Way 3 - TCP Balanced Round Robin with HAPROXY and PROXY

Important

This only applies to Web Safety version 6.0 and up. Older versions do not support PROXY protocol management from Admin UI.

In this case we will deploy a haproxy node in front of many proxy nodes. Browsers will connect to the haproxy node, which distributes the TCP connections to the proxy nodes using a round robin scheme.

This deployment differs from the previously described Way 2 in that haproxy and the Squid instances are connected using the PROXY protocol. This protocol notifies Squid of the real IP addresses of haproxy's clients (the browsers). It allows full matching of policy members by Active Directory name and by IP address, ranges and subnets, removing the limitations described in the Way 2 article.

  1. Create a new type A record for proxy.example.lan with IP address 192.168.178.10. This will be the haproxy frontend of our cluster.

    [Screenshot: ha_frontend8.png]
  2. Create a new type A record for node11.example.lan with IP address 192.168.178.11.

    [Screenshot: ha_node118.png]
  3. Create a new type A record for node12.example.lan with IP address 192.168.178.12.

    [Screenshot: ha_node128.png]
  4. Configure haproxy on proxy.example.lan with the following /etc/haproxy/haproxy.cfg. Note how each server is marked with the send-proxy directive.

    global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
    
    defaults
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
    
    frontend squid
        bind 192.168.178.10:3128
        default_backend squid_pool
    
    backend squid_pool
        balance roundrobin
        mode tcp
        server squid1 192.168.178.11:3128 check send-proxy
        server squid2 192.168.178.12:3128 check send-proxy
    
  5. Deploy two virtual appliances of Web Safety and assign the IP address 192.168.178.11 to the first node and 192.168.178.12 to the second node. For instructions on how to assign a static IP to a virtual appliance see the article How to Set Static IP Address in VA.

  6. Enable support for the PROXY protocol in UI / Squid / Settings / Network by setting the Require presence of PROXY protocol header checkbox and providing haproxy's IP address in the address field as indicated on the following screenshot. Click Save and Restart.

    [Screenshot: proxy_squid3.png]
  7. If Active Directory integration is required, follow the usual Active Directory configuration steps described in the previous articles for each virtual appliance, but when configuring the Kerberos authenticator provide the SPN based on proxy.example.lan and check the Use GSS_C_NO_NAME checkbox. This lets the node process Kerberos authentication requests from browsers based on the credentials contained in the request rather than on the SPN (the SPN still needs to be configured, though).

    [Screenshot: gcc_c_no_name8.png]
  8. Afterwards restart haproxy with systemctl restart haproxy. The log in /var/log/haproxy.log should indicate that both proxy nodes are working.
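To make clear what the send-proxy directive in step 4 and the "Require presence of PROXY protocol header" setting with haproxy's address in step 6 actually do on the wire, here is an added Python example (not Web Safety, Squid or haproxy code) that parses a PROXY protocol v1 line and applies the same trust rule: the header is mandatory from the haproxy node at 192.168.178.10 and refused from any other peer. The browser address 192.168.178.50 and the sample request are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple

# The haproxy node proxy.example.lan from step 4: the only peer whose PROXY
# header the Squid nodes should trust (the address entered in step 6).
TRUSTED_HAPROXY = ipaddress.ip_address("192.168.178.10")


class ProxyHeader(NamedTuple):
    proto: str                                          # "TCP4" or "TCP6"
    src: ipaddress.IPv4Address | ipaddress.IPv6Address  # real browser address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address  # haproxy frontend
    src_port: int
    dst_port: int


def parse_proxy_v1(data: bytes) -> tuple[ProxyHeader, bytes]:
    # Returns the header plus the remaining bytes (the browser's HTTP request).
    # Anything malformed raises ValueError: a receiver must then drop the
    # connection rather than guess. "PROXY UNKNOWN" is rejected here as well.
    end = data.find(b"\r\n", 0, 107)  # v1 line is at most 107 bytes incl. CRLF
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"unsupported PROXY header: {fields}")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if {src.version, dst.version} != {4 if fields[1] == "TCP4" else 6}:
        raise ValueError("address family does not match TCP4/TCP6 tag")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyHeader(fields[1], src, dst, sport, dport), data[end + 2:]


def client_address(peer_ip: str, data: bytes):
    # Address to use for policy matching on a connection from peer_ip. Only
    # haproxy may supply a PROXY header, and from haproxy it is mandatory; from
    # any other peer it is refused, so nobody can claim another browser's address.
    peer = ipaddress.ip_address(peer_ip)
    if peer != TRUSTED_HAPROXY:
        if data.startswith(b"PROXY "):
            raise PermissionError(f"PROXY header from untrusted peer {peer}")
        return peer, data
    header, rest = parse_proxy_v1(data)
    return header.src, rest


# Constructed sample of what haproxy (send-proxy) forwards for a browser at
# 192.168.178.50 that connected to proxy.example.lan:3128.
SAMPLE = (b"PROXY TCP4 192.168.178.50 192.168.178.10 51234 3128\r\n"
          b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n")
```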