Example configuration of HAproxy as a loadbalancer for Dispatcher Paragon cluster

The following guide shows an example of a configuration used to balance load from MFDs between multiple Dispatcher Paragon servers that form a Spooler Controller Group.

Disclaimer

The steps and configuration used in this guide are intended as a proof of concept. The actual configuration for a specific environment has to be designed with respect to the specific needs and available options of the customer.

Prerequisites

  • HAproxy is installed and its general configuration is in place (this guide only covers the settings specific to Dispatcher Paragon)

  • Dispatcher Paragon servers are configured and have successfully formed a Spooler Controller Group. See Near Roaming in the chapter Configuring Print Roaming

  • Dispatcher Paragon servers are configured and ready to be used with a third-party load balancer. See the chapter Configuring a Third-party Load Balancer for Terminal Failover

  • For load balancing on OSI layer 7, a certificate and private key are needed. The certificate is issued for the IP address or hostname of the HAproxy frontends and is presented by the load balancer to the MFDs.

    • Save both the private key (without a passphrase) and the public certificate in a single file. In the example below, it is /etc/haproxy/haproxy.pem

    • The structure of the file looks like the following (the order of the key and the certificate does not matter):
      -----BEGIN CERTIFICATE-----
      MIIF4z...
      -----END CERTIFICATE-----
      -----BEGIN PRIVATE KEY-----
      MIIF4z...
      -----END PRIVATE KEY-----
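A small check for the bundle described above, added here as an example and not part of the original guide or of HAproxy: it confirms the file holds a certificate and exactly one private key, in either order, and that the key is not passphrase-protected (HAproxy has no way to prompt for one). The sample bundles are constructed placeholders, and the default path /etc/haproxy/haproxy.pem is the one the prerequisite names.

```python
import re
import sys

# One PEM block: the label after BEGIN must be repeated after END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)


def check_haproxy_pem(pem_text):
    """Return a list of problems with a combined certificate+key bundle.

    An empty list means the file has the shape the prerequisite describes:
    at least one CERTIFICATE block, exactly one private key block, and a
    key that is not passphrase-protected. Block order is deliberately not checked.
    """
    problems = []
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]

    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    # PKCS#8 encrypted keys carry the ENCRYPTED label; legacy PEM keys carry a
    # Proc-Type header. HAproxy cannot prompt for a passphrase, so both fail to load.
    if "ENCRYPTED PRIVATE KEY" in keys or "Proc-Type: 4,ENCRYPTED" in pem_text:
        problems.append("private key is passphrase-protected")
    return problems


def check_haproxy_pem_file(path):
    with open(path, "r", encoding="ascii") as fh:
        return check_haproxy_pem(fh.read())


# Constructed samples (placeholder bodies, not real key or certificate material).
SAMPLE_OK = """-----BEGIN CERTIFICATE-----
MIIF4z...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIF4z...
-----END PRIVATE KEY-----
"""
SAMPLE_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF4z...
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIF4z...
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    issues = check_haproxy_pem_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/haproxy/haproxy.pem")
    print("OK" if not issues else "\n".join(issues))
```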

Terminology

  • frontend - the IP addresses/hostnames, ports and protocols on which HAproxy accepts the communication to be balanced.

  • backend - the set of servers among which the accepted communication is balanced.

Configuration

There are two ways HAproxy can be configured:

  • TCP mode - balancing on OSI layer 4 (recommended)

    • This mode passes the session from the MFD through to the chosen Dispatcher Paragon server.

  • HTTP mode - balancing on OSI layer 7

    • This mode terminates the connection from the MFD at HAproxy and opens a new connection to the Dispatcher Paragon servers.

OSI layer 4 balancing (TCP mode) is the recommended option.

Both proposed configurations are written for the following example environment:

  • Dispatcher Paragon running Konica Minolta embedded terminals

  • Three Site Servers in a Spooler Controller Group running on IP addresses 10.0.125.1, 10.0.125.2 and 10.0.125.3.

    • The first server also acts as the Management Server.

  • Affinity is based on a hash of the source (MFD) IP address over the backend servers that are currently alive.

    • While a server stays up, the MFD keeps being routed to it. When any server goes down or comes up, affinity is reset for all servers and balancing starts over.

    • An example of round-robin balancing is included as a comment in the backend section.

  • Statistics are available at http://<HAproxy IP>:1936/stats

After changing the configuration, use the following steps to validate and apply it.

  1. Validate that the configuration parses without errors:
    sudo haproxy -f /etc/haproxy/haproxy.cfg -c

  2. Restart the service to apply the configuration:
    sudo systemctl restart haproxy.service

Note that in the examples below, the global, defaults and stats sections can be configured differently. They are included only to show the complete file. The important parts are the frontend and backend sections.

Example configuration for Layer 4 balancing (pass through) - recommended

The following is the content of /etc/haproxy/haproxy.cfg.

In the setup below, only one backend is used because HAproxy does not perform any decryption or encryption.

Because this setup works on Layer 4 (mode tcp in the configuration below), HAproxy does not modify the communication and simply forwards it to the selected server. No certificate is needed on HAproxy, as the device sees and uses the certificate of the Dispatcher Paragon Terminal Server directly.

/etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
 
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
 
        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
 
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 15000
        timeout client  150000
        timeout server  150000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
 
 
listen stats
        bind :1936
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy\ Statistics
        stats uri /stats
 
 
frontend paragon
        mode tcp
        option tcplog
        bind *:80
        bind *:443
        bind *:5011-5025
        use_backend paragon


backend paragon
        mode tcp
        option http-server-close
        option tcp-check

        ## AFFINITY BASED ON SOURCE IP, CONSISTENT ROUTING TO SAME BACKEND SERVER UNTIL AVAILABILITY CHANGES
        hash-type consistent
        balance source

        ## BALANCING WITH ROUND ROBIN AND AFFINITY SET TO 30 MINUTES (replaces affinity above):
        #balance roundrobin
        #stick-table type ip size 5k expire 30m
        #stick on src

        server site-server-2 10.0.125.3 check port 5022
        server site-server-1 10.0.125.2 check port 5022
        server mgmt-server-1 10.0.125.1 check port 5022

Example configuration for Layer 7 balancing

The following is the content of /etc/haproxy/haproxy.cfg.

In the setup below, separate frontends and backends are used for SSL and non-SSL communication. This is needed so that non-SSL traffic is not incorrectly handled as SSL.

Because this setup works on Layer 7 (mode http in the configuration below), HAproxy terminates the SSL communication and opens a new connection to the Dispatcher Paragon server. So there are two connections: MFD → HAproxy and then HAproxy → Terminal Server.
The backend servers carry the parameter "ssl verify none", which means the certificate of Dispatcher Paragon is not checked and is implicitly trusted. For a production environment, this should be removed and a trusted certificate should be used on the Dispatcher Paragon Terminal Server.

/etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
 
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private
 
        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3
 
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 15000
        timeout client  150000
        timeout server  150000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
 
 
listen stats
        bind :1936
        mode http
        stats enable
        stats hide-version
        stats realm Haproxy\ Statistics
        stats uri /stats
 
 
frontend paragon_ssl
        mode http
        option httplog
        option forwardfor
        bind *:443 ssl crt /etc/haproxy/haproxy.pem
        bind *:5012-5020 ssl crt /etc/haproxy/haproxy.pem
        bind *:5022-5025 ssl crt /etc/haproxy/haproxy.pem
        use_backend paragon_ssl
 
 
backend paragon_ssl
        mode http
        option forwardfor
        option http-server-close
        option tcp-check
 
        ## AFFINITY BASED ON SOURCE IP, CONSISTENT ROUTING TO SAME BACKEND SERVER UNTIL AVAILABILITY CHANGES
        hash-type consistent
        balance source
        ## BALANCING WITH ROUND ROBIN AND AFFINITY SET TO 30 MINUTES (replaces affinity above):
        #balance roundrobin
        #stick-table type ip size 5k expire 30m
        #stick on src
 
        server site-server-2 10.0.125.3 check port 5022 on-marked-down shutdown-sessions ssl verify none
        server site-server-1 10.0.125.2 check port 5022 on-marked-down shutdown-sessions ssl verify none
        server mgmt-server-1 10.0.125.1 check port 5022 on-marked-down shutdown-sessions ssl verify none
 
 
frontend paragon_no_ssl
        mode http
        option httplog
        option forwardfor
        bind *:80
        bind *:5011
        bind *:5021
        use_backend paragon_no_ssl
 
 
backend paragon_no_ssl
        mode http
        option forwardfor
        option http-server-close
        option tcp-check
 
        ## AFFINITY BASED ON SOURCE IP, CONSISTENT ROUTING TO SAME BACKEND SERVER UNTIL AVAILABILITY CHANGES
        hash-type consistent
        balance source
        ## BALANCING WITH ROUND ROBIN AND AFFINITY SET TO 30 MINUTES (replaces affinity above):
        #balance roundrobin
        #stick-table type ip size 5k expire 30m
        #stick on src
 
        server site-server-2 10.0.125.3 check port 5011 on-marked-down shutdown-sessions verify none
        server site-server-1 10.0.125.2 check port 5011 on-marked-down shutdown-sessions verify none
        server mgmt-server-1 10.0.125.1 check port 5011 on-marked-down shutdown-sessions verify none
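To catch the "ssl verify none" proof-of-concept setting before a configuration reaches production, the following check is added here as an example (not part of the guide or of HAproxy). It splits a haproxy.cfg into sections and lists every TLS server line whose certificate is never verified; the constructed excerpt shows the guide's backend beside a hardened variant that uses HAproxy's "verify required" with a "ca-file" (the path /etc/haproxy/paragon-ca.pem is a hypothetical CA bundle).

```python
import re

SECTION_RE = re.compile(r"^(global|defaults|listen|frontend|backend)\b\s*(\S*)")


def parse_sections(cfg_text):
    """Split a haproxy.cfg into (kind, name, [directive lines]) tuples."""
    sections = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skips blanks and the commented-out round-robin variant
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections


def unverified_tls_servers(cfg_text):
    """Return 'backend/server' names that speak TLS to the backend without verifying its certificate."""
    findings = []
    for kind, name, lines in parse_sections(cfg_text):
        if kind not in ("backend", "listen"):
            continue
        for line in lines:
            parts = line.split()
            if parts[0] != "server" or "ssl" not in parts:
                continue  # plain-text server lines are out of scope here
            idx = parts.index("verify") if "verify" in parts else -1
            if idx >= 0 and idx + 1 < len(parts) and parts[idx + 1] == "none":
                findings.append("%s/%s" % (name, parts[1]))
    return findings


# Constructed excerpt: the guide's proof-of-concept backend beside a hardened
# variant. /etc/haproxy/paragon-ca.pem is a hypothetical CA bundle path.
POC_BACKEND = """backend paragon_ssl
        mode http
        balance source
        server site-server-2 10.0.125.3 check port 5022 on-marked-down shutdown-sessions ssl verify none
        server site-server-1 10.0.125.2 check port 5022 on-marked-down shutdown-sessions ssl verify none
"""
HARDENED_BACKEND = """backend paragon_ssl
        mode http
        balance source
        server site-server-2 10.0.125.3 check port 5022 on-marked-down shutdown-sessions ssl verify required ca-file /etc/haproxy/paragon-ca.pem
        server site-server-1 10.0.125.2 check port 5022 on-marked-down shutdown-sessions ssl verify required ca-file /etc/haproxy/paragon-ca.pem
"""
```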