-server-ip>:8080/haproxy?stats

5.2 Monitor Logs

Check HAProxy logs for detailed information:

sudo tail -f /var/log/haproxy.log
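To turn the log stream into something actionable, here is an added Python example (not from the original guide) that parses lines in HAProxy's default option httplog format, counts responses per backend server by status class, and flags requests whose termination state shows a server-side failure. The log lines are constructed for the example. It assumes rsyslog is delivering HAProxy's local0 messages to /var/log/haproxy.log (on AlmaLinux that needs an rsyslog rule, and with chroot in the global section the /dev/log socket must also exist inside the chroot directory), and that no capture request header directives are configured, since those add {...} fields the regex does not expect.

```python
import re
from collections import Counter, defaultdict

# Fields of HAProxy's default "option httplog" line (no captured headers).
HTTPLOG_RE = re.compile(
    r'^(?P<syslog_ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) haproxy\[(?P<pid>\d+)\]: '
    r'(?P<client_ip>[\d.]+):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>\+?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) (?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/'
    r'(?P<srvconn>\d+)/(?P<retries>\+?\d+) (?P<srv_queue>\d+)/(?P<be_queue>\d+) '
    r'"(?P<request>[^"]*)"$'
)

# First character of the termination state: what ended the session.
TERM_CAUSE = {
    'C': 'client aborted', 'S': 'server aborted or sent an invalid response',
    'P': 'proxy aborted (e.g. http-request deny)', 'R': 'resource exhaustion',
    'I': 'internal error', 'D': 'server went down', 'U': 'server came up',
    'K': 'killed by admin', 'c': 'client-side timeout', 's': 'server-side timeout',
    'L': 'handled locally (redirect/deny)', '-': 'normal',
}
# Second character: the session state at that moment.
TERM_STATE = {
    'R': 'waiting for request', 'Q': 'queued', 'C': 'connecting to server',
    'H': 'waiting for response headers', 'D': 'transferring data',
    'L': 'transferring last data', 'T': 'tarpitted', '-': 'normal',
}

INT_FIELDS = ('pid', 'client_port', 'tq', 'tw', 'tc', 'tr', 'tt', 'status', 'bytes',
              'actconn', 'feconn', 'beconn', 'srvconn', 'retries', 'srv_queue', 'be_queue')

def parse_line(line):
    """Return a dict of fields for one httplog line, or None if it is not a request log line."""
    m = HTTPLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key].lstrip('+'))   # "+" prefix appears with "option logasap"
    return rec

def explain_term(term):
    return f"{TERM_CAUSE.get(term[0], '?')} / {TERM_STATE.get(term[1], '?')}"

def summarize(lines):
    """Return (per-server status-class counts, server-side failures, number of unparsed lines)."""
    per_server = defaultdict(Counter)
    failures = []
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # e.g. state-change messages, which use another format
            continue
        key = f"{rec['backend']}/{rec['server']}"
        per_server[key][f"{rec['status'] // 100}xx"] += 1
        # 'S'/'s' means the server side ended the session; 5xx is an upstream error either way
        if rec['term'][0] in 'Ss' or rec['status'] >= 500:
            failures.append((key, rec['status'], explain_term(rec['term']), rec['request']))
    return dict(per_server), failures, skipped

# Constructed sample lines in the default httplog format (the last one is a state-change
# message, not a request, and is counted as skipped).
SAMPLE_LINES = [
    'Jan 14 10:01:02 lb1 haproxy[1234]: 192.168.1.20:51234 [14/Jan/2025:10:01:02.101] http_front web_servers/server1 0/0/1/12/13 200 2750 - - ---- 1/1/1/1/0 0/0 "GET / HTTP/1.1"',
    'Jan 14 10:01:03 lb1 haproxy[1234]: 192.168.1.20:51235 [14/Jan/2025:10:01:03.204] http_front web_servers/server2 0/0/-1/-1/3000 503 212 - - SC-- 1/1/0/0/3 0/0 "GET /api/items HTTP/1.1"',
    'Jan 14 10:01:04 lb1 haproxy[1234]: 192.168.1.21:40001 [14/Jan/2025:10:01:04.055] http_front web_servers/server3 0/0/2/50001/50004 504 194 - - sH-- 2/2/1/1/0 0/0 "POST /upload HTTP/1.1"',
    'Jan 14 10:01:05 lb1 haproxy[1234]: 192.168.1.22:40002 [14/Jan/2025:10:01:05.310] http_front web_servers/server1 0/0/1/8/9 404 189 - - ---- 1/1/1/1/0 0/0 "GET /missing HTTP/1.1"',
    'Jan 14 10:01:06 lb1 haproxy[1234]: 192.168.1.23:40003 [14/Jan/2025:10:01:06.410] http_front http_front/<NOSRV> 0/-1/-1/-1/0 403 188 - - PR-- 1/1/0/0/0 0/0 "GET /admin HTTP/1.1"',
    'Jan 14 10:01:07 lb1 haproxy[1234]: Server web_servers/server2 is DOWN, reason: Layer4 connection problem, check duration: 2001ms. 2 active and 0 backup servers left.',
]

if __name__ == '__main__':
    counts, failures, skipped = summarize(SAMPLE_LINES)
    for server, by_class in sorted(counts.items()):
        print(server, dict(by_class))
    for server, status, why, request in failures:
        print(f"FAIL {server} {status} ({why}) {request}")
    print(f"{skipped} non-request line(s) skipped")
```

Run it against a real file with summarize(open('/var/log/haproxy.log')); the termination state is the field to read first when a 5xx appears, because it tells you whether the backend refused the connection (SC), timed out while HAProxy waited for headers (sH), or the request never reached a server at all (PR, with <NOSRV>).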

Step 6: Advanced Configurations

6.1 SSL Termination

To enable HTTPS traffic, HAProxy can handle SSL termination. Install an SSL certificate and update the frontend configuration:

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    mode http
    default_backend web_servers

6.2 Load Balancing Algorithms

Customize traffic distribution by choosing a load-balancing algorithm:

  • roundrobin: Default method, distributes requests evenly.
  • leastconn: Sends requests to the server with the fewest active connections.
  • source: Routes traffic based on the client’s IP address.

For example:

balance leastconn

6.3 Error Pages

Customize error pages by creating custom HTTP files and referencing them in the defaults section:

errorfile 503 /etc/haproxy/errors/custom_503.http

Step 7: Troubleshooting

Check HAProxy Status

Verify the service status:

sudo systemctl status haproxy

Debug Configuration

Run HAProxy in debugging mode:

sudo haproxy -d -f /etc/haproxy/haproxy.cfg

Verify Backend Health

Check the health of backend servers:

curl -I http://<haproxy-server-ip>

Conclusion

Configuring HAProxy as an HTTP load balancer on AlmaLinux is a vital step in building a scalable and reliable infrastructure. By distributing traffic efficiently, HAProxy ensures high availability and improved performance for your web applications. With its extensive features like health checks, SSL termination, and monitoring, HAProxy is a versatile solution for businesses of all sizes.

By following this guide, you’ve set up HAProxy, tested its functionality, and explored advanced configurations to optimize your system further. Whether for small projects or large-scale deployments, HAProxy is an essential tool in modern networking.

6 - HAProxy: How to Configure SSL/TLS Settings on AlmaLinux

In this guide, we will walk you through configuring SSL/TLS settings on HAProxy running on AlmaLinux.

As web applications and services increasingly demand secure communication, implementing SSL/TLS (Secure Sockets Layer/Transport Layer Security) is essential for encrypting traffic between clients and servers. HAProxy, a powerful open-source load balancer and reverse proxy, offers robust support for SSL/TLS termination and passthrough, ensuring secure and efficient traffic management.

In this guide, we will walk you through configuring SSL/TLS settings on HAProxy running on AlmaLinux, covering both termination and passthrough setups, as well as advanced security settings.


What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that encrypt communication between a client (e.g., a web browser) and a server. This encryption ensures:

  • Confidentiality: Prevents eavesdropping on data.
  • Integrity: Protects data from being tampered with.
  • Authentication: Confirms the identity of the server and optionally the client.

Why Use SSL/TLS with HAProxy?

Integrating SSL/TLS with HAProxy provides several benefits:

  1. SSL Termination: Decrypts incoming traffic, reducing the computational load on backend servers.
  2. SSL Passthrough: Allows encrypted traffic to pass directly to backend servers.
  3. Improved Security: Ensures encrypted connections between clients and the proxy.
  4. Centralized Certificate Management: Simplifies SSL/TLS certificate management for multiple backend servers.

Prerequisites

Before configuring SSL/TLS in HAProxy, ensure:

  1. AlmaLinux is installed and updated.
  2. HAProxy is installed and running.
  3. You have an SSL certificate and private key for your domain.
  4. Basic knowledge of HAProxy configuration files.

Step 1: Install HAProxy on AlmaLinux

If HAProxy isn’t already installed, follow these steps:

Update System Packages

sudo dnf update -y

Install HAProxy

sudo dnf install haproxy -y

Start and Enable HAProxy

sudo systemctl start haproxy
sudo systemctl enable haproxy

Verify Installation

haproxy -v

Step 2: Obtain and Prepare SSL Certificates

2.1 Obtain SSL Certificates

You can get an SSL certificate from:

  • A trusted Certificate Authority (e.g., Let’s Encrypt, DigiCert).
  • Self-signed certificates (for testing purposes).

2.2 Combine Certificate and Private Key

HAProxy requires the certificate and private key to be combined into a single .pem file (the leaf certificate first, followed by any intermediate certificates, then the key). If your certificate and key are separate, create the certificate directory and concatenate them into it; tee is used because a plain > redirection would run as your own user rather than as root:

sudo mkdir -p /etc/haproxy/certs
cat example.com.crt example.com.key | sudo tee /etc/haproxy/certs/example.com.pem > /dev/null

2.3 Secure the Certificates

Set appropriate permissions to protect your private key:

sudo mkdir -p /etc/haproxy/certs
sudo chmod 700 /etc/haproxy/certs
sudo chown haproxy:haproxy /etc/haproxy/certs
sudo chmod 600 /etc/haproxy/certs/example.com.pem
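As an added check that is not part of the original guide, the following Python script inspects a HAProxy .pem bundle the way the troubleshooting section later expects it to look: leaf certificate first, the intermediate chain after it, exactly one private key, and no group or other permissions. The PEM blocks it writes are constructed placeholders, not real certificates; the script checks structure and file mode only, not signatures or expiry.

```python
import os
import re
import stat
import tempfile

# One PEM block: "-----BEGIN <LABEL>-----", a body, "-----END <LABEL>-----" (same label).
PEM_BLOCK_RE = re.compile(r'-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----', re.S)

def inspect_bundle(path):
    """Return a list of findings for a HAProxy .pem bundle; an empty list means it looks sound."""
    findings = []
    with open(path) as f:
        labels = [m.group(1) for m in PEM_BLOCK_RE.finditer(f.read())]
    certs = [label for label in labels if label == 'CERTIFICATE']
    keys = [label for label in labels if label.endswith('PRIVATE KEY')]
    if not certs:
        findings.append('no CERTIFICATE block found')
    if len(keys) != 1:
        findings.append(f'expected exactly one private key, found {len(keys)}')
    if labels and labels[0] != 'CERTIFICATE':
        findings.append('first block must be the server (leaf) certificate, not the key')
    if len(certs) == 1:
        findings.append('only one certificate: the intermediate chain is probably missing')
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f'mode {oct(stat.S_IMODE(mode))} is accessible to group/other; use chmod 600')
    return findings

# Constructed placeholder blocks: the bodies are not real certificate or key material.
FAKE_LEAF = '-----BEGIN CERTIFICATE-----\nMIIBPLACEHOLDERLEAF\n-----END CERTIFICATE-----\n'
FAKE_INTERMEDIATE = '-----BEGIN CERTIFICATE-----\nMIIBPLACEHOLDERINTERMEDIATE\n-----END CERTIFICATE-----\n'
FAKE_KEY = '-----BEGIN PRIVATE KEY-----\nMIIEPLACEHOLDERKEY\n-----END PRIVATE KEY-----\n'

def write_sample(directory, name, content, mode):
    path = os.path.join(directory, name)
    with open(path, 'w') as f:
        f.write(content)
    os.chmod(path, mode)
    return path

def build_samples():
    """Write a correct bundle and a broken one (key first, no chain, world-readable) to a temp dir."""
    directory = tempfile.mkdtemp()
    good = write_sample(directory, 'good.pem', FAKE_LEAF + FAKE_INTERMEDIATE + FAKE_KEY, 0o600)
    bad = write_sample(directory, 'bad.pem', FAKE_KEY + FAKE_LEAF, 0o644)
    return good, bad

if __name__ == '__main__':
    for sample in build_samples():
        print(sample, inspect_bundle(sample) or ['OK'])
```

Point it at the real bundle with inspect_bundle('/etc/haproxy/certs/example.com.pem') after running the commands above; a non-empty list is worth fixing before the first restart, since HAProxy will load a world-readable or chain-less bundle without complaint.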

Step 3: Configure SSL Termination in HAProxy

SSL termination decrypts incoming HTTPS traffic at HAProxy, sending unencrypted traffic to backend servers.

3.1 Update the Configuration File

Edit the HAProxy configuration file:

sudo nano /etc/haproxy/haproxy.cfg

Add or modify the following sections:

Frontend Configuration

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    mode http
    default_backend web_servers

  • bind *:443 ssl crt: Listens on port 443 (HTTPS) and terminates TLS with the certificate bundle.
  • default_backend: Specifies the backend server pool.

Backend Configuration

backend web_servers
    mode http
    balance roundrobin
    option httpchk GET /
    server server1 192.168.1.101:80 check
    server server2 192.168.1.102:80 check

  • balance roundrobin: Distributes traffic evenly across servers.
  • server: Defines backend servers by IP and port.

3.2 Restart HAProxy

Apply the changes by restarting HAProxy:

sudo systemctl restart haproxy

3.3 Test SSL Termination

Open a browser and navigate to your domain using HTTPS (e.g., https://example.com). Verify that the connection is secure.


Step 4: Configure SSL Passthrough

In SSL passthrough mode, HAProxy does not terminate SSL traffic. Instead, it forwards encrypted traffic to the backend servers.

4.1 Update the Configuration File

Edit the configuration file:

sudo nano /etc/haproxy/haproxy.cfg

Modify the frontend and backend sections as follows:

Frontend Configuration

frontend https_passthrough
    bind *:443
    mode tcp
    default_backend web_servers

  • mode tcp: Ensures that SSL traffic is passed as-is to the backend.

Backend Configuration

backend web_servers
    mode tcp
    balance roundrobin
    server server1 192.168.1.101:443 check check-ssl verify none
    server server2 192.168.1.102:443 check check-ssl verify none

  • check check-ssl: Runs the health check over TLS. The ssl keyword is deliberately absent from the server lines: with it, HAProxy would open its own TLS connection to the backend and wrap the client's still-encrypted TLS session inside it, which the backend cannot handle.
  • verify none: Skips certificate validation for the health check (use cautiously).

4.2 Restart HAProxy

sudo systemctl restart haproxy

4.3 Test SSL Passthrough

Ensure that backend servers handle SSL decryption by visiting your domain over HTTPS.


Step 5: Advanced SSL/TLS Settings

5.1 Enforce TLS Versions

Restrict the use of older protocols (e.g., SSLv3, TLSv1) to improve security:

frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1 no-sslv3 no-tlsv10 no-tlsv11

  • no-sslv3: Disables SSLv3.
  • no-tlsv10: Disables TLSv1.0.
  • no-tlsv11: Disables TLSv1.1.

5.2 Configure Cipher Suites

Define strong cipher suites to enhance encryption:

bind *:443 ssl crt /etc/haproxy/certs/example.com.pem ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH no-sslv3

5.3 Enable HTTP/2

HTTP/2 improves performance by multiplexing multiple requests over a single connection:

bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
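To catch the weak settings this step (and the statistics sections earlier) warn about before they reach production, here is an added Python linter, not part of the original guide, that scans a haproxy.cfg for TLS binds without a minimum protocol version, server lines with verify none, and stats listeners bound to every interface, unauthenticated, or protected by a trivial password. Both configuration samples are constructed from the snippets in this guide; the hardened version uses ssl-min-ver TLSv1.2 (a bind option equivalent to the no-tlsv10 no-tlsv11 form above) and verify required ca-file /etc/pki/tls/certs/ca-bundle.crt, the system CA bundle path on AlmaLinux, and its stats password is a placeholder.

```python
SECTION_KEYWORDS = ('global', 'defaults', 'frontend', 'backend', 'listen')
TRIVIAL_PASSWORDS = {'password', 'admin', 'haproxy', 'secret', '123456'}
ANY_ADDRESS = ('', '*', '0.0.0.0', '::')      # "bind :8404" and "bind *:8404" listen everywhere

def split_sections(text):
    """Group the configuration into (section header, [(line number, words), ...]) pairs."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in SECTION_KEYWORDS:
            current = (line, [])
            sections.append(current)
        elif current is not None:
            current[1].append((lineno, words))
    return sections

def server_skips_verify(words):
    """True for a server line carrying 'verify none'."""
    if words[0] != 'server' or 'verify' not in words:
        return False
    i = words.index('verify')
    return i + 1 < len(words) and words[i + 1] == 'none'

def lint_haproxy_cfg(text):
    """Return (line number, section header, message) for each weak setting found."""
    findings = []
    for header, lines in split_sections(text):
        serves_stats = any(w[:2] == ['stats', 'enable'] for _, w in lines)
        has_stats_auth = False
        for lineno, words in lines:
            if words[0] == 'bind' and len(words) > 1:
                opts = words[2:]
                address = words[1].rpartition(':')[0]
                if 'ssl' in opts and 'ssl-min-ver' not in opts \
                        and not {'no-tlsv10', 'no-tlsv11'} <= set(opts):
                    findings.append((lineno, header,
                        'TLS bind still accepts TLS 1.0/1.1: add "ssl-min-ver TLSv1.2" (or no-tlsv10 no-tlsv11)'))
                if serves_stats and address in ANY_ADDRESS:
                    findings.append((lineno, header,
                        'stats page listens on every interface: bind it to 127.0.0.1 or an admin network'))
            elif server_skips_verify(words):
                findings.append((lineno, header,
                    'backend certificate is not validated ("verify none"): use "verify required ca-file ..."'))
            elif words[:2] == ['stats', 'auth'] and len(words) > 2:
                has_stats_auth = True
                password = words[2].partition(':')[2]
                if password.lower() in TRIVIAL_PASSWORDS or len(password) < 12:
                    findings.append((lineno, header, 'stats auth uses a trivial or short password'))
        if serves_stats and not has_stats_auth:
            findings.append((0, header, 'stats page has no "stats auth": anyone who can reach it sees backend details'))
    return findings

# Constructed from this guide's snippets: every line below trips one check.
WEAK_CFG = """
frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
    mode http

backend web_servers
    mode tcp
    server server1 192.168.1.101:443 check check-ssl verify none

listen stats
    bind *:8080
    mode http
    stats enable
    stats uri /haproxy?stats
    stats auth admin:password
"""

# The same sections hardened; the stats password is a placeholder to be replaced.
HARDENED_CFG = """
frontend https_front
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem ssl-min-ver TLSv1.2 alpn h2,http/1.1
    mode http

backend web_servers
    mode tcp
    server server1 192.168.1.101:443 check check-ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt

listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /haproxy?stats
    stats auth ops:REPLACE_WITH_STRONG_PASSWORD
"""

if __name__ == '__main__':
    for name, cfg in (('weak', WEAK_CFG), ('hardened', HARDENED_CFG)):
        print(name, lint_haproxy_cfg(cfg) or 'no findings')
```

Run it as lint_haproxy_cfg(open('/etc/haproxy/haproxy.cfg').read()) before haproxy -c: the syntax check accepts all four weak settings without a warning, so this kind of policy check is the only thing that will flag them.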

Step 6: Monitor and Test the Configuration

6.1 Check Logs

Monitor HAProxy logs to ensure proper operation:

sudo tail -f /var/log/haproxy.log

6.2 Test with Tools


Step 7: Troubleshooting

Common Issues

  1. Certificate Errors: Ensure the .pem file contains the full certificate chain.
  2. Unreachable Backend: Verify backend server IPs, ports, and firewall rules.
  3. Protocol Errors: Check for unsupported TLS versions or ciphers.

Conclusion

Configuring SSL/TLS settings in HAProxy on AlmaLinux enhances your server’s security, performance, and scalability. Whether using SSL termination for efficient encryption management or passthrough for end-to-end encryption, HAProxy offers the flexibility needed to meet diverse requirements.

By following this guide, you’ve set up secure HTTPS traffic handling with advanced configurations like TLS version enforcement and HTTP/2 support. With HAProxy, you can confidently build a secure and scalable infrastructure for your web applications.

7 - HAProxy: How to Refer to the Statistics Web on AlmaLinux

This post delves into how to set up and refer to the HAProxy statistics web interface on AlmaLinux, a popular choice for server environments due to its stability and RHEL compatibility.

HAProxy is a widely used open-source solution for load balancing and high availability. Among its robust features is a built-in statistics web interface that provides detailed metrics on server performance, connections, and backend health. This post delves into how to set up and refer to the HAProxy statistics web interface on AlmaLinux, a popular choice for server environments due to its stability and RHEL compatibility.

Prerequisites

Before proceeding, ensure the following:

  • AlmaLinux Server: A running instance of AlmaLinux with administrative privileges.
  • HAProxy Installed: HAProxy version 2.4 or later installed.
  • Firewall Access: Ability to configure the firewall to allow web access to the statistics page.
  • Basic Command-Line Skills: Familiarity with Linux command-line operations.

Step 1: Install HAProxy

If HAProxy is not already installed on your AlmaLinux server, follow these steps:

  1. Update the System:

    sudo dnf update -y
    
  2. Install HAProxy:

    sudo dnf install haproxy -y
    
  3. Verify Installation: Confirm that HAProxy is installed by checking its version:

    haproxy -v
    

    Example output:

    HAProxy version 2.4.3 2021/07/07 - https://haproxy.org/
    

Step 2: Configure HAProxy for the Statistics Web Interface

To enable the statistics web interface, modify the HAProxy configuration file:

  1. Open the Configuration File:

    sudo nano /etc/haproxy/haproxy.cfg
    
  2. Add the Statistics Section: Locate the global and defaults sections and append the following configuration:

    listen stats
        bind :8404
        mode http
        stats enable
        stats uri /haproxy?stats
        stats realm HAProxy\ Statistics
        stats auth admin:password
    
    • bind :8404: Configures the statistics interface to listen on port 8404.
    • stats uri /haproxy?stats: Sets the URL path to access the statistics page.
    • stats auth admin:password: Secures access with a username (admin) and password (password). Replace these with more secure credentials in production.
  3. Save and Exit: Save the changes and exit the editor.

Step 3: Restart HAProxy Service

Apply the changes by restarting the HAProxy service:

sudo systemctl restart haproxy

Verify that HAProxy is running:

sudo systemctl status haproxy

Step 4: Configure the Firewall

Ensure the firewall allows traffic to the port specified in the configuration (port 8404 in this example):

  1. Open the Port:

    sudo firewall-cmd --add-port=8404/tcp --permanent
    
  2. Reload Firewall Rules:

    sudo firewall-cmd --reload
    

Step 5: Access the Statistics Web Interface

  1. Open a web browser and navigate to:

    http://<server-ip>:8404/haproxy?stats
    

    Replace <server-ip> with the IP address of your AlmaLinux server.

  2. Enter the credentials specified in the stats auth line of the configuration file (e.g., admin and password).

  3. The statistics web interface should display metrics such as:

    • Current session rate
    • Total connections
    • Backend server health
    • Error rates

Step 6: Customize the Statistics Interface

To enhance or adjust the interface to meet your requirements, consider the following options:

  1. Change the Binding Address: By default, the statistics interface listens on all network interfaces (bind :8404). For added security, restrict it to a specific IP:

    bind 127.0.0.1:8404
    

    This limits access to localhost. Use a reverse proxy (e.g., NGINX) to manage external access.

  2. Use HTTPS: Secure the interface with SSL/TLS by specifying a certificate:

    bind :8404 ssl crt /etc/haproxy/certs/haproxy.pem
    

    Generate or obtain a valid SSL certificate and save it as haproxy.pem.

  3. Advanced Authentication: Replace basic authentication with a more secure method, such as integration with LDAP or OAuth, by using HAProxy’s advanced ACL capabilities.

Troubleshooting

If you encounter issues, consider the following steps:

  1. Check HAProxy Logs: Logs can provide insights into errors:

    sudo journalctl -u haproxy
    
  2. Test Configuration: Validate the configuration before restarting HAProxy:

    sudo haproxy -c -f /etc/haproxy/haproxy.cfg
    

    If errors are present, they will be displayed.

  3. Verify Firewall Rules: Ensure the port is open:

    sudo firewall-cmd --list-ports
    
  4. Check Browser Access: Confirm the server’s IP address and port are correctly specified in the URL.

Best Practices for Production

  1. Strong Authentication: Avoid default credentials. Use a strong, unique username and password.

  2. Restrict Access: Limit access to the statistics interface to trusted IPs using HAProxy ACLs or firewall rules.

  3. Monitor Regularly: Use the statistics web interface to monitor performance and troubleshoot issues promptly.

  4. Automate Metrics Collection: Integrate HAProxy metrics with monitoring tools like Prometheus or Grafana for real-time visualization and alerts.

Conclusion

The HAProxy statistics web interface is a valuable tool for monitoring and managing your load balancer’s performance. By following the steps outlined above, you can enable and securely access this interface on AlmaLinux. With proper configuration and security measures, you can leverage the detailed metrics provided by HAProxy to optimize your server infrastructure and ensure high availability for your applications.

8 - HAProxy: How to Refer to the Statistics CUI on AlmaLinux

This article explores how to refer to and utilize the HAProxy statistics CUI on AlmaLinux, guiding you through installation, configuration, and effective usage.

Introduction

HAProxy (High Availability Proxy) is a widely used open-source load balancer and proxy server designed to optimize performance, distribute traffic, and improve the reliability of web applications. Known for its robustness, HAProxy is a go-to solution for managing high-traffic websites and applications. A valuable feature of HAProxy is its statistics interface, which provides real-time metrics about server performance and traffic.

On AlmaLinux—a popular Linux distribution tailored for enterprise use—accessing the HAProxy statistics interface via the Command-Line User Interface (CUI) is essential for system administrators looking to monitor their setup effectively. This article explores how to refer to and utilize the HAProxy statistics CUI on AlmaLinux, guiding you through installation, configuration, and effective usage.


Section 1: What is HAProxy and Why Use the Statistics CUI?

Overview of HAProxy

HAProxy is widely recognized for its ability to handle millions of requests per second efficiently. Its use cases span multiple industries, from web hosting to financial services. Core benefits include:

  • Load balancing across multiple servers.
  • SSL termination for secure communication.
  • High availability through failover mechanisms.

The Importance of the Statistics CUI

The HAProxy statistics CUI offers an interactive and real-time way to monitor server performance. With this interface, you can view metrics such as:

  • The number of current connections.
  • Requests handled per second.
  • Backend server health statuses.

This data is crucial for diagnosing bottlenecks, ensuring uptime, and optimizing configurations.


Section 2: Installing HAProxy on AlmaLinux

Step 1: Update Your AlmaLinux System

Before installing HAProxy, ensure your system is up-to-date:

sudo dnf update -y

Step 2: Install HAProxy

AlmaLinux includes HAProxy in its repositories. To install:

sudo dnf install haproxy -y

Step 3: Verify Installation

Confirm that HAProxy is installed correctly by checking its version:

haproxy -v

Output similar to the following confirms success:

HAProxy version 2.x.x-<build-info>

Section 3: Configuring HAProxy for Statistics CUI Access

To use the statistics interface, HAProxy must be configured appropriately.

Step 1: Locate the Configuration File

The primary configuration file is usually located at:

/etc/haproxy/haproxy.cfg

Step 2: Add Statistics Section

Within the configuration file, include the following section to enable the statistics page:

frontend stats
    bind *:8404
    mode http
    stats enable
    stats uri /
    stats realm HAProxy\ Statistics
    stats auth admin:password

  • bind *:8404: Specifies the port where statistics are served.
  • stats uri /: Sets the URL endpoint for the statistics interface.
  • stats auth: Defines username and password authentication for security.

Step 3: Restart HAProxy

Apply your changes by restarting the HAProxy service:

sudo systemctl restart haproxy

Section 4: Accessing the HAProxy Statistics CUI on AlmaLinux

Using curl to Access Statistics

To query the HAProxy statistics page via CUI, use the curl command:

curl -u admin:password "http://<your-server-ip>:8404/;csv"

Replace <your-server-ip> with your server’s IP address. Appending ;csv to the stats URI makes HAProxy return the metrics as plain-text CSV (one row per frontend, backend, and server) instead of the HTML dashboard; the quotes keep the shell from treating the semicolon as a command separator.

Interpreting the Output

Key details to focus on include:

  • Session rates: Shows the number of active and total sessions.
  • Server status: Indicates whether a backend server is up, down, or in maintenance.
  • Queue metrics: Helps diagnose traffic bottlenecks.

Automating Metric Retrieval

For ongoing monitoring, create a shell script that periodically retrieves metrics and logs them for analysis. Example:

#!/bin/bash
# Append a timestamped CSV snapshot of the statistics page to the log (run from cron).
STATS_URL="http://<your-server-ip>:8404/;csv"
curl -s -u admin:password "$STATS_URL" | sed "s/^/$(date -u +%Y-%m-%dT%H:%M:%SZ) /" >> haproxy_metrics.log
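Building on the script above, this added Python example (not from the original article) fetches the same statistics in HAProxy's CSV form, parses them by the header row so it keeps working across HAProxy versions, and reports backend servers that are not UP together with the 5xx share of a backend. The sample CSV is constructed and trimmed to a handful of the real columns; the URL and credentials passed to fetch_stats_csv are placeholders.

```python
import base64
import csv
import io
import urllib.request

def fetch_stats_csv(url, user, password, timeout=5):
    """Download the CSV stats page with HTTP basic auth (the same credentials as 'stats auth')."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()

def parse_stats_csv(text):
    """Parse HAProxy CSV output; the header line starts with '# ', which must be stripped."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith('# '):
        raise ValueError('not HAProxy CSV stats output')
    lines[0] = lines[0][2:]
    return list(csv.DictReader(io.StringIO('\n'.join(lines))))

def unhealthy_servers(rows):
    """Real servers (not the FRONTEND/BACKEND aggregate rows) whose status is anything but UP."""
    return [(r['pxname'], r['svname'], r['status'], r.get('check_status', ''))
            for r in rows
            if r['svname'] not in ('FRONTEND', 'BACKEND') and r['status'] != 'UP']

def backend_5xx_share(rows, backend):
    """Fraction of responses on the backend's aggregate row that were 5xx."""
    for r in rows:
        if r['pxname'] == backend and r['svname'] == 'BACKEND':
            # every hrsp_* column is a response-code class counter; the trailing comma in
            # real output yields an empty column name, hence the "k and" guard
            counts = {k: int(v) for k, v in r.items() if k and k.startswith('hrsp_') and v}
            total = sum(counts.values())
            return counts.get('hrsp_5xx', 0) / total if total else 0.0
    raise KeyError(backend)

# Constructed sample: a subset of the real columns, with server2 failing its Layer 4 check.
SAMPLE_CSV = """# pxname,svname,qcur,scur,stot,status,weight,chkfail,chkdown,check_status,hrsp_2xx,hrsp_4xx,hrsp_5xx,
http_front,FRONTEND,,12,10432,OPEN,,,,,9800,512,120,
web_servers,server1,0,5,5200,UP,1,0,0,L7OK,5100,250,10,
web_servers,server2,0,0,3100,DOWN,1,4,1,L4CON,2900,200,100,
web_servers,server3,0,7,2132,UP,1,0,0,L7OK,1800,62,10,
web_servers,BACKEND,0,12,10432,UP,3,,1,,9800,512,120,
"""

if __name__ == '__main__':
    rows = parse_stats_csv(SAMPLE_CSV)   # replace with fetch_stats_csv(url, user, password)
    for px, sv, status, check in unhealthy_servers(rows):
        print(f"{px}/{sv} is {status} (last check: {check})")
    print(f"web_servers 5xx share: {backend_5xx_share(rows, 'web_servers'):.2%}")
```

Because the parser is header-driven, the same code reads the much wider output of a real instance; status values other than UP (DOWN, MAINT, DRAIN, or transitional strings such as "UP 1/3") all surface in unhealthy_servers, and check_status tells you at which layer the probe failed.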

Section 5: Optimizing Statistics for AlmaLinux Environments

Leverage Logging for Comprehensive Insights

Enable detailed logging in HAProxy by modifying the configuration:

global
    log /dev/log local0
    log /dev/log local1 notice

Then, ensure AlmaLinux’s system logging is configured to capture HAProxy logs.

Monitor Resources with AlmaLinux Tools

Combine HAProxy statistics with AlmaLinux’s monitoring tools like top or htop to correlate traffic spikes with system performance metrics like CPU and memory usage.

Use Third-Party Dashboards

Integrate HAProxy with visualization tools such as Grafana for a more intuitive, graphical representation of metrics. This requires exporting data from the statistics CUI into a format compatible with visualization software.


Section 6: Troubleshooting Common Issues

Statistics Page Not Loading

  • Verify Configuration: Ensure the stats section in haproxy.cfg is properly defined.

  • Check Port Availability: Ensure port 8404 is open using:

    sudo firewall-cmd --list-ports
    
  • Restart HAProxy: Sometimes, a restart resolves minor misconfigurations.

Authentication Issues

  • Confirm the username and password in the stats auth line of your configuration file.
  • Use escape characters for special characters in passwords when using curl.

Resource Overheads

  • Optimize HAProxy configuration by reducing logging verbosity if system performance is impacted.

Conclusion

The HAProxy statistics CUI is an indispensable tool for managing and monitoring server performance on AlmaLinux. By enabling, configuring, and effectively using this interface, system administrators can gain invaluable insights into their server environments. Regular monitoring helps identify potential issues early, optimize traffic flow, and maintain high availability for applications.

With the steps and tips provided, you’re well-equipped to harness the power of HAProxy on AlmaLinux for reliable and efficient system management.



9 - Implementing Layer 4 Load Balancing with HAProxy on AlmaLinux

Learn how to set up Layer 4 load balancing with HAProxy on AlmaLinux. A detailed guide covering installation, configuration, testing, and optimization for efficient traffic management.

Introduction

Load balancing is a crucial component of modern IT infrastructure, ensuring high availability, scalability, and reliability for web applications and services. HAProxy, an industry-standard open-source load balancer, supports both Layer 4 (TCP/UDP) and Layer 7 (HTTP) load balancing. Layer 4 load balancing, based on transport-layer protocols like TCP and UDP, is faster and more efficient for applications that don’t require deep packet inspection or application-specific rules.

In this guide, we’ll explore how to implement Layer 4 mode load balancing with HAProxy on AlmaLinux, an enterprise-grade Linux distribution. We’ll cover everything from installation and configuration to testing and optimization.


Section 1: Understanding Layer 4 Load Balancing

What is Layer 4 Load Balancing?

Layer 4 load balancing operates at the transport layer of the OSI model. It directs incoming traffic based on IP addresses, ports, and protocol types (TCP/UDP) without inspecting the actual content of the packets.

Key Benefits of Layer 4 Load Balancing:

  • Performance: Lightweight and faster compared to Layer 7 load balancing.
  • Versatility: Supports any TCP/UDP-based protocol (e.g., HTTP, SMTP, SSH).
  • Simplicity: No need for application-layer parsing or rules.

Layer 4 load balancing is ideal for workloads like database clusters, game servers, and email services, where speed and simplicity are more critical than application-specific routing.


Section 2: Installing HAProxy on AlmaLinux

Before configuring Layer 4 load balancing, you need HAProxy installed on your AlmaLinux server.

Step 1: Update AlmaLinux

Run the following command to update the system:

sudo dnf update -y

Step 2: Install HAProxy

Install HAProxy using the default AlmaLinux repository:

sudo dnf install haproxy -y

Step 3: Enable and Verify HAProxy

Enable HAProxy to start automatically on boot and check its status:

sudo systemctl enable haproxy
sudo systemctl start haproxy
sudo systemctl status haproxy

Section 3: Configuring HAProxy for Layer 4 Load Balancing

Step 1: Locate the Configuration File

The main configuration file for HAProxy is located at:

/etc/haproxy/haproxy.cfg

Step 2: Define the Frontend Section

The frontend section defines how HAProxy handles incoming requests. For Layer 4 load balancing, you’ll specify the bind address and port:

frontend layer4_frontend
    bind *:80
    mode tcp
    default_backend layer4_backend

  • bind *:80: Accepts traffic on port 80.
  • mode tcp: Specifies Layer 4 (TCP) mode.
  • default_backend: Points to the backend section handling traffic distribution.

Step 3: Configure the Backend Section

The backend section defines the servers to which traffic is distributed. Example:

backend layer4_backend
    mode tcp
    balance roundrobin
    server server1 192.168.1.101:80 check
    server server2 192.168.1.102:80 check

  • balance roundrobin: Distributes traffic evenly across servers.
  • server: Specifies the backend servers with health checks enabled (check).

Step 4: Enable Logging

Enable logging to troubleshoot and monitor traffic:

global
    log /dev/log local0
    log /dev/log local1 notice

Section 4: Testing the Configuration

Step 1: Validate the Configuration

Before restarting HAProxy, validate the configuration file:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

If the configuration is valid, you’ll see a success message.

Step 2: Restart HAProxy

Apply your changes by restarting HAProxy:

sudo systemctl restart haproxy

Step 3: Simulate Traffic

Simulate traffic to test load balancing. Use curl to send requests to the HAProxy server:

curl http://<haproxy-ip>

Check the responses to verify that traffic is being distributed across the backend servers.

Step 4: Analyze Logs

Examine the logs to ensure traffic routing is working as expected:

sudo tail -f /var/log/haproxy.log

Section 5: Optimizing Layer 4 Load Balancing

Health Checks for Backend Servers

Ensure that health checks are enabled for all backend servers to avoid sending traffic to unavailable servers. Example:

server server1 192.168.1.101:80 check inter 2000 rise 2 fall 3

  • inter 2000: Checks server health every 2 seconds.
  • rise 2: Marks a server as healthy after 2 consecutive successes.
  • fall 3: Marks a server as unhealthy after 3 consecutive failures.

Optimize Load Balancing Algorithms

Choose the appropriate load balancing algorithm for your needs:

  • roundrobin: Distributes requests evenly.
  • leastconn: Directs traffic to the server with the fewest connections.
  • source: Routes traffic from the same source IP to the same backend server.

Tune Timeout Settings

Set timeouts to handle slow connections efficiently:

defaults
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

Section 6: Troubleshooting Common Issues

Backend Servers Not Responding

  • Verify that backend servers are running and accessible from the HAProxy server.
  • Check the firewall rules on both HAProxy and backend servers.
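When backends appear unreachable, it helps to reproduce HAProxy's Layer 4 health check by hand from the HAProxy host. This added Python example (not part of the original guide) performs the kind of probe that check does in TCP mode, a plain TCP handshake with a timeout, repeats it a few times, and classifies each backend as UP, DOWN or FLAPPING. The backend it probes in the demo is a constructed localhost listener; the 192.168.1.x addresses in main are the ones used in this guide.

```python
import socket
import threading
from contextlib import closing

def tcp_probe(host, port, timeout=2.0):
    """One Layer 4 probe: True if the TCP handshake completes within the timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:          # refused, unreachable, filtered (timeout), or DNS failure
        return False

def check_backends(backends, probes=3, timeout=2.0):
    """Probe every (host, port) several times: UP if all succeed, DOWN if all fail, else FLAPPING."""
    results = {}
    for host, port in backends:
        outcomes = [tcp_probe(host, port, timeout) for _ in range(probes)]
        if all(outcomes):
            results[(host, port)] = 'UP'
        elif not any(outcomes):
            results[(host, port)] = 'DOWN'
        else:
            results[(host, port)] = 'FLAPPING'
    return results

def start_dummy_backend():
    """Constructed stand-in for a backend: accepts TCP connections on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed: stop the thread
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def unused_port():
    """A localhost port that is currently closed (constructed negative case)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(('127.0.0.1', 0))
        return s.getsockname()[1]

if __name__ == '__main__':
    # From the HAProxy host, probe the servers listed in the backend section above.
    for (host, port), state in check_backends([('192.168.1.101', 80), ('192.168.1.102', 80)]).items():
        print(f"{host}:{port} {state}")
```

A DOWN result here while the service answers locally on the backend usually means a firewall rule or a service bound to 127.0.0.1 only, which is exactly the case the troubleshooting list above points at; a FLAPPING result is the situation the fall/rise parameters are there to dampen, since HAProxy changes state only after the configured number of consecutive results.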

Configuration Errors

  • Use haproxy -c -f to validate configurations before restarting.
  • Review logs for syntax errors or misconfigurations.

Uneven Load Distribution

  • Ensure the load balancing algorithm is appropriate for your use case.
  • Check health check settings to avoid uneven traffic routing.

Conclusion

Layer 4 load balancing with HAProxy on AlmaLinux is a powerful way to ensure efficient and reliable traffic distribution for TCP/UDP-based applications. By following this guide, you can set up a high-performing and fault-tolerant load balancer tailored to your needs. From installation and configuration to testing and optimization, this comprehensive walkthrough equips you with the tools to maximize the potential of HAProxy.

Whether you’re managing a database cluster, hosting game servers, or supporting email services, HAProxy’s Layer 4 capabilities are an excellent choice for performance-focused load balancing.

10 - Configuring HAProxy ACL Settings on AlmaLinux

Learn how to configure ACL settings in HAProxy on AlmaLinux. A detailed guide covering installation, configuration, and testing for traffic control and security.

Introduction

HAProxy (High Availability Proxy) is a powerful, open-source software widely used for load balancing and proxying. It’s a staple in enterprise environments thanks to its high performance, scalability, and flexibility. One of its most valuable features is Access Control Lists (ACLs), which allow administrators to define specific rules for processing traffic based on customizable conditions.

In this article, we’ll guide you through the process of configuring ACL settings for HAProxy on AlmaLinux, an enterprise-grade Linux distribution. From understanding ACL basics to implementation and testing, this comprehensive guide will help you enhance control over your traffic routing.


Section 1: What are ACLs in HAProxy?

Understanding ACLs

Access Control Lists (ACLs) in HAProxy enable administrators to define rules for allowing, denying, or routing traffic based on specific conditions. ACLs operate by matching predefined criteria such as:

  • Source or destination IP addresses.
  • HTTP headers and paths.
  • TCP ports or payload content.

ACLs are highly versatile and are used for tasks like:

  • Routing traffic to different backend servers based on URL patterns.
  • Blocking traffic from specific IP addresses.
  • Allowing access to certain resources only during specified times.

Advantages of Using ACLs

  • Granular Traffic Control: Fine-tune how traffic flows within your infrastructure.
  • Enhanced Security: Block unauthorized access at the proxy level.
  • Optimized Performance: Route requests efficiently based on defined criteria.

Section 2: Installing HAProxy on AlmaLinux

Step 1: Update the System

Ensure your AlmaLinux system is up to date:

sudo dnf update -y

Step 2: Install HAProxy

Install HAProxy using the default repository:

sudo dnf install haproxy -y

Step 3: Enable and Verify the Service

Start and enable HAProxy:

sudo systemctl start haproxy
sudo systemctl enable haproxy
sudo systemctl status haproxy

Section 3: Configuring ACL Settings in HAProxy

Step 1: Locate the Configuration File

The primary configuration file is located at:

/etc/haproxy/haproxy.cfg

Make a backup of this file before making changes:

sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak

Step 2: Define ACL Rules

ACL rules are defined within the frontend or backend sections of the configuration file. Example:

frontend http_front
    bind *:80
    acl is_static path_end .jpg .png .css .js
    acl is_admin path_beg /admin
    use_backend static_server if is_static
    use_backend admin_server if is_admin

Explanation:

  • acl is_static: Matches requests ending with .jpg, .png, .css, or .js.
  • acl is_admin: Matches requests that begin with /admin.
  • use_backend: Routes traffic to the named backend when its ACL matches; the first use_backend line whose condition is true wins.

Step 3: Configure Backends

Define the backends corresponding to your ACL rules:

backend static_server
    server static1 192.168.1.101:80 check

backend admin_server
    server admin1 192.168.1.102:80 check

Section 4: Examples of Common ACL Scenarios

Example 1: Blocking Traffic from Specific IPs

To block traffic from a specific IP address, use an ACL with a deny rule (http-request deny answers with HTTP 403 by default):

frontend http_front
    bind *:80
    acl block_ips src 192.168.1.50 192.168.1.51
    http-request deny if block_ips

Example 2: Redirecting Traffic Based on URL Path

To redirect requests for /old-page to /new-page:

frontend http_front
    bind *:80
    acl old_page path_beg /old-page
    http-request redirect location /new-page if old_page

Example 3: Restricting Access by Time

To allow access to /maintenance only during business hours (08:00 to 17:59 local time), combine the date fetch with the ltime converter, since HAProxy has no time fetch; date returns the current epoch time, ltime(%H) formats it as the local hour, and -m int 8:17 matches the inclusive integer range 8 to 17:

frontend http_front
    bind *:80
    acl business_hours date,ltime(%H) -m int 8:17
    acl maintenance_path path_beg /maintenance
    http-request deny if maintenance_path !business_hours

Example 4: Differentiating Traffic by Protocol

Route traffic based on whether it arrived over plain HTTP or over TLS. The Host header carries no scheme, so the check uses the ssl_fc fetch, which is true when the frontend connection was TLS-terminated:

frontend mixed_traffic
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/haproxy.pem
    acl is_https ssl_fc
    use_backend https_server if is_https
    use_backend http_server if !is_https

Section 5: Testing and Validating ACL Configurations

Step 1: Validate the Configuration File

Before restarting HAProxy, validate the configuration:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

Step 2: Restart HAProxy

Apply your changes:

sudo systemctl restart haproxy

Step 3: Test with curl

Use curl to simulate requests and test ACL rules:

curl -v http://<haproxy-ip>/admin
curl -v http://<haproxy-ip>/old-page

Verify the response codes and redirections based on your ACL rules.


Section 6: Optimizing ACL Performance

Use Efficient Matching

Use optimized ACL matching methods for better performance:

  • Use prefix or suffix matchers such as path_beg or path_end where they suffice instead of regular expressions.
  • Avoid overly complex regex patterns that increase processing time.

Minimize Redundant Rules

Consolidate similar ACLs to reduce duplication and simplify maintenance.

Enable Logging

Enable HAProxy logging for debugging and monitoring:

global
    log /dev/log local0
    log /dev/log local1 notice

defaults
    log global

Monitor logs to verify ACL behavior (the file name depends on how rsyslog is configured to handle the local0 facility; /var/log/haproxy.log is a common choice):

sudo tail -f /var/log/haproxy.log
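Once logging is enabled, the ACLs above leave a recognisable trace in HAProxy's default httplog format: a request refused by http-request deny is logged with backend http_front/<NOSRV>, status 403 and termination state PR--, while an http-request redirect shows <NOSRV>, 302 and LR--. The following Python script, added here as an example and not part of the original guide, parses a few constructed log lines in that format and summarises which backend served each request and which clients were denied; the parse_line and summarize functions, the sample lines and the host name lb1 are this example's own.

```python
import re
from collections import Counter

# Constructed sample in HAProxy's default "option httplog" format, syslog prefix included.
# Deny: backend http_front/<NOSRV>, status 403, termination state PR--.
# Redirect: <NOSRV>, status 302, termination state LR--.
SAMPLE_LOG = """\
Dec 10 11:59:59 lb1 haproxy[1234]: Proxy http_front started.
Dec 10 12:00:01 lb1 haproxy[1234]: 192.168.1.20:51234 [10/Dec/2024:12:00:01.123] http_front static_server/static1 0/0/1/2/3 200 1532 - - ---- 1/1/0/0/0 0/0 "GET /img/logo.png HTTP/1.1"
Dec 10 12:00:02 lb1 haproxy[1234]: 192.168.1.50:51235 [10/Dec/2024:12:00:02.456] http_front http_front/<NOSRV> 0/-1/-1/-1/0 403 187 - - PR-- 1/1/0/0/0 0/0 "GET /admin HTTP/1.1"
Dec 10 12:00:03 lb1 haproxy[1234]: 192.168.1.21:51236 [10/Dec/2024:12:00:03.789] http_front admin_server/admin1 0/0/1/5/6 200 2048 - - ---- 1/1/0/0/0 0/0 "GET /admin/login HTTP/1.1"
Dec 10 12:00:04 lb1 haproxy[1234]: 192.168.1.22:51237 [10/Dec/2024:12:00:04.012] http_front http_front/<NOSRV> 0/-1/-1/-1/0 302 0 - - LR-- 1/1/0/0/0 0/0 "GET /old-page HTTP/1.1"
"""

# Field order of httplog: client:port [date] frontend backend/server timers status bytes
# req_cookie resp_cookie termination_state conn_counts queues "request"
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>[\d.]+):\d+ \[[^\]]+\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) \S+ (?P<status>\d{3}) \d+ \S+ \S+ '
    r'(?P<term>\S{4}) \S+ \S+ "(?P<method>\S+) (?P<path>\S+)'
)

def parse_line(line):
    """Return a dict for one httplog request line, or None for non-request lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["denied"] = rec["term"].startswith("PR") and rec["status"] == 403
    rec["redirected"] = rec["term"].startswith("LR")
    return rec

def summarize(log_text):
    """Count requests per backend, denied requests per client IP, redirects and unparsed lines."""
    summary = {"by_backend": Counter(), "denied_by_client": Counter(),
               "redirects": 0, "unparsed": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
        elif rec["denied"]:
            summary["denied_by_client"][rec["client"]] += 1
        elif rec["redirected"]:
            summary["redirects"] += 1
        else:
            summary["by_backend"][rec["backend"]] += 1
    return summary

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```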

Section 7: Troubleshooting Common ACL Issues

ACLs Not Matching as Expected

  • Double-check the syntax of ACL definitions, including case sensitivity (string matches are case-sensitive unless the -i flag is given).
  • Use the haproxy -c -f command to identify syntax errors.

Unexpected Traffic Routing

  • Verify the order of the rules that reference ACLs (http-request, use_backend); HAProxy evaluates them sequentially and the first match wins.
  • Check for conflicting rules or conditions.

Performance Issues

  • Reduce the number of ACL checks in critical traffic paths.
  • Review system resource utilization and adjust HAProxy settings accordingly.

Conclusion

Configuring ACL settings in HAProxy is a powerful way to control traffic and optimize performance for enterprise applications on AlmaLinux. Whether you’re blocking unauthorized users, routing traffic dynamically, or enforcing security rules, ACLs provide unparalleled flexibility.

By following this guide, you can implement ACLs effectively, ensuring a robust and secure infrastructure that meets your organization’s needs. Regular testing and monitoring will help maintain optimal performance and reliability.

11 - Configuring Layer 4 ACL Settings in HAProxy on AlmaLinux

Learn how to configure Layer 4 ACL settings in HAProxy on AlmaLinux. A step-by-step guide covering installation, configuration, testing, and optimization for secure and efficient traffic management.

HAProxy: How to Configure ACL Settings for Layer 4 on AlmaLinux

Introduction

HAProxy (High Availability Proxy) is a versatile and powerful tool for load balancing and proxying. While it excels at Layer 7 (application layer) tasks, HAProxy’s Layer 4 (transport layer) capabilities are just as important for handling high-speed and protocol-agnostic traffic. Layer 4 Access Control Lists (ACLs) enable administrators to define routing rules and access policies based on IP addresses, ports, and other low-level network properties.

This article provides a comprehensive guide to configuring ACL settings for Layer 4 (L4) load balancing in HAProxy on AlmaLinux. We’ll cover installation, configuration, common use cases, and best practices to help you secure and optimize your network traffic.


Section 1: Understanding Layer 4 ACLs in HAProxy

What are Layer 4 ACLs?

Layer 4 ACLs operate at the transport layer of the OSI model, enabling administrators to control traffic based on:

  • Source IP Address: Route or block traffic originating from specific IPs.
  • Destination Port: Restrict or allow access to specific application ports.
  • Protocol Type (TCP/UDP): Define behavior based on the type of transport protocol used.

Unlike Layer 7 ACLs, Layer 4 ACLs do not inspect packet content, making them faster and more suitable for scenarios where high throughput is required.

Benefits of Layer 4 ACLs

  • Low Latency: Process rules without inspecting packet payloads.
  • Enhanced Security: Block unwanted traffic at the transport layer.
  • Protocol Independence: Handle traffic for any TCP/UDP-based application.

Section 2: Installing HAProxy on AlmaLinux

Step 1: Update the System

Keep your system up to date to avoid compatibility issues:

sudo dnf update -y

Step 2: Install HAProxy

Install HAProxy from AlmaLinux’s repositories:

sudo dnf install haproxy -y

Step 3: Enable and Verify Service

Enable HAProxy to start on boot and check its status:

sudo systemctl start haproxy
sudo systemctl enable haproxy
sudo systemctl status haproxy

Section 3: Configuring Layer 4 ACLs in HAProxy

Step 1: Locate the Configuration File

The main configuration file for HAProxy is located at:

/etc/haproxy/haproxy.cfg

Before proceeding, make a backup of the file:

sudo cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak

Step 2: Define Layer 4 ACLs

Layer 4 ACLs are typically defined in the frontend section. Below is an example of a basic configuration:

frontend l4_frontend
    bind *:443
    mode tcp
    acl block_ip src 192.168.1.100
    acl allow_subnet src 192.168.1.0/24
    tcp-request connection reject if block_ip
    use_backend l4_backend if allow_subnet

Explanation:

  • mode tcp: Enables Layer 4 processing.
  • acl block_ip: Defines a rule to block traffic from a specific IP address.
  • acl allow_subnet: Allows traffic from a specific subnet.
  • tcp-request connection reject: Rejects connections matching the block_ip ACL as soon as they are accepted, before any data is read; these rules run before any use_backend line regardless of their position in the section.
  • use_backend: Routes allowed traffic to the specified backend; connections that match neither ACL are routed nowhere and are closed unless a default_backend is defined.

Step 3: Configure the Backend

Define the backend servers for traffic routing:

backend l4_backend
    mode tcp
    balance roundrobin
    server srv1 192.168.1.101:443 check
    server srv2 192.168.1.102:443 check

Section 4: Common Use Cases for Layer 4 ACLs

1. Blocking Traffic from Malicious IPs

To block traffic from known malicious IPs:

frontend l4_frontend
    bind *:80
    mode tcp
    acl malicious_ips src 203.0.113.50 203.0.113.51
    tcp-request connection reject if malicious_ips

2. Allowing Access from Specific Subnets

To restrict access to a trusted subnet:

frontend l4_frontend
    bind *:22
    mode tcp
    acl trusted_subnet src 192.168.2.0/24
    tcp-request connection reject if !trusted_subnet

3. Differentiating Traffic by Ports

To route traffic based on the destination port:

frontend l4_frontend
    bind *:8080-8090
    mode tcp
    acl port_8080 dst_port 8080
    acl port_8090 dst_port 8090
    use_backend backend_8080 if port_8080
    use_backend backend_8090 if port_8090
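To reason about which rule fires for a given connection before touching a live proxy, the following Python script, an added example that is not part of the original guide, models the Layer 4 evaluation used in Section 3 and in use cases 2 and 3 above: the src and dst_port fetches, the ! negation, and the fact that tcp-request connection rules run when the connection is accepted, before any use_backend line, whatever their position in the file. The src, dst_port, condition_holds and decide functions and the SECTION3_* names are this example's own.

```python
import ipaddress

# Emulators for the two Layer 4 sample fetches used in the article (example code, not HAProxy's).
def src(*prefixes):
    """'src <ip|cidr> ...': true when the client address lies inside any listed prefix."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return lambda conn: any(ipaddress.ip_address(conn["src"]) in n for n in nets)

def dst_port(*ports):
    """'dst_port <port> ...': true when the destination port is one of those listed."""
    wanted = {int(p) for p in ports}
    return lambda conn: conn["dst_port"] in wanted

# Evaluation phase per rule keyword: connection-time rules run before backend selection.
# Rules in the same phase keep their file order.
PHASE = {"tcp-request connection": 0, "use_backend": 1}

def condition_holds(condition, acls, conn):
    """AND of space-separated ACL names; a leading '!' negates a term ('||' is not modelled)."""
    for term in condition.split():
        negate = term.startswith("!")
        if acls[term.lstrip("!")](conn) == negate:
            return False
    return True

def decide(conn, acls, rules):
    """Return the first action whose condition holds, honouring phase before file order."""
    for keyword, argument, condition in sorted(rules, key=lambda r: PHASE[r[0]]):
        if condition_holds(condition, acls, conn):
            return f"{keyword} {argument}"
    return "no backend: connection closed"

# The Section 3 frontend, transcribed as ACLs and (keyword, argument, condition) rules.
SECTION3_ACLS = {"block_ip": src("192.168.1.100"), "allow_subnet": src("192.168.1.0/24")}
SECTION3_RULES = [("tcp-request connection", "reject", "block_ip"),
                  ("use_backend", "l4_backend", "allow_subnet")]

if __name__ == "__main__":
    for client in ("192.168.1.100", "192.168.1.42", "10.0.0.5"):
        conn = {"src": client, "dst_port": 443}
        print(client, "->", decide(conn, SECTION3_ACLS, SECTION3_RULES))
```

Swapping the two Section 3 rules in the list changes nothing, because the reject rule belongs to the earlier phase; only the order among rules of the same phase matters.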

4. Enforcing Traffic Throttling

To limit the rate of new connections per source address. The stick table only counts connections that are tracked with track-sc0, and src_conn_rate reads the rate over the 10s period declared in the table (the period is not passed to the fetch):

frontend l4_frontend
    bind *:443
    mode tcp
    stick-table type ip size 1m expire 10s store conn_rate(10s)
    tcp-request connection track-sc0 src
    acl too_many_connections src_conn_rate gt 100
    tcp-request connection reject if too_many_connections

Section 5: Testing and Validating Configuration

Step 1: Validate Configuration File

Check for syntax errors before applying changes:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

Step 2: Restart HAProxy

Apply your changes by restarting the service:

sudo systemctl restart haproxy

Step 3: Test ACL Behavior

Simulate traffic using curl or custom tools to test ACL rules:

curl -v http://<haproxy-ip>:80

Step 4: Monitor Logs

Enable HAProxy logging to verify how traffic is processed:

global
    log /dev/log local0
    log /dev/log local1 notice

defaults
    log global

Monitor logs for ACL matches (the file name depends on how rsyslog is configured to handle the local0 facility; /var/log/haproxy.log is a common choice):

sudo tail -f /var/log/haproxy.log

Section 6: Optimizing ACL Performance

1. Use Efficient ACL Rules

  • Use IP-based rules (e.g., src) for faster processing.
  • Avoid complex regex patterns unless absolutely necessary.

2. Consolidate Rules

Combine similar rules to reduce redundancy and simplify configuration.

3. Tune Timeout Settings

Optimize timeout settings for faster rejection of unwanted connections:

defaults
    timeout connect 5s
    timeout client 50s
    timeout server 50s

4. Monitor System Performance

Use tools like top or htop to ensure HAProxy’s CPU and memory usage remain optimal.


Section 7: Troubleshooting Common Issues

ACL Not Matching as Expected

  • Double-check the syntax and ensure ACLs are defined within the appropriate scope.
  • Use the haproxy -c command to identify misconfigurations.

Unintended Traffic Blocking

  • Review the sequence of the rules that use the ACLs; HAProxy evaluates them in order and the first match wins, with tcp-request connection rules evaluated before use_backend.
  • Check for overlapping or conflicting ACLs.

High Latency

  • Optimize rules by avoiding overly complex checks.
  • Verify network and server performance to rule out bottlenecks.

Conclusion

Configuring Layer 4 ACL settings in HAProxy on AlmaLinux provides robust control over your network traffic. By defining rules based on IP addresses, ports, and connection rates, you can secure your infrastructure, optimize performance, and enhance reliability.

With this guide, you now have the tools to implement, test, and optimize L4 ACL configurations effectively. Remember to regularly review and update your rules to adapt to changing traffic patterns and security needs.