1. 개요

아마존 리눅스에 HAProxy를 설치하는 과정이다.


2. 사전작업

2.1. 패키지 설치

$ sudo yum install -y make gcc gcc-c++ pcre-devel openssl-devel readline-devel systemd-devel zlib-devel

설치 결과는 다음과 같다.

Installed:
  gcc-c++.x86_64 0:7.3.1-15.amzn2                           openssl-devel.x86_64 1:1.0.2k-24.amzn2.0.4
  pcre-devel.x86_64 0:8.32-17.amzn2.0.2                     readline-devel.x86_64 0:6.2-10.amzn2.0.2
  systemd-devel.x86_64 0:219-78.amzn2.0.20                  zlib-devel.x86_64 0:1.2.7-19.amzn2.0.2

Dependency Installed:
  keyutils-libs-devel.x86_64 0:1.5.8-3.amzn2.0.2            krb5-devel.x86_64 0:1.15.1-37.amzn2.2.4
  libcom_err-devel.x86_64 0:1.42.9-19.amzn2                 libkadm5.x86_64 0:1.15.1-37.amzn2.2.4
  libselinux-devel.x86_64 0:2.5-12.amzn2.0.2                libsepol-devel.x86_64 0:2.5-8.1.amzn2.0.2
  libverto-devel.x86_64 0:0.2.5-4.amzn2.0.2                 ncurses-c++-libs.x86_64 0:6.0-8.20170212.amzn2.1.3
  ncurses-devel.x86_64 0:6.0-8.20170212.amzn2.1.3

Dependency Updated:
  openssl.x86_64 1:1.0.2k-24.amzn2.0.4   openssl-libs.x86_64 1:1.0.2k-24.amzn2.0.4   zlib.x86_64 0:1.2.7-19.amzn2.0.2

Complete!

2.2. Lua 설치

curl -R -O http://www.lua.org/ftp/lua-5.3.5.tar.gz
tar zxf lua-5.3.5.tar.gz
cd lua-5.3.5
make linux test
make linux install
cd ..

설치 결과는 다음과 같다.

/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/ct.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/des_modes.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/evp.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/ossl_store-file.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/ossl_store.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/passphrase-encoding.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/scrypt.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/ssl.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/x509.html

2.3. OpenSSL 설치

curl -R -O https://www.openssl.org/source/openssl-1.1.1c.tar.gz
tar xvzf openssl-1.1.1c.tar.gz
cd openssl-1.1.1c
./config --prefix=/usr/local/openssl-1.1.1c shared
make
make install

설치 결과는 다음과 같다.

...

/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/ct.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/des_modes.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/evp.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/ossl_store-file.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/ossl_store.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/passphrase-encoding.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/scrypt.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/ssl.html
/usr/local/openssl-1.1.1c/share/doc/openssl/html/man7/x509.html

3. HAProxy 설치

curl -R -O http://www.haproxy.org/download/2.6/src/haproxy-2.6.6.tar.gz
tar -xzf haproxy-2.6.6.tar.gz
cd haproxy-2.6.6
make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 SSL_LIB=/usr/local/openssl-1.1.1c/lib SSL_INC=/usr/local/openssl-1.1.1c/include USE_ZLIB=1 USE_LUA=1 LUA_LIB=/usr/local/lib/ LUA_INC=/usr/local/include/ USE_PCRE=1 USE_SYSTEMD=1
make install
cp /usr/local/sbin/haproxy /usr/sbin/haproxy
useradd -M -r -s /sbin/nologin haproxy

설치가 잘 되었는지 확인한다.

# ls -l /usr/sbin/haproxy
-rwxr-xr-x 1 root root 15751328 Oct 31 07:20 /usr/sbin/haproxy

4. HAProxy 서비스 등록

/etc/systemd/system/haproxy.service 파일을 생성하고 다음 내용을 삽입한다.

[Unit]
Description=HAProxy Load Balancer
After=network-online.target
Wants=network-online.target

[Service]
EnvironmentFile=-/etc/default/haproxy
EnvironmentFile=-/etc/sysconfig/haproxy
Environment="LD_LIBRARY_PATH=/usr/local/openssl-1.1.1c/lib/"
Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "EXTRAOPTS=-S /run/haproxy-master.sock"
ExecStart=/usr/local/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS
ExecReload=/usr/local/sbin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
Restart=always
SuccessExitStatus=143
Type=notify

# The following lines leverage SystemD's sandboxing options to provide
# defense in depth protection at the expense of restricting some flexibility
# in your setup (e.g. placement of your configuration files) or possibly
# reduced performance. See systemd.service(5) and systemd.exec(5) for further
# information.

# NoNewPrivileges=true
# ProtectHome=true
# If you want to use 'ProtectSystem=strict' you should whitelist the PIDFILE,
# any state files and any other files written using 'ReadWritePaths' or
# 'RuntimeDirectory'.
# ProtectSystem=true
# ProtectKernelTunables=true
# ProtectKernelModules=true
# ProtectControlGroups=true
# If your SystemD version supports them, you can add: @reboot, @swap, @sync
# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io

[Install]
WantedBy=multi-user.target

5. HAProxy 실행

systemctl daemon-reload
mkdir -p /etc/haproxy
touch /etc/haproxy/haproxy.cfg
systemctl enable haproxy
systemctl start haproxy
cd ..