ufw is stands for Uncomplicated Firewall, this program is for managing a Linux firewall and aims to provide an easy to use interface for the user, as well as support package integration and dynamic-detection of open ports. ufw  is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to  add  or  remove simple rules. It is currently mainly used for host-based firewalls.

Installation

$ sudo apt-get install ufw

For help use

$ man ufw

To enable firewall

$ sudo ufw enable

When we enable the firewall it will set firewall with default settings, it will deny ssh ports, telnet and many other services. So when we enable firewall on the remort servers we must enable ssh ports first, this can done using.

$ ufw allow proto tcp from any to any port 22

To disable a firewall

$ sudo sfw disable

Examples

Deny all access to port 53:

$ sudo ufw deny 53

Allow all access to tcp port 80:

$ sudo ufw allow 80/tcp

Allow all access from RFC1918 networks to this host:

$ sudo ufw allow from 10.0.0.0/8
$ sudo ufw allow from 172.16.0.0/12
$ sudo ufw allow from 192.168.0.0/16

Deny access to udp port 514 from host 1.2.3.4:

$ sudo ufw deny proto udp from 1.2.3.4 to any port 514

Allow access to udp 1.2.3.4 port 5469 from 1.2.3.5 port 5469:

$ sudo ufw allow proto udp from 1.2.3.5 port 5469 to 1.2.3.4 port 5469

First method is to use  set req.http.host and set req.url in the vcl.conf file. Using these two methods we perform normal redirection. Using these method we will redirect the url to some other URL on the same host. For example say the URL http://example.com/error500.php will be redirect to the URL http://example.com/redirect.php. We specify 301/302 redirection to the URL http://foo.com/index.php in the redirect.php file using header method.

• In the sub vcl_recv method use the following code.

sub vcl_recv {
   if (req.http.host ~ "example.com") {
      if (req.url ~ "error500.php") {
         set req.http.host = "example.com";
         set req.url = "/redirect.php";
      }
   }
}

• In the redirect.php file use the following method.

<?php
header("HTTP/1.1 302 Moved Temperarly");
header('Location:http://foo.com/index.php');
exit;
?>

Second method is to use vcl_error error method. In this error method we can specify HTML tags, so using meta tags we can implement redirection. This option is available with the latest version of varnish.

• In the sub vcl_recv method use the following code.

sub vcl_recv {
   if (req.http.host ~ "example.com") {
      if (req.url ~ "error500.php")
         error;
      }
   }
}
sub vcl_error {
        set obj.http.Content-Type = "text/html; charset=utf-8";
        if (req.http.host ~ "example.com") {
                if (req.url ~ "error500.php") {
                        synthetic {"
                                <?xml version="1.0" encoding="utf-8"?>
                                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
                                <html>
                                        <head>
                                                <meta http-equiv="refresh" content="0;url=http://foo.com/index.php">
                                        </head>
                                </html>
                        "};
                }
        }
        deliver;
}

Varnish is a reverse proxy or http accelerator that uses serverside caching to increase the speed of servicing HTTP requests for use in things such as websites. The varnishd daemon accepts HTTP requests from clients, passes them on to a backend server and caches the returned documents to better satisfy future requests for the same document.

Varnish uses Varnish Configuration Language (VCL). The VCL language is a small domain-specific language designed to be used to define request handling and document caching policies for the Varnish HTTP accelerator. When a new configuration is loaded, the varnishd management process translates the VCL code to C and compiles it to a shared object which is then dynamically linked into the server process.

Varnish uses two configuration file one is VCL and another one contains the values which will be passed as parametes to the varnishd.

/etc/default/varnish

# Configuration file for varnish

# Main configuration file. You probably want to change it 
VARNISH_VCL_CONF=/etc/varnish/vcl.conf

# Default address and port to bind to
VARNISH_LISTEN_ADDRESS=0.0.0.0
VARNISH_LISTEN_PORT=80

# Telnet admin interface listen address and port
VARNISH_ADMIN_LISTEN_ADDRESS=127.0.0.1
VARNISH_ADMIN_LISTEN_PORT=6082

# The minimum number of threads to start
VARNISH_MIN_WORKER_THREADS=1

# Maximum number of worker threads or INF for unlimited
VARNISH_MAX_WORKER_THREADS=2048

# Timeout value in seconds for threads to return
VARNISH_WORKER_THREAD_TIMEOUT=5

# Hash algorithm to be used
VARNISH_HASHOPTION=classic

# Maximum size of the backend storagefile in bytes
VARNISH_BACKEND_STORAGE_SIZE=10240000
VARNISH_BACKEND_STORAGE_FILE=/var/lib/varnish/varnish_storage.bin

# Backend storage specification
VARNISH_BACKEND_STORAGE="file,${VARNISH_BACKEND_STORAGE_FILE},${VARNISH_BACKEND_STORAGE_SIZE}"

# Set default ttl in secounds
VARNISH_TTL=120

/etc/varnish/vcl.conf

      backend default {
        # Our default backend, i.e. the web server
        # You can use more than 1. See docs.
        set backend.host = "0.0.0.0";
        set backend.port = "8080";  # Web Server Port
        }
        sub vcl_recv {
           if ((req.http.host ~ "^backend1..varnish.com") || (req.http.host ~ "^backend2.varnish.com")) {
             pass;
           } else {
             if (req.request != "GET" && req.request != "HEAD") {
                 pipe;
             }
             if (req.request == "POST") {
                 pass;
             }
             if (req.request == "GET" && req.url ~ "\.(jpg|jpeg|gif|ico)$") {
                 lookup;
             }
             if (req.request == "GET" && req.url ~ "\.(css|js)$") {
                 lookup;
             }
             if (req.request == "GET" && req.url ~ "\.(php|html)$") {
                 lookup;
             }
             if (req.request == "GET") {
                 lookup;
             }
             lookup;
          }
        }
         sub vcl_pipe {
             pipe;
         }

         sub vcl_pass {
             pass;
         }

         sub vcl_hit {
             if (!obj.cacheable) {
                 pass;
             }
             if (req.http.Cookie) {
                pass;
             }
             deliver;
         }

         sub vcl_miss {
             fetch;
         }

         sub vcl_fetch {
             if (!obj.valid) {
                 error;
             }
             if (!obj.cacheable) {
                 pass;
             }
             insert;
         }

         sub vcl_deliver {
             deliver;
         }

         sub vcl_timeout {
             discard;
         }

         sub vcl_discard {
             discard;
         }

You can use varnishstat to see the status of varnish

$ varnishstat
client_conn                 0         0.00 Client connections accepted
client_req                  0         0.00 Client requests received
cache_hit                   0         0.00 Cache hits
cache_hitpass               0         0.00 Cache hits for pass
cache_miss                  0         0.00 Cache misses
backend_conn                0         0.00 Backend connections success
backend_fail                0         0.00 Backend connections failures
backend_reuse               0         0.00 Backend connections reuses
backend_recycle             0         0.00 Backend connections recycles
backend_unused              0         0.00 Backend connections unused
n_srcaddr                   0          .   N struct srcaddr
n_srcaddr_act               0          .   N active struct srcaddr
n_sess_mem                  1          .   N struct sess_mem
n_sess                      1          .   N struct sess
n_object                    0          .   N struct object
n_objecthead                0          .   N struct objecthead
n_smf                       1          .   N struct smf
n_smf_frag                  0          .   N small free smf
n_smf_large                 1          .   N large free smf
n_vbe_conn                  0          .   N struct vbe_conn
n_wrk                       0          .   N worker threads
n_wrk_create                0         0.00 N worker threads created
n_wrk_failed                0         0.00 N worker threads not created
n_wrk_max                   0         0.00 N worker threads limited
n_wrk_queue                 0         0.00 N queued work requests
n_wrk_overflow              0         0.00 N overflowed work requests
n_wrk_drop                  0         0.00 N dropped work requests
n_expired                   0          .   N expired objects
n_deathrow                  0          .   N objects on deathrow
losthdr                     0         0.00 HTTP header overflows
n_objsendfile               0         0.00 Objects sent with sendfile
n_objwrite                  0         0.00 Objects sent with write
s_sess                      0         0.00 Total Sessions
s_req                       0         0.00 Total Requests
s_pipe                      0         0.00 Total pipe
s_pass                      0         0.00 Total pass
s_fetch                     0         0.00 Total fetch
s_hdrbytes                  0         0.00 Total header bytes
s_bodybytes                 0         0.00 Total body bytes
sess_closed                 0         0.00 Session Closed
sess_pipeline               0         0.00 Session Pipeline
sess_readahead              0         0.00 Session Read Ahead
sess_herd                   0         0.00 Session herd
shm_records              3480         0.67 SHM records
shm_writes               3480         0.67 SHM writes
shm_cont                    0         0.00 SHM MTX contention
sm_nreq                     0         0.00 allocator requests
sm_nobj                     0          .   outstanding allocations
sm_balloc                   0          .   bytes allocated
sm_bfree             10240000          .   bytes free
backend_req                 0         0.00 Backend requests made

error_reporting - Sets which PHP errors are reported.

int error_reporting ([ int $level] )

error_reporting() level constants

<?php error_reportinng(E_ALL);?>

error_log - Sends an error message to the web server’s error log, a TCP port or to a file.

bool error_log ( string $message  [, int $message_type  [, string $destination  [, string $extra_headers ]]] )

Parameters

$message - The error message that should be logged.

$message_type - Says where the error should go. The possible message types are as follows:

$extra_headers - The extra headers. It’s used when the message_type parameter is set to 1. This message type uses the same internal function as mail() does.

restore_error_handler - Restores the previous error handler function

bool restore_error_handler ( void )

<?phprestore_error_handler();?>

set_error_handler - Sets a user-defined error handler function

mixed set_error_handler ( callback $error_handler  [, int $error_types] )

Example:

 <?php 
error_reporting(E_ALL); 
function on_error($num, $str, $file, $line) {
    print "Encountered error $num in $file, line $line: $str\n"; 
    error_log("Error: Encountered error $num in $file, line $line: $st",1,  "dev@gmail.com","From: sys@gmail.com"); 
} 
set_error_handler("on_error"); 
restore_error_handler();?>

OpenNTPD is a Unix system daemon implementing the Network Time Protocol to synchronize the local clock of a computer system with remote NTP servers.

OpenNTPD is primarily developed by Henning Brauer as part of the OpenBSD project. Its design goals include being secure (non-exploitable), easy to configure, accurate enough for most purposes and with source code that can be distributed under a BSD license.

This tool helped me a lot. Using openntpd we can set the same time on multiple system.

Installation

$ sudo apt-get install openntpd

Openntp configuration file /etc/openntpd/ntpd.conf

To set the time use the command ntpdate-debian

$ sudo ntpdate-debian
[sudo] password for shahid:
 7 Aug 00:20:33 ntpdate[26597]: adjust time server 59.165.131.82 offset -0.089443 sec

httperf is a tool to measure web server  performance.

Example

$ httperf --server haproxy.com --port=80 --uri /frontend_dev.php --num-conns=25
httperf --client=0/1 --server=haproxy.com --port=80 --uri=/frontend_dev.php --send-buffer=4096 --recv-buffer=16384 --num-conns=25 --num-calls=1
Maximum connect burst length: 1

Total: connections 25 requests 25 replies 25 test-duration 0.528 s

Connection rate: 47.4 conn/s (21.1 ms/conn, <=1 concurrent connections)
Connection time [ms]: min 4.9 avg 21.1 max 408.2 median 4.5 stddev 80.6
Connection time [ms]: connect 0.3
Connection length [replies/conn]: 1.000

Request rate: 250 req/s (3.1 ms/req)
Request size [B]: 78.0

Reply rate [replies/s]: min 250 avg 319.6 max 250 stddev 0.0 (1 samples)
Reply time [ms]: response 0.7 transfer 5.1
Reply size [B]: header 487.0 content 34774.0 footer 0.0 (total 35261.0)
Reply status: 1xx=0 2xx=25 3xx=0 4xx=0 5xx=0

CPU time [s]: user 0.07 system 0.42 (user 12.9% system 80.4% total 93.2%)
Net I/O: 2124.7 KB/s (17.4*10^6 bps)

Errors: total 0 client-timo 0 socket-timo 0 connrefused 0 connreset 0
Errors: fd-unavail 0 addrunavail 0 ftab-full 0 other 0

In the above output you can see the line ”

Total: connections 25 requests 25 replies 25 test-duration 0.528 s

This line means httperf gave request  for 25 connection (means 25 connections) and it get replies for all the 25 request. And time took to 25 request and 25 replies is the test-duration and in the above example it took 0.528 seconds.

The bellow line means

Reply rate [replies/s]: min 250 avg 250 max 250 stddev 0.0 (1 samples)

Replay rate gives various statistics for the  reply  rate.   In  the  example  above,  the minimum  (‘‘min’’)  reply  rate was 250 replies per second, the verage (‘‘avg’’) was 250 replies per second,  and  the  maximum (‘‘max’’) rate was 250 replies per second.  The standard deviation was 0.3 replies per second.  The number enclosed in parentheses  shows  that  60  reply  rate  samples were acquired.

You can test whether the Replay rates where correct by using the argument –rate with the httperf command.

$ httperf --server haproxy.com --port=80 --uri /frontend_dev.php --num-conns=25 --rate 250

The the line Replay Time means

Reply time [ms]: response 0.7 transfer 5.1

The line labeled ‘‘Reply Time’’ gives information on how long it took for the server to respond and how long it took  to  receive the  reply. In the above example, it took on average 0.7 milliseconds between sending the first byte of the request and receiving  the first byte of the reply.  The time  to ‘‘transfer’’, or read, the reply was 5.1 milliseconds.

For more help

$ man  httperf

httperf

Port forwarding is a feature of the IPTables system. It allows one computer to forward connections made to it so that another computer can actually process the request. If you want a very simple metaphor you can think of it as mail forwarding. Each computer has a number of addresses called ports, and IPTables allows connections to these ports to be sent to another computer. With port forwarders, you can redirect data connections from the Internet to an internal, privately addressed machine behind your IP MASQ server. This forwarding ability includes network protocols such as TELNET, WWW, and SMTP. Protocols such as FTP, legacy ICQ, and others require special handling via kernel modules.

Setup

On Ubuntu you need to enable port forwarding. For doing this you have to be the root user.

root@shahid-laptop:~# echo 1 > /proc/sys/net/ipv4/ip_forward

After this you need to write iptable rule.

root@shahid-laptop:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@shahid-laptop:~# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.10 --dport 555 -j DNAT --to 192.168.0.12:22
root@shahid-laptop:~# iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.12 --dport 22 -j ACCEPT

In this rule, when we tries to connect to the IP 192.168.0.10 through the port 555 this system redirects the connection to the IP and 192.168.0.12 and port 22.

To see the iptables rule use the command ‘iptables -L’

root@shahid-laptop:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.0.12        tcp dpt:ssh 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Saving Data

When you reboot the system the iptables rules will be removed from the kernel module , so either you need to use iptables-save and iptables-restorefor saving and restoring iptable rules or you need to write a script which will execut on every boot for enabling and create the iptable rule.

Writting iptables rules

The IP addresses in this article are modified from the real addresses. We’ll use the private IP space 192.168.0.0/16, subnetted into smaller blocks.

In this example, the FORWARD chain will only provide the global counters.

$ sudo iptables -N system-1

The rule will match any source and any destination. Everything that is being passed through this router matches this rule and will provide the total of combined downloaded and uploaded data.

# System-1 Downloads
  iptables -A FORWARD -d 192.168.1.0/26 -j system-1
# System-1 Uploads
  iptables -A FORWARD -s 192.168.1.0/26 -j system-1

The rules created above give us separate totals for all downloads to and uploads for system-1. This is accomplished by matching the source and destination of all traffic through the router for target-1’s specific subnet. After a rule is matched, the -j option invokes a jump to one of the custom chains. These custom chains can then be used to add additional rules pertaining to the subnet. For instance, rules can be created for each individual IP address in that subnet to track bandwidth on a per-host basis:

# Town A, Host 192.168.1.10 Download
  iptables -A town-a -d 192.168.1.10
# Town A, Host 192.168.1.10 Upload
  iptables -A town-a -s 192.168.1.10

You could repeat this process for every IP address for all systems within the subnet.

Bandwidth statistics

Viewing the current bandwidth usage is a matter of running iptables with the -L and -v options. The -L outputs the statistics for a chain (or all chains if none is provided). The -v option provides verbose output, including the packet and byte counters that we are interested in. I recommend using the -n option as well to prevent DNS lookups, meaning iptables will show the IP addresses without attempting to resolve the hostnames for the IP addresses, which would put additional and unnecessary load on the router.

$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 311K packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 system-1   all  --  *      *       0.0.0.0/0            192.168.1.0/26
    0     0 system-1   all  --  *      *       192.168.1.0/26       0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 325K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain system-1 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  *      *       0.0.0.0/0            192.168.1.10
    0     0            all  --  *      *       192.168.1.10         0.0.0.0/0

Saving data across reboots

If you reboot the machine or remove the iptables kernel modules, you’ll lose all of your packet and byte counters. So you want to make backups of the running counters, and in the event of a reboot, restore the counters rather than starting from zero.

The iptables package comes with two programs that aid in this: iptables-save and iptables-restore. Both programs need to be told to explicitly use the packet and byte counters during backup and restore using the -c command line option.

The backup and restore process is fairly straightforward. To back up your iptables data, use

$ sudo iptables-save -c > iptables-backup.txt.

To restore the data, after reboot, use

$ sudo iptables-restore -c < iptables-backup.txt.

Conclution

The flexibility and power of iptables allows for more complex onitoring scenarios. You can create rules to not only track different subnets, but also to track specific ports and protocols, which lets you rack exactly how much of each customer’s traffic is Web, email, file
sharing, etc.

In addition, these bandwidth monitoring rules can also become blocking rules. If a host has used too much bandwidth, its rule in a town’s specific chain can be modified by adding -j DROP to both the download and upload rules. This effectively stops traffic being routed to and from that host.

Log files are important for Linux system security and trouble shooting.  Log files tend to grow, and if a log grows too much you compress it and takes the backup. Logrotate enables you to do this in a much better way. The process that is in charge of compressing and rotating these logfiles is called logrotate and it is executed once per day upon Debian installations.

Here you will find the logrotate driver script. Every day this script runs and examines two things:

• The configuration file /etc/logrotate.conf
• The configuration directory /etc/logrotate.d/

A typical logrotate configuration file looks like this:

/var/log/apache/*.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        notifempty
        create 640 root adm
        sharedscripts
        postrotate
                if [ -f /var/run/apache.pid ]; then
                        /etc/init.d/apache restart > /dev/null
                fi
        endscript
}

If you want to add new log rotate for any other file you can new logrotate configuration file to /etc/logrotate.d 

Assuming we have a new service “mon” which produces its output in /var/log/mon/mon.log we can cause this to be rotated every day with a script like this:

/var/log/mon/*.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  create 640 mon mon
  sharedscripts
     /etc/init.d/mon restart
  endscript
}

For more help man logrotate

HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing. Supporting tens of thousands of connections is clearly realistic with todays hardware. Its mode of operation makes its integration into existing architectures very easy and riskless, while still offering the possibility not to expose fragile web servers to the Net.

1. Preperation

For configuring haproxy you need the following setups. Here I used ACL.

1.1. Using ACL

The use of Access Control Lists (ACL) provides a flexible solution to perform content switching and generally to take decisions based on content extracted from the request, the response or any environmental status. The principle is simple

1.2. Load Balancer

Hostname: lb.example.com

IP: 192.168.0.110

1.3 Web Server 1

Hostname: http1.example.com

IP: 192.168.0.111

1.4. Web Server 2

Hostname: http2.example.com

IP: 192.168.0.112

1.5. First download and install haproxy

To get latest version click here

$ wget  http://haproxy.1wt.eu/download/1.2/src/haproxy-1.2.18.tar.gz
$ tar -xzvf haproxy-1.2.18.tar.gz
$ cd  haproxy-1.2.18
$ sudo make  TARGET=linux24

 1.6. Configuring Load Balancer System IP : 192.168.0.110

set ENABLED to 1 in /etc/default/haproxy

 $ sudo vim /etc/default/haproxy

# Set ENABLED to 1 if you want the init script to start haproxy.

ENABLED=1

# Add extra flags here.
#EXTRAOPTS="-de -m 16"

We back up the original /etc/haproxy.cfg and create a new one like this

cp /etc/haproxy.cfg /etc/haproxy.cfg_orig
cat /dev/null > /etc/haproxy.cfg
vi /etc/haproxy.cfg

Sample haproxy configuration file /etc/haproxy.cfg which uses ACL. In the below example if you use the domain example.com haproxy always uses web server 1,if you use loadbalancer.com

global
global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        #log loghost    local0 info
        pidfile /var/run/haproxy.pid
        daemon
#       debug           # If you want to start haproxy in debugging mode uncomment this line and comment the above line.
        nbproc      4   # Number of processing cores. Dual Dual-core Opteron i    s 4 cores for example.
defaults
        log     global
        mode    http
        option  httplog
        option  httpchk
        option  dontlognull
        retries 3
        option          redispatch
        maxconn 2000
        contimeout      50000
        clitimeout      500000
        srvtimeout      500000

backend back_std
        balance roundrobin
        option redispatch
        cookie JSESSIONID prefix
        option httpclose
        option forwardfor
        option httpchk HEAD /check.txt HTTP/1.0
        server ws4 192.168.0.111:82 weight 1 check
#      stats uri /status   # Custom status URI
        stats auth username:password
        stats enable
        stats refresh 10

backend back_lb
        balance roundrobin
        option redispatch
        cookie JSESSIONID prefix nocache indirect
        option httpchk HEAD /check.txt HTTP/1.0
        server ws1 192.168.0.111:81 cookie ws1 weight 1 check
        server ws2 192.168.0.112:81 cookie ws2 weight 1 check
        option httpclose
        option forwardfor
        stats enable
        stats refresh 10

frontend http-in
        bind :80
        acl hosts_std hdr_end(host) -i example1..com          # Which is not load balanced
        acl hosts_std hdr_end(host) -i example1.com:80

        acl hosts_lb hdr_end(host) -i loadbalancer.com      # Which is load balanced
        acl hosts_lb hdr_end(host) -i loadbalancer.com:80

        use_backend back_std if hosts_std       # If requests comes to the domain which is in host_std then that URL will use back_std
        use_backend back_lb if hosts_lb          # If requests comes to the domain which is in host_lb then that URL will use back_lb

To allow HAProxy to bind to the shared IP address, we add the following line to /etc/sysctl.conf:

$ sudo vim /etc/sysctl.conf

[...]
net.ipv4.ip_nonlocal_bind=1
[...]

and run

$ sudo sysctl -p

1.7 Start haproxy

$ sudo /etc/init.d/haproxy start

1.8. Configuring Web Server 1 & Web Server2

We will configure HAProxy as a transparent proxy, i.e., it will pass on the original user’s IP address in a field called X-Forwarded-For to the backend web servers. Of course, the backend web servers should log the original user’s IP address in their access logs instead of the IP addresses of our load balancers. Therefore we must modify the LogFormat line in /etc/apache2/apache2.conf and replace %h with %{X-Forwarded-For}i:

 $ sudo vim /etc/apache2/apache2.conf

#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
#LogFormat "%h %l %u %t \"%r\" %>s %b" common
#LogFormat "%{Referer}i -> %U" referer
#LogFormat "%{User-agent}i" agentLogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

Also, we will configure HAProxy to check the backend servers health by continuously requesting the file check.txt (translates to /var/www/check.txt if /var/www is your document root) from the backend servers. Of course, these requests would totally bloat the access logs and mess up your page view statistics (if you use a tool like Webalizer or AWstats that generates statistics based on the access logs).

Therefore we open our virtualhost configuration (in this example it’s in /etc/apache2/sites-available/default) and put these two lines into it (comment out all other CustomLog directives in your vhost configuration):

$ sudo touch /var/www/check.txt
$ sudo vi /etc/apache2/sites-available/default

[...]
SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog /var/log/apache2/access.log combined env=!dontlog
[...]

Adds the ports to /etc/apache2/ports.conf file.

Listen 81
Listen 82
<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Afterwards we restart Apache:

$ sudo /etc/init.d/apache2 restart

Now to check the status of haproxy use the custom URI or use http://example1.com/haproxy?stats

I hope it helped, a comment with your questions are welcome