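2.17. HAProxy Load Balancing: Installation and Configuration Explained
2.17.1. Introduction
HAProxy provides high availability, load balancing, and proxying for TCP- and HTTP-based applications, with support for virtual hosts. It is a free, fast, and reliable solution.
HAProxy is particularly suited to very heavily loaded web sites, which often also need session persistence or layer-7 processing.
Running on current hardware, HAProxy can support tens of thousands of concurrent connections. Its mode of operation also makes it simple and safe to integrate into your existing architecture, while keeping your web servers from being exposed to the network.
HAProxy implements an event-driven, single-process model that supports a very large number of concurrent connections. Multi-process or multi-threaded models are constrained by memory limits, the system scheduler, and pervasive locking, and can rarely handle thousands of concurrent connections. The event-driven model avoids these problems because it performs all of these tasks in user space, where resource and time management are better. The drawback of this model is that such programs usually scale poorly on multi-core systems, which is why they must be optimized so that each CPU cycle does more work.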
2.17.2. Installation
Quick installation of the HAProxy cluster software
The HAProxy source package can be downloaded from the official site, http://haproxy.1wt.eu/. This example uses CentOS 6.3, and the downloaded package is the current stable version, haproxy-1.4.24.tar.gz. The installation steps are as follows:
[root@haproxy-server app]# tar zxvf haproxy-1.4.24.tar.gz
[root@haproxy-server app]# cd haproxy-1.4.24
[root@haproxy-server haproxy-1.4.24]# make TARGET=linux26 PREFIX=/usr/local/haproxy
# Install HAProxy under /usr/local/haproxy
[root@haproxy-server haproxy-1.4.24]# make install PREFIX=/usr/local/haproxy
# HAProxy does not create a configuration directory by default; create one here
[root@haproxy-server haproxy-1.4.24]# mkdir /usr/local/haproxy/conf
# After installation there is no configuration file in the install directory; copy the sample configuration file from the source package into the configuration directory
[root@haproxy-server haproxy-1.4.24]# cp examples/haproxy.cfg /usr/local/haproxy/conf
HAProxy is now installed.
Installation example 2
# Download
wget https://www.haproxy.org/download/1.9/src/haproxy-1.9.0.tar.gz
# Extract
tar -zxvf haproxy-1.9.0.tar.gz
cd haproxy-1.9.0
# Install
make TARGET=linux2628 ARCH=x86_64 PREFIX=/usr/local/haproxy
make install PREFIX=/usr/local/haproxy
# Parameter notes
TARGET=linux26 # Kernel version; check it with uname -r. For example, for 2.6.18-371.el5 this parameter is linux26; for kernels newer than 2.6.28 use TARGET=linux2628
ARCH=x86_64 # System word size
PREFIX=/usr/local/haproxy # /usr/local/haproxy is the HAProxy installation path
For the installation steps, see:
https://support.huaweicloud.com/prtg-kunpengwebs/kunpenghaproxy_02_0005.html
Installing HAProxy on CentOS 7
2.17.3. HAProxy Logging Configuration Explained
2.17.4. Configuration (create the file yourself)
/usr/local/haproxy/haproxy.cfg
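########### Global configuration #########
global
log 127.0.0.1 local0 # [Log output: all logs are recorded on the local host, via local0]
log 127.0.0.1 local1 notice # Defines the HAProxy log level [err warning info debug]
daemon # Run HAProxy in the background
nbproc 1 # Number of processes
maxconn 4096 # Default maximum number of connections; take the ulimit-n limit into account
#user haproxy # User that HAProxy runs as
#group haproxy # Group of the user that HAProxy runs as
#pidfile /var/run/haproxy.pid # HAProxy process PID file
#ulimit-n 819200 # ulimit count limit
#chroot /usr/share/haproxy # chroot directory
#debug # HAProxy debug mode; recommended only when running a single process
#quiet
######## Defaults ############
defaults
log global
mode http # Default mode { tcp|http|health }: tcp is layer 4, http is layer 7, health only returns OK
option httplog # Log format: use httplog
option dontlognull # Do not log null connections (e.g. health-check probes)
retries 2 # After two failed connection attempts the server is considered unavailable; can also be set later
#option forwardfor # Needed if backend servers must obtain the real client IP; the client IP can then be read from the HTTP header
option httpclose # Actively close the HTTP channel after each request; HAProxy does not support keep-alive and can only emulate it this way
#option redispatch # When the server for a serverId goes down, force redirection to another healthy server; will no longer be supported in the future
option abortonclose # When server load is high, automatically drop connections that have been queued for a long time
maxconn 4096 # Default maximum number of connections
timeout connect 5000ms # Connect timeout
timeout client 30000ms # Client timeout
timeout server 30000ms # Server timeout
#timeout check 2000 # Health-check timeout
#timeout http-keep-alive 10s # Default persistent-connection timeout
#timeout http-request 10s # Default HTTP request timeout
#timeout queue 1m # Default queue timeout
balance roundrobin # Default load-balancing method: round robin
#balance source # Default load-balancing method: similar to nginx's ip_hash
#balance leastconn # Default load-balancing method: least connections
######## Statistics page ########
listen stats
bind 0.0.0.0:1080 # listen is a combined frontend and backend; the name of the monitoring group can be chosen as needed
mode http # HTTP layer-7 mode
option httplog # Use the HTTP log format
#log 127.0.0.1 local0 err # Error logging
maxconn 10 # Default maximum number of connections
stats refresh 30s # Auto-refresh interval of the statistics page
stats uri /stats # URL of the statistics page
stats realm XingCloud\ Haproxy # Prompt text in the statistics page password dialog
stats auth admin:admin # User and password for the monitoring page (admin); several users can be defined
stats auth Frank:Frank # User and password for the monitoring page (Frank)
stats hide-version # Hide the HAProxy version on the statistics page
stats admin if TRUE # Allow manually enabling/disabling backend servers (haproxy-1.4.9 and later)
######## HAProxy error pages #####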
#errorfile 403 /home/haproxy/haproxy/errorfiles/403.http
#errorfile 500 /home/haproxy/haproxy/errorfiles/500.http
#errorfile 502 /home/haproxy/haproxy/errorfiles/502.http
#errorfile 503 /home/haproxy/haproxy/errorfiles/503.http
#errorfile 504 /home/haproxy/haproxy/errorfiles/504.http
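############# frontend configuration ##############
frontend main
bind *:80 # Using bind *:80 is recommended here; otherwise there are problems in a high-availability cluster: once the VIP moves to another machine, the service can no longer be reached.
acl web hdr(host) -i www.abc.com # acl is followed by the rule name; -i ignores case; then comes the domain being accessed. A request for www.abc.com triggers the web rule.
acl img hdr(host) -i img.abc.com # A request for img.abc.com triggers the img rule.
use_backend webserver if web # If the web rule defined above is triggered (a request for www.abc.com), dispatch the request to the webserver backend.
use_backend imgserver if img # If the img rule defined above is triggered (a request for img.abc.com), dispatch the request to the imgserver backend.
default_backend dynamic # If nothing matches, use the default backend
############## backend configuration ##############
backend webserver # The webserver backend
mode http
balance roundrobin # balance roundrobin is round-robin load balancing; balance source keeps session affinity; static-rr, leastconn, first, uri and other values are also supported
option httpchk GET /index.html HTTP/1.0 # Health check against a file: if index.html cannot be reached on a backend, requests are no longer dispatched to it
server web1 10.16.0.9:8085 cookie 1 weight 5 check inter 2000 rise 2 fall 3
server web2 10.16.0.10:8085 cookie 2 weight 3 check inter 2000 rise 2 fall 3
# cookie 1 sets the server id to 1; check inter 1500 is the health-check interval
# rise 2 means the server is considered available after 2 successful checks; fall 3 means unavailable after 3 failed checks; weight is the server weight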
backend imgserver
mode http
option httpchk /index.php
balance roundrobin
server img01 192.168.137.101:80 check inter 2000 fall 3
server img02 192.168.137.102:80 check inter 2000 fall 3
backend dynamic
balance roundrobin
server test1 192.168.1.23:80 check maxconn 2000
server test2 192.168.1.24:80 check maxconn 2000
listen tcptest
bind 0.0.0.0:5222
mode tcp
option tcplog # Use the TCP log format
balance source
#log 127.0.0.1 local0 debug
server s1 192.168.100.204:7222 weight 1
server s2 192.168.100.208:7222 weight 1
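The `listen stats` section above binds the statistics page to 0.0.0.0, uses passwords equal to the user names, and enables `stats admin if TRUE`. The following Python check is an added example, not part of the original page or of HAProxy: it flags those settings in a configuration file. The finding names, the `stats_local` section and its password are constructed for illustration.

```python
import re

# Constructed sample input: the "listen stats" block from the configuration
# above, followed by a tighter variant (its name, port and password are made up).
SAMPLE_CFG = """\
global
log 127.0.0.1 local0
defaults
mode http
listen stats
bind 0.0.0.0:1080
stats uri /stats
stats auth admin:admin
stats auth Frank:Frank
stats hide-version
stats admin if TRUE
listen stats_local
bind 127.0.0.1:1081
stats uri /stats
stats auth ops:constructed-Long-Passphrase-42
stats hide-version
stats admin if LOCALHOST
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b(.*)$")
WILDCARD_HOSTS = {"", "*", "0.0.0.0", "::"}
COMMON_PASSWORDS = {"admin", "password", "haproxy", "123456"}
# "stats socket/timeout/maxconn" in global configure the admin socket, not the page.
SOCKET_KEYWORDS = {"socket", "timeout", "maxconn"}


def parse_sections(text):
    """Split haproxy.cfg text into [(kind, name, [directive token lists])]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # naive comment stripping
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            rest = match.group(2).split()
            directives = []
            if len(rest) > 1:  # old syntax: "listen name addr:port"
                directives.append(["bind", rest[1]])
            sections.append((match.group(1), rest[0] if rest else "", directives))
        elif sections:
            sections[-1][2].append(line.split())
    return sections


def audit_stats(text):
    """Return sorted (section, finding) pairs for risky statistics-page settings."""
    findings = set()
    for kind, name, directives in parse_sections(text):
        stats = [d[1:] for d in directives
                 if d[0] == "stats" and len(d) > 1 and d[1] not in SOCKET_KEYWORDS]
        if not stats:
            continue
        label = f"{kind} {name}".strip()
        if kind == "defaults":
            # Every proxy that does not override it inherits the stats page.
            findings.add((label, "stats-inherited-from-defaults"))
        hosts = [addr.rsplit(":", 1)[0]
                 for d in directives if d[0] == "bind" and len(d) > 1
                 for addr in d[1].split(",")]
        if any(host in WILDCARD_HOSTS for host in hosts):
            findings.add((label, "stats-on-all-interfaces"))
        creds = [s[1] for s in stats if s[0] == "auth" and len(s) > 1]
        if not creds and not any(s[0] == "http-request" for s in stats):
            findings.add((label, "stats-without-auth"))
        for cred in creds:
            user, _, password = cred.partition(":")
            if password.lower() in COMMON_PASSWORDS or password.lower() == user.lower():
                findings.add((label, f"weak-password:{user}"))
        if any(s[0] == "admin" and [t.upper() for t in s[1:]] == ["IF", "TRUE"]
               for s in stats):
            findings.add((label, "admin-unconditional"))
    return sorted(findings)


if __name__ == "__main__":
    for section, finding in audit_stats(SAMPLE_CFG):
        print(f"{section}: {finding}")
```

The same function can be run over the other configurations on this page; sections that place `stats uri` in `defaults` are reported because every proxy inherits the page.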
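2.17.5. Load-Balancing Algorithms
1. roundrobin: simple round robin. Each server is used in turn according to its weight. This is the smoothest and fairest algorithm when the servers' processing time is evenly distributed. The algorithm is dynamic: the weight of a slow-starting server is adjusted at run time.
2. static-rr: weight-based; worth attention. Each server is used in turn according to its weight, similar to roundrobin, but it is static, meaning that changing a weight at run time has no effect. In addition, it places no limit on the number of servers.
3. leastconn: the server with the fewest connections is served first; worth attention. leastconn is recommended for long-session services such as LDAP, SQL and TSE, and is not suited to short-session protocols such as HTTP. The algorithm is dynamic: the weight of a slow-starting server is adjusted at run time.
4. source: based on the request's source IP; worth attention. The source IP address is hashed, the hash is divided by the total weight of the available servers, and the request is assigned according to the result.
As long as the servers stay up, the same client IP address always reaches the same server. If the hash result changes because the number of available servers changes, clients are directed to a different server.
This algorithm is generally used in TCP mode, where cookies cannot be inserted. It can also be used across a WAN to provide the most effective stickiness for clients that refuse session cookies.
The algorithm is static by default, so changing a server's weight at run time has no effect, but it adapts to changes of "hash-type".
5. uri: based on the request URI. The left part of the request URI (before the question mark) is hashed, the hash is divided by the total weight of the available servers, and the request is assigned according to the result.
As long as the servers stay up, the same URI always reaches the same server.
It is generally used for proxy caches and anti-virus proxies to maximize the cache hit rate. The algorithm can only be used with HTTP backends.
It is generally used when the backends are cache servers.
The algorithm is static by default, so changing a server's weight at run time has no effect, but it adapts to changes of "hash-type".
6. url_param: based on a URL parameter of the request; 'balance url_param' requires a URL parameter name.
The URL parameter specified in <param> is looked up in the query string of HTTP GET requests, which essentially makes it possible to pin requests to a particular load-balanced node by using specially crafted URLs.
This algorithm is generally used to send the same user's information to the same backend server.
The algorithm is static by default, so changing a server's weight at run time has no effect, but it adapts to changes of "hash-type".
7. hdr(name): pins each HTTP request according to an HTTP request header.
The HTTP header <name> is looked up in each HTTP request and used to direct the request to a particular node.
If the header is absent or has no value, roundrobin is used instead.
The algorithm is static by default, so changing a server's weight at run time has no effect, but it adapts to changes of "hash-type".
8. rdp-cookie(name): pins and hashes each TCP request according to cookie(name).
The RDP cookie <name> is looked up and hashed for each incoming TCP request.
This mechanism serves as a degraded persistence mode that always sends the same user or the same session ID to the same server.
If there is no cookie, the roundrobin algorithm is used instead.
The algorithm is static by default, so changing a server's weight at run time has no effect, but it adapts to changes of "hash-type".
# Each of these algorithms has its own uses; the ones we use most in practice are roundrobin, source and leastconn.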
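The remapping described for `source` above, shown as an added example that is not from the original page or from HAProxy's code. It is a simplified Python model that compares a table indexed by hash modulo total weight with a consistent-hash ring (the alternative selected with `hash-type consistent`, which goes beyond the text). SHA-256 stands in for HAProxy's internal hash; server s3, the weights and the client addresses are constructed.

```python
import bisect
import hashlib

# Constructed inputs: s1/s2 mirror the "listen tcptest" servers above; s3, the
# weights and the client addresses (documentation ranges) are made up.
SERVERS = {"s1": 2, "s2": 1, "s3": 1}
CLIENTS = [f"203.0.113.{i}" for i in range(1, 255)] + \
          [f"198.51.100.{i}" for i in range(1, 255)]


def h32(value):
    """Stable 32-bit hash; SHA-256 stands in for HAProxy's internal hash."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:4], "big")


def map_based(servers):
    """Static table with one slot per unit of weight, indexed by hash % total weight."""
    table = [name for name, weight in sorted(servers.items()) for _ in range(weight)]
    return lambda ip: table[h32(ip) % len(table)]


def consistent(servers, points_per_weight=64):
    """Hash ring: each server owns weight * points_per_weight points."""
    ring = sorted((h32(f"{name}#{i}"), name)
                  for name, weight in servers.items()
                  for i in range(weight * points_per_weight))
    hashes = [point for point, _ in ring]

    def pick(ip):
        # First ring point at or after the client's hash, wrapping around.
        return ring[bisect.bisect_left(hashes, h32(ip)) % len(ring)][1]
    return pick


def remap_report(make_picker, servers, failed, clients):
    """Count clients whose server changes when `failed` leaves the pool."""
    before = make_picker(servers)
    after = make_picker({n: w for n, w in servers.items() if n != failed})
    moved = [ip for ip in clients if before(ip) != after(ip)]
    return {
        "clients": len(clients),
        "moved": len(moved),
        # Clients that were on a healthy server and still lost their mapping.
        "moved_from_healthy": sum(1 for ip in moved if before(ip) != failed),
    }


if __name__ == "__main__":
    for label, maker in (("map-based", map_based), ("consistent", consistent)):
        print(label, remap_report(maker, SERVERS, "s2", CLIENTS))
```

With the modulo table, clients that were on healthy servers also lose their mapping when s2 leaves the pool, which matters when session state lives only on the backend; with the ring, only clients of the failed server move.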
2.17.6. Defining ACL Rules
######## ACL policy definitions #########################
1. # Returns true if the requested domain matches the regular expression; -i ignores case
acl denali_policy hdr_reg(host) -i ^(www.inbank.com|image.inbank.com)$
2. # Returns true if the requested domain matches www.inbank.com; -i ignores case
acl tm_policy hdr_dom(host) -i www.inbank.com
3. # Returns true if the request URL contains sip_apiname=, otherwise false
acl invalid_req url_sub -i sip_apiname= # Defines a policy named invalid_req
4. # Returns true if timetask appears as part of the path in the request URL, otherwise false
acl timetask_req url_dir -i timetask
5. # Returns true when the number of Content-length headers in the request is 0 (the header is missing)
acl missing_cl hdr_cnt(Content-length) eq 0
######### Matching ACL policies to actions ###################
1. # When the request has no Content-length header, block the request and return 403
block if missing_cl
2. # block denies the request and returns a 403 error; here the request is blocked if it does not match invalid_req, or if it matches timetask_req.
block if !invalid_req || timetask_req
3. # When denali_policy matches, use the denali_server backend
use_backend denali_server if denali_policy
4. # When tm_policy matches, use the tm_server backend
use_backend tm_server if tm_policy
5. # reqisetbe selects a backend according to the defined keyword pattern
reqisetbe ^Host:\ img dynamic
reqisetbe ^[^\ ]*\ /(img|css)/ dynamic
reqisetbe ^[^\ ]*\ /admin/stats stats
6. # When none of the above match, use the default mms_server backend
default_backend mms
2.17.7. haproxy.cfg Configuration Examples
Configuration example
Front-end scheduler IP: 192.168.1.210
Back-end application server IPs: 192.168.1.111 and 192.168.1.112
1. Define a separate log file
[root@node1 haproxy]# vim /etc/rsyslog.conf # Add logging support
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514 ------> Enable UDP; once the port is open, rsyslog works as a server
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514 ------> Enable the TCP listening port
local2.* /var/log/haproxy.log
[root@node1 haproxy]# service rsyslog restart
[root@LB haproxy]# vim haproxy.cfg
log 127.0.0.1 local2 info ---------> Add this line to the global section
2. A minimal HTTP service configuration
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend webser # webser is the name
option forwardfor
bind *:80
default_backend app
backend app
balance roundrobin # Use the roundrobin algorithm
server app1 192.168.1.111:80 check
server app2 192.168.1.112:80 check
3. HAProxy statistics page output
frontend webser
log 127.0.0.1 local3
option forwardfor
bind *:80
default_backend app
backend app
cookie node insert nocache
balance roundrobin
server app1 192.168.1.111:80 check cookie node1 inter 2s rise 1 fall 2
server app2 192.168.1.112:80 check cookie node2 inter 2s rise 1 fall 2
server backup 127.0.0.1:8010 check backup
listen statistics
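bind *:8009 # Custom listening port
stats enable # Enable the statistics report with the compile-time default settings
stats auth admin:admin # User name and password for the statistics page
stats uri /admin?stats # Custom URL of the statistics page; the default is /haproxy?stats
stats hide-version # Hide the HAProxy version on the statistics page
stats refresh 30s # Auto-refresh interval of the statistics page
stats admin if TRUE # Enable the admin functions once authenticated; backend servers can then be managed
stats realm Hapadmin # Prompt text in the statistics page password dialog; the default is Haproxy\ Statistics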
4. Static/dynamic content separation example
frontend webservs
bind *:80
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js .html
acl url_php path_end -i .php
acl host_static hdr_beg(host) -i img. imgs. video. videos. ftp. image. download.
use_backend static if url_static or host_static
use_backend dynamic if url_php
default_backend dynamic
backend static
balance roundrobin
server node1 192.168.1.111:80 check maxconn 3000
backend dynamic
balance roundrobin
server node2 192.168.1.112:80 check maxconn 1000
5. Complete HTTP server configuration example
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 30000
listen stats
mode http
bind 0.0.0.0:1080
stats enable
stats hide-version
stats uri /haproxyadmin?stats
stats realm Haproxy\ Statistics
stats auth admin:admin
stats admin if TRUE
frontend http-in
bind *:80
mode http
log global
option httpclose
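option logasap # Log without waiting for the response to finish, i.e. log early; logs normally include the response time, which is not recorded in this mode
option dontlognull # Do not log empty connections
capture request header Host len 20 # Capture the first 20 characters of the request header
capture request header Referer len 60 # Referer: the referring page, i.e. the previous page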
default_backend servers
frontend healthcheck
bind :1099 # Defines an external check mechanism
mode http
option httpclose
option forwardfor
default_backend servers
backend servers
balance roundrobin
server websrv1 192.168.1.111:80 check maxconn 2000
server websrv2 192.168.1.112:80 check maxconn 200
6. Layer-4 port forwarding
global
ulimit-n 51200
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
daemon
defaults
log global
mode tcp
option dontlognull
timeout connect 600
timeout client 5m
timeout server 5m
frontend 51-in
bind *:2222
default_backend 51-out
backend 51-out
server server1 192.168.122.51:22 maxconn 20480
frontend 101-in
bind *:8080
default_backend 101-out
backend 101-out
server server1 192.168.122.101:8080 maxconn 20480
Xuntou front-end machine (layer 4); the port-forwarding configuration is as follows:
global
log 127.0.0.1 local0
#log 127.0.0.1 local1 notice
#log loghost local0 info
maxconn 4096
ulimit-n 12288
chroot E:\\Agent01/
uid haproxy
gid haproxy
daemon
nbproc 4
pidfile E:\\Xt_agent/haproxy/haproxy.pid
#debug
#quiet
defaults
log 127.0.0.1 local3
mode tcp
option httplog
option dontlognull
option httpclose
option abortonclose
option forwardfor
option redispatch
option nolinger
retries 3
#maxconn 4096
#ulimit-n 12288
balance roundrobin
stats enable
stats uri /ha?stats # Custom URI for viewing the HAProxy running status
contimeout 5000
clitimeout 50000
srvtimeout 50000
listen stock1 0.0.0.0:55300 # Listening port
mode tcp
#option httpchk HEAD /check.txt HTTP/1.0
server s1 210.14.136.66:55300 weight 1 check inter 10s
listen stock2 0.0.0.0:55400 # Listening port
mode tcp
#option httpchk HEAD /check.txt HTTP/1.0
server s2 210.14.136.67:55300 weight 1 check inter 10s
7. Layer-7 load balancing and reverse proxy
global
maxconn 65535
chroot /usr/local/haproxy
uid 99
gid 99
#maxconn 4096
spread-checks 3
daemon
nbproc 1
pidfile /usr/local/haproxy/haproxy.pid
defaults
log 127.0.0.1 local3
mode http
option httplog
option httpclose
option dontlognull
option forwardfor
option redispatch
retries 10
maxconn 2000
stats uri /haproxy-stats
stats auth admin:admin
contimeout 5000
clitimeout 50000
srvtimeout 50000
frontend HAProxy
bind *:80
mode http
option httplog
acl cache_domain path_end .css .js .gif .png .swf .jpg .jpeg
acl cache_dir path_reg /apping
acl cache_jpg path_reg /theme
acl bugfree_domain path_reg /bugfree
use_backend varnish.offer99.com if cache_domain
use_backend varnish.offer99.com if cache_dir
use_backend varnish.offer99.com if cache_jpg
use_backend bugfree.offer99.com if bugfree_domain
default_backend www.offer99.com
backend bugfree.offer99.com
server bugfree 222.35.135.151:80 weight 5 check inter 2000 rise 2 fall 3
backend varnish.offer99.com
server varnish 222.35.135.152:81 weight 5 check inter 2000 rise 2 fall 3
backend www.offer99.com
balance source
option httpchk HEAD /index.php HTTP/1.0
server web1 222.35.135.154:80 weight 5 check inter 2000 rise 2 fall 3
server web2 222.35.135.155:80 weight 5 check inter 2000 rise 2 fall 3
2.17.8. Load-Balancing Example 1
[root@docker-test HAProxy]# cat haproxy.cfg
global
log 127.0.0.1 local0
maxconn 4096
chroot /usr/local/sbin
daemon
nbproc 4
pidfile /usr/local/sbin/haproxy.pid
defaults
log 127.0.0.1 local3
mode http
option dontlognull
option redispatch
retries 2
maxconn 2000
balance roundrobin
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
listen redis_proxy
bind 0.0.0.0:6301
stats enable
bind-process 2 # Bind this proxy to process 2
stats uri /haproxy-stats
stats auth phil:NRG93012
server APP1 APP1:8001 check inter 2000 rise 2 fall 5
server APP2 APP2:8002 check inter 2000 rise 2 fall 5
2.17.9. Load-Balancing Example 2
global
log 127.0.0.1 local0 info
maxconn 4096
user nobody
group nobody
daemon
nbproc 1
pidfile /usr/local/haproxy/logs/haproxy.pid
defaults
mode http
retries 3
timeout connect 5s
timeout client 30s
timeout server 30s
timeout check 2s
listen admin_stats
bind 0.0.0.0:19088
mode http
log 127.0.0.1 local0 err
stats refresh 30s
stats uri /haproxy-status
stats realm welcome login\ Haproxy
stats auth admin:xxxxxx
stats hide-version
stats admin if TRUE
frontend www
bind *:80
mode http
option httplog
option forwardfor
log global
acl host_www hdr_dom(host) -i www.tb.com
acl host_img hdr_dom(host) -i img.tb.com
use_backend server_www if host_www
use_backend server_img if host_img
backend server_www
mode http
option redispatch
option abortonclose
balance roundrobin
option httpchk HEAD /index.php
server webapp1 192.168.66.31:80 weight 6 check inter 2000 rise 2 fall 3
server webapp2 192.168.66.32:80 weight 6 check inter 2000 rise 2 fall 3
backend server_img
mode http
option redispatch
option abortonclose
balance roundrobin
option httpchk HEAD /index.html
server webimg1 192.168.66.33:80 weight 6 check inter 2000 rise 2 fall 3
server webimg2 192.168.66.34:80 weight 6 check inter 2000 rise 2 fall 3
2.17.10. Load-Balancing Example 3
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode tcp
log global
retries 3
timeout connect 10s
timeout client 1m
timeout server 1m
frontend ingress80
bind *:80
mode tcp
default_backend ingress8880
backend ingress8880
balance roundrobin
server n1 10.0.0.213:8880 check maxconn 2000
server n2 10.0.0.38:8880 check maxconn 2000
frontend ingress443
bind *:443
mode tcp
default_backend ingress4443
backend ingress4443
balance roundrobin
server n1 10.0.0.213:4443 check maxconn 2000
server n2 10.0.0.38:4443 check maxconn 2000
frontend ingress22
bind *:22
mode tcp
default_backend ingress2222
backend ingress2222
balance roundrobin
server n1 10.0.0.213:2222 check maxconn 2000
server n2 10.0.0.38:2222 check maxconn 2000
2.17.11. Configuration Example: Load Balancing a MySQL Service
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
defaults
mode tcp
log global
option httplog
option dontlognull
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 600
listen stats
mode http
bind 0.0.0.0:1080
stats enable
stats hide-version
stats uri /haproxyadmin?stats
stats realm Haproxy\ Statistics
stats auth admin:admin
stats admin if TRUE
frontend mysql
bind *:3306
mode tcp
log global
default_backend mysqlservers
backend mysqlservers
balance leastconn
server dbsrv1 192.168.1.111:3306 check port 3306 inter 2s rise 1 fall 2 maxconn 300
server dbsrv2 192.168.1.112:3306 check port 3306 inter 2s rise 1 fall 2 maxconn 300
2.17.12. Reverse Proxy Example for Redis and MySQL
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode tcp
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main *:5000
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
use_backend static if url_static
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
balance roundrobin
server static 127.0.0.1:4331 check
frontend main
bind *:3306
mode tcp
log global
default_backend mysqlservers
frontend redis6379
bind *:6379
mode tcp
log global
default_backend redis6379servers
frontend redis6380
bind *:6380
mode tcp
log global
default_backend redis6380servers
#---------------------------------------------------------------------
# round robin balancing between the various backends
backend mysqlservers
balance leastconn
server dbsrv1 192.168.1.30:13306 check
#server dbsrv2 192.168.1.112:3306 check port 3306 inter 2s rise 1 fall 2 maxconn 300
backend redis6379servers
balance leastconn
server r16379 192.168.1.30:16379 check
backend redis6380servers
balance leastconn
server r16380 192.168.1.30:16380 check
GitHub proxy example
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
#stats socket /run/haproxy/admin.sock mode 660 level admin
stats socket /var/lib/haproxy/stats
stats timeout 30s
maxconn 100000
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
mode tcp
log global
retries 3
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
maxconn 100000
#---------------------------------------------------------------------
# gitee-proxy 30808 frontend which proxys to the backends
#---------------------------------------------------------------------
frontend giteeproxy
bind 0.0.0.0:30808
mode tcp
maxconn 60000
default_backend giteeproxy
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend giteeproxy
balance static-rr
server proxy1 141.164.53.201:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy2 141.164.42.149:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy3 141.164.59.220:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy4 158.247.200.100:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy5 158.247.201.180:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy6 158.247.195.237:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy7 141.164.63.7:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy8 141.164.59.21:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy9 158.247.211.2:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy10 141.164.61.234:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy11 158.247.209.23:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy12 141.164.37.87:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy13 141.164.42.188:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy14 141.164.47.132:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy15 158.247.213.86:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy16 158.247.198.157:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy17 141.164.60.88:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy18 158.247.198.78:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy19 141.164.44.175:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
server proxy20 141.164.42.247:30443 maxconn 2000 inter 5000 rise 2 fall 5 weight 2
2.17.13. Starting HAProxy
/usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/haproxy.cfg
2.17.14. Viewing Status
http://192.168.1.22:1080/stats
# Notes:
# 1080 is the listening port in the HAProxy configuration file
# stats is the listen name in the HAProxy configuration file
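2.17.15. OpenStack High-Availability HAProxy Configuration
# OpenStack high-availability HAProxy configuration
########### Global configuration #########
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
daemon
#nbproc 1 # Number of processes
maxconn 4096 # Maximum number of connections
user haproxy # Run-as user
group haproxy # Run-as group
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
######## Defaults ############
defaults
log global
mode http # Default mode { tcp|http|health }
option httplog # Log format: use httplog
option dontlognull # Do not log null connections (e.g. health-check probes)
retries 2 # Unavailable after 2 failed connection attempts
option forwardfor # Let backend services obtain the real client IP
option httpclose # Actively close the HTTP channel after each request
option abortonclose # Under high server load, automatically drop connections queued for a long time
maxconn 4096 # Maximum number of connections
timeout connect 5m # Connect timeout
timeout client 1m # Client timeout
timeout server 31m # Server timeout
timeout check 10s # Health-check timeout
balance roundrobin # Load-balancing method: round robin
######## Statistics page ########
listen stats
bind 0.0.0.0:1080
mode http
option httplog
log 127.0.0.1 local0 err
stats refresh 30s
maxconn 10 # Maximum number of connections
stats uri /admin # Status page, reachable at http://ip:1080/admin
stats realm Haproxy\ Statistics
stats auth admin:admin # User and password: admin
stats hide-version # Hide version information
stats admin if TRUE # Allow manually enabling/disabling servers
######## OpenStack high-availability configuration below ############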
#dashboard_cluster
listen dashboard_cluster
bind controller:80
balance roundrobin
#balance source
option tcpka
option httpchk
option tcplog
server controller1 controller1:8080 check port 8080 inter 2000 rise 2 fall 5
server controller2 controller2:8080 check port 8080 inter 2000 rise 2 fall 5
server controller3 controller3:8080 check port 8080 inter 2000 rise 2 fall 5
#mariadb_cluster
listen mariadb_cluster
mode tcp
bind controller:3306
balance leastconn
option mysql-check user haproxy
server controller1 controller1:3306 weight 1 check inter 2000 rise 2 fall 5
server controller2 controller2:3306 weight 1 check inter 2000 rise 2 fall 5
server controller3 controller3:3306 weight 1 check inter 2000 rise 2 fall 5
#RabbitMQ_cluster
listen RabbitMQ-Server
bind controller:5673
mode tcp
balance roundrobin
option tcpka
timeout client 30m
timeout server 30m
option clitcpka
server controller1 controller1:5672 check inter 5s rise 2 fall 3
server controller2 controller2:5672 check inter 5s rise 2 fall 3
server controller3 controller3:5672 check inter 5s rise 2 fall 3
#RabbitMQ
listen RabbitMQ-Web
bind controller:15673
balance roundrobin
mode tcp
option tcpka
server controller1 controller1:15672 check inter 5s rise 2 fall 3
server controller2 controller2:15672 check inter 5s rise 2 fall 3
server controller3 controller3:15672 check inter 5s rise 2 fall 3
#
#keystone
listen keystone_admin_cluster
bind controller:35357
#balance source
option tcpka
option httpchk
option tcplog
server controller1 controller1:35356 check inter 2000 rise 2 fall 5
server controller2 controller2:35356 check inter 2000 rise 2 fall 5
server controller3 controller3:35356 check inter 2000 rise 2 fall 5
listen keystone_public_cluster
bind controller:5000
#balance source
option tcpka
option httpchk
option tcplog
server controller1 controller1:4999 check inter 2000 rise 2 fall 5
server controller2 controller2:4999 check inter 2000 rise 2 fall 5
server controller3 controller3:4999 check inter 2000 rise 2 fall 5
#glance_api_cluster
listen glance_api_cluster
bind controller:9292
#balance source
option tcpka
option httpchk
option tcplog
server controller1 controller1:9292 check inter 2000 rise 2 fall 5
server controller2 controller2:9292 check inter 2000 rise 2 fall 5
server controller3 controller3:9292 check inter 2000 rise 2 fall 5
#
listen glance_registry_cluster
bind controller:9191
balance source
option tcpka
option tcplog
server controller1 controller1:9191 check inter 2000 rise 2 fall 5
server controller2 controller2:9191 check inter 2000 rise 2 fall 5
server controller3 controller3:9191 check inter 2000 rise 2 fall 5
##nova_compute
listen nova_compute_api_cluster
bind controller:8774
#balance source
option tcpka
option httpchk
option tcplog
server controller1 controller1:8774 check inter 2000 rise 2 fall 5
server controller2 controller2:8774 check inter 2000 rise 2 fall 5
server controller3 controller3:8774 check inter 2000 rise 2 fall 5
#Nova-api-metadata
listen Nova-api-metadata_cluster
bind controller:8775
balance source
option tcpka
option httpchk
option tcplog
server controller1 controller1:8775 check inter 2000 rise 2 fall 5
server controller2 controller2:8775 check inter 2000 rise 2 fall 5
server controller3 controller3:8775 check inter 2000 rise 2 fall 5
#nova_placement
listen nova_placement_cluster
bind controller:8778
#balance source
option tcpka
option tcplog
server controller1 controller1:9778 check inter 2000 rise 2 fall 5
server controller2 controller2:9778 check inter 2000 rise 2 fall 5
server controller3 controller3:9778 check inter 2000 rise 2 fall 5
#nova_vncproxy
listen nova_vncproxy_cluster
bind controller:6080
#balance source
option tcpka
option tcplog
server controller1 controller1:6080 check inter 2000 rise 2 fall 5
server controller2 controller2:6080 check inter 2000 rise 2 fall 5
server controller3 controller3:6080 check inter 2000 rise 2 fall 5
#Neutron_API
listen Neutron_API_cluster
bind controller:9696
#balance source
option tcpka
option tcplog
server controller1 controller1:9696 check inter 2000 rise 2 fall 5
server controller2 controller2:9696 check inter 2000 rise 2 fall 5
server controller3 controller3:9696 check inter 2000 rise 2 fall 5
#Cinder_API_cluster
listen Cinder_API_cluster
bind controller:8776
#balance source
option tcpka
option httpchk
option tcplog
server controller1 controller1:8776 check inter 2000 rise 2 fall 5
server controller2 controller2:8776 check inter 2000 rise 2 fall 5
server controller3 controller3:8776 check inter 2000 rise 2 fall 5
#
Source article: https://www.cnblogs.com/MacoLee/p/5853413.html
HAProxy 1.7 build, installation and configuration: https://www.cnblogs.com/elvi/p/7717582.html
2.17.16. HAProxy SSL Configuration
References: