
53-HAProxy-常用高级功能及生产案例


基于 Cookie 的会话保持

cookie value:为当前server指定cookie值,实现基于cookie的会话黏性

注意:基于 cookie 的会话保持不支持 tcp mode,必须使用 http mode(七层协议)

案例:

#配置选项
cookie name [ rewrite | insert | prefix ][ indirect ] [ nocache ][ postonly ] [preserve ][ httponly ] [ secure ][ domain ]* [ maxidle <idle> ][ maxlife ]
#常用
name: #cookie 的 key名称,用于实现持久连接
insert: #插入新的cookie,默认不插入cookie
indirect: #如果客户端已经有cookie,则不会再发送cookie信息
nocache: #当client和haproxy之间有缓存服务器(如:CDN)时,不允许中间缓存器缓存cookie,否则经过同一个CDN的大量请求都会被发送到同一台后端服务器

例:
[root@haproxy ~]#vim /etc/haproxy/conf.d/www.mooreyxia.org.cfg
[root@haproxy ~]#cat /etc/haproxy/conf.d/www.mooreyxia.org.cfg
# 基于 cookie 的会话保持示例:haproxy 向客户端插入名为 cookie_mooreyxia.org 的 cookie,
# 值为各 server 行上 "cookie" 指定的标识(web202 / web203),后续带该 cookie 的请求固定调度到同一后端
listen www.mooreyxia.org
balance roundrobin
# insert:由 haproxy 插入 cookie;nocache:禁止中间缓存保存该 cookie;indirect:客户端已带 cookie 时不再重复下发
# 注意:cookie 指令还支持 httponly / secure 等选项(见上方配置选项说明),本例未启用;
# cookie 值会向客户端暴露后端服务器标识,生产环境建议使用不含真实主机信息的标识并按需启用上述选项
cookie cookie_mooreyxia.org insert nocache indirect
bind 192.168.10.200:80
# 当会话绑定的 server 不可用时,请求会被调度到其他 server 并下发新的 cookie 值(见下方测试输出)
server 10.0.0.202 10.0.0.202:80 weight 1 check inter 3000 fall 3 rise 5 cookie web202
server 10.0.0.203 10.0.0.203:80 weight 1 check inter 3000 fall 3 rise 5 cookie web203

[root@haproxy ~]#systemctl restart haproxy.service

#测试
[root@internet ~]#curl --help|grep cookie
-b, --cookie <data> Send cookies from string/file
-c, --cookie-jar <filename> Write cookies to <filename> after operation
-j, --junk-session-cookies Ignore session cookies read from file
#保存cookie到本地
[root@internet ~]#curl -c cookie.txt http://www.mooreyxia.org
10.0.0.202 _web01-www.mooreyxia.org
[root@internet ~]#cat cookie.txt
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

www.mooreyxia.org FALSE / FALSE 0 cookie_mooreyxia.org web202
#使用保存的cookie访问,由于会话绑定,请求被调度到同一台服务器
[root@internet ~]#curl -b cookie.txt -v http://www.mooreyxia.org
* Rebuilt URL to: http://www.mooreyxia.org/
* Trying 192.168.10.200...
* TCP_NODELAY set
* Connected to www.mooreyxia.org (192.168.10.200) port 80 (#0)
> GET / HTTP/1.1
> Host: www.mooreyxia.org
> User-Agent: curl/7.61.1
> Accept: */*
> Cookie: cookie_mooreyxia.org=web202
>
< HTTP/1.1 200 OK
< server: nginx/1.18.0 (Ubuntu)
< date: Wed, 18 Jan 2023 08:01:04 GMT
< content-type: text/html
< content-length: 36
< last-modified: Tue, 17 Jan 2023 07:13:41 GMT
< etag: "63c64aa5-24"
< accept-ranges: bytes
<
10.0.0.202 _web01-www.mooreyxia.org
* Connection #0 to host www.mooreyxia.org left intact
[root@internet ~]#curl -b cookie.txt -v http://www.mooreyxia.org
* Rebuilt URL to: http://www.mooreyxia.org/
* Trying 192.168.10.200...
* TCP_NODELAY set
* Connected to www.mooreyxia.org (192.168.10.200) port 80 (#0)
> GET / HTTP/1.1
> Host: www.mooreyxia.org
> User-Agent: curl/7.61.1
> Accept: */*
> Cookie: cookie_mooreyxia.org=web202
>
< HTTP/1.1 200 OK
< server: nginx/1.18.0 (Ubuntu)
< date: Wed, 18 Jan 2023 08:01:17 GMT
< content-type: text/html
< content-length: 36
< last-modified: Tue, 17 Jan 2023 07:13:41 GMT
< etag: "63c64aa5-24"
< accept-ranges: bytes
<
10.0.0.202 _web01-www.mooreyxia.org
* Connection #0 to host www.mooreyxia.org left intact

#当会话绑定的服务器下线,会自动调度到另外的服务器直到会话绑定服务上线为止
#202下线
[root@web01-mooreyxia html]#systemctl stop nginx
#自动调度到203
[root@internet ~]#curl -b cookie.txt -v http://www.mooreyxia.org
* Rebuilt URL to: http://www.mooreyxia.org/
* Trying 192.168.10.200...
* TCP_NODELAY set
* Connected to www.mooreyxia.org (192.168.10.200) port 80 (#0)
> GET / HTTP/1.1
> Host: www.mooreyxia.org
> User-Agent: curl/7.61.1
> Accept: */*
> Cookie: cookie_mooreyxia.org=web202
>
< HTTP/1.1 200 OK
< server: nginx/1.18.0 (Ubuntu)
< date: Wed, 18 Jan 2023 08:05:49 GMT
< content-type: text/html
< content-length: 36
< last-modified: Tue, 17 Jan 2023 07:14:14 GMT
< etag: "63c64ac6-24"
< accept-ranges: bytes
* Replaced cookie cookie_mooreyxia.org="web203" for domain www.mooreyxia.org, path /, expire 0
< set-cookie: cookie_mooreyxia.org=web203; path=/
< cache-control: private
<
10.0.0.203 _web02-www.mooreyxia.org
* Connection #0 to host www.mooreyxia.org left intact

#202上线
[root@web01-mooreyxia html]#systemctl start nginx
#自动调度到202
[root@internet ~]#curl -b cookie.txt -v http://www.mooreyxia.org
* Rebuilt URL to: http://www.mooreyxia.org/
* Trying 192.168.10.200...
* TCP_NODELAY set
* Connected to www.mooreyxia.org (192.168.10.200) port 80 (#0)
> GET / HTTP/1.1
> Host: www.mooreyxia.org
> User-Agent: curl/7.61.1
> Accept: */*
> Cookie: cookie_mooreyxia.org=web202
>
< HTTP/1.1 200 OK
< server: nginx/1.18.0 (Ubuntu)
< date: Wed, 18 Jan 2023 08:06:07 GMT
< content-type: text/html
< content-length: 36
< last-modified: Tue, 17 Jan 2023 07:13:41 GMT
< etag: "63c64aa5-24"
< accept-ranges: bytes
<
10.0.0.202 _web01-www.mooreyxia.org

配置HAProxy 状态页

  • 状态页配置项
stats enable #基于默认的参数启用stats page
stats hide-version #将状态页中haproxy版本隐藏
stats refresh <delay> #设定自动刷新时间间隔,默认不自动刷新,以秒为单位
stats uri <prefix> #自定义stats page uri,默认值:/haproxy?stats
stats realm <realm> #账户认证时的提示信息,示例:stats realm HAProxy\Statistics
stats auth <user>:<passwd> #认证时的账号和密码,可定义多个用户,每行指定一个用户.默认:no authentication
stats admin { if | unless } <cond> #启用stats page中的管理功能

案例:自定义haproxy状态页

[root@haproxy ~]#vim /etc/haproxy/haproxy.cfg 
[root@haproxy ~]#cat /etc/haproxy/haproxy.cfg
...

#listen stats
# mode http
# bind 0.0.0.0:9999
# stats enable
# log global
# stats uri /haproxy-status
# stats auth admin:123456

# 状态页示例:仅监听内网地址 10.0.0.200:8888,并通过 stats auth 做 HTTP 基本认证
listen status
stats enable
bind 10.0.0.200:8888
stats uri /haproxy
# admin:123456 为演示用口令,请勿用于生产;本例 bind 未启用 ssl,认证口令以明文方式在网络上传输
# 生产环境应使用强口令,增加 stats hide-version 隐藏版本信息,并用 ACL(如基于 src)限制可访问状态页的来源地址
# 本例未启用 stats admin,状态页为只读;启用后可从页面直接更改后端服务器状态,必须更严格地限制访问
stats auth admin:123456

[root@haproxy ~]#systemctl restart haproxy.service

查看状态页信息

53-HAProxy-常用高级功能及生产案例_haproxy

53-HAProxy-常用高级功能及生产案例_负载均衡_02

登录状态页说明

pid = 27134 (process #1, nbproc = 1, nbthread = 1) #pid为当前pid号,process为当前进程号,nbproc和nbthread为一共多少进程和每个进程多少个线程
uptime = 0d 0h00m04s #启动了多长时间
system limits: memmax = unlimited; ulimit-n = 200029 #系统资源限制:内存/最大打开文件数/
maxsock = 200029; maxconn = 100000; maxpipes = 0 #最大socket连接数/单进程最大连接数/最大管道数maxpipes
current conns = 2; current pipes = 0/0; conn rate = 2/sec; bit rate = 0.000 kbps#当前连接数/当前管道数/当前连接速率
Running tasks: 1/14; idle = 100 % #运行的任务/当前空闲率
active UP: #在线服务器
backup UP: #标记为backup的服务器
active UP, going down: #监测未通过正在进入down过程
backup UP, going down: #备份服务器正在进入down过程
active DOWN, going up: #down的服务器正在进入up过程
backup DOWN, going up: #备份服务器正在进入up过程
active or backup DOWN: #在线的服务器或者是backup的服务器已经转换成了down状态
not checked: #标记为不监测的服务器
active or backup DOWN for maintenance (MAINT) #active或者backup服务器人为下线的
active or backup SOFT STOPPED for maintenance #active或者backup被人为软下线(人为将weight改成0)

IP透传

web服务器中需要记录客户端的真实IP地址,用于做访问统计、安全防护、行为分析、区域排行等场景。

主要有两种方案:四层ip透传和七层ip透传

这里主要说七层ip透传

案例:

[root@haproxy ~]#vim /etc/haproxy/haproxy.cfg 
[root@haproxy ~]#cat /etc/haproxy/haproxy.cfg
...

defaults
option http-keep-alive
option forwardfor --> 默认设置了透传选项
...

#测试
[root@internet ~]#curl http://www.mooreyxia.org/
10.0.0.202 _web01-www.mooreyxia.org

53-HAProxy-常用高级功能及生产案例_负载均衡_03

#配置在后端服务器记录透传信息
[root@web01-mooreyxia html]#vim /etc/nginx/nginx.conf
[root@web01-mooreyxia html]#cat /etc/nginx/nginx.conf
...

##
# Logging Settings
##
log_format main '"$proxy_add_x_forwarded_for" - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_For';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;


[root@web01-mooreyxia html]#nginx -s reload

#测试
[root@internet ~]#curl http://www.mooreyxia.org/
10.0.0.202 _web01-www.mooreyxia.org

[root@web01-mooreyxia html]#tail -f /var/log/nginx/access.log
"192.168.10.8, 10.0.0.200" - - [18/Jan/2023:16:52:08 +0800] "GET / HTTP/1.1" 200 36 "-" "curl/7.61.1" 192.168.10.8

报文修改

  • 在http模式下,基于实际需求修改客户端的请求报文与响应报文,通过reqadd和reqdel在请求报文添加删除字段,通过rspadd与rspidel在响应报文中添加与删除字段(这些指令在较新版本中已被下文的 http-request / http-response 指令取代)。

配置说明:

#修改请求host首部,默认host首部会保留客户端原首部haproxy不会修改
http-request set-header host www.mooreyxia.com
#添加向后端服务器发送的请求报文首部
http-request add-header <name> <fmt> [ { if | unless } <condition> ]
#示例:http-request add-header X-Haproxy-Current-Date %T
#删除向后端服务器发送的请求报文首部
http-request del-header <name> [ { if | unless } <condition> ]
#修改响应首部
http-response set-header server mooreyxia
#添加向客户端发送的响应报文首部
http-response add-header <name> <fmt> [ { if | unless } <condition> ]
#删除向客户端发送的响应报文首部
http-response del-header <name>
#示例:http-response del-header Server

案例:添加向后端服务器发送的请求报文首部,内容为请求发送时间

[root@haproxy ~]#
[root@haproxy ~]#vim /etc/haproxy/conf.d/www.mooreyxia.org.cfg
[root@haproxy ~]#cat /etc/haproxy/conf.d/www.mooreyxia.org.cfg
listen www.mooreyxia.org
balance roundrobin
cookie cookie_mooreyxia.org insert nocache indirect
http-request add-header X-Haproxy-Current-Date %T
bind 192.168.10.200:80
server 10.0.0.202 10.0.0.202:80 weight 1 check inter 3000 fall 3 rise 5 cookie web202
server 10.0.0.203 10.0.0.203:80 weight 1 check inter 3000 fall 3 rise 5 cookie web203
[root@haproxy ~]#systemctl restart haproxy.service

观察发送数据

53-HAProxy-常用高级功能及生产案例_haproxy_04

后端配置接受报文字段

[root@web01-mooreyxia html]#vim /etc/nginx/nginx.conf 
[root@web01-mooreyxia html]#cat /etc/nginx/nginx.conf
...

##
# Logging Settings
##
log_format main '"$proxy_add_x_forwarded_for" - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" $http_x_forwarded_For "$http_X_Haproxy_Current_Date" ';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;


[root@web01-mooreyxia html]#nginx -s reload
[root@web01-mooreyxia html]#tail -f /var/log/nginx/access.log
"192.168.10.8, 10.0.0.200" - - [18/Jan/2023:17:09:07 +0800] "GET / HTTP/1.1" 200 36 "-" "curl/7.61.1" 192.168.10.8 "18/Jan/2023:09:09:07 +0000"

自定义日志格式

  • option httplog 可以采用 http 格式记录下来,并且可以使用相关指令将特定信息记录在haproxy的日志中

注意:一般不建议开启,这会加重 HAProxy 负载

配置选项
log global #开启记录日志,默认不开启
option httplog #开启记录httplog日志格式选项
capture cookie <name> len <length> #捕获请求和响应报文中的 cookie及值的长度,将之记录到日志
capture request header <name> len <length> #捕获请求报文中指定的首部内容和长度并记录日志
capture response header <name> len <length> #捕获响应报文中指定的内容和长度首部并记录日志

案例:

[root@haproxy ~]#vim /etc/haproxy/conf.d/www.mooreyxia.org.cfg 
[root@haproxy ~]#cat /etc/haproxy/conf.d/www.mooreyxia.org.cfg
# 自定义日志示例:capture 到的首部值原样写入日志中的 {...} 字段(见下方 haproxy.log 示例)
# 这些首部由客户端提供、可被任意构造,解析日志时不要把它们当作可信数据;len 为截断长度
listen www.mooreyxia.org
balance roundrobin
log global
option httplog
capture request header Host len 256
capture request header User-Agent len 512
# Referer 只保留前 15 字节
capture request header Referer len 15
# X-Forwarded-For 只保留 15 字节,恰好容纳一个 IPv4 地址;多级代理形成的地址链会被截断
capture request header X-Forwarded-For len 15
bind 192.168.10.200:80
server 10.0.0.202 10.0.0.202:80 weight 1 check inter 3000 fall 3 rise 5 cookie web202
server 10.0.0.203 10.0.0.203:80 weight 1 check inter 3000 fall 3 rise 5 cookie web203

[root@haproxy ~]#systemctl restart haproxy.service
#测试
[root@internet ~]#curl http://www.mooreyxia.org/
10.0.0.202 _web01-www.mooreyxia.org

[root@haproxy ~]#tail -f /var/log/haproxy.log
Jan 18 18:29:03 localhost haproxy[1761]: 192.168.10.8:38438 [18/Jan/2023:18:29:03.877] www.mooreyxia.org www.mooreyxia.org/10.0.0.202 0/0/1/1/2 200 244 - - ---- 1/1/0/0/0 0/0 {www.mooreyxia.org|curl/7.61.1||} "GET / HTTP/1.1"

压缩功能

  • 对响应给客户端的报文进行压缩,以节省网络带宽,但是会占用部分CPU性能

注意:建议在后端服务器开启压缩功能,而非在HAProxy上开启压缩

配置选项
compression algo <algorithm> ... #启用http协议中的压缩机制,常用算法有gzip,deflate
#压缩算法<algorithm>支持下面类型:
identity #debug调试使用的压缩方式
gzip #常用的压缩方式,与各浏览器兼容较好
deflate #有些浏览器不支持
raw-deflate #新式的压缩方式
compression type <mime type> ... #要压缩的文件类型

案例:

[root@haproxy ~]#vim /etc/haproxy/conf.d/www.mooreyxia.org.cfg 
[root@haproxy ~]#cat /etc/haproxy/conf.d/www.mooreyxia.org.cfg
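# 压缩示例:由 haproxy 对响应报文做压缩,会消耗 haproxy 的 CPU(一般建议在后端服务器上开启)
listen www.mooreyxia.org
balance roundrobin
compression algo gzip deflate #启用压缩和指定算法
# 语法为 compression type <mime type> ...;原配置在此处重复写了一次 "compression type",
# 多余的 "compression" 和 "type" 会被当作 MIME 类型,这里去掉重复部分
compression type text/plain text/html text/css text/xml text/javascript application/javascript #指定压缩文件类型
bind 192.168.10.200:80
server 10.0.0.202 10.0.0.202:80 weight 1 check inter 3000 fall 3 rise 5 cookie web202
server 10.0.0.203 10.0.0.203:80 weight 1 check inter 3000 fall 3 rise 5 cookie web203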

[root@haproxy ~]#systemctl restart haproxy.service

#测试
[root@web01-mooreyxia html]#ll -h
总用量 6.4M
-rw-r--r-- 1 root root 6.3M 1月 18 18:40 1.txt

53-HAProxy-常用高级功能及生产案例_负载均衡_05



后端服务器健康性监测

  • 三种状态监测方式
  • 基于四层的传输端口做状态监测,此为默认方式
  • 基于指定 URI 做状态监测,需要访问整个页面资源,占用更多带宽
  • 基于指定 URI 的 request 请求头部内容做状态监测,占用较少带宽,建议使用此方式

案例:基于应用层http协议进行健康性检测

#基于应用层http协议,采有不同的监测方式,对后端real server进行状态监测
#注意: 此方式会使后端服务器收到大量由 HAProxy 发起的检测请求,消耗带宽

配置:
option httpchk #启用七层健康性检测,对tcp 和 http 模式都支持,默认为:OPTIONS / HTTP/1.0
option httpchk <uri>
option httpchk <method> <uri>
option httpchk <method> <uri> <version>
#期望以上检查得到的响应码
http-check expect [!] <match> <pattern>
#示例:
http-check expect status 200
http-check expect ! rstatus ^5 #支持正则表达式

例:
[root@haproxy ~]#vim /etc/haproxy/conf.d/www.mooreyxia.org.cfg
[root@haproxy ~]#cat /etc/haproxy/conf.d/www.mooreyxia.org.cfg
# 七层健康检查示例:每次检查发送 GET / 并接收完整页面,占用带宽较大(下文的 HEAD 方式更省带宽)
listen www.mooreyxia.org
balance roundrobin
bind 192.168.10.200:80
# 本例未配置 http-check expect,成功/失败由 haproxy 的默认判定规则决定
option httpchk GET /
server 10.0.0.202 10.0.0.202:80 weight 1 check inter 3000 fall 3 rise 5 cookie web202
server 10.0.0.203 10.0.0.203:80 weight 1 check inter 3000 fall 3 rise 5 cookie web203

[root@haproxy ~]#systemctl restart haproxy.service

53-HAProxy-常用高级功能及生产案例_haproxy_06

注意:此方式会使后端服务器收到大量由 HAProxy 发起的检测请求,消耗带宽

53-HAProxy-常用高级功能及生产案例_负载均衡_07

基于指定 URI 的 request 请求头部内容做状态监测,占用较少带宽,建议使用此方式

[root@haproxy ~]#vim /etc/haproxy/conf.d/www.mooreyxia.org.cfg 
[root@haproxy ~]#cat /etc/haproxy/conf.d/www.mooreyxia.org.cfg
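# 七层健康检查示例:用 HEAD 请求(不取正文,占用带宽少),并在检查报文中附带 Host 首部
listen www.mooreyxia.org
balance roundrobin
bind 192.168.10.200:80
# 语法为 option httpchk <method> <uri> <version>;原配置漏掉了 <uri>("/"),这里补上
option httpchk HEAD / HTTP/1.1\r\nHost:\ www.mooreyxia.org
server 10.0.0.202 10.0.0.202:80 weight 1 check inter 3000 fall 3 rise 5 cookie web202
server 10.0.0.203 10.0.0.203:80 weight 1 check inter 3000 fall 3 rise 5 cookie web203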

[root@haproxy ~]#systemctl restart haproxy.service

ACL

作为反向代理,性能优于nginx的一大特性

访问控制列表(ACL,Access Control Lists)是一种基于包过滤的访问控制技术,它可以根据设定的条件对经过服务器传输的数据包进行过滤(条件匹配),即对接收到的报文进行匹配和过滤,基于请求报文头部中的源地址、源端口、目标地址、目标端口、请求方法、URL、文件后缀等信息内容进行匹配并执行进一步操作,比如允许其通过或丢弃。

#配置
acl <aclname> <criterion> [flags] [operator] [<value>]
acl 名称 匹配规范 匹配模式 具体操作符 操作对象类型

ACL-criterion - 定义ACL匹配规范,即:判断条件

hdr string,提取在一个HTTP请求报文的首部
hdr([<name> [,<occ>]]):完全匹配字符串,header的指定信息,<occ> 表示在多值中使用的值的出现次数
hdr_beg([<name> [,<occ>]]):前缀匹配,header中指定匹配内容的begin
hdr_end([<name> [,<occ>]]):后缀匹配,header中指定匹配内容end
hdr_dom([<name> [,<occ>]]):域匹配,header中的domain name
hdr_dir([<name> [,<occ>]]):路径匹配,header的uri路径
hdr_len([<name> [,<occ>]]):长度匹配,header的长度匹配
hdr_reg([<name> [,<occ>]]):正则表达式匹配,自定义表达式(regex)模糊匹配
hdr_sub([<name> [,<occ>]]):子串匹配,header中的uri模糊匹配

例:
hdr(<string>) 用于测试请求头部首部指定内容
hdr_dom(host) 请求的host名称,如 www.mooreyxia.com,m.mooreyxia.com
hdr_beg(host) 请求的host开头,如 www. img. video. download. ftp.
hdr_end(host) 请求的host结尾,如 .com .net .cn

案例:设置ACL策略拒绝使用curl wget命令访问(注意:User-Agent 由客户端自行填写、可随意修改,此类规则只能过滤默认标识,不能作为安全控制手段)
acl bad_agent hdr_sub(User-Agent) -i curl wget
http-request deny if bad_agent

ACL-flags - ACL匹配模式

-i 不区分大小写
-m 使用指定的pattern匹配方法
-n 不做DNS解析
-u 禁止acl重名,否则多个同名ACL匹配或关系

ACL-operator - ACL 操作符

整数比较:eq、ge、gt、le、lt
字符比较:
- exact match (-m str) :字符串必须完全匹配模式
- substring match (-m sub) :在提取的字符串中查找模式,如果其中任何一个被发现,ACL将匹配
- prefix match (-m beg) :在提取的字符串首部中查找模式,如果其中任何一个被发现,ACL将匹配
- suffix match (-m end) :将模式与提取字符串的尾部进行比较,如果其中任何一个匹配,则ACL进行匹配
- subdir match (-m dir) :查看提取出来的用斜线分隔(“/")的字符串,如其中任一个匹配,则ACL进行匹配
- domain match (-m dom) :查找提取的用点(“.")分隔字符串,如果其中任何一个匹配,则ACL进行匹配

ACL-value - value的类型

The ACL engine can match these types against patterns of the following types :
- Boolean #布尔值
- integer or integer range #整数或整数范围,比如用于匹配端口范围
- IP address / network #IP地址或IP范围, 192.168.0.1 ,192.168.0.1/24
- string--> www.mooreyxia.com
exact #精确比较
substring #子串
suffix #后缀比较
prefix #前缀比较
subdir #路径, /wp-includes/js/jquery/jquery.js
domain #域名,www.mooreyxia.com
- regular expression #正则表达式
- hex block #16进制

多个ACL的组合调用方式

#示例:
if valid_src valid_port #与关系,ACL中A和B都要满足为true,默认为与
if invalid_src || invalid_port #或,ACL中A或者B满足一个为true
if ! invalid_src #非,取反,不满足ACL才为true

案例:访问控制案例

53-HAProxy-常用高级功能及生产案例_负载均衡_08

案例一:根据域名匹配服务器

[root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
# 按域名分流示例:根据请求的 Host 首部选择 backend
frontend mooreyxia_http_port
bind 10.0.0.7:80
mode http
balance roundrobin
log global
option httplog
###################### acl setting ###############################
# hdr_dom(host) 匹配的是客户端发送的 Host 首部,该值由客户端控制,只能用于分流,不能当作身份依据
acl pc_domain hdr_dom(host) -i www.mooreyxia.org
acl mobile_domain hdr_dom(host) -i mobile.mooreyxia.org
###################### acl hosts #################################
use_backend pc_hosts if pc_domain
use_backend mobile_hosts if mobile_domain
default_backend pc_hosts #所有ACL都不匹配,则使用的默认backend
###################### backend hosts #############################
backend mobile_hosts
mode http
# 未写端口时,haproxy 使用客户端连接到的端口(本例为 80)
server web1 10.0.0.17 check inter 2000 fall 3 rise 5
backend pc_hosts
mode http
server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

案例二:根据IP地址匹配服务器

[root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
# 按源地址 / 域名分流示例
frontend mooreyxia_http_port
bind 10.0.0.7:80
mode http
balance roundrobin
log global
option httplog
###################### acl setting ###############################
acl pc_domain hdr_dom(host) -i www.mooreyxia.org
acl mobile_domain hdr_dom(host) -i mobile.mooreyxia.org
# src 匹配的是 haproxy 看到的 TCP 连接源地址;若 haproxy 前面还有代理/CDN,src 为代理地址而非真实客户端地址
acl ip_range_test src 172.18.0.0/16 10.0.0.6 #基于源地址的ACL,定义多个ACL的顺序无关
# 注意:ip_range_test2 在本段中定义后未被任何规则引用
acl ip_range_test2 src 172.18.0.200
###################### acl hosts #################################
use_backend pc_hosts if ip_range_test #放在前面的ACL规则优先生效,引用ACL时,严格的ACL应放在前面
use_backend pc_hosts if pc_domain
use_backend mobile_hosts if mobile_domain
default_backend pc_hosts
###################### backend hosts #############################
backend mobile_hosts
mode http
server web1 10.0.0.17 check inter 2000 fall 3 rise 5
backend pc_hosts
mode http
server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

案例三:拒绝指定IP或者IP范围访问

# 拒绝指定源地址访问示例
# src 匹配的是 haproxy 看到的 TCP 连接源地址;若 haproxy 前面还有代理/CDN,
# src 会是代理地址而不是真实客户端地址,此时需改为基于 X-Forwarded-For 中的地址判断
listen web_host
bind 10.0.0.7:80
mode http
balance roundrobin
log global
option httplog
###################### acl setting ###############################
acl acl_deny_src src 10.0.0.6 192.168.0.0/24
###################### acl hosts #################################
# 匹配到的请求在 http 层被拒绝,不会转发到任何 backend
http-request deny if acl_deny_src #2.1版本后,不再支持block
#block if acl_deny_src
#http-request allow
default_backend default_web
###################### backend hosts #############################
# 注意:backend mooreyxia_host 未被本段任何 use_backend / default_backend 引用
backend mooreyxia_host
mode http
server web1 10.0.0.17 check inter 2000 fall 3 rise 5
backend default_web
mode http
server web1 10.0.0.27:80 check inter 2000 fall 3 rise 5

案例三:基于文件后缀名实现动静分离

[root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
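# 基于文件后缀名的动静分离示例
frontend mooreyxia_http_port
bind 10.0.0.7:80
mode http
balance roundrobin
log global
option httplog
###################### acl setting ###############################
# 基于文件后缀名的 ACL(原配置中这条注释被折行,折到下一行的文字会被当作配置指令,导致配置解析报错;这里合并为一行)
acl acl_static path_end -i .jpg .jpeg .png .gif .css .js .html
acl acl_php path_end -i .php
###################### acl hosts #################################
use_backend mobile_hosts if acl_static
use_backend app_hosts if acl_php
default_backend pc_hosts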
###################### backend hosts #############################
backend mobile_hosts
mode http
server web1 10.0.0.17 check inter 2000 fall 3 rise 5

backend pc_hosts
mode http
server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

backend app_hosts
mode http
server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

案例四:匹配访问路径实现动静分离

[root@centos7 ~]#cat /etc/haproxy/conf.d/test.cfg
frontend mooreyxia_http_port
bind 10.0.0.7:80
mode http
balance roundrobin
log global
option httplog
###################### acl setting ###############################
acl acl_static path_beg -i /static /images /javascript #基于路径的ACL
acl acl_static path_end -i .jpg .jpeg .png .gif .css .js .html .htm #ACL同名为或关系
acl acl_app path_beg -i /api
###################### acl hosts #################################
use_backend static_hosts if acl_static
use_backend app_hosts if acl_app
default_backend app_hosts
###################### backend hosts #############################
backend static_hosts
mode http
server web1 10.0.0.17 check inter 2000 fall 3 rise 5
backend app_hosts
mode http
server web2 10.0.0.27:80 check inter 2000 fall 3 rise 5

自定义HAProxy错误页面文件

案例:(errorfile 指定的文件必须是一份完整的 HTTP 响应:状态行和首部之后要有一个空行,再接 HTML 正文)

[root@centos7 ~]#vim /etc/haproxy/haproxy.cfg
defaults
...
errorfile 503 /apps/haproxy/html/503.http
listen
.......
[root@centos7 ~]#vim /apps/haproxy/html/503.http
HTTP/1.1 503 Service Unavailable
Content-Type:text/html;charset=utf-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>报错页面</title>
</head>
<body>
<center><h1>网站维护中......请稍候再试</h1></center>
<center><h2>联系电话:400-123-4567</h2></center>
<center><h3>503 Service Unavailable</h3></center>
</body>
[root@centos7 ~]#systemctl restart haproxy
#将后端服务器down,可以观察到以下页面

HAProxy Https 实现

  • Haproxy 可以实现 Https 的证书安全,即从用户到haproxy为https,从haproxy到后端服务器用http通信

53-HAProxy-常用高级功能及生产案例_负载均衡_09

  • haproxy支持https,基于性能考虑,证书是在后端服务器比如nginx上实现,即用户到haproxy利用tcp模式再到后端服务器

案例:基于tcp 模式实现

#配置haproxy
[root@haproxy certs]#vim /etc/haproxy/conf.d/www.mooreyxia.org.cfg
[root@haproxy certs]#cat /etc/haproxy/conf.d/www.mooreyxia.org.cfg
# https 示例:443 端口由 haproxy 终止 TLS(证书与私钥合并在 haproxy.pem 中),
# haproxy 到后端 10.0.0.202/203 仍为明文 http,haproxy 与后端之间的网络需可信
frontend www.mooreyxia.org
bind 192.168.10.200:80
# haproxy.pem 同时包含私钥,文件权限应限制为仅 haproxy 运行用户可读;本例为自签名证书,浏览器会提示不受信任
bind 192.168.10.200:443 ssl crt /etc/haproxy/certs/haproxy.pem
# 非 https 访问(ssl_fc 为假)时跳转到 https;该判断依赖 http 模式,本段未写 mode,依赖 defaults 中的设置 — 请确认
redirect scheme https if !{ ssl_fc } --> 如果非https访问则跳转至https验证
use_backend www.mooreyxia.org_servers

backend www.mooreyxia.org_servers
server web01 10.0.0.202:80 check inter 3000 fall 3 rise 5
server web02 10.0.0.203:80 check inter 3000 fall 3 rise 5


[root@haproxy certs]#systemctl restart haproxy


#haproxy服务器证书制作
[root@haproxy ~]#mkdir /etc/haproxy/certs/
[root@haproxy ~]#cd /etc/haproxy/certs/
#生成密钥
[root@haproxy certs]#openssl genrsa -out haproxy.key 2048
#生成自签名证书
[root@haproxy certs]#openssl req -new -x509 -key haproxy.key -out haproxy.crt -subj "/CN=www.mooreyxia.org"
[root@haproxy certs]#ls
haproxy.crt haproxy.key
[root@haproxy certs]#sz haproxy.crt
[root@haproxy certs]#sz haproxy.crt

53-HAProxy-常用高级功能及生产案例_负载均衡_10

53-HAProxy-常用高级功能及生产案例_haproxy_11


#把密钥和证书合成一份文件 - 类似nginx做https安全访问时需要的文件(该文件包含私钥,应限制为仅 haproxy 运行用户可读)
[root@haproxy certs]#cat haproxy.key haproxy.crt > haproxy.pem
[root@haproxy certs]#ls
haproxy.crt haproxy.key haproxy.pem
[root@haproxy certs]#cat haproxy.pem
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

测试访问

53-HAProxy-常用高级功能及生产案例_负载均衡_12

我是moore,新年快乐!!!
