This is a text-only version of the following page on https://raymii.org: --- Title : Adding IPv6 to a keepalived and haproxy cluster Author : Remy van Elst Date : 24-09-2017 URL : https://raymii.org/s/articles/Adding_IPv6_to_a_keepalived_and_haproxy_cluster.html Format : Markdown/HTML --- At work I regularly build high-available clusters for customers, where the setup is distributed over multiple datacenters with failover software. If one component fails, the service doesn't experience issues or downtime due to the failure. Recently I was tasked with expanding a cluster setup to be also reachable via IPv6. This article goes over the settings and configuration required for haproxy and keepalived for IPv6. The internal cluster will only be IPv4, the loadbalancer terminates HTTP and HTTPS connections. <p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p> ### Cluster setup ![cluster][2] This diagram gives a general idea of the clusters I often build at work. The CloudVPS network is fully redundant over multiple data centers, so I don't have to worry about that part. A setup often consist out of the following components per data center: a loadbalancer, multiple application servers (php, apache, rails, python, java), a database server (mysql/galera or postgresql). So you have three loadbalancer, three databaseservers and three or more application servers in total. Often there are extra components like DRBD/NFS for file storage, Redis as a key/value store, mongodb or elasticsearch. (All which can be clustered). Because we have three datacenters there is enough for a quorum. Sometimes customers choose just two datacenters for cost reasons, then we explain the issues without quorum and make them sign off the risks in the contract. The clusters are IPv4 internally, with keepalived or Corosync/Pacemaker handling the High Available IP addres (VIP). The loadbalancers all have their own IP and share one or more external VIP's via the cluster software. They also have a internal VIP because they function as a gateway for the internal servers. If one loadbalancer fails, VRRP detects that and the VIP becomes active on one of the other servers. For complex setups with depencencies and orders we use Corosync, for example with DRBD/NFS, so make sure the starting order is correct. First DRBD mount, then the VIP, then NFS. Most of the time keepalived is enough. Adding IPv6 is suprisingly easy, so this is a short article covering the following: * IPv6 on the OS * keepalived * haproxy The internal network stays the same, the load balancer terminates all traffic and sends it on over IPv4 to the application servers, which do not need to be configured with IPv6. In our case all serves come with a /64 IPv6 natively so there is no network configuration on switches or routers included in this guide. ### Operating System The clusters run Ubuntu (16.04) most of the time, so in `/etc/network/interfaces` there must be an IPv6 address: iface eth0 inet6 static address 2a02:123:45:67ab::1/48 netmask 48 gateway 2a02:123:45::1 This is not the IPv6 address you'll use as the VIP, but a local IPv6 address for the machine. You don't configure the VIP on the OS. We have ACL rules on the backend in our hypervisor environment so I added an extra IPv6 range to the cluster for use with high-availability: 2a02:123:45:67bb::1/48 (example range in this case, which will be used inside haproxy and keepalived as IPv6 VIP.) You also don't need to configure the following sysctl for ipv6: net.ipv4.ip_nonlocal_bind=1 We handle that inside of haproxy and keepalived. ### Keepalived This is tested with keepalived in ubuntu 16.04, version 1.2.19. Adding the IPv6 address to the `virtual_ipaddress` section and restarting keepalived is enough: vrrp_sync_group VG_1 { group { EXTERN INTERN } } vrrp_instance EXTERN { interface eth0 virtual_router_id 12 state EQUAL advert_int 1 smtp_alert notify /usr/local/bin/keepalived-extern.sh authentication { auth_type PASS auth_pass hunter2 } virtual_ipaddress { 1.2.3.4/32 2a02:123:45:67bb::1/32 } } ### haproxy haproxy is suprisingly easy with IPv6. Just add it to your `frontend` section as a `bind` option: frontend http-in mode http bind 1.2.3.4:80 bind 2a02:123:45:67bb::1:80 transparent option httplog option forwardfor option http-server-close option httpclose reqadd X-Forwarded-Proto:\ http http-request add-header X-Real-IP %[src] default_backend appserver You must add the `transparant` option. Otherwise, haproxy will not start if the VIP is not on the machine itself. (kind of like nonlocal.bind sysctl). haproxy is intelligent enough to understand the port number in the address. No need to screw around with brackets like `[2a02:123:45:67bb::1]:80` or special options. Restart haproxy and it's configured: netstat -tlpn | grep haproxy Output: tcp 0 0 1.2.3.4:80 0.0.0.0:* LISTEN 1163/haproxy tcp 0 0 1.2.3.4:443 0.0.0.0:* LISTEN 1163/haproxy tcp6 0 0 2a02:123:45:67bb::1:80 :::* LISTEN 1163/haproxy tcp6 0 0 2a02:124:45:67bb::1:443 :::* LISTEN 1163/haproxy The version of haproxy is the one from Ubuntu 16.04, 1.6.3. [1]: https://www.digitalocean.com/?refcode=7435ae6b8212 [2]: https://raymii.org/s/inc/img/cloudvps-cluster.png --- License: All the text on this website is free as in freedom unless stated otherwise. This means you can use it in any way you want, you can copy it, change it the way you like and republish it, as long as you release the (modified) content under the same license to give others the same freedoms you've got and place my name and a link to this site with the article as source. This site uses Google Analytics for statistics and Google Adwords for advertisements. You are tracked and Google knows everything about you. Use an adblocker like ublock-origin if you don't want it. All the code on this website is licensed under the GNU GPL v3 license unless already licensed under a license which does not allows this form of licensing or if another license is stated on that page / in that software: This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. Just to be clear, the information on this website is for meant for educational purposes and you use it at your own risk. I do not take responsibility if you screw something up. Use common sense, do not 'rm -rf /' as root for example. If you have any questions then do not hesitate to contact me. See https://raymii.org/s/static/About.html for details.