Configuring HAProxy 1.7.5 on CentOS 7 for HTTPS (SSL certificate) alongside HTTP for web applications, with access log statistics
HAProxy can proxy SSL in two ways:

1. HAProxy itself presents the SSL certificate, and the web servers behind it speak plain HTTP (the lazy way).
2. HAProxy only acts as a proxy, and the web servers behind it serve HTTPS.

We choose the mode where SSL is configured on HAProxy, so that we can keep using layer-7 load balancing. The SSL connection terminates at the load balancer: haproxy --> decrypts the SSL connection and sends an unencrypted connection to the backend application nginx. This means the load balancer is responsible for decrypting the SSL connection, which is the opposite of SSL passthrough, where the SSL connection is passed directly to the proxied server.

1. Install dependencies

    # openssl-devel and pcre-devel provide the SSL and PCRE headers for the build
    yum install -y gcc glibc gcc-c++ make openssl openssl-devel readline-devel pcre-devel

2. Generate the certificate

    cd /etc/ssl/certs/
    # Concatenate the private key and the certificate into the single PEM file
    # that the "crt" option of the bind line points to
    cat chinasoft2017.key chinasoft2017.pem | tee chinasoft.pem

3. Compile and install HAProxy from source

    cd /usr/local/src
    wget http://www.haproxy.org/download/1.7/src/haproxy-1.7.5.tar.gz
    tar -zxf haproxy-1.7.5.tar.gz
    cd haproxy-1.7.5
    # USE_OPENSSL=1 builds in the SSL support needed for "bind ... ssl"
    make TARGET=linux2628 USE_OPENSSL=1 ADDLIB=-lz PREFIX=/usr/local/haproxy
    make install

    cp /usr/local/sbin/haproxy /usr/sbin/
    cp examples/haproxy.init /etc/init.d/haproxy
    chmod 755 /etc/init.d/haproxy

Change line 26 of the init script to use double brackets:

    vim /etc/init.d/haproxy

so that line 26 reads:

    [[ ${NETWORKING} = "no" ]] && exit 0

Create the service account and the directories:

    useradd -r haproxy
    mkdir /etc/haproxy
    mkdir /var/lib/haproxy
    mkdir /var/run/haproxy

Edit the configuration file:

    # vim /etc/haproxy/haproxy.cfg
    global
        log 127.0.0.1 local3 info
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid
        maxconn 20480
        user haproxy
        group haproxy
        tune.ssl.default-dh-param 2048
        daemon
        stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
        stats timeout 2m

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.1
        option redispatch
        retries 3
        maxconn 20480
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 1m
        timeout http-keep-alive 10s
        timeout check 10s

    # HTTPS: SSL terminates here, traffic to the backend is plain HTTP
    frontend https_frontend
        bind *:443 ssl crt /etc/ssl/certs/chinasoft.pem
        mode http
        option httpclose
        option forwardfor
        reqadd X-Forwarded-Proto:\ https
        default_backend web_server

    backend web_server
        mode http
        balance roundrobin
        cookie SERVERID insert indirect nocache
        server s1 192.168.3.13:8080 check cookie s1

    # Plain HTTP
    frontend weblb
        bind *:80
        mode http
        option forwardfor
        reqadd X-Forwarded-Proto:\ http
        default_backend httpserver

    backend httpserver
        balance source
        server web1 192.168.3.13:8080 maxconn 10240 weight 3 check inter 2000 rise 2 fall 3

4. Enable HAProxy logging in rsyslog

① Edit /etc/rsyslog.conf and remove the # in front of these two lines:

    $ModLoad imudp
    $UDPServerRun 514

② After the line

    local7.* /var/log/boot.log

add:

    # Save haproxy log
    local3.* /var/log/haproxy/haproxy.log

③ Edit /etc/sysconfig/rsyslog and change SYSLOGD_OPTIONS="" to:

    SYSLOGD_OPTIONS="-r -m 2 -c 2"

Restart the rsyslog and haproxy services, and HAProxy will start writing its log.

    systemctl restart rsyslog
    systemctl restart haproxy

    [root@localhost haproxy]# tail -f /var/log/haproxy/haproxy.log
    Dec 21 15:36:34 localhost haproxy[17336]: 192.168.3.22:9697 [21/Dec/2017:15:36:34.614] weblb httpserver/web1 0/0/0/0/0 304 175 - - ---- 4/4/0/0/0 0/0 "GET / HTTP/1.1"
    Dec 21 15:36:34 localhost haproxy[17336]: 192.168.3.22:9697 [21/Dec/2017:15:36:34.620] weblb httpserver/web1 0/0/1/0/1 304 175 - - ---- 4/4/0/0/0 0/0 "GET /nginx-logo.png HTTP/1.1"
    Dec 21 15:36:34 localhost haproxy[17336]: 192.168.3.22:9696 [21/Dec/2017:15:36:34.621] weblb httpserver/web1 0/0/1/0/1 304 175 - - ---- 4/4/0/0/0 0/0 "GET /poweredby.png HTTP/1.1"
    Dec 21 15:36:42 localhost haproxy[17336]: 192.168.3.22:9699 [21/Dec/2017:15:36:42.804] https_frontend~ web_server/s1 0/0/0/1/1 304 175 - - --VN 5/1/0/0/0 0/0 "GET / HTTP/1.1"
    ...
HAProxy log format
# Count requests per HAProxy node and status code, sorted by number of requests
# cat haproxy.log |awk '{print $8" " $11}'|sort -n |uniq -c |sort -n -r
# Count requests per HAProxy node, status code and URL, sorted by number of requests
# cat haproxy.log |awk '{print $8" " $11 " "$19}'|sort -n |uniq -c |sort -n -r
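
The awk field numbers above shift as soon as a log line gains captured-header blocks, and $8 keeps the "~" that HAProxy appends to the frontend name on SSL listeners. The following Python parser is an added example, not part of the original post: it matches the httplog layout shown in the tail output above and produces the same per-frontend status/URL counts; the function names are hypothetical, and dropping the query string before counting is an assumption of this example.

```python
import re
from collections import Counter

# Layout of an "option httplog" line as written by rsyslog in the tail output above.
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+):\d+ \[[^\]]+\] '
    r'(?P<frontend>[^\s~]+)(?P<tls>~?) (?P<backend>[^\s/]+)/(?P<server>\S+) '
    r'[\d/+-]+ (?P<status>-?\d+) \+?\d+ \S+ \S+ \S{4} \S+ \S+ '
    r'(?:\{[^}]*\} )*"(?P<request>[^"]*)'
)

# The four request lines from the page's sample tail output.
SAMPLE = '''\
Dec 21 15:36:34 localhost haproxy[17336]: 192.168.3.22:9697 [21/Dec/2017:15:36:34.614] weblb httpserver/web1 0/0/0/0/0 304 175 - - ---- 4/4/0/0/0 0/0 "GET / HTTP/1.1"
Dec 21 15:36:34 localhost haproxy[17336]: 192.168.3.22:9697 [21/Dec/2017:15:36:34.620] weblb httpserver/web1 0/0/1/0/1 304 175 - - ---- 4/4/0/0/0 0/0 "GET /nginx-logo.png HTTP/1.1"
Dec 21 15:36:34 localhost haproxy[17336]: 192.168.3.22:9696 [21/Dec/2017:15:36:34.621] weblb httpserver/web1 0/0/1/0/1 304 175 - - ---- 4/4/0/0/0 0/0 "GET /poweredby.png HTTP/1.1"
Dec 21 15:36:42 localhost haproxy[17336]: 192.168.3.22:9699 [21/Dec/2017:15:36:42.804] https_frontend~ web_server/s1 0/0/0/1/1 304 175 - - --VN 5/1/0/0/0 0/0 "GET / HTTP/1.1"
'''

def parse_line(line):
    """Return the fields of one httplog line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec.pop("request").split()
    # "<BADREQ>" and truncated requests have no separate method and URL.
    rec["method"], url = (parts[0], parts[1]) if len(parts) >= 2 else (None, None)
    rec["path"] = url.split("?", 1)[0] if url else None  # drop the query string
    rec["tls"] = rec["tls"] == "~"  # "~" after the frontend name marks an SSL listener
    rec["status"] = int(rec["status"])
    return rec

def count_requests(lines):
    """Count requests per (frontend, tls, status, path), most frequent first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["frontend"], rec["tls"], rec["status"], rec["path"])] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (frontend, tls, status, path), n in count_requests(SAMPLE.splitlines()):
        print(n, frontend, "https" if tls else "http", status, path)
```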