Merge pull request #1005 from edumeet/feat-haproxyconfig-example

Feat haproxyconfig example
2026-01-23 02:34:58 +00:00 · 2022-05-20 15:02:31 +02:00 · 2022-05-20 15:02:31 +02:00 · 488eb47581
commit 488eb47581
parent 0948035389 0076b6e831
2 changed files with 122 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -248,7 +248,7 @@ sudo systemctl enable edumeet

 ## Load balanced installation

-To deploy this as a load balanced cluster, have a look at [HAproxy](HAproxy.md).
+To deploy this as a load balanced cluster, have a look at [HAproxy](/docs/HAproxy.md).

 ## Learning management integration

--- a/docs/HAproxy.md
+++ b/docs/HAproxy.md
@ -64,13 +64,17 @@ OR

 ### Server config

-mm/configs/server/config.js
-
-``` js
-redisOptions : { host: '192.0.2.4'},
-listeningPort: 80,
-httpOnly: true,
-trustProxy           : ['192.0.2.5'],
+config.yaml
+``` yaml
+turnAPIKey            : "<key>"
+turnAPIURI            : "<turn url>"
+listeningPort         : 80
+httpOnly              : true
+trustProxy : "192.0.2.5"
+redisOptions:
+  host: "192.0.2.4"                                   
+  port: "6379"                                 
+  password: "passwd"
 ```

 ## Deploy HA proxy
@ -78,24 +82,121 @@ trustProxy           : ['192.0.2.5'],
 * Configure certificate / letsencrypt for `meet.example.com`
  * In this example we put a complete chain and private key in /root/certificate.pem.
 * Install and setup haproxy
+```bash 
+apt install haproxy
+```
+* Install haproxy 2.2 (recommended)
+``` bash
+sudo apt-get install gnupg2 curl -y
+curl https://haproxy.debian.net/bernat.debian.org.gpg | sudo apt-key add -
+echo deb http://haproxy.debian.net buster-backports-2.2 main | sudo tee /etc/apt/sources.list.d/haproxy.list
+sudo apt-get update
+apt-get install haproxy=2.2.\*

-  `apt install haproxy`
+sudo systemctl start haproxy
+sudo systemctl enable haproxy
+```

 * Add to /etc/haproxy/haproxy.cfg config

  ``` plaintext
-    backend edumeet
-        balance url_param roomId
-        hash-type consistent

-        server mm1 192.0.2.1:80 check maxconn 2000 verify none
-        server mm2 192.0.2.2:80 check maxconn 2000 verify none
-        server mm3 192.0.2.3:80 check maxconn 2000 verify none
+  global
+    # mult thread setup
+    nbproc 1
+    nbthread 4
+    cpu-map auto:1/1-4 0-3
+
+    log /dev/log    local0
+    log /dev/log    local1 notice
+    chroot /var/lib/haproxy
+    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+    stats socket /run/haproxy.sock mode 660 level admin
+    stats timeout 30s
+    user haproxy
+    group haproxy
+    daemon
+
+    # Default SSL material locations
+    ca-base /etc/ssl/certs
+    crt-base /etc/ssl/private
+
+    # Default ciphers to use on SSL-enabled listening sockets.
+    # For more information, see ciphers(1SSL). This list is from:
+    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+    # An alternative list with additional directives can be obtained from
+    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+    ssl-default-bind-options no-sslv3
+    tune.ssl.default-dh-param 2048
+    maxconn 20000
+
+  defaults
+    log     global
+    mode    http
+    option  httplog
+    #option  logasap
+    #option dontlognull
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+    maxconn 8192
+
+  backend letsmeet-room-backend
+    fullconn 4000
+    balance url_param roomId
+    hash-type consistent
+    stick-table type string len 1024 size 100k expire 8h
+    stick store-request url_param(roomId)
+    stick match url_param(roomId)
+    stick match url_param(state),url_dec,b64dec,field(8,'\"')
+
+    server edumeet1 192.0.2.1:80 check maxconn 2000 verify none
+    server edumeet2 192.0.2.2:80 check maxconn 1000 verify none
+    server edumeet3 192.0.2.3:80 check maxconn 1000 verify none
+
+  backend letsmeet-backend
+    fullconn 4000
+    balance leastconn
+    stick-table type ip size 200k expire 30m
+    stick on src
+    hash-type consistent
+
+    server edumeet1 192.0.2.1:80 check maxconn 2000 verify none
+    server edumeet2 192.0.2.2:80 check maxconn 1000 verify none
+    server edumeet3 192.0.2.3:80 check maxconn 1000 verify none
+
+  frontend letsmeet
+    bind *:80
+    bind*:443 ssl crt /etc/ssl/edumeet.example.com/edumeet.example.com.pem alpn h2,http/1.1
+    http-request redirect scheme https if !{ ssl_fc }
+    http-request add-header X-Forwarded-Proto https
+    stats enable
+    stats uri /static/stats
+    #stats hide-version
+    stats refresh 10s
+    stats admin if TRUE
+    #stats admin if LOCALHOST
+    stats realm Haproxy\ Statistics
+    stats auth admin:password
+
+    maxconn 6000
+    acl roomId-acl url_param(roomId) -m found 
+    acl callback-acl path_beg /auth/callback
+    use_backend letsmeet-room-backend if roomId-acl || callback-acl
+    default_backend letsmeet-backend

-    frontend meet.example.com
-        bind 192.0.2.5:80
-        bind 192.0.2.5:443 ssl crt /root/certificate.pem
-        http-request redirect scheme https unless { ssl_fc }
-        reqadd X-Forwarded-Proto:\ https
-        default_backend edumeet
  ```
+
+* Creating cert with letsencrypt :
+
+``` bash
+sudo cat /etc/letsencrypt/live/edumeet.example.com/fullchain.pem     /etc/letsencrypt/live/edumeet.example.com/privkey.pem     | sudo tee /etc/ssl/edumeet.example.com/edumeet.example.com.pem
+```