
[Experience sharing] web_reverse_proxy --> haproxy

Posted on 2015-11-20 12:54:22
Haproxy web reverse proxy

1. HAProxy configuration

1.1 The HAProxy configuration file has two parts

global settings: global configuration

global

proxy settings: proxy configuration

defaults <name>   default settings

frontend <name>   defines the frontend socket that accepts client requests and establishes connections with them

backend <name>    defines the backend servers to which frontend connections are dispatched

listen <name>     defines the monitoring (stats) interface

1.2 Global configuration

The parameters in the "global" section are process-level and OS-dependent.

  Process management parameters.
* chroot dir   directory HAProxy chroots into; a security measure
* daemon   run HAProxy as a daemon in the background
* gid GID   run HAProxy under the group with the given GID
* uid UID   run HAProxy under the user with the given UID
* group groupname   run HAProxy under the given group name
* user username   run HAProxy under the given user name
* log <address> <facility> [max level [min level]]   define a global syslog server; at most two may be defined
* log-send-hostname [<string>]   prepend the current host name to syslog messages; <string> replaces the host name if given, otherwise the host name itself is used. Useful for telling hosts apart when several of them log to the same server
* nbproc <number>   number of HAProxy processes to start; the default is 1. Changing this value is not recommended.
* pidfile filename   location of the pid (lock) file
* ulimit-n <number>   number of files a single process may open; this value is computed automatically and changing it is not recommended.
* description <string>   description text

  Performance tuning parameters.
* maxconn <number>   maximum number of concurrent connections each HAProxy process accepts; the value of "ulimit-n" is computed from this parameter.
* tune.bufsize <size>   buffer size
* tune.chksize <number>   size of the check buffer
* tune.maxaccept <number>   number of connections an HAProxy process accepts in one go when the kernel schedules it
* tune.rcvbuf.client   socket receive buffer size on the client side
* tune.rcvbuf.server   socket receive buffer size on the server side
* tune.sndbuf.client   socket send buffer size on the client side
* tune.sndbuf.server   socket send buffer size on the server side

2. Proxy configuration

2.1 bind

bind [<address>]:<port_range>

Defines the listening socket.

2.2 balance

balance <algorithm> [<arguments>]

balance url_param <param> [check_post [<max_wait>]]

Defines the load-balancing algorithm:

roundrobin

Each server is used in turns, according to their weights.
This algorithm is dynamic, which means that server weights may be adjusted on the fly, for slow starts for instance.
It is limited by design to 4095 active servers per backend.

static-rr

Each server is used in turns, according to their weights.
This algorithm is static, which means that changing a server's weight on the fly will have no effect.
It has no design limitation on the number of servers, and when a server goes up, it is always immediately reintroduced into the farm, once the full map is recomputed.

leastconn

The server with the lowest number of connections receives the connection.
Use of this algorithm is recommended where very long sessions are expected, such as SQL, but it is not very well suited for protocols using short sessions such as HTTP.

This algorithm is dynamic.

source

The source IP address is hashed and divided by the total weight of the running servers to designate which server will receive the request.
This algorithm is generally used in TCP mode where no cookie may be inserted.
This algorithm is static by default, but this can be changed using "hash-type".

Use this algorithm when cookie insertion is not supported but session persistence is needed.

uri
Widely used when the upstream backends are cache servers: requests for the same URI are always sent to the same server, which raises the cache hit rate.
This algorithm hashes the left part of the URI and divides the hash value by the total weight of the running servers.
This ensures that the same URI will always be directed to the same server as long as no server goes up or down.
This is used with proxy caches.
This algorithm is static by default, but this can be changed using "hash-type".

Session persistence mechanisms:
IP layer: source
  all hosts behind the same NAT device are mapped to the same server
Application layer: cookie
  gives a better load distribution

1 Scheduling MySQL servers, whose sessions are long:
leastconn
2 Scheduling a group of static web resource servers:
roundrobin
3 Scheduling a group of web application servers:
source

Session persistence mechanisms:
session binding:
  source IP binding
    nginx ip_hash
    haproxy source
    ipvs sh
  cookie binding
session replication
session server
4 Scheduling a group of web cache servers:
uri (hash-type: map-based | consistent)

2.3 cookie

cookie <name> [ rewrite | insert | prefix ] [nocache]

Enable cookie-based persistence in a backend.

<name> is the name of the cookie that carries the persistence value

rewrite   rewrite the value of an existing cookie
insert   insert a new cookie
prefix   prepend the server identifier to the existing cookie value. This does not affect the backend server reading the cookie, because HAProxy strips the added prefix from the cookie before forwarding the request to the backend server.

<nocache>   add "Cache-Control: private" to the response headers, telling any cache server sitting between the client and HAProxy not to cache this response

2.4 hash-type

hash-type {map-based | consistent}

Specify a method to use for mapping hashes to servers.

map-based is the default.

The hashes will be static in that weight changes while a server is up will be ignored. This means that there will be no slow start.

consistent

This hash is dynamic. It supports changing weights while the servers are up, so it is compatible with the slow start feature.
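Added example, not from the original post: a Python simulation of the two hash-type settings behind "balance uri" / "balance source", counting how many keys change server when one backend goes down. The hash function (md5 standing in for HAProxy's own), the server names and the URIs are constructed assumptions.

```python
# Added example (not from the original post): simulates "balance uri"/"balance source"
# under hash-type map-based and hash-type consistent, and counts how many keys change
# server when one backend goes down. Hash function, server names and URIs are stand-ins.
import bisect
import hashlib
from typing import Dict, List, Tuple

def h64(data: str) -> int:
    """Stable 64-bit hash; md5 stands in for HAProxy's own hash functions."""
    return int.from_bytes(hashlib.md5(data.encode()).digest()[:8], "big")

def map_based(servers: Dict[str, int], key: str) -> str:
    """hash-type map-based: hash modulo total weight indexes a static slot map, so the
    map is rebuilt (and most keys move) whenever the set of running servers changes."""
    slots = [name for name, w in servers.items() for _ in range(w)]
    return slots[h64(key) % len(slots)]

class ConsistentRing:
    """hash-type consistent: every server owns weight*points positions on a ring;
    a key goes to the first server point at or after the key's own hash."""
    def __init__(self, servers: Dict[str, int], points: int = 64) -> None:
        self.ring: List[Tuple[int, str]] = sorted(
            (h64(f"{name}#{i}"), name)
            for name, w in servers.items() for i in range(w * points))
        self.hashes = [p for p, _ in self.ring]

    def lookup(self, key: str) -> str:
        idx = bisect.bisect_left(self.hashes, h64(key)) % len(self.ring)
        return self.ring[idx][1]

def moved_keys(servers: Dict[str, int], down: str, keys: List[str]) -> Dict[str, int]:
    """How many keys change server under each hash-type when server `down` fails."""
    alive = {n: w for n, w in servers.items() if n != down}
    ring_before, ring_after = ConsistentRing(servers), ConsistentRing(alive)
    return {
        "map-based": sum(map_based(servers, k) != map_based(alive, k) for k in keys),
        "consistent": sum(ring_before.lookup(k) != ring_after.lookup(k) for k in keys),
        "on_failed_server": sum(ring_before.lookup(k) == down for k in keys),
    }

# Constructed sample: three cache servers of equal weight and 3000 distinct URIs.
SERVERS = {"cache1": 1, "cache2": 1, "cache3": 1}
URIS = [f"/static/img/{i}.png" for i in range(3000)]

if __name__ == "__main__":
    print(moved_keys(SERVERS, "cache3", URIS))
```

With consistent hashing only the keys that were on the failed server move, so the other caches keep their hit rate; with map-based about two thirds of all keys are remapped after the failure.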

2.5 mode

mode {tcp | http | health}   the default is tcp

Set the running mode or protocol of the instance.

tcp
The instance will work in TCP mode. A full-duplex connection will be established between clients and servers, and no layer 7 examination will be performed. This is the default mode. It should be used for SSL, SSH, ...

http
The instance will work in HTTP mode. The client request will be analyzed in depth before connecting to any server. Any request which is not RFC-compliant will be rejected. Layer 7 filtering.

2.6 log

log global   use the log format defined in the global section

log <address> <facility> [<level> <minlevel>]

2.7 capture cookie <name> len <length>

Capture and log a cookie in the request and in the response.

2.8 capture request header <name> len <length>

Capture and log the last occurrence of the specified request header.

2.9 capture response header <name> len <length>

Capture and log the last occurrence of the specified response header.

2.10 default_backend

default_backend <backend>

Specifies the backend to use when no "use_backend" rule has been matched.

Can only be defined in listen and frontend sections.

2.11 use_backend

use_backend <backend>

2.12 server

server <name> <address>:port [param]

Declare a server in a backend.

<name> is the internal name assigned to this server. This name will appear in logs and alerts. If "http-send-name-header" is set, it will be added to the request header sent to the server.

<address>   IP address

param:
   backup   mark this server as a backup; it is only used when none of the other servers in the backend are usable.
   check   enable health checks against this server; they can be tuned with the following extra parameters.
     inter <delay>   interval between health checks, default 2000 (milliseconds)
     rise <count>   number of consecutive successful checks before a server that was down is considered up again
     fall <count>   number of consecutive failed checks before a server that was up is considered down
   cookie <value>   the server's cookie value, i.e. the value written into the persistence cookie
   maxconn <maxconn>   maximum number of concurrent requests this server accepts; requests beyond that are placed in the queue.
   maxqueue <maxqueue>   size of the server's wait queue.
   weight <weight>   the server's weight
   
2.13 option httpchk   specify the health-check method

option httpchk
option httpchk <url>
option httpchk <method> <url>
option httpchk <method> <url> <version>

Enable HTTP protocol checks on the server health.

option httpchk /test1.html

2.14 stats enable

Enable statistics reporting with default settings:

- stats uri /haproxy?stats
- stats realm "HAProxy Statistics"
- stats auth   no authentication
- stats scope   no restriction

Although the defaults of "stats enable"

2.15 stats hide-version

Hides the HAProxy version.

2.16 stats auth <user>:<password>

Enable authentication for the statistics page; several user:password pairs may be given.

2.17 stats admin

stats admin { if | unless } <cond>

stats admin if LOCALHOST   admin functions only for requests from the local host

stats admin if TRUE   the condition always holds, so the admin functions are available to anyone who can reach the stats page

2.18 errorfile

errorfile <code> <file>

Return a file's contents instead of the errors generated by HAProxy.

2.19 option forwardfor

option forwardfor [ except <network> ] [ header <name> ] [ if-none ]

Enable insertion of the X-Forwarded-For header in requests sent to servers.

<network> is an optional argument used to disable this option for sources matching this network.

<name> is an optional argument to specify a different "X-Forwarded-For" header name.

Note:
  Only the first request will have the header appended.
  In order to fix this, ensure that any of the "httpclose", "forceclose" or "http-server-close" options is set when using this option.

2.20 option http-server-close

option http-server-close
no option http-server-close

Enable or disable HTTP connection closing on the server side.

2.21 option httpclose

option httpclose
no option httpclose

2.22 option redispatch

option redispatch

no option redispatch

Defines whether a request is dispatched to another server when the server selected by the persistence cookie has failed.

2.23 timeout http-request <timeout>

Set the maximum allowed time to wait for a complete HTTP request.

This helps protect against established connections on which nothing is sent.

That is, the time to wait for request data after the TCP connection has been established; the default unit is milliseconds.
If no complete request arrives within this time, the connection is closed.

2.24 timeout queue <timeout>

Set the maximum time to wait in the queue for a connection slot to be free.

When a server's maxconn is reached, connections are left pending in a queue which may be server-specific or global to the backend.

In order not to wait indefinitely, a timeout is applied to requests pending in the queue.

If the timeout is reached, it is considered that the request will almost never be served, so it is dropped and a 503 error is returned to the client.

That is, when HAProxy dispatches requests to the backend servers and more requests arrive than a server handles concurrently, the extra requests wait in a queue; this parameter defines how long they may wait there. If the wait is too long, the server is considered not to be processing them and a 503 is returned.

2.25 timeout connect <timeout>

Set the maximum time to wait for a connection attempt to a server to succeed.

If the server is located on the same LAN as HAProxy, the connection should be immediate (less than a few milliseconds).

Defines how long HAProxy waits when connecting to a backend server.

2.26 timeout client <timeout>

Set the maximum inactivity time on the client side.

The inactivity timeout applies when the client is expected to acknowledge or send data.

That is, how long a client connection may stay inactive after it has been established; once this time is exceeded, the connection is closed.

2.27 timeout server <timeout>

Set the maximum inactivity time on the server side.

The inactivity timeout applies when the server is expected to acknowledge or send data.

That is, the inactivity timeout for a backend server after HAProxy has connected to it.

2.28 timeout http-keep-alive <timeout>

Set the maximum allowed time to wait for a new HTTP request to appear.
Defines how long a keep-alive connection is held.

3. ACL

acl <aclname> <criterion> [flag] [operator] <value>

flag
  -i   ignore character case.

types of values

  - integers or integer ranges
      ranges: 1024:2000
      operators: eq ge gt le lt

  - strings

  - regular expressions

  - IP addresses and networks

criterion (what is checked):

  - dst <ip_address>
  - dst_port <integer>
  - src <ip_address>
  - src_port <integer>

  - hdr(header) <string>   exact match on the value of a header field
      acl aaaa hdr(Connection) -i close
  - hdr_reg(header) <regex>   regular-expression match on the value of a header field
      acl aaaa hdr_reg(Host) -i .*\.magedu.com
  - method <string>   match the request method
  - path <string>   match the path part of the URL
      acl indexacl path /index.html
  - path_beg <string>   match what the path part of the URL begins with
      acl admin_page path_beg /admin
  - path_end <string>   match what the path part of the URL ends with
      acl phpacl path_end .php
      acl htmlacl path_end .html
  - path_reg <regex>   regular-expression match on the path
      acl phpacl path_reg .php$
      acl htmlacl path_reg .html$

  - url <string>   exact match on the URL (path+query)
  - url_beg <string>
  - url_end <string>
  - url_reg <string>

Implementing access control:

- http-request { if | unless } <condition>   layer-7 filtering
- tcp-request content accept { if | unless } <condition>   layer-4 filtering

An example:

acl url_static path_beg /static /images /img /css
acl url_static path_end .gif .png .jpg .css .js
acl host_www hdr_beg(host) -i www
acl host_static hdr_beg(host) -i img. video. download.

use_backend static if host_static or host_www

Configuration example:

global
log 127.0.0.1 local2
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000


frontend webserver
bind *:80

acl php path_end .php
acl html path_end .html
acl image path_end .png .gif .jpg
acl jc path_end .js .css

use_backend dynamic if php
use_backend static if html
use_backend images if image
use_backend jscss if jc

default_backend static


backend dynamic
balance roundrobin
server php1 172.31.0.2:80 check inter 2000 rise 5 fall 2 weight 1
server php2 172.31.0.3:80 check inter 2000 rise 5 fall 2 weight 1
server error 127.0.0.1:80 backup weight 1


   
backend static
balance roundrobin
server html1 172.31.0.4:80 check inter 2000 rise 5 fall 2 weight 1
server html2 172.31.0.5:80 check inter 2000 rise 5 fall 2 weight 1
server error 127.0.0.1:80 backup weight 1


backend images
balance roundrobin
server image 172.31.0.6:80 check inter 2000 rise 5 fall 2 weight 1
server error 127.0.0.1:80 backup weight 1


backend jscss
balance roundrobin
server js_css 172.31.0.17:80 check inter 2000 rise 5 fall 2 weight 1
server error 127.0.0.1:80 backup weight 1
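Added example, not from the original post, for the ACL section and the "frontend webserver" section of the configuration example above: a small Python evaluator that applies the page's path_end acls, use_backend rules and default_backend to constructed request-targets, the way HAProxy selects a backend. Only path_beg/path_end are modelled, and the sample URLs are assumptions.

```python
# Added example (not from the original post): evaluates the "frontend webserver"
# rules from the configuration example above against constructed sample URLs, the way
# HAProxy applies acl lines, use_backend rules and default_backend.
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# (acl name, criterion, ignore_case i.e. the -i flag, values); same-named lines are OR-ed.
AclLine = Tuple[str, str, bool, List[str]]

def acl_match(url: str, criterion: str, ignore_case: bool, values: List[str]) -> bool:
    """One acl line matches when ANY listed value matches. path_* fetches use only
    the path part of the request-target, so the query string never takes part."""
    if criterion not in ("path_beg", "path_end"):
        raise ValueError(f"criterion {criterion!r} is not modelled here")
    subject = urlsplit(url).path
    if ignore_case:
        subject, values = subject.lower(), [v.lower() for v in values]
    if criterion == "path_end":
        return any(subject.endswith(v) for v in values)
    return any(subject.startswith(v) for v in values)

def route(url: str, acls: List[AclLine], rules: List[Tuple[str, List[str]]],
          default_backend: str) -> str:
    """use_backend rules are tried top to bottom; a rule fires if any named acl matched."""
    matched: Dict[str, bool] = {}
    for name, criterion, ignore_case, values in acls:
        matched[name] = matched.get(name, False) or acl_match(url, criterion, ignore_case, values)
    for backend, condition in rules:
        if any(matched.get(name, False) for name in condition):
            return backend
    return default_backend

# The page's frontend: four path_end acls written without -i, so matching is case-sensitive.
ACLS: List[AclLine] = [
    ("php", "path_end", False, [".php"]),
    ("html", "path_end", False, [".html"]),
    ("image", "path_end", False, [".png", ".gif", ".jpg"]),
    ("jc", "path_end", False, [".js", ".css"]),
]
RULES = [("dynamic", ["php"]), ("static", ["html"]), ("images", ["image"]), ("jscss", ["jc"])]

def pick(url: str) -> str:
    """Backend chosen for one request-target under the page's frontend."""
    return route(url, ACLS, RULES, default_backend="static")

if __name__ == "__main__":
    for u in ["/index.php", "/app.php?id=1", "/logo.png", "/logo.PNG", "/main.js", "/"]:
        print(f"{u:16} -> {pick(u)}")
```

Because the page's acl lines omit the -i flag, /logo.PNG matches no acl and falls through to default_backend static instead of the images backend, while /app.php?id=1 still reaches dynamic because path_end looks at the path only.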

Post URL: https://www.yunweiku.com/thread-141508-1-1.html