web_reverse_proxy -- haproxy
Haproxy web reverse proxy
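1 HAProxy configuration:
1.1 The haproxy configuration file has two parts
global settings: process-wide configuration
  global
proxy settings: proxy configuration
  defaults <name>   default settings
  frontend <name>   defines a front-end socket that accepts client requests and establishes connections with the clients
  backend <name>    defines the back-end servers to which front-end connections are dispatched
  listen <name>     defines the monitoring interface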
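1.2 Global configuration
Parameters in the "global" section are process-wide and OS-specific.
- Process-management parameters:
* chroot dir: the directory haproxy works in (chroot), for security
* daemon: run haproxy in the background as a daemon
* gid GID: run haproxy under the group with the given GID
* uid UID: run haproxy as the user with the given UID
* group groupname: run haproxy under the given group name
* user username: run haproxy as the given user name
* log <address> <facility> [max level [min level]]: defines a global syslog server; at most two can be defined
* log-send-hostname [<string>]: adds the current host name to the header of syslog messages. <string> is used instead if given; otherwise the host name is used. This distinguishes the senders when several hosts write logs.
* nbproc <number>: number of haproxy processes to start. The default is 1, and changing it is not recommended.
* pidfile filename: location of the lock (PID) file
* ulimit-n <number>: number of files a single process may open. The value is computed automatically, and changing it is not recommended.
* description <string>: descriptive text
- Performance-tuning parameters:
* maxconn <number>: maximum number of concurrent connections each haproxy process accepts. The value of "ulimit-n" is computed from this value.
* tune.bufsize <size>: buffer size
* tune.chksize <number>: size of the check buffer
* tune.maxaccept <number>: number of connections a haproxy process may accept in one go each time the kernel schedules it
* tune.rcvbuf.client: buffer size for haproxy receiving from clients
* tune.rcvbuf.server: buffer size for haproxy requests to the back-end servers
* tune.sndbuf.client: buffer size for haproxy sending responses to clients
* tune.sndbuf.server: buffer size for haproxy receiving from the back-end servers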
2 Proxy configuration
2.1 bind
bind [<address>]:<port_range>
Defines the listening socket.
2.2 balance
balance <algorithm> [<arguments>]
balance url_param <param> [check_post [<max_wait>]]
Defines the load-balancing algorithm:
roundrobin
 Each server is used in turns, according to their weights.
 This algorithm is dynamic, which means that server weights may be adjusted on the fly, for slow starts for instance.
 It is limited by design to 4095 active servers per backend.
static-rr
 Each server is used in turns, according to their weights.
 This algorithm is static, which means that changing a server's weight on the fly will have no effect.
 It has no design limitation on the number of servers, and when a server goes up, it is always immediately reintroduced into the farm, once the full map is recomputed.
leastconn
 The server with the lowest number of connections receives the connection.
 Use of this algorithm is recommended where very long sessions are expected, such as SQL, but it is not very well suited for protocols using short sessions such as HTTP.
 This algorithm is dynamic.
source
 The source IP address is hashed and divided by the total weight of the running servers to designate which server will receive the request.
 This algorithm is generally used in TCP mode where no cookie may be inserted.
 This algorithm is static by default, but this can be changed using "hash-type".
 Use this algorithm when cookie insertion is not supported and sessions still have to be kept.
uri
 Widely used when the back-end upstreams are cache servers: requests for the same URI are sent to the same server, which raises the cache hit rate.
 This algorithm hashes the left part of the URI and divides the hash value by the total weight of the running servers.
 This ensures that the same URI will always be directed to the same server as long as no server goes up or down.
 This is used with proxy caches.
 This algorithm is static by default, but this can be changed using "hash-type".
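Session-persistence mechanisms:
IP layer: source
 All hosts behind the same NAT server are directed to the same server.
Application layer: cookie
 Gives better load balancing.
1 Scheduling MySQL servers with long-lived sessions:
 leastconn
2 Scheduling a group of web static-resource servers:
 roundrobin
3 Scheduling a group of web application servers:
 source
 Ways to keep sessions:
  session binding:
   source-IP binding
    nginx ip_hash
    haproxy source
    ipvs sh
   cookie binding
  session replication
  session server
4 Scheduling a group of web cache servers:
 uri (hash-type: map-based | consistent)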
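2.3 cookie
cookie <name> [ rewrite | insert | prefix ] [nocache]
Enable cookie-based persistence in a backend.
<name>: the key (name) of the cookie that holds the value
rewrite: rewrite the cookie value
insert: insert a new cookie value
prefix: add a prefix (an identifier) to the existing cookie value. This does not affect the cookie value the back-end server receives: haproxy removes the added information before it passes the cookie to the back-end server.
nocache: add "Cache-Control: private" to the response headers, which tells any cache server between the client and the haproxy server not to cache this data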
2.4 hash-type
hash-type {map-based | consistent}
Specify a method to use for mapping hashes to servers.
map-based (the default)
 The hashes will be static in that weight changes while a server is up will be ignored. This means that there will be no slow start.
consistent
 This hash is dynamic. It supports changing weights while the servers are up, so it is compatible with the slow start feature.
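What the two hash-type values mean for "balance uri" when a cache server goes down, as an added example that is not part of the original post. It goes slightly beyond the text above: it is a simplified Python model with all weights equal to 1, an MD5-derived hash standing in for HAProxy's own hash function, and constructed server names and URIs.

```python
import bisect
import hashlib

def h(key):
    """Stable 32-bit hash (stand-in only, not HAProxy's hash function)."""
    return int.from_bytes(hashlib.md5(key.encode()).digest()[:4], "big")

def map_based(servers):
    """Model of hash-type map-based: hash modulo the number of running servers."""
    live = sorted(servers)
    return lambda uri: live[h(uri) % len(live)]

def consistent(servers, points=160):
    """Model of hash-type consistent: a ring with `points` entries per server."""
    ring = sorted((h(f"{s}#{i}"), s) for s in servers for i in range(points))
    keys = [p for p, _ in ring]
    def pick(uri):
        # first ring entry after the URI's hash, wrapping around at the end
        return ring[bisect.bisect(keys, h(uri)) % len(ring)][1]
    return pick

def moved(make, servers, down, uris):
    """URIs that land on a different server once `down` leaves the farm."""
    before = make(servers)
    after = make([s for s in servers if s != down])
    return {u for u in uris if before(u) != after(u)}

SERVERS = ["cache1", "cache2", "cache3", "cache4"]   # constructed names
URIS = [f"/img/{n}.png" for n in range(2000)]        # constructed request paths

if __name__ == "__main__":
    for name, make in (("map-based", map_based), ("consistent", consistent)):
        n = len(moved(make, SERVERS, "cache2", URIS))
        print(f"{name}: {n} of {len(URIS)} URIs change server when cache2 goes down")
```

In this model only the URIs that were served by the failed server move under the consistent scheme, while the modulo mapping reshuffles most URIs and so empties most of the caches at once.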
2.5 mode
mode {tcp | http | health} (the default is tcp)
Set the running mode or protocol of the instance.
tcp
 The instance will work in TCP mode. A full-duplex connection will be established between clients and servers, and no layer 7 examination will be performed. This is the default mode. It should be used for SSL, SSH...
http
 The instance will work in HTTP mode. The client request will be analyzed in depth before connecting to any server. Any request which is not RFC-compliant will be rejected. Layer 7 filtering.
2.6 log
log global: use the globally defined log settings
log <address> <facility> [<level> <minlevel>]
2.7 capture cookie <name> len <length>
Capture and log a cookie in the request and in the response.
2.8 capture request header <name> len <length>
Capture and log the last occurrence of the specified request header.
2.9 capture response header <name> len <length>
Capture and log the last occurrence of the specified response header.
2.10 default_backend
default_backend <backend>
Specify the backend to use when no "use_backend" rule has been matched.
Can only be defined in listen and frontend sections.
2.11 use_backend
use_backend <backend>
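2.12 server
server <name> <address>:port [param]
Declare a server in a backend.
<name> is the internal name assigned to this server. This name will appear in logs and alerts. If "http-send-name-header" is set, it will be added to the request header sent to the server.
<address>: IP address
param:
   backup: marks the server as a backup, used only when none of the other servers in the load-balancing pool can be used.
   check: enables health checks on the server; extra parameters configure them:
      inter <delay>: interval between health checks, default 2000
      rise <count>: number of successful checks needed before an offline server is considered up again
      fall <count>: number of checks needed to confirm that a server has gone from up to unavailable
   cookie <value>: the server's cookie value, the value added to the cookie
   maxconn <maxconn>: maximum number of concurrent requests this server accepts; requests beyond that number go into the request queue.
   maxqueue <maxqueue>: size of the server's wait queue.
   weight <weight>: the server's weight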
2.13 option httpchk: selects the check method
option httpchk
option httpchk <url>
option httpchk <method> <url>
option httpchk <method> <url> <version>
Enable HTTP protocol to check on the servers' health.
option httpchk /test1.html
2.14 stats enable
Enable statistics reporting with default settings:
 - stats uri: /haproxy?stats
 - stats realm: "HAProxy Statistics"
 - stats auth: no authentication
 - stats scope: no restriction
Although the defaults of "stats enable"
2.15 stats hide-version
Hides the haproxy version.
2.16 stats auth <user>:<password>
Enables authentication for the statistics page; it can be given several times.
2.17 stats admin
stats admin { if | unless } <cond>
stats admin if LOCALHOST: access from the local machine
stats admin if TRUE: the admin functions are available to whoever gets through
2.18 errorfile
errorfile <code> <file>
Return a file's contents instead of errors generated by HAProxy.
2.19 option forwardfor
option forwardfor [ except <network> ] [ header <name> ] [if-none]
Enable insertion of the X-Forwarded-For header to requests sent to servers.
<network> is an optional argument used to disable this option for sources matching <network>.
<name> is an optional argument to specify a different "X-Forwarded-For" header name.
Note:
  Only the first request will have the header appended.
  In order to fix this, ensure that any of the "httpclose", "forceclose" or "http-server-close" options is set when using this option.
2.20 option http-server-close
option http-server-close
no option http-server-close
Enable or disable HTTP connection closing on the server side.
2.21 option httpclose
option httpclose
no option httpclose
2.22 option redispatch
option redispatch
no option redispatch
Defines whether requests are dispatched to another server when the server selected by the cookie has failed.
2.23 timeout http-request <timeout>
Set the maximum allowed time to wait for a complete HTTP request.
This helps protect against established connections on which nothing is sent.
That is, the timeout for receiving the request data after the TCP connection has been established; the default unit is milliseconds. If this time is exceeded after the connection is established, the connection is closed.
2.24 timeout queue <timeout>
Set the maximum time to wait in the queue for a connection slot to be free.
When a server's maxconn is reached, connections are left pending in a queue which may be server-specific or global to the backend.
In order not to wait indefinitely, a timeout is applied to requests pending in the queue.
If the timeout is reached, it is considered that the request will almost never be served, so it is dropped and a 503 error is returned to the client.
That is, when haproxy dispatches requests to a back-end server and their number exceeds what that server handles concurrently, the excess requests wait in a queue. This parameter sets how long a request may wait in that queue; if it waits too long, the server is considered not to have handled it and a 503 is returned.
2.25 timeout connect <timeout>
Set the maximum time to wait for a connection attempt to a server to succeed.
If the server is located on the same LAN as haproxy, the connection should be immediate (less than a few milliseconds).
Defines the time haproxy allows for connecting to a back-end server.
2.26 timeout client <timeout>
Set the maximum inactivity time on the client side.
The inactivity timeout applies when the client is expected to acknowledge or send data.
That is, how long a client may stay inactive after it has established a connection with the server; once this time is exceeded, the connection is dropped.
2.27 timeout server <timeout>
Set the maximum inactivity time on the server side.
The inactivity timeout applies when the server is expected to acknowledge or send data.
That is, the timeout for inactivity of the back-end server after haproxy has established a connection with it.
2.28 timeout http-keep-alive <timeout>
Set the maximum allowed time to wait for a new HTTP request to appear.
Defines how long a connection is kept alive.
3 ACL
acl <aclname> <criterion> [flag] [operator] <value>
flag
  -i: ignore case.
value
  - integers or integer ranges
      ranges: 1024:2000
      operators: eq ge gt le lt
  - string
  - regular expressions
  - IP address and network
criterion (what is tested):
  - dst <ip_address>
  - dst_port <integer>
  - src <ip_address>
  - src_port <integer>
  - hdr(header) <string>: exact match on the value of a header field
      acl aaaa hdr(Connection) -i close
  - hdr_reg(header) <regex>: regular-expression match on the value of a header
      acl aaaa hdr_reg(Host) -i .*\.magedu\.com
  - method <string>: match the request method
  - path <string>: match the path part of the URL
      acl indexacl path /index.html
  - path_beg <string>: match what the path part of the URL begins with
      acl admin_page path_beg /admin
  - path_end <string>: match what the path part of the URL ends with
      acl phpacl path_end .php
      acl htmlacl path_end .html
  - path_reg <regex>: regular-expression match on the path
      acl phpacl path_reg \.php$
      acl htmlacl path_reg \.html$
  - url <string>: exact match on the URL (path + query)
  - url_beg <string>
  - url_end <string>
  - url_reg <regex>
Implementing access control:
 - http-request { allow | deny } { if | unless } <condition>: layer-7 filtering
 - tcp-request content accept { if | unless } <condition>: layer-4 filtering
An example:
 acl url_static path_beg /static /images /img /css
 acl url_static path_end .gif .png .jpg .css .js
 acl host_www hdr_beg(host) -i www
 acl host_static hdr_beg(host) -i img. video. download.
 use_backend static if host_static or host_www
Configuration example:
global
    # log to the local syslog daemon, facility local2
    log 127.0.0.1 local2
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
frontend webserver
    bind *:80
    # route requests by file extension
    acl php path_end .php
    acl html path_end .html
    acl image path_end .png .gif .jpg
    acl jc path_end .js .css
    use_backend dynamic if php
    use_backend static if html
    use_backend images if image
    use_backend jscss if jc
    default_backend static
backend dynamic
    balance roundrobin
    server php1 172.31.0.2:80 check inter 2000 rise 5 fall 2 weight 1
    server php2 172.31.0.3:80 check inter 2000 rise 5 fall 2 weight 1
    # backup server, used only when the other servers are unavailable
    server error 127.0.0.1:80 backup weight 1
backend static
    balance roundrobin
    server html1 172.31.0.4:80 check inter 2000 rise 5 fall 2 weight 1
    server html2 172.31.0.5:80 check inter 2000 rise 5 fall 2 weight 1
    server error 127.0.0.1:80 backup weight 1
backend images
    balance roundrobin
    server image 172.31.0.6:80 check inter 2000 rise 5 fall 2 weight 1
    server error 127.0.0.1:80 backup weight 1
backend jscss
    balance roundrobin
    server js_css 172.31.0.17:80 check inter 2000 rise 5 fall 2 weight 1
    server error 127.0.0.1:80 backup weight 1
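The directives on this page that bear on hardening (chroot and user in the global section, timeout http-request, and stats auth, stats hide-version and stats admin) can be checked mechanically: with the "stats enable" defaults the page needs no authentication, and adding "stats admin if TRUE" gives every visitor the admin functions. The Python audit below is an added example, not part of the original post or of HAProxy. Both embedded configurations, the /var/lib/haproxy path, port 8080 and the ops:CHANGE-ME credential are constructed, and inheritance from defaults sections is simplified.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def parse(cfg):
    """Return [(kind, name, [directive, ...])] with comments and blanks dropped."""
    out = []
    for raw in cfg.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # normalise whitespace
        m = SECTION.match(line)
        if m:
            out.append((m.group(1), m.group(2), []))
        elif line and out:
            out[-1][2].append(line)
    return out

def has(lines, directive):
    return any(l == directive or l.startswith(directive + " ") for l in lines)

def audit(cfg):
    """List findings for the directives covered on this page (HTTP proxies assumed)."""
    secs = parse(cfg)
    glob = [l for k, _, ls in secs if k == "global" for l in ls]
    dflt = [l for k, _, ls in secs if k == "defaults" for l in ls]
    found = []
    if not has(glob, "chroot"):
        found.append("global: no chroot")
    if not (has(glob, "user") or has(glob, "uid")):
        found.append("global: no unprivileged user/uid")
    for kind, name, ls in [s for s in secs if s[0] in ("frontend", "listen")]:
        eff = ls + dflt  # simplification: every defaults section is inherited
        if not has(eff, "timeout http-request"):
            found.append(f"{kind} {name}: no timeout http-request")
        if has(ls, "stats enable") or has(ls, "stats uri"):
            if not has(eff, "stats auth"):
                found.append(f"{kind} {name}: stats page has no stats auth")
                if has(eff, "stats admin if TRUE"):
                    found.append(f"{kind} {name}: stats admin open to every visitor")
            if not has(eff, "stats hide-version"):
                found.append(f"{kind} {name}: stats page discloses the version")
    return found

# Constructed sample: stats page left on the "stats enable" defaults, admin mode on.
WEAK = """
global
    log 127.0.0.1 local2
listen admin
    bind *:8080
    stats enable
    stats admin if TRUE
"""
# Constructed sample: the same listener with the settings described above applied.
HARDENED = """
global
    chroot /var/lib/haproxy
    user haproxy
defaults
    timeout http-request 10s
listen admin
    bind 127.0.0.1:8080
    stats enable
    stats hide-version
    stats auth ops:CHANGE-ME
    stats admin if LOCALHOST
"""

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED), sep="\n")
```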