I’ve been using HAProxy for my company’s needs for some time now, aiming to facilitate communication between remote clients (through a VPN network) and their resources hosted locally, through HAProxy.
Context: I have around 20 locally hosted Apache servers, each consisting of approximately 30 virtual hosts, each responding on a different DNS FQDN.
Currently, I’m using HAProxy and declaring as many backends as there are Apache servers to which I want to send requests.
So, I currently have about 20 backends defined in my HAProxy configuration, and I’m using a MAP to route requests to the correct backend based on the requested FQDN, like this:

    frontend apache
        bind *:80
        bind *:443 ssl crt /etc/pki/tls/certs/mycert.pem
        redirect scheme https if ! { ssl_fc }
        use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/maps/hosts.map,be_default)]

With the file /etc/haproxy/maps/hosts.map looking like this:

    myfqdnA.mydomain ServerApache1
    myfqdnB.mydomain ServerApache1
    myfqdnC.mydomain ServerApache1
    myfqdnD.mydomain ServerApache2
    myfqdnE.mydomain ServerApache2
    myfqdnF.mydomain ServerApache2
    myfqdnG.mydomain ServerApache3
    myfqdnH.mydomain ServerApache3
    myfqdnI.mydomain ServerApache3
    myfqdnJ.mydomain ServerApache3
    myfqdnK.mydomain ServerApache4
    myfqdnL.mydomain ServerApache4
    myfqdnM.mydomain ServerApache4
    myfqdnN.mydomain ServerApache4
    ..
    ..
    ..

And the backend definitions look like this:

    backend ServerApache1
        description xxx
        balance roundrobin
        server ServerApache1 ServerApache1:443 check inter 2s fall 3 rise 2 ssl ca-file /etc/pki/CA/certs/cert.pem
        stick-table type ip size 1m expire 60m
        stick match src
        stick store-request src

The issue I’m facing is that I would like to filter “network allowed” on my backends, but I potentially have many networks to allow on a given Apache server…
So, I’d like to proceed differently and create as many backends as there are virtual hosts on my remote proxy servers (so about 500 HTTP backends). (It will also be much easier to navigate my backends, because they will have the same name as my Apache virtual hosts.)
Do you think this is something feasible and reasonable? If yes, are there any specific recommendations to implement in the HAProxy configuration? Or in terms of CPU/RAM on my HAProxy server?
Thank you all!
Dylan
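
The per-virtual-host layout asked about above, as an added example that is not part of the original post: a generator that emits one backend per FQDN with a source-network allowlist, plus the matching map file. The `VHOSTS` table, its networks, the ACL name `allowed_net` and the function names are assumptions made for illustration; the `server` line and CA path are copied from the post.

```python
import ipaddress

# Constructed sample data (assumption, not from the post): the Apache server
# hosting each vhost and the client networks allowed to reach it.
VHOSTS = {
    "myfqdnA.mydomain": ("ServerApache1", ["10.8.0.0/24", "10.9.1.0/24"]),
    "myfqdnD.mydomain": ("ServerApache2", ["10.8.0.0/24"]),
}
CA_FILE = "/etc/pki/CA/certs/cert.pem"  # path taken from the post


def render_backend(fqdn, server, networks):
    """Return one HAProxy backend that denies clients outside `networks`."""
    if not networks:
        raise ValueError(f"{fqdn}: empty allowlist")
    # strict=True rejects entries with host bits set, e.g. 10.8.0.5/24,
    # so a typo cannot silently widen or shift the allowed range.
    nets = [str(ipaddress.ip_network(n, strict=True)) for n in networks]
    name = fqdn.lower()
    return "\n".join([
        f"backend {name}",
        f"    acl allowed_net src {' '.join(nets)}",
        "    http-request deny unless allowed_net",
        f"    server {server} {server}:443 check inter 2s fall 3 rise 2"
        f" ssl ca-file {CA_FILE}",
    ])


def render_map(vhosts):
    """Map file content: lowercase FQDN -> backend of the same name."""
    # Keys are lowercased because the frontend applies `lower` to the Host
    # header before the map lookup, and map string matching is case-sensitive.
    return "\n".join(f"{f.lower()} {f.lower()}" for f in sorted(vhosts))


def render_all(vhosts):
    """Return (map file text, backend sections text) for all vhosts."""
    backends = [render_backend(f, s, n) for f, (s, n) in sorted(vhosts.items())]
    return render_map(vhosts), "\n\n".join(backends)


if __name__ == "__main__":
    hosts_map, backends = render_all(VHOSTS)
    print(hosts_map, backends, sep="\n\n")
```

Running the generated file through `haproxy -c -f <file>` before a reload catches syntax errors in the emitted sections.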