Add HAproxy doc

2020-03-31 00:22:48 +02:00 · 2020-03-31 00:22:48 +02:00 · 6c2efc6d04
parent 539813b464
commit 6c2efc6d04
1 changed files with 109 additions and 0 deletions
--- a/HAproxy.md
+++ b/HAproxy.md
@ -0,0 +1,109 @@
 # Howto deploy a (room based) loadbalanced cluster
 We use in this example an HA proxy loadbalancer to loadbalance between 3 backend server
 The static web will be loadbalanced rounrdobin, and the websocket(signaling) and the media will be loadbalnced based on roomId URL parameter.
 ## IP and dns
 In this basic example we use the following names and ips:
 ### Backend
 * `mm1.example.com` <=> `192.0.2.1`
 * `mm2.example.com` <=> `192.0.2.2`
 * `mm3.example.com` <=> `192.0.2.3`
 ### Redis
 * `redis.example.com` <=> `192.0.2.4`
 ### LoadBalncer HAproxy
 * `meet.example.com` <=> `192.0.2.5`
 ## Deploy multiple backend/worker
 For example with ansible
 Read more here: [mm-ansible](https://github.com/misi/mm-ansible)
 [![asciicast](https://asciinema.org/a/311365.svg)](https://asciinema.org/a/311365)
 ## Setup redis for central session store
 ### Use one redis for all multiparty meeting
 * Deploy a redis cluster so use one redis HA cluster for all instances.
  * We will use in our actual example `192.0.2.4` as redis HA cluster ip.
    It is out of scope howto deploy it.
 OR
 * Just for testing you can use one of the redis from the worker's.
 e.g. If you plan only for testing on your first worker
  * Configure redis configs/redis/redis.conf to not only bind to your loopback but also to your global ip address too:
    ``` plaintext
    bind 192.0.2.1
    ```
    And use `192.0.2.1` where we use in this example `192.0.2.4`
  * modify /etc/ferm/ferm.cfg or where ever your firewall config is to allow incoming redis
    ``` plaintext
    chain INPUT {
            policy DROP;
            saddr mm2.example.com proto tcp dport 6379 ACCEPT;
            saddr mm3.example.com proto tcp dport 6379 ACCEPT;
        }
    ```
 * **Use password or if you don't (like in this basic example) take care and use strict firewall rules**
 ## Setup backends/workers
 ### Setup App config
 mm/configs/app/config.js
 ``` js
 multipartyServer : 'meet.example.com',
 ```
 ### Setup Server config
 mm/configs/server/config.js
 ``` js
 redisOptions : { host: '10.0.2.4'},
 listeningPort: 80,
 httpOnly: true,
 trustProxy           : ['10.0.2.5'],
 ```
 ## Deploy host with HA proxy
 * configure cerificate / letsencrypt for your meet.example.com
  * in this example we put concat the privkey and full cert chain to /root/fullchain.pem.
 * Install and setup haproxy
  `apt install haproxy`
 * Add to /etc/haproxy/haproxy.cfg config
 ``` plaintext
 backend multipartymeeting
    balance url_param roomId
    hash-type consistent
    server mm1 192.0.2.1:80 check maxconn 20 verify none
    server mm2 192.0.2.2:80 check maxconn 20 verify none
    server mm3 192.0.2.3:80 check maxconn 20 verify none
 frontend meet.example.com
    bind 192.0.2.5:80
    bind 192.0.2.5:443 ssl crt /root/fullchain.pem
    http-request redirect scheme https unless { ssl_fc }
    reqadd X-Forwarded-Proto:\ https
    default_backend multipartymeeting
 ```