NOTE: This documentation is obsolete. We have migrated all use of static webserving and backend loadbalancing to nginx, considering that it is a part of stock OpenBSD 5.3+ installations, and nginx supplies a strict superset of thttpd and haproxy.

This document is for historical reference only.

Creating a frontend

Creating and running frontends can be done on pretty much any machine. The frontend can be seen as a passthrough server, which relays HTTP requests from clients to an available backend in one or more pool(s), based on a config file. It will health check the backends and remove them from the pool(s) if they are unreachable, or unhealthy.

Depending on how complicated and feature rich the frontend should be (it's always a trade off between complexity/features, speed, cost and reliability), one can choose for a complex NGINX or a more simple HA Proxy (this document).

As with most howto's in the user guide, this one assumes that you have a host set up using one of the methods described in the Host Setup guide. Once the machine is up and has the necessary access, we install the required packages and introduce the machine into our provisioning system, which is represented on your admin machine by an RCS, of which you can read more here.

We installed a few OpenBSD and Ubuntu LTS machines and put them at three different hosting providers in Europe: BIT bv in Ede, the Netherlands; Coloclue in Amsterdam, the Netherlands; and Saitis in Lausanne, Switzerland. You can use existing machines as long as (a) you have root access to this machine using ssh(1), and (b) you are able and allowed to bind port 80 and 443 on this machine.

A1) Using OpenBSD

1. Install needed ports (packages)

export PKG_PATH=`uname -r`/packages/`uname -m`/
sudo pkg_add -vr haproxy
sudo pkg_add -vr rsync

2. Put haproxy in rc{.conf,}.local

sudo su -
cat << EOF >>/etc/rc.local
if [ X$"{haproxy}" = X"YES" -a -x /usr/local/sbin/haproxy ];
        /usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg
        echo -n ' haproxy'
echo haproxy=\"YES\" >> /etc/rc.conf.local

mkdir -p /etc/haproxy
ln -s /etc/haproxy/haproxy.cfg /etc/haproxy.cfg
chown -R paphosting:paphosting /etc/haproxy/

A2) Using Ubuntu

1. Install needed packages

sudo apt-get update
sudo apt-get install haproxy rsync

2. Enable haproxy

sudo su -
cd /etc/default
sed -e 's,ENABLED=0,ENABLED=1,' haproxy > && \
  mv -f haproxy
mkdir -p /usr/local/sbin
mkdir -p /var/haproxy
ln -sf /usr/sbin/haproxy /usr/local/sbin/haproxy
mkdir -p /etc/haproxy
mv -f /etc/haproxy.cfg /etc/haproxy/haproxy.cfg
ln -sf /etc/haproxy/haproxy.cfg /etc/haproxy.cfg
chown -R paphosting:paphosting /etc/haproxy/

B) Configuring PAPFE

1. Add the machine to config/haproxy.hosts

On your client, add the hostname (any hostname or IPv4 or IPv6 address to which you can connect on the ssh port:
echo $HOSTNAME >> config/haproxy.hosts
# If your machine is Ubuntu Jaunty, then:
ln -s haproxy/jaunty haproxy/$HOSTNAME
svn add haproxy/$HOSTNAME
svn commit config/haproxy.hosts haproxy/$HOSTNAME

2. Ensure you can SSH into the machine as paphosting

From your client, try to SSH as paphosting into the machine. Your SSH keys should be in config/, and those should be in ~paphosting/.ssh/authorized_keys.
Now that you're here, you need to setup sudo access for the paphosting user, so that it can restart the haproxy:
cat << EOF >> /etc/sudoers
paphosting ALL = NOPASSWD: /usr/local/sbin/haproxy
paphosting ALL = NOPASSWD: /usr/bin/pkill -x haproxy

3. Force a push of the haproxy configs

On your client, try to do a haproxy push
scripts/ -v -n
# If this looks good, then:
scripts/ -f

4. Put the machine in DNS

Add IPv4 and IPv6 addresses of the machine to the http0 label, which will put the haproxy into the rotation within $TTL seconds (probably 300). Note: your frontend will go live as soon as DNS propagates!
$EDITOR dns/zones/paphosting/
scripts/ -v -n
# If this looks good, then:
scripts/ -f
EOF :)