Re: Chaining haproxy instances for a migration scenario
On Fri, Sep 11, 2015 at 10:41 AM, Tim Verhoevenwrote: > Hello everyone, > > I'm mostly passive on this list but a happy haproxy user for more then 2 > years. > > Now, we are going to migrate our platform to a new provider (and new > hardware) in the coming months and I'm looking for a way to avoid a one-shot > migration. > > So I've been doing some googl'ing and it should be possible to use the proxy > protocol to send traffic from one haproxy instance (at the old site) to the > another haproxy instance (at the new site). Then at the new site the haproxy > instance there would just accept the traffic as it came from the internet > directly. > > Is that how it works? Is that possible? > > Ideally the traffic between the 2 haproxy instances would be encrypted with > TLS to avoid having to setup an VPN. > > Now I haven't found any examples of this kind of setup, so any pointers on > how to set this up would be really appriciated. > > Thanks, > Tim Hi Tim, Your usecase is an interesting scenario for a blog article :) About your questions, simply update the app backend of the current site in order to add a new 'server' that would be the HAProxy of the new site: backend myapp [...] server app1 ... server app2 ... server newhaproxy [IP]:8443 check ssl send-proxy-v2 ca-file /etc/haproxy/myca.pem crt /etc/haproxy/client.pem ca-file: to validate the certificate presented by the server using your own CA (or use DANGEROUSLY "ssl-server-verify none" in your global section) crt : allows you to use a client certificate to get connected on the other HAProxy On the newhaproxy (in the new instance): frontend fe_myapp bind :80 bind :443 ssl crt server.pem bind :8443 ssl crt server.pem accept-proxy-v2 You can play with weight on the current site to send a few request to the newhaproxy box and increase this weight once you're confident. Baptiste
Re: Chaining haproxy instances for a migration scenario
2015-09-11 10:55 GMT+02:00 Baptiste: > On Fri, Sep 11, 2015 at 10:41 AM, Tim Verhoeven > wrote: > > Hello everyone, > > > > I'm mostly passive on this list but a happy haproxy user for more then 2 > > years. > > > > Now, we are going to migrate our platform to a new provider (and new > > hardware) in the coming months and I'm looking for a way to avoid a > one-shot > > migration. > > > > So I've been doing some googl'ing and it should be possible to use the > proxy > > protocol to send traffic from one haproxy instance (at the old site) to > the > > another haproxy instance (at the new site). Then at the new site the > haproxy > > instance there would just accept the traffic as it came from the internet > > directly. > > > > Is that how it works? Is that possible? > > > > Ideally the traffic between the 2 haproxy instances would be encrypted > with > > TLS to avoid having to setup an VPN. > > > > Now I haven't found any examples of this kind of setup, so any pointers > on > > how to set this up would be really appriciated. > > > > Thanks, > > Tim > > > Hi Tim, > > Your usecase is an interesting scenario for a blog article :) > > About your questions, simply update the app backend of the current > site in order to add a new 'server' that would be the HAProxy of the > new site: > > backend myapp > [...] > server app1 ... > server app2 ... > server newhaproxy [IP]:8443 check ssl send-proxy-v2 ca-file > /etc/haproxy/myca.pem crt /etc/haproxy/client.pem > > ca-file: to validate the certificate presented by the server using > your own CA (or use DANGEROUSLY "ssl-server-verify none" in your > global section) > crt : allows you to use a client certificate to get connected on the > other HAProxy > > On the newhaproxy (in the new instance): > > frontend fe_myapp > bind :80 > bind :443 ssl crt server.pem > bind :8443 ssl crt server.pem accept-proxy-v2 > > > > You can play with weight on the current site to send a few request to > the newhaproxy box and increase this weight once you're confident. > > Baptiste > > Hi Tim, i'm having a similiar use case (smooth migration from 1.5 to 1.6). I've recently blogged about this: http://godevops.net/2015/09/07/testing-new-haproxy-versions-with-some-sort-of-ab-testing/ - Best Regards / Mit freundlichen Grüßen Bjoern
Chaining haproxy instances for a migration scenario
Hello everyone, I'm mostly passive on this list but a happy haproxy user for more then 2 years. Now, we are going to migrate our platform to a new provider (and new hardware) in the coming months and I'm looking for a way to avoid a one-shot migration. So I've been doing some googl'ing and it should be possible to use the proxy protocol to send traffic from one haproxy instance (at the old site) to the another haproxy instance (at the new site). Then at the new site the haproxy instance there would just accept the traffic as it came from the internet directly. Is that how it works? Is that possible? Ideally the traffic between the 2 haproxy instances would be encrypted with TLS to avoid having to setup an VPN. Now I haven't found any examples of this kind of setup, so any pointers on how to set this up would be really appriciated. Thanks, Tim