- haproxy配置文档https://cbonte.github.io/haproxy-dconv/
HAporxy简介
HAProxy 是一款高性能TCP/HTTP 反向代理负载均衡服务器,具有如下功能:
- 根据静态分配的cookies完成HTTP请求转发
- 在多个服务器间实现负载均衡,并且根据HTTP cookies 实现会话粘性
- 主备服务器切换
- 接受访问特定端口实现服务监控
- 实现平滑关闭服务,不中断已建立连接的请求响应,拒绝新的请求
- 在请求或响应HTTP报文中添加,修改,或删除首部信息
- 根据正则规则阻断请求
- 提供带有用户认证机制的服务状态报告页面
HAProxy特别适用于那些负载特大的web站点,这些站点通常又需要会话保持或七层处理。HAProxy运行在时下的硬件上,完全可以支持数以万计的 并发连接。并且它的运行模式使得它可以很简单安全的整合进您当前的架构中, 同时可以保护你的web服务器不被暴露到网络上。
HAProxy 实现了一种事件驱动、单一进程模型,此模型支持非常大的并发连接数。多进程或多线程模型受内存限制 、系统调度器限制以及无处不在的锁限制,很少能处理数千并发连接。事件驱动模型因为在有更好的资源和时间管理的用户端(User-Space) 实现所有这些任务,所以没有这些问题。此模型的弊端是,在多核系统上,这些程序通常扩展性较差。这就是为什么他们必须进行优化以 使每个CPU时间片(Cycle)做更多的工作。
HAProxy实际工作中,它占用用户空间时间要比内核运行时间少20倍,所以对系统参数调优是十分必要的一项工作。
HAproxy功能配置
环境
前端HAProxy 172.16.253.108
后端web1 172.16.253.105
后端web2 172.16.252.1
client 172.16.253.177
安装HAproxy
HAproxy
[root@HAProxy ~]# yum install haproxy -y
[root@HAProxy ~]# rpm -ql haproxy
[root@HAProxy ~]# iptables -F
[root@HAProxy ~]# setenforce 0
[root@HAProxy ~]# systemctl enable haproxy
[root@HAProxy ~]# cp /etc/haproxy/haproxy.cfg{,.bak}
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
web1
[root@web1 ~]# yum -y install httpd
[root@web1 ~]# vim /var/www/html/index.html
Backend Server 1
[root@web1 ~]# cd /var/www/html/
[root@web1 html]# for i in {1..10}; do echo "Test Page $i @BES 1" > test$i.html;done
[root@web1 html]# ls
index.php test1.html test3.html test5.html test7.html test9.html
index.html test10.html test2.html test4.html test6.html test8.html
[root@web1 ~]# systemctl start httpd
[root@web1 ~]# setenforce 0
[root@web1 ~]# iptables -F
web2
[root@web2 ~]# yum -y install httpd
[root@web2 ~]# vim /var/www/html/index.html
Backend Server 2
[root@web2 ~]# cd /var/www/html/
[root@web2 html]# for i in {1..10}; do echo "Test Page $i @BES 1" > test$i.html;done
[root@web2 html]# ls
index.html test1.html test3.html test5.html test7.html test9.html
test10.html test2.html test4.html test6.html test8.html
[root@web2 ~]# service httpd start
[root@web2 ~]# setenforce 0
[root@web2 ~]# iptables -F
启用HAproxy的日志功能
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
log 127.0.0.1 local2 \\日志的设备管道为local2,需在rsyslog配置文件中定义local2的日志设备
[root@HAProxy ~]# vim /etc/rsyslog.conf
$ModLoad imudp \\启用UDP协议接收日志
$UDPServerRun 514 \\UDP端口为514
local2.* /var/log/haproxy.log \\定义local2日志设备的文件为/var/log/haproxy.log
[root@HAProxy ~]# systemctl restart rsyslog.service
- 重新配置frontend和backend字段
配置HAproxy
roundrobin算法
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb \\定义HAProxy前段主机为myweb
bind *:80 \\监听主机上所有IP的80端口
default_backend websrvs \\默认后端主机为websrvs
backend websrvs \\定义后端主机组
balance roundrobin \\调度算法为动态轮询
server srv1 172.16.253.105:80 check maxconn 3 \\172.16.253.105:80端口为后端主机srv1,check为检查服务器健康状态,maxconn 3最大并发连接数为3
server srv2 172.16.252.1:80 check \\定义172.16.252.1为websrv后端主机组中的srv2主机
uri算法
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb \\定义HAProxy前段主机为myweb
bind *:80 \\监听主机上所有IP的80端口
default_backend websrvs \\默认后端主机为websrvs
backend websrvs \\定义后端主机组
balance uri \\调度算法为uri
server srv1 172.16.253.105:80 check maxconn 3 \\172.16.253.105:80端口为后端主机srv1,check为检查服务器健康状态,maxconn 3最大并发连接数为3
server srv2 172.16.252.1:80 check \\定义172.16.252.1为websrv后端主机组中的srv2主机
hash-type consistent \\hash算法一致性
hdr算法(同一个浏览器访问相同的后端服务器)
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
frontend myweb
bind *:80
default_backend websrvs
backend websrvs
balance hdr(User-Agent)
server srv1 172.16.253.105:80 check
server srv2 172.16.252.1:80 check
hash-type consistent
[root@HAProxy ~]# systemctl start haproxy
[root@HAProxy ~]# systemctl enable haproxy
[root@HAProxy ~]# ss -tnl \\80端口以打开
client
访问HAProxy代理服务端
roundrobin算法
[root@client ~]# for i in {1..10};do curl http://172.16.253.108;done
Backend Server 1
Backend Server 2
Backend Server 1
Backend Server 2
Backend Server 1
Backend Server 2
Backend Server 1
Backend Server 2
Backend Server 1
Backend Server 2
uri算法,consistent hash类型
[root@client ~]# for i in {1..10};do curl 172.16.253.108/test1.html;done
Test Page 1 @BES 1
Test Page 1 @BES 1
Test Page 1 @BES 1
Test Page 1 @BES 1
Test Page 1 @BES 1
Test Page 1 @BES 1
Test Page 1 @BES 1
Test Page 1 @BES 1
Test Page 1 @BES 1
Test Page 1 @BES 1
[root@client ~]# for i in {1..10};do curl 172.16.253.108/test3.html;done
Test Page 2 @BES 1
Test Page 2 @BES 1
Test Page 2 @BES 1
Test Page 2 @BES 1
Test Page 1 @BES 1
启用压缩功能
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
bind *:80
default_backend websrvs
compression algo gzip \\启动压缩功能,压缩类型为gzip
compression type text/html text/plainhtml, application/xml\\压缩文件的类型为文本文件,plainhtml纯文本文件
backend websrvs
balance roundrobin
server srv1 172.16.253.105:80 check
server srv2 172.16.252.1:80 check
定义check检查的时间间隔
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
bind *:80
default_backend websrvs
backend websrvs
balance roundrobin
# option httpchk \\启用七层代理向主页发送请求
option httpchk GET /test1.html HTTP/1.0 \\启用七层代理,当使用GET命令,使用HTTP1.0协议向test1.txt页面发送请求时检查页面健康状态
server srv1 172.16.253.105:80 check inter 3000ms rise 1 fall 2 \\inter定义为每3s检查一次,rise为检查成功一次即为成功,fall为检查失败两次即为故障
server srv2 172.16.252.1:80 check backup \\backup为备用服务端,当其他主机故障时启用
[root@HAProxy ~]# systemctl restart haproxy
web1
后端主机的httpd访问日志中可以看到每隔2秒都有一次主页检查记录日志
[root@web2 ~]# tail -f /var/log/httpd/access_log
实现网页重定向
HAproxy
访问172.16.253.105后端主机srv1的网页将自动跳转到指定的网页,eg redir http://www.baidu.com 跳转到www.baidu.com
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
bind *:80
default_backend websrvs
backend websrvs
balance roundrobin
server srv1 172.16.253.105:80 check inter 3000ms rise 1 fall 2 redir http://www.baidu.com \\将访问172.16.253.105主页面重定向访问www.baidu.com
server srv2 172.16.252.1:80 check backup
weight权重选项
HAproxy
root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
bind *:80
default_backend websrvs
backend websrvs
balance roundrobin
server srv1 172.16.253.105:80 check weight 2 \\权重为2
server srv2 172.16.252.1:80 check weight 1 \\权重为1
client
[root@client ~]# for i in {1..10};do curl 172.16.253.108;done
Backend Server 1
Backend Server 2
Backend Server 1
Backend Server 1
Backend Server 2
Backend Server 1
Backend Server 1
Backend Server 2
Backend Server 1
Backend Server 1
stats状态页面
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
stats enable
bind *:80
default_backend websrvs
backend websrvs
balance roundrobin
server srv1 172.16.253.105:80 check weight 2
server srv2 172.16.252.1:80 check weight 1
[root@HAProxy ~]# systemctl restart haproxy.service
浏览器访问http://172.16.253.108/haproxy?stats
- 自定义stats状态页面的uri路径
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
stats enable
stats uri /myproxy?admin
bind *:80
default_backend websrvs
backend websrvs
balance roundrobin
server srv1 172.16.253.105:80 check weight 2
server srv2 172.16.252.1:80 check weight 1
[root@HAProxy ~]# systemctl restart haproxy
浏览器访问http://172.16.253.108/myproxy?admin
- stats页面的用户访问控制
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
stats enable \\启用stats
stats uri /myproxy?admin \\自定义stats页面uri的路径为/myproxy?admin
stats realm "HAProxy Stats Page" \\认证提示
stats auth admin:admin \\stats页面用户访问控制,用户admin,密码admin
bind *:80
default_backend websrvs
backend websrvs
balance roundrobin
server srv1 172.16.253.105:80 check weight 2
server srv2 172.16.252.1:80 check weight 1
[root@HAProxy ~]# systemctl restart haproxy
浏览器输入http://172.16.253.108/myproxy?admin访问
- 启用stats的管理能力
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
stats enable \\启用stats
stats uri /myproxy?admin \\自定义stats页面uri的路径为/myproxy?admin
stats realm "HAProxy Stats Page" \\认证提示
stats auth admin:admin \\stats页面用户访问控制,用户admin,密码admin
stats admin if TRUE \\总是允许访问stats的用户管理stats页面
default_backend websrvs
backend websrvs
balance roundrobin
server srv1 172.16.253.105:80 check weight 2
server srv2 172.16.252.1:80 check weight 1
[root@HAProxy ~]# systemctl restart haproxy
浏览器访问http://172.16.253.108/myproxy?admin
- 单独定义stats的管理页面
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb
bind *:80
default_backend websrvs
backend websrvs
balance roundrobin
server srv1 172.16.253.105:80 check weight 2
server srv2 172.16.252.1:80 check weight 1
listen stats
bind *:9000 \\定义stats页面的监听端口为9000
stats enable \\开启stats状态界面
stats uri /myproxy?admin \\自定义stats的uri路径
stats realm "HAProxy Stats Page" \\stats页面的提示信息
stats auth admin:admin \\ststs状态界面的admin用户认证
stats admin if TRUE \\允许所有登录stats的用户管理stats界面
[root@HAProxy ~]# systemctl restart haproxy
浏览器访问http://172.16.253.108/myproxy?admin
server 字段 含义
Status Server的状态
LastCHK 显示httd的是四层检查还是七层检查
Wght 权重
Act 活动主机数量
Bck 备用主机数量
Chk 失败检测次数
Dwn 离线主机数量
Dwntme 主机离线时间
定义HAproxy的工作模式为tcp,实现layer4层代理
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
listen sshsrvs
mode tcp
bind *:2222
balance leastconn
server sshsrv1 172.16.253.105:22 check
server sshsrv2 172.16.252.1:22 check
[root@HAProxy ~]# systemctl restart haproxy.service
client
[root@client ~]# ssh [email protected] -p 2222
设置cookie
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
default_backend websrvs
backend websrvs
cookie WEBSRV insert indirect nocache \\WEBSRV为自定义的cookie键名
balance roundrobin
server srv1 172.16.253.105:80 check weight 2 cookie srv1 \\srv1为自定义的srv1服务器的cookie信息
server srv2 172.16.252.1:80 check weight 1 cookie srv2 \\srv2为自定义的srv2服务器的cookie信息
client
[root@client ~]# curl -I 172.16.253.108
HTTP/1.1 200 OK
Date: Fri, 26 May 2017 03:30:41 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Thu, 25 May 2017 11:26:46 GMT
ETag: "40801-1c-550577f03843e"
Accept-Ranges: bytes
Content-Length: 28
Content-Type: text/html; charset=UTF-8
Set-Cookie: WEBSRV=srv2; path=/ \\Cookie信息为WEBSRV=srv2
Cache-control: private
[root@client ~]# curl -I 172.16.253.108/test3.html
HTTP/1.1 200 OK
Date: Tue, 29 Aug 2017 04:41:00 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Mon, 28 Aug 2017 14:02:09 GMT
ETag: "13-557d0bda20453"
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/html; charset=UTF-8
Set-Cookie: WEBSRV=srv1; path=/ \\Cookie信息为WEBSRV=srv1
Cache-control: private
forwardfor请求报文首部信息
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
defaults
option forwardfor except 127.0.0.0/8 if-none
除了本机127.0.0.0/8发出去的请求报文不予添加X-Forwarded-For信息,其他报文都要判断是否含有X-Forwarded-For信息,若没有,则添加X-Forwarded-For信息
web1
[root@web1 ~]# vim /etc/httpd/conf/httpd.conf \\修改日志记录格式如下
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
[root@web1 ~]# systemctl restart rsyslog
errorfile错误本地文件路径
HAproxy
[root@HAProxy ~]# mkdir /etc/haproxy/errorfile
[root@HAProxy ~]# vim /etc/haproxy/errorfile/403.html
Forbidden,No way;
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
default_backend websrvs
backend websrvs
errorfile 403 /etc/haproxy/errorfile/403.html
balance roundrobin
server srv1 172.16.253.105:80 check weight 2 cookie srv1
server srv2 172.16.252.1:80 check weight 1 cookie srv2
errorloc错误网页url重定向到本地的web
HAproxy服务端安装nginx服务
[root@HAProxy ~]# yum -y install nginx
[root@HAProxy ~]# vim /etc/nginx/conf.d/errserver.conf
server {
listen 10080;
server_name error.danran.com;
root /data/nginx/errorhtml;
}
[[root@HAProxy ~]# mkdir -pv /data/nginx/errorhtml
[root@HAProxy ~]# vim /data/nginx/errorhtml/403.html
403 from nginx
[root@HAProxy ~]# vim /etc/nginx/nginx.conf
server {
listen 8089 default_server;
} \\默认80端口与HAYproxy冲突,故修改nginx的默认端口
[root@HAProxy ~]# systemctl start nginx
配置error错误网页重定向到本地web服务
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
default_backend websrvs
backend websrvs
errorloc 403 http://172.16.253.108:10080/403.html
balance roundrobin
server srv1 172.16.253.105:80 check weight 2 cookie srv1
server srv2 172.16.252.1:80 check weight 1 cookie srv2
[root@HAProxy ~]# systemctl restart haproxy
reqadd添加请求报文首部信息
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
default_backend websrvs
backend websrvs
reqadd X-Proxy-By:\ HAProxy
balance roundrobin
server srv1 172.16.253.105:80 check weight 2
server srv2 172.16.252.1:80 check weight 1
[root@HAProxy ~]# systemctl restart haproxy
web1
[root@web1 ~]# vim /etc/httpd/conf/httpd.conf
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{X-Proxy-By}i" combined
[root@web1 ~]# systemctl restart rsyslog
通过访问HAYproxy代理服务器查看web1的访问日志信息
reqadd添加响应报文首部信息
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
default_backend websrvs
backend websrvs
rsqadd X-Proxy-By:\ HAProxy-1.5
balance roundrobin
server srv1 172.16.253.105:80 check weight 2
server srv2 172.16.252.1:80 check weight 1
[root@HAProxy ~]# systemctl restart haproxy
reqdel删除响应报文的指定信息
HAproxy
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
default_backend websrvs
backend websrvs
rspidel ^Server:.* \\删除响应报文中Server开头的信息
balance roundrobin
server srv1 172.16.253.105:80 check weight 2
server srv2 172.16.252.1:80 check weight 1
[root@HAProxy ~]# systemctl restart haproxy