Loadbalance Coin Daemon with HAproxy
Putting a load balancer between your explorer and your coin daemons is an extremely useful way to avoid overwhelming your RPC connections and to ensure you always have a connection to the network. In this tutorial we're going to set up HAProxy on a VM, configure three coin daemon endpoints, and point our explorer to the HAProxy load balancer instead of directly to the daemon.
- 4 Virtual Machines running debian/ubuntu (1x nodeJS Server & HAProxy, 3x coinDaemons)
- Each VM is going to have a LAN IP to communicate with each other.
- This is not a security-focused guide, so we will not spend time on firewall rules or coinD.conf-specific settings that enhance security (other than RPCAllowIP).
- NodeJS/HAProxy will run on 192.168.2.2, and the CoinD VMs will be 192.168.2.3-5.
- Explorer is already installed on the NodeJS server and properly running.
- All 3 coindaemons are currently running and sync'd with their block files, ready for traffic from the explorer. One server may already be used as the daemon for the explorer.
# apt install haproxy
...
...
# vi /etc/haproxy/haproxy.cfg
Editing the haproxy.cfg config file, I use the following configuration:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http_front
    bind *:81
    stats uri /haproxy?stats

frontend rpc_front
    bind *:82
    default_backend rpc_back
    mode tcp

backend rpc_back
    balance roundrobin
    mode tcp
    http-check expect rstatus (2|3|4)[0-9][0-9]
    server vulc1 192.168.2.3:52544 check
    server vulc2 192.168.2.4:52544 check
    server vulc3 192.168.2.5:52544 check
So now we have our HAProxy stats on 192.168.2.2:81/haproxy?stats, so we can keep an eye on things as needed; that's the config for the frontend http_front.
For our RPC frontend, which will serve as the endpoint for our explorer to hit, we have frontend rpc_front, which listens on port 82 (192.168.2.2:82) and simply runs in tcp mode.
Lastly, our RPC backend is defined in backend rpc_back, and we're doing the following:
- Balancing the traffic with the "roundrobin" algorithm, or as some may know it, the "A...B...C...A" method.
- We're still running in tcp mode, same as our frontend.
- We check for any HTTP codes to know things are alive and well.
- We define all 3 servers and are going to check them. Each server should be pointed to the RPC port of your daemon.
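One way to check the proxy sections above before restarting HAProxy, as an added example that is not part of the original guide: a short Python audit that flags listeners bound to every interface, a stats page with no `stats auth`, and `http-check` rules with no `option httpchk` (HAProxy ignores those and falls back to a plain TCP connect check). The names `parse_sections` and `audit` are this example's own, and `PAGE_CFG` is a shortened copy of the config on this page.

```python
import re

# Proxy sections copied from the haproxy.cfg on this page (one server line kept).
PAGE_CFG = """\
frontend http_front
    bind *:81
    stats uri /haproxy?stats
frontend rpc_front
    bind *:82
    default_backend rpc_back
    mode tcp
backend rpc_back
    balance roundrobin
    mode tcp
    http-check expect rstatus (2|3|4)[0-9][0-9]
    server vulc1 192.168.2.3:52544 check
"""
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
WILDCARD = re.compile(r"^(\*|0\.0\.0\.0|::|\[::\])?:\d")  # *:81, :81, [::]:81

def parse_sections(text):
    """Split a haproxy.cfg into {(kind, name): [directive word lists]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and indentation
        m = SECTION.match(" ".join(words))
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), [])
        elif words and current is not None:
            current.append(words)
    return sections

def audit(text):
    """Return (section name, finding) pairs for exposure and health-check gaps."""
    sections, findings = parse_sections(text), []
    # Simplification: an unnamed defaults section is treated as applying to all.
    inherited = sections.get(("defaults", ""), [])
    for (_, name), words in sections.items():
        has = lambda *d: any(w[:len(d)] == list(d) for w in words + inherited)
        for w in words:
            if w[0] == "bind" and len(w) > 1 and WILDCARD.match(w[1]):
                findings.append((name, "wildcard bind " + w[1]))
        if has("stats", "uri") and not has("stats", "auth"):
            findings.append((name, "stats page without 'stats auth'"))
        if has("http-check") and not has("option", "httpchk"):
            findings.append((name, "http-check ignored: no 'option httpchk'"))
    return findings

if __name__ == "__main__":
    print(*audit(PAGE_CFG), sep="\n")
```

Because the explorer in this guide reaches the balancer on localhost, binding rpc_front to 127.0.0.1:82 instead of *:82 clears the rpc_front finding.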
Finally, just restart the service:
# systemctl restart haproxy
Now you're ready to point the Explorer to your 3+ daemons, so go ahead and edit the file:
$ vi ./settings.json
Change the following from:
// wallet settings
"wallet": {
  "host": "localhost",
  "port": 9332,
  "user": "darkcoinrpc",
  "pass": "123gfjk3R3pCCVjHtbRde2s5kzdf233sa"
},
to:
// wallet settings
"wallet": {
  "host": "localhost",
  "port": 82,
  "user": "darkcoinrpc",
  "pass": "123gfjk3R3pCCVjHtbRde2s5kzdf233sa"
},