Re: Chaining haproxy instances for a migration scenario

2015-09-11 Thread Baptiste
On Fri, Sep 11, 2015 at 10:41 AM, Tim Verhoeven wrote:
> Hello everyone,
>
> I'm mostly passive on this list but a happy haproxy user for more than 2
> years.
>
> Now, we are going to migrate our platform to a new provider (and new
> hardware) in the coming months and I'm looking for a way to avoid a one-shot
> migration.
>
> So I've been doing some googling and it should be possible to use the proxy
> protocol to send traffic from one haproxy instance (at the old site) to
> another haproxy instance (at the new site). Then at the new site the haproxy
> instance there would just accept the traffic as it came from the internet
> directly.
>
> Is that how it works? Is that possible?
>
> Ideally the traffic between the 2 haproxy instances would be encrypted with
> TLS to avoid having to set up a VPN.
>
> Now I haven't found any examples of this kind of setup, so any pointers on
> how to set this up would be really appreciated.
>
> Thanks,
> Tim


Hi Tim,

Your use case is an interesting scenario for a blog article :)

About your questions, simply update the app backend of the current
site in order to add a new 'server' that would be the HAProxy of the
new site:

backend myapp
 [...]
 server app1 ...
 server app2 ...
 server newhaproxy [IP]:8443 check ssl send-proxy-v2 ca-file /etc/haproxy/myca.pem crt /etc/haproxy/client.pem

ca-file: to validate the certificate presented by the server using
your own CA (or use DANGEROUSLY "ssl-server-verify none" in your
global section)
crt : allows you to use a client certificate to get connected on the
other HAProxy

On the newhaproxy (in the new instance):

frontend fe_myapp
 bind :80
 bind :443 ssl crt server.pem
 # accept-proxy is the bind keyword; it accepts PROXY protocol v1 and v2
 bind :8443 ssl crt server.pem accept-proxy



You can play with weight on the current site to send a few requests to
the newhaproxy box and increase this weight once you're confident.

Baptiste
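
A hardened variant of the two snippets above, as an added example that is not part of Baptiste's message: it makes certificate verification explicit in both directions and limits which peer may send a PROXY header to the chained port. The addresses 198.51.100.20 and 203.0.113.10, the name lb.new.example, the weight value, and the reuse of /etc/haproxy/myca.pem on the new site are assumptions.

```haproxy
# --- Old site: backend sends a share of traffic to the new site over TLS ---
backend myapp
    # Placeholders: 198.51.100.20 = new-site HAProxy, lb.new.example = name in its certificate.
    # verify required + ca-file: refuse the hop unless the peer's certificate chains to your own CA.
    # verifyhost: check the certificate name explicitly, since the server is addressed by IP.
    # crt: client certificate presented to the new site (mutual TLS).
    # weight: start low and raise it as confidence grows.
    server newhaproxy 198.51.100.20:8443 check weight 5 ssl verify required ca-file /etc/haproxy/myca.pem verifyhost lb.new.example crt /etc/haproxy/client.pem send-proxy-v2

# --- New site: only the old site may speak PROXY protocol on :8443 ---
frontend fe_myapp
    bind :80
    bind :443 ssl crt server.pem
    # Weak: the PROXY header is accepted from any peer that can reach :8443,
    # so the logged client address is whatever that peer claims.
    #   bind :8443 ssl crt server.pem accept-proxy
    # Hardened: peers without a client certificate from your CA fail the TLS handshake.
    bind :8443 ssl crt server.pem ca-file /etc/haproxy/myca.pem verify required accept-proxy
    # tcp-request connection rules see the real peer address, not the PROXY-supplied one.
    # Placeholder: 203.0.113.10 = old-site HAProxy egress address.
    tcp-request connection reject if { dst_port 8443 } !{ src 203.0.113.10 }
```

Running `haproxy -c -f <config file>` on each side checks the syntax before a reload.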



Re: Chaining haproxy instances for a migration scenario

2015-09-11 Thread bjun...@gmail.com
2015-09-11 10:55 GMT+02:00 Baptiste:

> On Fri, Sep 11, 2015 at 10:41 AM, Tim Verhoeven wrote:
> > Hello everyone,
> >
> > I'm mostly passive on this list but a happy haproxy user for more than 2
> > years.
> >
> > Now, we are going to migrate our platform to a new provider (and new
> > hardware) in the coming months and I'm looking for a way to avoid a
> > one-shot migration.
> >
> > So I've been doing some googling and it should be possible to use the
> > proxy protocol to send traffic from one haproxy instance (at the old site)
> > to another haproxy instance (at the new site). Then at the new site the
> > haproxy instance there would just accept the traffic as it came from the
> > internet directly.
> >
> > Is that how it works? Is that possible?
> >
> > Ideally the traffic between the 2 haproxy instances would be encrypted
> > with TLS to avoid having to set up a VPN.
> >
> > Now I haven't found any examples of this kind of setup, so any pointers
> > on how to set this up would be really appreciated.
> >
> > Thanks,
> > Tim
>
>
> Hi Tim,
>
> Your use case is an interesting scenario for a blog article :)
>
> About your questions, simply update the app backend of the current
> site in order to add a new 'server' that would be the HAProxy of the
> new site:
>
> backend myapp
>  [...]
>  server app1 ...
>  server app2 ...
>  server newhaproxy [IP]:8443 check ssl send-proxy-v2 ca-file /etc/haproxy/myca.pem crt /etc/haproxy/client.pem
>
> ca-file: to validate the certificate presented by the server using
> your own CA (or use DANGEROUSLY "ssl-server-verify none" in your
> global section)
> crt : allows you to use a client certificate to get connected on the
> other HAProxy
>
> On the newhaproxy (in the new instance):
>
> frontend fe_myapp
>  bind :80
>  bind :443 ssl crt server.pem
>  # accept-proxy is the bind keyword; it accepts PROXY protocol v1 and v2
>  bind :8443 ssl crt server.pem accept-proxy
>
>
>
> You can play with weight on the current site to send a few requests to
> the newhaproxy box and increase this weight once you're confident.
>
> Baptiste
>
>

Hi Tim,

I'm having a similar use case (smooth migration from 1.5 to 1.6). I've
recently blogged about this:


http://godevops.net/2015/09/07/testing-new-haproxy-versions-with-some-sort-of-ab-testing/


-
Best Regards / Mit freundlichen Grüßen

Bjoern


Chaining haproxy instances for a migration scenario

2015-09-11 Thread Tim Verhoeven
Hello everyone,

I'm mostly passive on this list but a happy haproxy user for more than 2
years.

Now, we are going to migrate our platform to a new provider (and new
hardware) in the coming months and I'm looking for a way to avoid a
one-shot migration.

So I've been doing some googling and it should be possible to use the
proxy protocol to send traffic from one haproxy instance (at the old site)
to another haproxy instance (at the new site). Then at the new site the
haproxy instance there would just accept the traffic as it came from the
internet directly.

Is that how it works? Is that possible?

Ideally the traffic between the 2 haproxy instances would be encrypted with
TLS to avoid having to set up a VPN.

Now I haven't found any examples of this kind of setup, so any pointers on
how to set this up would be really appreciated.

Thanks,
Tim