HAProxy
Open-source software written in C that provides high availability, load balancing, and proxying for TCP (layer 4) and HTTP (layer 7) applications;
With HAProxy you can quickly and reliably build a proxy solution for TCP- and HTTP-based applications, with support for virtual hosting;
HAProxy implements an event-driven, single-process model, which allows it to handle a very large number of connections;
HAProxy supports connection rejection: because keeping a connection open costs it very little, it can rate-limit attack bots, a feature that has saved many small sites from DDoS attacks;
HAProxy supports fully transparent proxying (a typical firewall feature): it can connect to backend servers using the client's IP address or any other address. This feature is only available on Linux 2.4/2.6 kernels patched with cttproxy (recent kernels provide the same capability natively through TPROXY, without the patch). It also makes it possible to direct part of the traffic to a particular server without changing that server's address.
Main features of HAProxy
1 - route HTTP requests depending on statically assigned cookies
2 - spread load among several servers while assuring server persistence through the use of HTTP cookies
3 - switch to backup servers in the event a main server fails
4 - accept connections to special ports dedicated to service monitoring
5 - stop accepting connections without breaking existing ones
6 - add, modify, and delete HTTP headers in both directions
7 - block requests matching particular patterns
8 - report detailed status to authenticated users from a URI intercepted by the application
Program environment
Main binary: /usr/sbin/haproxy
Configuration file: /etc/haproxy/haproxy.cfg
Unit file: /usr/lib/systemd/system/haproxy.service
Configuration sections
global: global configuration section
    parameters for process management and security
    performance tuning parameters
    debugging parameters
proxies: proxy configuration section
    defaults: provides default settings for frontend, listen and backend sections;
    frontend: the front end, equivalent to nginx's server {}
    backend: the back end, equivalent to nginx's upstream {}
    listen: a frontend and a backend combined in one section
Simple configuration example:
    frontend web
        bind *:80
        default_backend websrvs
    backend websrvs
        balance roundrobin
        server srv1 172.16.100.6:80 check
        server srv2 172.16.100.7:80 check
The global section in detail
Global configuration section
1 Process management and security
* 1.1 ca-base: base directory prepended to relative "ca-file" paths
* 1.2 chroot: change the root directory of the process after startup; requires starting as root, and confines the process if it is compromised
* 1.3 crt-base: base directory prepended to relative "crt" paths
* 1.4 daemon: run in the background as a daemon
* 1.5 gid: numeric group ID to switch to after startup; should be set
* 1.6 uid: numeric user ID to switch to after startup; should be set
* 1.7 group: same as gid, but given as a group name
* 1.8 log: log <address> [len <length>] <facility> [max level [min level]]
  * 1.8.0 at most two global log servers can be defined
  * 1.8.1 address: address of the log collector (IPv4/IPv6 with an optional port, or a UNIX socket path)
  * 1.8.2 len: maximum length of a log line, 1024 bytes by default
  * 1.8.3 facility: one of the 24 syslog facilities: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, auth2, ftp, ntp, audit, alert, cron2, local0..local7
  * 1.8.4 level: emerg, alert, crit, err, warning, notice, info, debug
* 1.9 log-send-hostname: include the host name in log lines
* 1.10 nbproc: number of processes to start; at most the number of CPU cores, and the official advice is to keep the default (1)
* 1.11 ulimit-n: maximum number of open files for the process; HAProxy computes it automatically from maxconn, and the official advice is not to set it
* 1.12 user: same as uid, but given as a user name
* 1.13 stats: the runtime API socket ("stats socket") and its timeout/maxconn
* 1.14 ssl-server-verify: whether certificates presented by TLS backend servers are verified ("required", the default, or "none")
* 1.15 node: node name shown on the stats page
* 1.16 description: free-form description shown on the stats page
* 1.17 unix-bind: default prefix, mode, user and group for UNIX socket binds
To use log, the local rsyslog service must be running. HAProxy's log directive sends syslog datagrams over UDP, so rsyslog needs its UDP input loaded (a TCP-only listener such as $InputTCPServerRun would never receive them). Edit /etc/rsyslog.conf and add the following lines:
    $ModLoad imudp
    $UDPServerRun 514
    local2.* /var/log/haproxy.log
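The following is an added example of a hardened global section built from the parameters above; it is not from the original page or from the HAProxy project. The chroot directory, the haproxy user and group, the socket path and the capacity numbers are assumptions chosen for illustration.

```haproxy
global
    # Send logs as syslog over UDP to the local rsyslog listener on facility
    # local2, at level info and above (matches the rsyslog lines above).
    log 127.0.0.1 local2 info

    # Sockets are bound as root first; then drop to an unprivileged identity
    # and lock the process into an (assumed, empty, non-writable) directory.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

    # Runtime API socket. "level admin" can enable/disable servers, so make it
    # owner-only and keep it on a filesystem path, never a network port.
    stats socket /var/lib/haproxy/stats mode 600 level admin user haproxy group haproxy

    # Capacity limits; ulimit-n is derived from maxconn, so it is left unset.
    maxconn 20000
    maxconnrate 2000
    maxsslconn 5000

    # Base directories so "ca-file" and "crt" arguments can be relative paths.
    ca-base /etc/ssl/certs
    crt-base /etc/haproxy/certs

    # Verify certificates of TLS backends. "required" is already the default;
    # "none" would silently disable verification for every "ssl" server line.
    ssl-server-verify required
    # Raise the ephemeral DH parameter size above the historical 1024-bit default.
    tune.ssl.default-dh-param 2048

defaults
    mode http
    # Inherit the global log servers and use the HTTP log format.
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
```

With chroot in place, anything HAProxy must open after startup (the stats socket is created before the chroot, but for example a reload that re-reads certificates is not) has to be reachable inside the new root; keep the directory empty and owned by root so a compromised worker gains nothing from it.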
Performance tuning
System tuning
- max-spread-checks: upper bound on the delay that spread-checks adds between health checks
- maxconn: maximum number of concurrent connections per process; usually needs adjusting
- maxconnrate: maximum number of connections per second per process, i.e. the most connections accepted per second
- maxcomprate: maximum HTTP compression throughput, in kilobytes per second
- maxcompcpuusage: maximum CPU usage (percent) that compression may consume
- maxpipes: maximum number of pipes used for kernel splicing
- maxsessrate: maximum session rate; once it is reached, new connections are no longer accepted until the next second
- maxsslconn: maximum number of SSL connections per process
- maxsslrate: maximum number of SSL sessions per second
- noepoll, nokqueue, nopoll: disable the respective polling mechanism
- nosplice: disable kernel TCP splicing
- nogetaddrinfo: disable the use of getaddrinfo() for name resolution
- spread-checks <0..50 in percent>: randomly spread health checks by this percentage of their interval
- tune.bufsize
- tune.chksize
- tune.comp.maxlevel
- tune.http.cookielen
- tune.http.maxhdr
- tune.idletimer
- tune.maxaccept
- tune.maxpollevents
- tune.maxrewrite
- tune.pipesize
- tune.rcvbuf.client
- tune.rcvbuf.server
- tune.sndbuf.client
- tune.sndbuf.server
- tune.ssl.cachesize
- tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.zlib.memlevel
- tune.zlib.windowsize
Debugging
- debug: debug mode (runs in the foreground and logs everything; never use it in production)
- quiet: quiet mode (suppress startup messages)
The proxies section in detail
Proxy configuration section
Proxy configuration can be located in a set of sections :
defaults <name>
frontend <name>
backend <name>
listen <name>
A "defaults" section sets default parameters for all other sections following its declaration. Those default parameters are reset by the next "defaults" section. See below for the list of parameters which can be set in a "defaults" section. The name is optional but its use is encouraged for better readability.
A "frontend" section describes a set of listening sockets accepting client connections.
A "backend" section describes a set of servers to which the proxy will connect to forward incoming connections.
A "listen" section defines a complete proxy with its frontend and backend parts combined in one section. It is generally useful for TCP-only traffic.
All proxy names must be formed from upper and lower case letters, digits, '-' (dash), '_' (underscore), '.' (dot) and ':' (colon). Proxy names are case-sensitive, which means that "www" and "WWW" are two different proxies.
bind
Bind an IP address and port
bind [<address>]:<port_range> [, ...] [param*]
bind /<path> [, ...] [param*]
Define one or several listening addresses and/or ports in a frontend.
May be used in sections:  defaults | frontend | listen | backend
                             no    |   yes    |  yes   |   no
Examples:
    listen http_proxy
        bind :80,:443
        bind 10.0.0.1:10080,10.0.0.1:10443
        bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
    listen http_https_proxy
        bind :80
        bind :443 ssl crt /etc/haproxy/site.pem
    listen http_https_proxy_explicit
        bind ipv6@:80
        bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
        bind unix@ssl-frontend.sock user root mode 600 accept-proxy
    listen external_bind_app1
        bind "fd@${FD_APP1}"
balance
Define the scheduling algorithm
balance <algorithm> [ <arguments> ]
balance url_param <param> [check_post]
Define the load balancing algorithm to be used in a backend.
May be used in sections:  defaults | frontend | listen | backend
                             yes   |    no    |  yes   |   yes
1 roundrobin: round-robin;
2 static-rr: each server is used in turn according to its weight, but statically: weights cannot be changed on the fly, there is no limit on the number of servers, and there is no smooth switchover;
3 leastconn: the server with the fewest connections is chosen first; ties are broken with round-robin; intended for long sessions, not for HTTP;
4 first: fill the first server up to its maxconn, then start using the second, then the third, and so on;
5 source: hash of the client source IP, equivalent to Nginx ip_hash and to LVS source hashing (sh);
6 uri: hash the URI so that the same URI is always sent to the same server; suited to cache servers; the hashing method depends on hash-type;
7 url_param: hash the named URL parameter so that all requests from the same user go to the same server (falls back to round-robin when the parameter is absent); the hashing method depends on hash-type;
8 hdr(name): look up the HTTP header <name> in each request and hash its value to choose the server; the hashing method depends on hash-type;
9 rdp-cookie(name): look for the RDP cookie in each incoming TCP request and hash it; a degraded persistence mode for Terminal Server sessions; the hashing method depends on hash-type;
hash-type: hashing algorithm
hash-type <method> <function> <modifier>
Specify a method to use for mapping hashes to servers
May be used in sections:  defaults | frontend | listen | backend
                             yes   |    no    |  yes   |   yes
<method>
    map-based: modulo of the hash by the total weight; the hash structure is a static array, so adding or removing a server remaps most keys;
    consistent: consistent hashing; the hash structure is a tree, so adding or removing a server only moves the keys that belonged to it;
<function> is the hash function to be used:
    sdbm
    djb2
    wt6
<modifier>
    avalanche
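An added example (not from the original page or the HAProxy project) that puts the hash-based balance algorithms and hash-type together. The backend names, server addresses (RFC 5737 documentation range), weights and the "uid" parameter are assumptions.

```haproxy
# Cache tier: hash the request URI so a given object always lands on the
# same cache node. With "consistent", when cache3 fails its health check
# only the keys that mapped to cache3 move; with the default "map-based"
# method the modulo changes and nearly every key would be remapped.
backend cache_pool
    balance uri
    hash-type consistent sdbm avalanche
    server cache1 192.0.2.11:80 check weight 10
    server cache2 192.0.2.12:80 check weight 10
    server cache3 192.0.2.13:80 check weight 5

# Session tier: pin a client by the "uid" query parameter. check_post also
# searches the body of POST requests; when the parameter is absent the
# request falls back to round-robin.
backend app_pool
    balance url_param uid check_post
    hash-type consistent
    server app1 192.0.2.21:8080 check
    server app2 192.0.2.22:8080 check

# Source-address hashing (nginx ip_hash / LVS sh). Every client behind one
# NAT gateway shares a server, so this is a weak persistence mechanism and a
# single large NAT can overload one backend.
backend tcp_pool
    mode tcp
    balance source
    hash-type consistent
    server s1 192.0.2.31:22 check
    server s2 192.0.2.32:22 check

# Route on a header. use_domain_only reduces the Host value to its domain
# part, so www.example.com and example.com hash to the same server.
backend by_host
    balance hdr(Host) use_domain_only
    server h1 192.0.2.41:80 check
    server h2 192.0.2.42:80 check
```

"hash-type consistent" also makes weight changes issued over the stats socket take effect immediately, which map-based hashing cannot do because its array is built once at startup.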
default_backend
default_backend <backend>
Specify the backend to use when no "use_backend" rule has been matched.
May be used in sections:  defaults | frontend | listen | backend
                             yes   |   yes    |  yes   |   no
Example:
    use_backend dynamic if url_dyn
    use_backend static if url_css url_img extension_img
    default_backend dynamic
server
server <name> <address>[:[port]] [param*]
Declare a server in a backend (define the backend hosts and their options)
May be used in sections:  defaults | frontend | listen | backend
                             no    |    no    |  yes   |   yes
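An added example, written for this page rather than taken from it or from the HAProxy project, that ties the use_backend/default_backend routing above to the server options of this section and to features 1, 6, 7 and 8 from the feature list. The ACL names, backend names, addresses, cookie name and the stats credentials are assumptions.

```haproxy
frontend web
    bind *:80
    mode http
    # ACLs (names chosen for this example); -i makes matching case-insensitive.
    acl url_static path_beg -i /static/ /images/ /css/ /js/
    acl url_static path_end -i .jpg .png .gif .css .js
    acl bad_method method TRACE TRACK
    # Block requests matching a pattern: answers 403 before any backend is chosen.
    http-request deny if bad_method
    # Edit headers in both directions.
    http-request set-header X-Forwarded-Proto http
    http-response del-header Server
    # The first matching use_backend wins; default_backend catches the rest.
    use_backend static if url_static
    default_backend dynamic

backend static
    balance roundrobin
    # check: enable health checks; inter: check interval; fall/rise: failed or
    # passed checks before a state change; maxconn: per-server concurrency cap,
    # excess requests wait in the queue instead of overloading the server.
    server st1 192.0.2.21:80 check inter 2s fall 3 rise 2 maxconn 500
    server st2 192.0.2.22:80 check inter 2s fall 3 rise 2 maxconn 500

backend dynamic
    balance roundrobin
    # Cookie persistence: "indirect" keeps the cookie from reaching the server,
    # "nocache" adds Cache-Control: private when the cookie is inserted so a
    # shared cache cannot hand one client's cookie to another.
    cookie SRV insert indirect nocache
    server app1 192.0.2.31:8080 cookie app1 check weight 10
    server app2 192.0.2.32:8080 cookie app2 check weight 10
    # backup: only receives traffic once every non-backup server is down.
    server app3 192.0.2.33:8080 cookie app3 check backup

# Status page for authenticated users, bound to loopback only.
listen stats
    bind 127.0.0.1:9000
    mode http
    stats enable
    stats uri /haproxy?stats
    stats refresh 10s
    stats auth admin:ChangeMe
    # Allow enabling/disabling servers from the page; it is already
    # reachable only after authentication on the loopback interface.
    stats admin if TRUE
```

The stats listener deliberately does not bind on "*": the page exposes server names, addresses and, with "stats admin", a way to take servers out of rotation, so it belongs behind a local interface or a separate management network rather than next to the public frontend.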