Balancing an OpenSearch cluster using HAProxy
Introduction
This document describes the configuration of a balanced OpenSearch cluster using HAProxy.
Installation and configuration of OpenSearch cluster
For the installation and configuration of an OpenSearch cluster, we will follow the official documentation at:
“Configuring an OpenSearch cluster for Pandora FMS”
Once completed, you will have a multi-node architecture with a functional cluster. As an example, we will describe a 3-node cluster:
os-node1
os-node2
os-node3
Installation and configuration of HAProxy
On another machine, we will install and configure the HAProxy balancer.
In our case, we will do this on the same machine where we have the Pandora FMS node with Rocky Linux 9 OS. However, it can be a separate machine for this purpose.
We will install the HAProxy and Vim packages to edit the configuration files (if it is a Pandora FMS node, Vim should already be installed by default).
dnf install -y haproxy vim
Once installed, we will make a copy of the default HAProxy configuration file.
cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.default
Now we will edit the file /etc/haproxy/haproxy.cfg with the following configuration:
global
    #log /dev/log local0
    log /dev/log local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    #option httplog
    option dontlognull
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    retries 3

# ====================================
# Frontend -- HTTP
# ====================================
frontend opensearch_frontend
    #bind *:9200
    bind *:9200 ssl crt /etc/haproxy/certs/haproxy.pem
    default_backend opensearch_backend

# ====================================
# Backend -- HTTPS nodes with auth
# ====================================
backend opensearch_backend
    balance roundrobin
    # Connect to HTTPS backends
    server node1 <ip-node1>:9200 ssl verify none check
    server node2 <ip-node2>:9200 ssl verify none check
    server node3 <ip-node3>:9200 ssl verify none check

# ====================================
# Stats page optional
# ====================================
listen stats
    bind *:8404
    mode http
    stats enable
    stats uri /haproxy?stats
    stats refresh 10s
    stats auth admin:Pandor4!
Replace <ip-nodex> with the IP address of each OpenSearch node in our cluster and add more nodes following the same format if you have a larger cluster.
Save and exit.
This is a reference configuration file, so some options can be configured according to the needs of the environment, such as timeouts, retries, or SSL certificate verification.
Stats page
We have added a stats URL to the configuration, which will be useful for monitoring the status of HAProxy. This is optional and can be disabled by deleting the block starting with Stats page optional.
It is also possible to restrict access by limiting the exposed IP address, changing the port, or changing the access credentials.
In our case, the stats page will be available at
http://<nodo.pandorafms>:8404/haproxy?stats
With the credentials admin:Pandor4!.
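The reference configuration leaves backend certificate verification off (verify none) and exposes the stats page on every interface. The fragment below is an added example, not part of the original Pandora FMS configuration, showing the same two sections with those options tightened; the CA file path, the verifyhost names, the 192.0.2.0/24 management network and the <stats-password> placeholder are assumptions.

```haproxy
# Added example (not from the original page): hardened backend and stats sections.
# Assumed values: the ca-file path, the names given to verifyhost, the
# management network 192.0.2.0/24 and the <stats-password> placeholder.

backend opensearch_backend
    balance roundrobin
    # "verify required" validates each node certificate against the CA in
    # ca-file; "verifyhost" additionally checks the name in that certificate.
    # The node certificates must be issued by this CA and carry these names.
    server node1 <ip-node1>:9200 ssl verify required ca-file /etc/haproxy/certs/opensearch-ca.pem verifyhost os-node1 check
    server node2 <ip-node2>:9200 ssl verify required ca-file /etc/haproxy/certs/opensearch-ca.pem verifyhost os-node2 check
    server node3 <ip-node3>:9200 ssl verify required ca-file /etc/haproxy/certs/opensearch-ca.pem verifyhost os-node3 check

listen stats
    # Listen on loopback only instead of every interface (*:8404), so the
    # basic-auth credentials never cross the network in clear text.
    bind 127.0.0.1:8404
    mode http
    # Alternative when remote access is needed: bind a routable address and
    # reject clients outside the management network.
    # acl mgmt_net src 192.0.2.0/24
    # http-request deny unless mgmt_net
    stats enable
    stats uri /haproxy?stats
    stats refresh 10s
    # Placeholder: use a credential that does not appear in any documentation.
    stats auth admin:<stats-password>
```

Running haproxy -c -f /etc/haproxy/haproxy.cfg validates the edited file before the service is restarted.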
Certificate for HTTPS HAProxy
As we can see, we refer to a certificate
bind *:9200 ssl crt /etc/haproxy/certs/haproxy.pem
in the configuration file. In production, it is best to use an official certificate signed by a trusted CA. For lab testing, we will use a self-generated certificate that we will create with the commands:
sudo mkdir -p /etc/haproxy/certs
# Generate private key and self-signed certificate
sudo openssl req -x509 -nodes -days 365 \
  -newkey rsa:2048 \
  -keyout /etc/haproxy/certs/haproxy.key \
  -out /etc/haproxy/certs/haproxy.crt \
  -subj "/CN=haproxy.local"
Now we will create a .pem file by concatenating the key and the certificate. If using a valid certificate, the steps will be similar, but using the certificate files.
# Combine certificate and key into a single file (required by HAProxy)
# The redirection runs inside the root shell so it can write under /etc/haproxy/certs
sudo sh -c 'cat /etc/haproxy/certs/haproxy.key /etc/haproxy/certs/haproxy.crt > /etc/haproxy/certs/haproxy.pem'
We restart the HAProxy service.
systemctl restart haproxy
We verify that we can reach the OpenSearch nodes over HTTPS through HAProxy by running the following from the terminal of the node where we installed HAProxy:
curl -XGET -ku admin:'P4nd0r4!FMS' "https://127.0.0.1:9200/_cat/nodes?v"
If we make a couple of calls to the API root, we can verify that the calls are balanced between nodes.
curl -XGET -ku admin:'P4nd0r4!FMS' "https://127.0.0.1:9200/"
Configuration in the Pandora FMS console
HAProxy can be in any other instance, but to avoid having to add more machines to our cluster, we have installed it directly on the Pandora FMS node itself, so we will use localhost for our configuration. However, if it has been configured on another machine, you must use that machine's IP address.
Go to the Pandora FMS console, to the settings section Management → Settings → System Settings → Log collector, and fill in the required fields, activating Use HTTPS if you have configured a certificate.
We will see the green check mark indicating that we have configured and connected our OpenSearch with Pandora FMS.




