后端主机1
- 设置SELinux、关闭防火墙并同步时间
yum install -y ntpdate
ntpdate time1.aliyun.com
[root@node-73 ~]# yum -y install httpd
[root@node-73 ~]# mkdir /data/web/vhost{1,2} -pv
mkdir: 已创建目录 "/data/web"
mkdir: 已创建目录 "/data/web/vhost1"
mkdir: 已创建目录 "/data/web/vhost2"
[root@node-73 ~]# find /usr/share -iname "*.jpg" -exec cp {} /data/web/vhost1/ \;
[root@node-73 ~]# find /usr/share -iname "*.jpg" -exec cp {} /data/web/vhost2/ \;
[root@node-73 ~]# vim /data/web/vhost1/test.txt
ImageServer 1
[root@node-73 ~]# vim /data/web/vhost2/test.txt
ImageServer 2
[root@node-73 ~]# vim /etc/httpd/conf.d/vhost1.conf
[root@node-73 ~]# vim /etc/httpd/conf.d/vhost2.conf
[root@node-73 ~]# systemctl start httpd
[root@node-73 ~]# ss -tnl
LISTEN 0 128 :::8080 :::*
LISTEN 0 128 :::80 :::*
后端主机2:
- 设置SELinux、关闭防火墙并同步时间
yum install -y ntpdate
ntpdate time1.aliyun.com
[root@node-74 ~]# yum -y install httpd
[root@node-74 ~]# mkdir /data/web/vhost{1,2} -pv
mkdir: 已创建目录 "/data/web"
mkdir: 已创建目录 "/data/web/vhost1"
mkdir: 已创建目录 "/data/web/vhost2"
[root@node-74 ~]# vim /data/web/vhost1/info.php
Application Server1
[root@node-74 ~]# cp /data/web/vhost{1,2}/info.php #复制文件到vhost2
[root@node-74 ~]# vim /data/web/vhost2/info.php
Application Server2
#修改
[root@node-74 ~]# vim /etc/httpd/conf.d/vhost1.conf #配置虚拟主机1
ServerName www1.hehe.com
DocumentRoot "/data/web/vhost1"
Options FollowSymLinks
AllowOverride None
Require all granted
[root@node-74 ~]# cp /etc/httpd/conf.d/vhost{1,2}.conf #拷贝配置
[root@node-74 ~]# vim /etc/httpd/conf.d/vhost2.conf #编辑虚拟主机2
listen 8080
ServerName www1.hehe.com
DocumentRoot "/data/web/vhost2"
Options FollowSymLinks
AllowOverride None
Require all granted
[root@node-74 ~]# scp /etc/httpd/conf.d/vhost*.conf 192.168.1.73:/etc/httpd/conf.d/ #把配置拷贝到node1主机上
[root@node-74 ~]# systemctl start httpd.service #启动httpd
[root@node-74 ~]# ss -tnl
LISTEN 0 128 :::8080 :::*
LISTEN 0 128 :::80 :::*
haproxy主机
- 设置SELinux、关闭防火墙并同步时间
yum install -y ntpdate
ntpdate time1.aliyun.com
- 创建CA自签证书
[root@haproxy-75 ~]# cd /etc/pki/CA/
[root@haproxy-75 CA]# (umask 077; openssl genrsa -out private/cakey.pem 4096)
[root@haproxy-75 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
[root@haproxy-75 CA]# touch index.txt
[root@haproxy-75 CA]# echo 01 > serial
[root@haproxy-75 CA]# cd /etc/haproxy/
[root@haproxy-75 haproxy]# mkdir certs
[root@haproxy-75 haproxy]# cd certs
[root@haproxy-75 certs]# openssl genrsa -out haproxy.key 2048
[root@haproxy-75 certs]# openssl req -new -key haproxy.key -out haproxy.csr
[root@haproxy-75 certs]# ls
haproxy.csr haproxy.key
[root@haproxy-75 certs]# openssl ca -in haproxy.csr -out haproxy.crt
[root@haproxy-75 certs]# cat haproxy.crt haproxy.key > haproxy.pem
[root@haproxy-75 certs]# ls
haproxy.crt haproxy.csr haproxy.key haproxy.pem
[root@haproxy-75 certs]# chmod 600 haproxy.pem
[root@haproxy-75 ~]# vim /etc/haproxy/haproxy.cfg
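# Lab HAProxy layout: plain HTTP on :80, TLS on :443, :8080 only redirects to HTTPS.
# Static content (images, text) goes to node-73 (staticsrvs), everything else to the
# PHP hosts on node-74 (dynsrvs). A stats/admin page is exposed on :9099.
frontend web *:80
    compression algo gzip
    # MIME types eligible for gzip (plain names, no leading slash)
    compression type text/html text/plain application/xml application/javascript
    # static-content ACL, matched on the request path suffix; each extension is a
    # separate token, so ".jpeg" and ".png" must be separated by a space
    acl static path_end .jpg .jpeg .png .gif .txt .html .css .javascript .js
    # static-content ACL, matched on the request path prefix
    acl static path_beg /imgs /css /javascripts
    # deny requests whose User-Agent header matches the regex .*curl.* (this inspects
    # the header, not the URL)
    acl bad_browsers hdr_reg(User-Agent) .*curl.*
    block if bad_browsers
    # allow only requests whose Referer header matches \.hehe1\.com. A request with no
    # Referer (for example a URL typed into the browser) does not match and is blocked
    # as well; the regex is unanchored, so anchor it if a strict host match is intended.
    acl valid_referers hdr_reg(Referer) \.hehe1\.com
    block unless valid_referers
    # NOTE(review): "block" is a legacy directive; newer HAProxy releases expect
    # "http-request deny if <acl>" instead — confirm against the installed version.
    use_backend staticsrvs if static
    default_backend dynsrvs

frontend https
    # TLS termination. haproxy.pem is the certificate concatenated with its private key
    # and must stay readable by root only (chmod 600); the standalone haproxy.key in the
    # same directory carries the same private key and was not generated under a
    # restrictive umask, so check its mode too.
    bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem
    acl static path_end .jpg .jpeg .png .gif .txt .html .css .javascript .js
    acl static path_beg /imgs /css /javascripts
    use_backend staticsrvs if static
    default_backend dynsrvs

frontend http
    # plain listener on 8080 (address and port are separated by ":", not ".")
    bind *:8080
    # this bind has no "ssl", so ssl_fc is always false here and every request is
    # redirected to the HTTPS front end
    redirect scheme https if !{ ssl_fc }

# dynamic (application) hosts
backend dynsrvs
    # session stickiness via an HAProxy-inserted cookie named SRV; the value is the
    # "cookie" token given on each server line
    cookie SRV insert indirect nocache
    balance roundrobin
    server dynsrv1 192.168.1.74:80 check cookie dynsrv1
    server dynsrv2 192.168.1.74:8080 check cookie dynsrv2

# static (image) hosts
backend staticsrvs
    balance roundrobin
    server staticsrv1 192.168.1.73:80 check
    server staticsrv2 192.168.1.73:8080 check

listen stats
    # the stats/admin page is served in clear text on every interface; restrict the
    # bind address (e.g. 127.0.0.1:9099) or add a source ACL before exposing it
    # beyond the lab network
    bind *:9099
    stats enable
    # custom path for the stats page
    stats uri /myproxy?admin
    # realm shown in the HTTP basic-auth prompt
    stats realm "HAProxy Stats Page"
    # basic-auth user:password; admin:admin is a lab example and is sent in clear
    # text over this port — change it before real use
    stats auth admin:admin
    # "if TRUE" grants the server enable/disable controls to every authenticated
    # client; the predefined LOCALHOST acl is a tighter condition
    stats admin if TRUE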
[root@haproxy-75 ~]# systemctl restart haproxy
[root@haproxy-75 ~]# ss -tnl
LISTEN 0 128 *:9099 *:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:443 *:*
访问测试