HAProxy的高级配置选项-ACL篇之基于策略的访问控制

          HAProxy的高级配置选项-ACL篇之基于策略的访问控制

                                       作者:尹正杰

版权声明:原创作品,谢绝转载!否则将追究法律责任。

 

 

一.安装Apache Httpd及准备测试数据

1>.试验架构说明

  node102.yinzhengjie.org.cn:
    Haproxy服务器

  node105.yinzhengjie.org.cn:
    测试服务器,模拟客户端

  node106.yinzhengjie.org.cn:     Apache httpd服务器   node107.yinzhengjie.org.cn:     Apache httpd服务器   node108.yinzhengjie.org.cn:     Apache httpd服务器

2>.安装Apache httpd服务

  此过程相对简单,我这里就直接略过了,可参考我之前的笔记:https://www.cnblogs.com/yinzhengjie/p/12114195.html

 

二.基于源地址访问控制案例实战

1>.编写haproxy的配置文件

[[email protected] ~]# cat /etc/haproxy/haproxy.cfg
global
    maxconn 100000
    chroot /yinzhengjie/softwares/haproxy
    stats socket /yinzhengjie/softwares/haproxy/haproxy.sock mode 600 level admin
    user haproxy
    group haproxy
    daemon
    nbproc 2
    cpu-map 1 0
    cpu-map 2 1
    nbthread 2
    pidfile /yinzhengjie/softwares/haproxy/haproxy.pid
    log 127.0.0.1 local5 info

defaults
    option http-keep-alive
    option  forwardfor
    option redispatch
    option abortonclose
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client  300000ms
    timeout server  300000ms
    errorloc 503 http://node107.yinzhengjie.org.cn/monitor/503.html

listen status_page
    bind 172.30.1.102:8888
    stats enable
    stats uri /haproxy-status
    stats auth    admin:yinzhengjie
    stats realm "Welcome to the haproxy load balancer status page of YinZhengjie"
    stats hide-version
    stats admin if TRUE
    stats refresh 5s

frontend WEB_PORT_80
    bind 172.30.1.102:80
    mode http
    acl hacker_deny src 172.30.1.254
    http-request deny if hacker_deny
    http-request allow
    default_backend backup_web

backend web_server
    server web01 172.30.1.104:80  check inter 3000 fall 3 rise 5  backup
    server web02 172.30.1.106:80  check inter 3000 fall 3 rise 5
    server web03 172.30.1.107:80  check inter 3000 fall 3 rise 5

backend backup_web
    server web01 172.30.1.108:80  check inter 3000 fall 3 rise 5 
[[email protected] ~]# 
[[email protected] ~]# systemctl restart haproxy
[[email protected] ~]# 

2>.查看haproxy的监听端口和进程信息

[[email protected] ~]# ss -ntl
State       Recv-Q Send-Q                           Local Address:Port                                          Peer Address:Port              
LISTEN      0      128                               172.30.1.102:80                                                       *:*                  
LISTEN      0      128                                          *:22                                                       *:*                  
LISTEN      0      128                               172.30.1.102:8888                                                     *:*                  
LISTEN      0      128                                         :::22                                                      :::*                  
[[email protected] ~]# 
[[email protected] ~]# ps -ef | grep haproxy | grep -v grep
root     20704     1  0 20:25 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
haproxy  20708 20704  0 20:25 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
haproxy  20709 20704  0 20:25 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /yinzhengjie/softwares/haproxy/haproxy.pid
[[email protected] ~]# 
[[email protected] ~]# 

3>.查看haproxy的状态页(http://node102.yinzhengjie.org.cn:8888/haproxy-status)

HAProxy的高级配置选项-ACL篇之基于策略的访问控制_第1张图片

 

三.验证haproxy的配置

1>.IP地址为"172.30.1.254"的客户端访问haproxy的地址:"http://node102.yinzhengjie.org.cn",如下图所示    

HAProxy的高级配置选项-ACL篇之基于策略的访问控制_第2张图片

2>.使用"node105.yinzhengjie.org.cn"节点访问haproxy的地址:"http://node102.yinzhengjie.org.cn",如下图所示    

HAProxy的高级配置选项-ACL篇之基于策略的访问控制_第3张图片

 

你可能感兴趣的:(HAProxy的高级配置选项-ACL篇之基于策略的访问控制)