HAProxy 高级应用
================================================================================
概述:
本章将继续上章的内容介绍haprosy代理配置段的相关参数,具体如下:
ACL控制访问列表;
4层检测机制:dst,dst_port,src,src_port
7层检查机制:path、req.hdr、res.hdr;
http层访问控制相关的参数:
block,http-request
TCP层的访问控制参数
================================================================================
10.修改请求或响应报文首部相关:
★option forwardfor [ except
] [ header ] [ if-none ] ⊙作用:
AProxy把请求报文发往后端主机之前在请求报文添加“X-Forwared-For”首部;其值为客户端地址,
⊙范围:都可以使用
⊙参数:
[ except
]: 除了xxx不添加外,如从本地访问[ header
]:可以自定义首部名称; [ if-none ]:没有首部时才添加
Examples :
# Public HTTP address also used by stunnel on the same machine frontend www mode http option forwardfor except 127.0.0.1 # stunnel already adds the header # Those servers want the IP Address in X-Client backend www mode http option forwardfor header X-Client★添加或删除请求,响应报文的首部
⊙reqadd
[{if | unless} ]
在请求报文添加一个首部信息
⊙rspadd
[{if | unless} ]
在响应报文添加一个首部信息
⊙reqdel
[{if | unless} ] reqidel
[{if | unless} ] (ignore case)忽略大小写
删除请求报文首部
⊙rspdel
[{if | unless} ] rspidel
[{if | unless} ] (ignore case)
删除响应报文首部
注意:
添加或者删除请求响应报文首部的参数的使用范围是frontend、listen和backend
演示1:HAProxy把请求报文发往后端主机之前在请求报文添加“X-Forwared-For”首部;
1.首先编辑haproxy的配置文件,定义除了本机之外,所有的请求报文均添加X-Forwared-For,首部记录客户端信息发往后端主机,如下:
2.编辑后端主机RS1的httpd服务的配置文件/etc/httpd/conf/httpd.conf,修改日志的格式,如下:
3.在启动RS1后端主机,在浏览器中访问,在RS1中查看日志,可以看到记录的日志为用户远端地址,而非haproxy的代理地址;
[root@centos7 ~]# tail -5 /var/log/httpd/access_log 192.168.1.105 - - [21/Nov/2016:23:48:54 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" 192.168.1.105 - - [21/Nov/2016:23:49:39 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" 192.168.1.105 - - [21/Nov/2016:23:50:29 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" 192.168.1.105 - - [21/Nov/2016:23:50:30 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36" 192.168.1.105 - - [21/Nov/2016:23:50:30 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
------------------------------------------------------------------------------------------
演示2:
1.添加响应客户端报文的首部为经由haproxy转发的首部信息,如下:
重载haproxy服务,请求查看首部信息如下:
[root@centos7 ~]# curl -I http://192.168.1.111 HTTP/1.1 200 OK Date: Mon, 21 Nov 2016 16:31:02 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 Last-Modified: Fri, 18 Nov 2016 16:09:35 GMT ETag: "1a-54195883a68b2" Accept-Ranges: bytes Content-Length: 26 Content-Type: text/html; charset=UTF-8 X-Via: HAProxy/1.5
2.删除响应首部信息Server,编辑配置文件如下:
重载haproxy服务,请求查看首部信息,发现已经删除了Server的首部,如下:
[root@centos7 ~]# curl -I http://192.168.1.111 HTTP/1.1 200 OK Date: Mon, 21 Nov 2016 16:33:59 GMT Last-Modified: Fri, 18 Nov 2016 16:09:35 GMT ETag: "1a-54195883a68b2" Accept-Ranges: bytes Content-Length: 26 Content-Type: text/html; charset=UTF-8 X-Via: HAProxy/1.5
11.超时时长:
★timeout client
:
作用:设置客户端连接最大非活动时长,默认单位是毫秒;
★timeout server
作用:设置服务端连接最大非活动时长,默认单位是毫秒;
★timeout connect
作用:向服务端建立连接时的超时时长;
★timeout http-keep-alive
作用:面向客户端一侧启用保持连接功能的超时时长,默认单位为ms;
★timeout client-fin
作用:客户端一侧的半连接超时时长;
★timeout server-fin
作用:服务端一侧的半连接超时时长;
12.ACL控制访问列表
★语法格式:
acl
[flags] [operator] [ ] ... ⊙
:
ACL names must be formed from upper and lower case letters, digits, '-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are case-sensitive. ACL名称可由,大小写字母,数字,'-','_','.'和':' 并且区分大小写。
⊙
的类型:
- boolean //布尔型值
- integer or integer range //整数或整数范围
- IP address / network //ip地址
- string (exact, substring, suffix, prefix, subdir, domain) //字符串
- regular expression //正则表达式
- hex block
⊙[flags]
-i : 被模式匹配时忽略字符大小写,比较常用
-f : load patterns from a file.
-m : use a specific pattern matching method
-n : forbid the DNS resolutions
-M : load the file pointed by -f like a map file.
-u : force the unique id of the ACL
-- : force end of flags. Useful when a string looks like one of the flags. //转义
⊙[operator]
◆数值匹配:
eq : true if the tested value equals at least one value
ge : true if the tested value is greater than or equal to at least one value
gt : true if the tested value is greater than at least one value
le : true if the tested value is less than or equal to at least one value
lt : true if the tested value is less than at least one value
◆字符串匹配:
- exact match (-m str) : 字符串精确匹配
- substring match (-m sub) : 子串匹配
- prefix match (-m beg) : 前缀匹配
- suffix match (-m end) : 后缀匹配
- subdir match (-m dir) : 子目录匹配
- domain match (-m dom) : 域匹配
⊙条件的逻辑连接
- AND (implicit)
- OR (explicit with the "or" keyword or the "||" operator)
- Negation with the exclamation mark ("!")
★
: ⊙4层检测机制:
dst : ip
dst_port : integer
src : ip
src_port : integer
⊙block { if | unless }
作用:条件匹配就阻断一个7层请求
Example:
acl invalid_src src 0.0.0.0/7 224.0.0.0/3 acl invalid_src src_port 0:1023 acl local_dst hdr(host) -i localhost block if invalid_src || local_dst
演示:
1.阻断来自非 10.1.250.25 的ip(浏览器地址)请求,编辑配置文件,如下:
重载haproxy服务,在浏览器中访问可以发现,拒绝访问
在本机使用curl命令可以正常访问,说明仅拒绝了来自10.1.250.25的ip的请求。
[root@centos7 haproxy]# curl http://10.1.252.153Backend Server 1
[root@centos7 haproxy]# curl http://10.1.252.153Backend Server 1
[root@centos7 haproxy]# curl http://10.1.252.153Backend Server 2
-------------------------------------------------------------------------------------------
2.仅允许本浏览器(10.1.250.25)可以访问8080端口,编辑配置文件如下:
重载haproxy服务,在浏览器中访问可以发现,可以正常访问
在本机使用curl命令访问8080端口,拒绝访问,如下:
[root@centos7 haproxy]# curl http://10.1.252.153:8080403 Forbidden
Request forbidden by administrative rules.