HAProxy: access control based on ACLs
author: JevonWei
Copyright notice: original work
- HAProxy configuration documentation: https://cbonte.github.io/haproxy-dconv/
Access control based on ACLs (layer-4 proxy)
Network topology
Environment
Install HAProxy
HAProxy
```
[root@HAProxy ~]# yum install haproxy -y
[root@HAProxy ~]# rpm -ql haproxy
[root@HAProxy ~]# iptables -F
[root@HAProxy ~]# setenforce 0
[root@HAProxy ~]# systemctl enable haproxy
[root@HAProxy ~]# cp /etc/haproxy/haproxy.cfg{,.bak}
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
```
web1
```
[root@web1 ~]# yum -y install httpd
[root@web1 ~]# vim /var/www/html/index.html
<h1> Backend Server 1 </h1>
[root@web1 ~]# systemctl start httpd
[root@web1 ~]# setenforce 0
[root@web1 ~]# iptables -F
```
web2
```
[root@web2 ~]# yum -y install httpd
[root@web2 ~]# vim /var/www/html/index.html
<h1> Backend Server 2 </h1>
[root@web2 ~]# service httpd start
[root@web2 ~]# setenforce 0
[root@web2 ~]# iptables -F
```
- block: block a host's access
When the user at 172.16.251.196 accesses the stats page, the request is blocked and the error page http://172.16.253.108:10080/403.html is shown.
HAProxy
```
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    default_backend websrvs
backend websrvs
    balance roundrobin
    server srv1 172.16.253.105:80 check weight 2
    server srv2 172.16.252.1:80 check weight 1
listen stats
    bind *:9000
    acl allowstats src 172.16.251.196
    block if allowstats        # block the IPs in allowstats from reaching the stats page
    errorloc 403 http://172.16.253.108:10080/403.html
    stats enable
    stats uri /myproxy?admin
    stats realm "HAProxy Stats Page"
    stats auth admin:admin
    stats admin if TRUE        # admin mode is unconditional here, guarded only by the stats auth credentials
[root@HAProxy ~]# systemctl restart haproxy
```
Access test
Access test from 172.16.251.196 with a browser: the request is sent to http://172.16.253.108:10080/403.html
- http-request: allow a specific host to access the stats page
Allow the user at 172.16.251.196 to access the HAProxy stats page on server 172.16.253.108.
HAProxy
```
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    default_backend websrvs
backend websrvs
    balance roundrobin
    server srv1 172.16.253.105:80 check weight 2
    server srv2 172.16.252.1:80 check weight 1
listen stats
    bind *:9000
    acl allowstats src 172.16.251.196
    # http-request allow if allowstats    # allow the IPs in allowstats to reach the stats page
    http-request deny unless allowstats   # deny everyone except allowstats, i.e. only allowstats may access
    # http-request deny if allowstats     # deny allowstats
    errorloc 403 http://172.16.253.108:10080/403.html   # error page
    stats enable
    stats uri /myproxy?admin
    stats realm "HAProxy Stats Page"
    stats auth admin:admin
    stats admin if TRUE
[root@HAProxy ~]# systemctl restart haproxy
```
Access test
Graphical browser: 172.16.251.196 tests access from a browser; http://172.16.253.108:10080/403.html
Text console:
```
[root@client ~]# curl --basic --user admin:admin http://172.16.253.108:9000/myproxy?admin
```
Access control based on ACLs (layer-7 proxy)
Dynamic pages are served from the dynamic server group, static pages from the static server group.
Topology environment
Environment
- web1 uses virtual hosts to build two web servers that hold the dynamic page content
- web2 uses virtual hosts to build two web servers that hold the static page content
Create the virtual hosts on web1
```
[root@web1 ~]# yum -y install php httpd
[root@web1 ~]# mkdir /data/web/vhost{1,2} -pv
[root@web1 ~]# vim /data/web/vhost1/index.php
<h1> Application Server 1</h1>
<?php
phpinfo();
?>
[root@web1 ~]# vim /data/web/vhost2/index.php
<h1> Application Server 2</h1>
<?php
phpinfo();
?>
```
Configuration file of virtual host 1
```
[root@web1 ~]# vim /etc/httpd/conf.d/vhost1.conf    # edit the configuration file of the vhost1 virtual host
<VirtualHost *:80>
    ServerName www1.danran.com
    DocumentRoot "/data/web/vhost1"
    <Directory "/data/web/vhost1">
        # allow following symbolic links
        Options FollowSymLinks
        # do not allow other configuration files to override the settings in this file
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
Configuration file of virtual host 2
```
[root@web1 ~]# vim /etc/httpd/conf.d/vhost2.conf
Listen 8080
<VirtualHost *:8080>
    ServerName www2.danran.com
    DocumentRoot "/data/web/vhost2"
    <Directory "/data/web/vhost2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@web1 ~]# systemctl restart httpd.service
[root@web1 ~]# ss -ntl
```
Create the virtual hosts on web2
```
[root@web2 ~]# yum -y install httpd
[root@web2 ~]# mkdir -pv /data/web/vhost{1,2}
[root@web2 ~]# find /usr/share/ -iname "*.jpg" -exec cp {} /data/web/vhost1/ \;
[root@web2 ~]# find /usr/share/ -iname "*.jpg" -exec cp {} /data/web/vhost2/ \;
[root@web2 ~]# vim /data/web/vhost1/index.html
<h1> Image Server 1 </h1>
[root@web2 ~]# vim /data/web/vhost2/index.html
<h1> Image Server 2 </h1>
```
Edit the configuration file of virtual host 1
```
[root@web2 ~]# vim /etc/httpd/conf.d/vhost1.conf
<VirtualHost *:80>
    ServerName www1.danran.com
    DocumentRoot "/data/web/vhost1"
    <Directory "/data/web/vhost1">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
Edit the configuration file of virtual host 2
```
[root@web2 ~]# vim /etc/httpd/conf.d/vhost2.conf
Listen 8080
<VirtualHost *:8080>
    ServerName www2.danran.com
    DocumentRoot "/data/web/vhost2"
    <Directory "/data/web/vhost2">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
[root@web2 ~]# systemctl start httpd.service
```
HAProxy
```
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    acl static path_end .jpg .jpeg .png .gif .txt .html   # ACL group "static": requests whose path ends in .jpg .jpeg .png .gif .txt .html
    use_backend staticsrvs if static                       # use the static server group when the condition matches
    default_backend dynsrvs                                # when no use_backend condition matches, use the default_backend server group
backend dynsrvs                                            # dynamic server group
    balance roundrobin
    cookie WEBSRV indirect nocache                         # cookie is a backend keyword; in a frontend HAProxy ignores it with a warning
    server dynsrv1 172.16.253.105:80 check cookie dynsrv1
    server dynsrv2 172.16.253.105:8080 check cookie dynsrv2
backend staticsrvs                                         # static server group
    balance roundrobin
    server staticsrv1 172.16.253.191:80 check
    server staticsrv2 172.16.253.191:8080 check
[root@HAProxy ~]# systemctl restart haproxy
```
client
```
[root@client ~]# curl http://172.16.253.108/index.html
<h1> Image Server 1 </h1>
[root@client ~]# curl http://172.16.253.108/index.html
<h1> image Server 2 </h1>
[root@client ~]# curl http://172.16.253.108/index.php
<h1> Application Server 2</h1>
[root@client ~]# curl http://172.16.253.108/index.php
<h1> Application Server 2</h1>
```
Deny curl access to the web site
HAProxy
```
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    acl static path_end .jpg .jpeg .png .gif .txt .html   # ACL group "static": requests whose path ends in .jpg .jpeg .png .gif .txt .html
    use_backend staticsrvs if static                       # use the static server group when the condition matches
    default_backend dynsrvs                                # when no use_backend condition matches, use the default_backend server group
    acl bad_browsers hdr_reg(User-Agent) .*curl.*          # ACL group bad_browsers: requests whose User-Agent contains "curl"
    block if bad_browsers                                  # block access from the bad_browsers group
backend dynsrvs                                            # dynamic server group
    balance roundrobin
    cookie WEBSRV indirect nocache                         # cookie is a backend keyword; in a frontend HAProxy ignores it with a warning
    server dynsrv1 172.16.253.105:80 check cookie dynsrv1
    server dynsrv2 172.16.253.105:8080 check cookie dynsrv2
backend staticsrvs                                         # static server group
    balance roundrobin
    server staticsrv1 172.16.253.191:80 check
    server staticsrv2 172.16.253.191:8080 check
[root@HAProxy ~]# systemctl restart haproxy
```
client
```
[root@client ~]# curl http://172.16.253.108/index.html
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
```
Allow access only to hosts within the danran.com domain
HAProxy
```
[root@HAProxy ~]# vim /etc/haproxy/haproxy.cfg
frontend myweb *:80
    acl static path_end .jpg .jpeg .png .gif .txt .html   # ACL group "static": requests whose path ends in .jpg .jpeg .png .gif .txt .html
    use_backend staticsrvs if static                       # use the static server group when the condition matches
    default_backend dynsrvs                                # when no use_backend condition matches, use the default_backend server group
    acl valid_referers hdr_reg(Referer) \.danran\.com
    block unless valid_referers                            # block everyone outside the valid_referers group
backend dynsrvs                                            # dynamic server group
    balance roundrobin
    cookie WEBSRV indirect nocache                         # cookie is a backend keyword; in a frontend HAProxy ignores it with a warning
    server dynsrv1 172.16.253.105:80 check cookie dynsrv1
    server dynsrv2 172.16.253.105:8080 check cookie dynsrv2
backend staticsrvs                                         # static server group
    balance roundrobin
    server staticsrv1 172.16.253.191:80 check
    server staticsrv2 172.16.253.191:8080 check
[root@HAProxy ~]# systemctl restart haproxy
```
client
Simulate access from the host www.danran.com:
```
[root@client ~]# curl -e "http://www.danran.com/index.php" http://172.16.253.108/index.php
<h1> Application Server 2</h1>
```
Reprinted from: https://www.cnblogs.com/JevonWei/p/7468486.html
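The following Python script is an added example; it is not part of the original post and not HAProxy code. It models the ACL keywords the post relies on (`src`, `path_end`, `hdr_reg`) and the `if`/`unless` rule forms, so that the decisions of the stats-page rules from the layer-4 section and of the routing and header rules from the layer-7 section can be checked offline against constructed requests. The evaluator is a simplified model (rules are walked in order, the first matching rule decides, and no match means allow), not HAProxy's rule engine; the source address 172.16.250.10, the header values and the `Request` class are constructed test input, and `DENY_CURL` and `REQUIRE_REFERER` are names chosen here for the two block rules.

```python
"""Offline model of the HAProxy ACL rules used in this post (added example)."""
import ipaddress
import re


class Request:
    """The request attributes the post's ACLs inspect (constructed input)."""

    def __init__(self, src, path, headers=None):
        self.src = ipaddress.ip_address(src)
        self.path = path
        # header names are case-insensitive, so normalise them once
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}


# --- ACL matchers: each returns a predicate over a Request ------------------

def src(*networks):
    """'acl x src A B': source address inside any listed host or CIDR network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    return lambda r: any(r.src in n for n in nets)


def path_end(*suffixes):
    """'acl x path_end .jpg .png': request path ends with one of the suffixes."""
    return lambda r: any(r.path.endswith(s) for s in suffixes)


def hdr_reg(name, pattern):
    """'acl x hdr_reg(Name) regex': unanchored regex over the header value.
    A missing header never matches, which is why curl without -e is refused
    by 'block unless valid_referers'."""
    rx = re.compile(pattern)
    return lambda r: rx.search(r.headers.get(name.lower(), "")) is not None


# --- rule evaluation: first matching rule decides, otherwise allow ----------

def evaluate(rules, request):
    """rules: list of (action, predicate, 'if' | 'unless') in config order.
    'block if X' and 'http-request deny if X' both become ('deny', X, 'if')."""
    for action, predicate, form in rules:
        hit = predicate(request)
        if form == "unless":
            hit = not hit
        if hit:
            return action
    return "allow"


# --- stats-page policies from the layer-4 section ---------------------------

ALLOWSTATS = src("172.16.251.196")   # address from the post; src also accepts CIDRs

STATS_POLICIES = {
    "block_if":    [("deny", ALLOWSTATS, "if")],       # block if allowstats
    "allow_if":    [("allow", ALLOWSTATS, "if")],      # the commented-out variant
    "deny_unless": [("deny", ALLOWSTATS, "unless")],   # http-request deny unless allowstats
}


def stats_decision(policy, src_ip):
    """Decision for a stats-page request from src_ip under one policy."""
    return evaluate(STATS_POLICIES[policy], Request(src_ip, "/myproxy?admin"))


# --- layer-7 frontend: header ACLs first, then backend selection ------------

STATIC = path_end(".jpg", ".jpeg", ".png", ".gif", ".txt", ".html")
BAD_BROWSERS = hdr_reg("User-Agent", r".*curl.*")
VALID_REFERERS = hdr_reg("Referer", r"\.danran\.com")

DENY_CURL = [("deny", BAD_BROWSERS, "if")]              # block if bad_browsers
REQUIRE_REFERER = [("deny", VALID_REFERERS, "unless")]  # block unless valid_referers


def route(request, acl_rules):
    """Backend that would serve the request, or '403' when a rule denies it."""
    if evaluate(acl_rules, request) == "deny":
        return "403"
    return "staticsrvs" if STATIC(request) else "dynsrvs"   # use_backend staticsrvs if static


if __name__ == "__main__":
    for policy in STATS_POLICIES:
        for ip in ("172.16.251.196", "172.16.250.10"):       # second address is constructed
            print(f"{policy:12s} {ip:15s} -> {stats_decision(policy, ip)}")
    curl = Request("172.16.250.10", "/index.html", {"User-Agent": "curl/7.29.0"})
    print("curl, block if bad_browsers      ->", route(curl, DENY_CURL))
    print("curl without Referer             ->", route(curl, REQUIRE_REFERER))
    referred = Request("172.16.250.10", "/index.php",
                       {"Referer": "http://www.danran.com/index.php"})
    print("curl -e http://www.danran.com/   ->", route(referred, REQUIRE_REFERER))
```

Running the script makes three points that the configurations above only imply. Under `allow_if` the other address is still allowed, because an `http-request allow` rule that does not match simply falls through; only `deny unless allowstats` restricts the page to that one host. Under `block unless valid_referers` a request with no Referer header at all is refused, which is what plain `curl` sends. And both header ACLs are unanchored regexes over client-supplied headers, so `.*curl.*` only catches clients that identify themselves as curl, and `\.danran\.com` accepts any Referer containing that substring anywhere; if the referer check matters, anchor the pattern against the host part of the URL. Note also that `block` was deprecated in favour of `http-request deny` in HAProxy 1.6 and is no longer accepted by 2.1 and later, so new configurations should use the `http-request` form shown in the second stats example.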