HAProxy: How Ceph Found L3 Balance

In a lab far away, Ceph lived across three nodes — ceph-node01, ceph-node02, and ceph-node03. Each node was a diligent guardian, managing storage and services on port 8443. But there was a problem: access was restricted, and only one gateway, a single door at IP 192.168.99.61 on port 9000, was open to outsiders. No one could knock on port 80’s door anymore — it was locked tight.

Ceph needed a wise gatekeeper to direct visitors fairly among the three nodes, so none got overwhelmed. Enter HAProxy, a simple but powerful load balancer, ready to bring harmony.

The Challenge

  • The Ceph nodes spoke securely on port 8443.
  • Only port 9000 was reachable from outside.
  • SELinux guarded the system fiercely, preventing rogue processes from binding unusual ports or making unexpected connections.

HAProxy to the Rescue

HAProxy was installed quietly with:

dnf -y install haproxy

To convince SELinux to trust HAProxy’s new role, the haproxy_connect_any boolean was switched on, with -P making the change survive reboots:

setsebool -P haproxy_connect_any=1

With trust secured, HAProxy was configured to listen at its front door, 192.168.99.61:9000, and to forward incoming visitors to the three Ceph nodes in a balanced, round-robin dance.

The Configuration Story

A little script was written to tell HAProxy exactly how to guide visitors:

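#!/bin/bash

# Values used in the configuration below, kept here for reference:
# frontend_ip="192.168.99.61"
# frontend_port="9000"

# backend_ips=("192.168.99.61" "192.168.99.62" "192.168.99.63")
# backend_hostnames=("ceph-node01" "ceph-node02" "ceph-node03")
# backend_port="8443"

# Overwrite the HAProxy configuration. This replaces the whole file,
# including any global and defaults sections that were there before.
# No mode is set, so HAProxy uses its default (tcp) and passes the TLS
# stream through to the nodes. The quoted 'EOF' keeps the shell from
# expanding anything inside the body.
cat > /etc/haproxy/haproxy.cfg << 'EOF'
frontend ceph_front
    bind 192.168.99.61:9000
    default_backend ceph_back

backend ceph_back
    balance roundrobin
    server ceph-node01 192.168.99.61:8443 check
    server ceph-node02 192.168.99.62:8443 check
    server ceph-node03 192.168.99.63:8443 check
EOF

# Restart HAProxy so the new configuration takes effect
systemctl restart haproxy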

This script is HAProxy’s map and guide, balancing load and checking if each Ceph node is ready to receive guests.
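The script above hard-codes every address. As an added example (not the article's own script), the same frontend and backend stanzas can be rendered from arguments, with each value validated so a malformed entry cannot inject extra directives, and the file parsed by HAProxy before it replaces the live one. The function names render_cfg, install_cfg, is_port and is_ipv4 are hypothetical helpers introduced here.

```sh
#!/bin/sh
# Added example (not the article's script): render the frontend/backend
# stanzas from arguments, rejecting values that could alter the config.

is_port() {   # decimal integer in 1..65535
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

is_ipv4() {   # dotted quad, each octet 0..255
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# render_cfg FRONT_IP FRONT_PORT BACK_PORT name=ip [name=ip ...]
render_cfg() {
    [ $# -ge 4 ] || { echo "usage: render_cfg ip port port name=ip..." >&2; return 1; }
    fe_ip=$1 fe_port=$2 be_port=$3; shift 3
    is_ipv4 "$fe_ip" && is_port "$fe_port" && is_port "$be_port" ||
        { echo "bad frontend address or port" >&2; return 1; }
    for pair in "$@"; do          # validate every backend before printing
        name=${pair%%=*}; ip=${pair#*=}
        case $pair in *=*) ;; *) echo "bad backend: $pair" >&2; return 1 ;; esac
        case $name in ''|*[!A-Za-z0-9_.-]*) echo "bad server name" >&2; return 1 ;; esac
        is_ipv4 "$ip" || { echo "bad backend ip for $name" >&2; return 1; }
    done
    printf 'frontend ceph_front\n    bind %s:%s\n    default_backend ceph_back\n\n' "$fe_ip" "$fe_port"
    printf 'backend ceph_back\n    balance roundrobin\n'
    for pair in "$@"; do
        printf '    server %s %s:%s check\n' "${pair%%=*}" "${pair#*=}" "$be_port"
    done
}

# install_cfg: render to a temp file, let HAProxy parse it (-c), then swap it in.
install_cfg() {
    tmp=$(mktemp) || return 1
    render_cfg "$@" > "$tmp" && haproxy -c -f "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0644 "$tmp" /etc/haproxy/haproxy.cfg && rm -f "$tmp"
    systemctl restart haproxy
}

# Usage with the article's values (run as root on the HAProxy host):
# install_cfg 192.168.99.61 9000 8443 ceph-node01=192.168.99.61 \
#     ceph-node02=192.168.99.62 ceph-node03=192.168.99.63
```

Adding or removing a Ceph node then means changing one argument, and a rejected value or a failed parse leaves the running configuration untouched.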

The Happy Ending

Visitors came knocking on https://192.168.99.61:9000, unaware of the careful orchestration behind the scenes. HAProxy gracefully sent each visitor to a Ceph node in turn, ensuring no one node was overwhelmed.

SELinux nodded approvingly, and the lab stayed secure.

You can test this harmony yourself:

curl -k https://192.168.99.61:9000

Lessons from Ceph’s Story

Problem                         Solution
Restricted port access          Use HAProxy on an allowed port (9000)
Multiple backend servers        Round-robin load balancing
SELinux blocking connections    Enable haproxy_connect_any boolean
Dynamic backend management      Scripted configuration for easy updates

In your own labs, think of HAProxy as the wise gatekeeper, balancing requests with fairness, security, and simplicity — just like Ceph needed.


This story shows how small tweaks and a simple tool can solve network puzzles and keep services running smoothly.

thank you