64787: Acronis Cyber Infrastructure: How to run storage behind HAProxy

use Google Translate

    Last update: 14-04-2020

    Introduction

    Acronis Cyber Infrastructure has built-in capability for service failover via DNS round-robin, which can be used as basic failover and load balancing. For complex environments HAProxy might be used to build a scalable and redundant load balancing platform which can be easily moved or migrated and is independent from Acronis Cyber Infrastructure. Another advantage of this approach is that HAProxy will act as the public / private network connection point and Acronis Cyber Infrastructure nodes can operate in a fully isolated private network.

    HAProxy

    HAProxy is a free, fast and reliable solution offering high availabilityload balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic web sites. Over the years it has become the de-facto standard open source load balancer, is now shipped with most mainstream Linux distributions, and is often deployed by default in cloud platforms.

    Examples

    1. Simple Configuration (Backup Gateway)

    In the example below Acronis Cyber Infrastructure is running on 5 nodes, WebCP is running under its own HA and Acronis Backup Gateway is running on all 5 nodes. It is a basic version which will simply do a round-robin of each incoming connection. It emulates DNS-RR.

    # global configuration section.
    global
            maxconn         32768
            chroot          /var/lib/haproxy
            user            haproxy
            group           haproxy
            daemon
            quiet
     
    # default configuration and timeouts.
    defaults
            log             global
            retries         10
            maxconn         32768
            timeout connect 30s
            timeout server  1d
            timeout client  1d
            timeout queue   1d
            timeout tarpit  1d
     
    # service for 'Backup Gateway' redirect.
    listen  abgw
            bind            *:44445
            mode            tcp
            server          srv1 192.168.1.11:44445
            server          srv2 192.168.1.12:44445
            server          srv3 192.168.1.13:44445
            server          srv4 192.168.1.14:44445
            server          srv5 192.168.1.15:44445

    2. Usual Configuration with health checks (WebCP, Backup Gateway and S3)

    In the example below Acronis Cyber Infrastructure is running on 5 nodes, WebCP is running under its own HA, Acronis Backup Gateway is running on all 5 nodes and S3 is running on 3 nodes. It is more advanced round-robin configuration as it does regular health checks of the destination and will not redirect any connection to it if it fails.

    # global configuration section.
    global
            maxconn                 32768
            chroot                  /var/lib/haproxy
            user                    haproxy
            group                   haproxy
            daemon
            quiet
     
    # default configuration and timeouts.
    defaults
            mode                    http
            log                     global
            option                  httplog
            option                  dontlognull
            option                  http-server-close
            option                  forwardfor except 127.0.0.0/8
            option                  redispatch
            retries                 3              
            timeout http-request    10s            
            timeout queue           1m             
            timeout connect         10s            
            timeout client          1m             
            timeout server          1m             
            timeout http-keep-alive 10s            
            timeout check           10s
            maxconn                 4096
     
    # frontend for 'WebCP'.
    frontend    webcp
                bind                *:8888
                mode                tcp
                default_backend     backend-webcp
     
    # frontend for 'S3'.
    frontend    s3
                bind                *:443
                mode                tcp
                default_backend     backend-s3
     
    # frontend for 'Backup Gateway'.
    frontend    abgw
                bind                *:44445
                mode                tcp
                default_backend     backend-abgw
     
    # backend for 'WebCP'.
    backend     backend-webcp
                mode                tcp
                server              management1 192.168.1.10:8888
     
    # backend for 'S3'.
    backend     backend-s3
                mode                tcp
                balance             roundrobin
                server              object1 192.168.1.11:443
                server              object2 192.168.1.12:443
                server              object3 192.168.1.13:443
     
    # backend for 'Backup Gateway'.
    backend     backend-abgw
                mode                tcp
                timeout server      12h
                balance             source
                server              storage1 192.168.1.11:44445 check
                server              storage2 192.168.1.12:44445 check
                server              storage3 192.168.1.13:44445 check
                server              storage4 192.168.1.14:44445 check
                server              storage5 192.168.1.15:44445 check

    3. Complex Configuration with health checks and SSL termination (WebCP, Backup Gateway and S3)

    In the example below Acronis Cyber Infrastructure is running on 5 nodes, WebCP is running under its own HA, Acronis Backup Gateway is running on all 5 nodes and S3 is running on 3 nodes. It is more advanced round-robin configuration as it does regular health checks of the destination and will not redirect any connection to it if it fails. Also it will do SSL termination and mix WebCP and S3 into single external URL. Lastly it uses leastconn balancing algorithm to distribute the load in a simple way across the cluster nodes for HTTPS traffic and source for source based IP balancing accross Backup Gateway nodes.

    # global configuration section.
    global
            maxconn                 32768
            chroot                  /var/lib/haproxy
            user                    haproxy
            group                   haproxy
            daemon
            quiet
     
    # default configuration and timeouts.
    defaults
            mode                    http
            log                     global
            option                  httplog
            option                  dontlognull
            option                  http-server-close
            option                  forwardfor except 127.0.0.0/8
            option                  redispatch
            retries                 3              
            timeout http-request    10s            
            timeout queue           1m             
            timeout connect         10s            
            timeout client          1m             
            timeout server          1m             
            timeout http-keep-alive 10s            
            timeout check           10s
            maxconn                 4096
     
    # frontend for 'WebCP' and 'S3' mixed on port 443.
    frontend    webcp-s3
                bind                *:443 ssl crt /etc/letsencrypt/live/acronis.com/fullchain.pem
                mode                http
                use_backend         backend-webcp if { hdr(host) -i webcp.as.acronis.com }
                use_backend         backend-s3 if { hdr(host) -i .s3.as.acronis.com }
     
    # frontend for 'Backup Gateway'.
    frontend    abgw
                bind                *:44445
                mode                tcp
                default_backend     backend-abgw
     
    # backend for 'WebCP'.
    backend     backend-webcp
                server              management1 192.168.1.10:8888
     
    # backend for 'S3'.
    backend     backend-s3
                mode                tcp
                balance             leastconn
                server              object1 192.168.1.11:443
                server              object2 192.168.1.12:443
                server              object3 192.168.1.13:443
     
    # backend for 'Backup Gateway'.
    backend     backend-abgw
                mode                tcp
                timeout server      12h
                balance             source
                server              storage1 192.168.1.11:44445 check
                server              storage2 192.168.1.12:44445 check
                server              storage3 192.168.1.13:44445 check
                server              storage4 192.168.1.14:44445 check
                server              storage5 192.168.1.15:44445 check

    Additional Information

    With HAProxy it is possible to build complex setups and serve almost any usage scenario. In case of using http mode you can automatically show a company branded maintenance page while WebCP or S3 is not reachable. Beside this it is possible to use HAProxy for SSL termination and forward traffic either unencrypted or using self-signed certificates in the backend. However we do not recommend this type of setup.

    The full documentation of all available configuration options can be found in a single document here.