五、Haproxy一些高级功能配置
一、基于cookie的会话保持
cookie value:为当前server指定cookie值,实现基于cookie的会话黏性
1、配置选项
cookie name [ rewrite | insert | prefix ][ indirect ] [ nocache ][ postonly ] [ preserve ][ httponly ] [ secure ][ domain ]* [ maxidle <idle> ][ maxlife ] name:cookie 的key名称,用于实现持久连接 insert:如果没有就插入新的cookie indirect:不会向客户端发送服务器已经处理过请求的cookie信息,间接 nocache:当client和hapoxy之间有缓存时,不缓存cookie
listen web_host bind 192.168.32.204:80 mode http log global balance roundrobin cookie SERVER-COOKIE insert indirect nocache server web1 10.0.0.201:80 cookie web1 check inter 3000 fall 3 rise 5 server web2 10.0.0.202:80 cookie web2 check inter 3000 fall 3 rise 5
[root@node3 ~]# curl --cookie "SERVER-COOKIE=web1" http://192.168.32.204/index.html web01 10.0.0.201 [root@node3 ~]# curl --cookie "SERVER-COOKIE=web2" http://192.168.32.204/index.html web02 10.0.0.202 #根据cookie的值来分配后端服务器
二、HAProxy状态页
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4-stats%20uri
状态页配置选项
stats enable #基于默认的参数启用stats page stats hide-version #隐藏版本 stats refresh <delay> #设定自动刷新时间间隔 stats uri <prefix> #自定义stats page uri,默认值:/haproxy?stats stats realm <realm> #账户认证时的提示信息,示例:stats realm : HAProxy\ Statistics stats auth <user>:<passwd> #认证时的账号和密码,可使用多次,默认:no authentication stats admin { if | unless } <cond> #启用stats page中的管理功能
listen stats bind :192.168.32.204:9999 stats enable #stats hide-version stats uri /haproxy-status stats realm HAPorxy\ Stats\ Page stats auth haadmin:123456 stats auth admin:123456 #stats refresh 30s #stats admin if TRUE
输入地址192.168.32.204:9999/haproxy-status
输入账号密码,进入了haproxy的状态页
pid = 3698 (process #2, nbproc = 2, nbthread = 2) #pid为当前pid号,process为当前进程号, nbproc和nbthread为一共多少进程和每个进程多少个线程 uptime = 0d 0h00m08s #启动了多长时间 system limits: memmax = unlimited; ulimit-n = 131124 #系统资源限制:内存/最大打开文件数/ maxsock = 131124; maxconn = 65536; maxpipes = 0 #最大socket连接数/单进程最大连接数/最大管道数 maxpipes current conns = 1; current pipes = 0/0; conn rate = 1/sec #当前连接数/当前管道数/当前连接速率 Running tasks: 1/9; idle = 100 % #运行的任务/当前空闲率 active UP:#在线服务器 backup UP:#标记为backup的服务器 active UP, going down:#监测未通过正在进入down过程 backup UP, going down:#备份服务器正在进入down过程 active DOWN, going up:#down的服务器正在进入up过程 backup DOWN, going up:#备份服务器正在进入up过程 active or backup DOWN:#在线的服务器或者是backup的服务器已经转换成了down状态 not checked:#标记为不监测的服务器 active or backup DOWN for maintenance (MAINT) #active或者backup服务器人为下线的 active or backup SOFT STOPPED for maintenance #active或者backup被人为软下线(人为将weight改成0)
session rate(每秒的连接会话信息): Errors(错误统计信息):
cur:每秒的当前会话数量 Req:错误请求量
max:每秒新的最大会话数量 conn:错误链接量
limit:每秒新的会话限制量 Resp:错误响应量
sessions(会话信息): Warnings(警告统计信息):
cur:当前会话量 Retr:重新尝试次数
max:最大会话量R Redis:再次发送次数
limit: 限制会话量
Total:总共会话量 Server(real server信息):
LBTot:选中一台服务器所用的总时间 Status:后端机的状态,包括UP和DOWN
Last:和服务器的持续连接时间 LastChk:持续检查后端服务器的时间
Wght:权重
Bytes(流量统计): Act:活动链接数量
In:网络的字节输入总量 Bck:备份的服务器数量
Out:网络的字节输出总量 Chk:心跳检测时间
Dwn:后端服务器连接后都是DOWN的数量
Denied(拒绝统计信息): Dwntme:总的downtime时间
Req:拒绝请求量 Thrtle:server 状态
Resp:拒绝回复量
在http模式下,基于实际需求修改客户端的请求报文与响应报文,通过reqadd和reqdel在请求报文添加删除字段, 通过rspadd与rspidel在响应报文中添加与删除字段。
在请求报文尾部添加指定首部 reqadd <string> [{if | unless} <cond>] 从请求报文中删除匹配正则表达式的首部 reqdel <search> [{if | unless} <cond>] reqidel <search> [{if | unless} <cond>] 在响应报文尾部添加指定首部 rspadd <string> [{if | unless} <cond>] 示例: rspadd X-Via:\ HAPorxy 从响应报文中删除匹配正则表达式的首部 rspdel <search> [{if | unless} <cond>] rspidel <search> [{if | unless} <cond>] 示例: rspidel server.* #从响应报文删除server信息 rspidel X-Powered-By:.* #从响应报文删除X-Powered-By信息
测试
[root@node3 ~]# curl --head 192.168.32.204 HTTP/1.1 200 OK server: nginx/1.16.1 date: Thu, 07 Jan 2021 16:00:36 GMT content-type: text/html content-length: 17 last-modified: Wed, 06 Jan 2021 14:46:16 GMT etag: "5ff5cd38-11" accept-ranges: bytes set-cookie: SERVER-COOKIE=web2; path=/ cache-control: private
haproxy配置文件
listen web_port bind 192.168.32.204:80 mode http log global balance roundrobin rspidel server.* #删除相应报文的server信息 server web1 10.0.0.201:80 weight 1 check inter 3000 fall 2 rise 5 server web2 10.0.0.202:80 weight 1 check inter 3000 fall 2 rise 5
[root@node3 ~]# curl --head 192.168.32.204 HTTP/1.1 200 OK date: Thu, 07 Jan 2021 16:03:33 GMT content-type: text/html content-length: 17 last-modified: Wed, 06 Jan 2021 14:46:09 GMT etag: "5ff5cd31-11" accept-ranges: bytes
1、配置HAProxy记录日志到指定日志文件中
HAProxy配置
在global配置项定义: log 127.0.0.1 local3 info #基于syslog记录日志到指定设备,级别有(err、warning、info、 debug) listen web_port bind 127.0.0.1:80 mode http log global server web1 127.0.0.1:8080 check inter 3000 fall 2 rise 5 # systemctl restart haproxy
Rsyslog配置
vim /etc/rsyslog.conf $ModLoad imudp $UDPServerRun 514 local3.* /var/log/haproxy.log #local3必须与haproxy配置中的local3一样 # systemctl restart rsyslog
重启syslog服务并访问app页面,然后验证是否生成日志
客户机访问 [root@node3 ~]# curl http://192.168.32.204/index.html web02 10.0.0.202 [root@node3 ~]# curl http://192.168.32.204/index.html web01 10.0.0.201 [root@node3 ~]# curl http://192.168.32.204/index.html web02 10.0.0.202 日志信息 [root@node4 log]# tail -f /var/log/haproxy.log Jan 8 00:16:42 localhost haproxy[4341]: Connect from 192.168.32.203:48456 to 192.168.32.204:80 (web_port/HTTP) Jan 8 00:16:42 localhost haproxy[4341]: Connect from 192.168.32.203:48456 to 192.168.32.204:80 (web_port/HTTP) Jan 8 00:16:43 localhost haproxy[4341]: Connect from 192.168.32.203:48458 to 192.168.32.204:80 (web_port/HTTP) Jan 8 00:16:43 localhost haproxy[4341]: Connect from 192.168.32.203:48458 to 192.168.32.204:80 (web_port/HTTP) Jan 8 00:16:43 localhost haproxy[4341]: Connect from 192.168.32.203:48460 to 192.168.32.204:80 (web_port/HTTP) Jan 8 00:16:43 localhost haproxy[4341]: Connect from 192.168.32.203:48460 to 192.168.32.204:80 (web_port/HTTP)
将特定信息记录在日志中
capture cookie <name> len <length> #捕获请求和响应报文中的 cookie并记录日志 capture request header <name> len <length> #捕获请求报文中指定的首部内容和长度并记录日志 capture response header <name> len <length> #捕获响应报文中指定的内容和长度首部并记录日志 示例: capture request header Host len 256 capture request header User-Agent len 512 capture request header Referer len 15
配置
listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog #日志格式选项 capture request header X-Forwarded-For len 15 capture request header User-Agent len 512 cookie SERVER-COOKIE insert indirect nocache server web1 10.0.0.201:80 cookie web1 check inter 3000 fall 3 rise 5 server web2 10.0.0.202:80 cookie web2 check inter 3000 fall 3 rise 5
重启后测试
客户端访问 [root@node3 ~]# curl http://192.168.32.204/index.html web01 10.0.0.201 [root@node3 ~]# curl http://192.168.32.204/index.html web02 10.0.0.202 日志信息 [root@node4 haproxy]# tail -f /var/log/haproxy.log Jan 8 00:22:23 localhost haproxy[4993]: 192.168.32.203:48466 [08/Jan/2021:00:22:23.467] web_port web_port/web1 0/0/0/1/1 200 221 - - --NI 1/1/0/0/0 0/0 {|curl/7.29.0} "GET /index.html HTTP/1.1" Jan 8 00:22:23 localhost haproxy[4993]: 192.168.32.203:48468 [08/Jan/2021:00:22:23.868] web_port web_port/web2 0/0/0/0/0 200 221 - - --NI 1/1/0/0/0 0/0 {|curl/7.29.0} "GET /index.html HTTP/1.1"
对响应给客户端的报文进行压缩,以节省网络带宽,但是会占用部分CPU性能。
1、配置选项
compression algo #启用http协议中的压缩机制,常用算法有gzip deflate identity #调试使用的压缩方式 gzip #常用的压缩方式,与各浏览器兼容较好 deflate #有些浏览器不支持 raw-deflate #新出的压缩方式 compression type #要压缩的文件类型
listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog #capture request header X-Forwarded-For len 15 #capture request header User-Agent len 512 compression algo gzip deflate compression type compression type text/plain text/html text/css text/xml text/javascript application/javascript cookie SERVER-COOKIE insert indirect nocache server web1 10.0.0.201:80 cookie web1 check inter 3000 fall 3 rise 5 server web2 10.0.0.202:80 cookie web2 check inter 3000 fall 3 rise 5
基于不同的监测方式,对后端real server进行状态监测
option httpchk option httpchk <uri> option httpchk <method> <uri> option httpchk <method> <uri> <version>
基于四层的传输端口做状态监测
基于指定URI 做状态监测
基于指定URI的request请求头部内容做状态监测
listen web_host bind 192.168.7.101:80 mode http balance roundrobin log global option httplog #option httpchk GET /app/monitor/check.html HTTP/1.0 option httpchk HEAD /app/monitor/check.html HTTP/1.0\r\nHost:\ 192.168.7.102 cookie SERVER-COOKIE insert indirect nocache server web1 192.168.7.103:80 cookie web1 check inter 3000 fall 3 rise 5 server web2 192.168.7.104:80 cookie web2 check inter 3000 fall 3 rise 5
七、ACL
访问控制列表(ACL,Access Control Lists)是一种基于包过滤的访问控制技术,它可以根据设定的条件对经过服 务器传输的数据包进行过滤(条件匹配),即对接收到的报文进行匹配和过滤,基于请求报文头部中的源地址、源端 口、目标地址、目标端口、请求方法、URL、文件后缀等信息内容进行匹配并执行进一步操作,比如允许其通过或 丢弃。 http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7
1、ACL配置选项
acl <aclname> <criterion> [flags] [operator] [<value>]
acl 名称 匹配规范 匹配模式 具体操作符 操作对象类型
acl image_service hdr_dom(host) -i img.magedu.com ACL名称,可以使用大字母A-Z、小写字母a-z、数字0-9、冒号:、点.、中横线和下划线,并且严格区分大小写,必 须Image_site和image_site完全是两个acl。
定义ACL匹配规范 hdr([<name> [,<occ>]]):完全匹配字符串,header的指定信息 hdr_beg([<name> [,<occ>]]):前缀匹配,header中指定匹配内容的begin hdr_end([<name> [,<occ>]]):后缀匹配,header中指定匹配内容end hdr_dom([<name> [,<occ>]]):域匹配,header中的domain name hdr_dir([<name> [,<occ>]]):路径匹配,header的uri路径 hdr_len([<name> [,<occ>]]):长度匹配,header的长度匹配 hdr_reg([<name> [,<occ>]]):正则表达式匹配,自定义表达式(regex)模糊匹配 hdr_sub([<name> [,<occ>]]):子串匹配,header中的uri模糊匹配 dst 目标IP dst_port 目标PORT src 源IP src_port 源PORT 示例: hdr(<string>) 用于测试请求头部首部指定内容 hdr_dom(host) 请求的host名称,如 www.magedu.com hdr_beg(host) 请求的host开头,如 www. img. video. download. ftp. hdr_end(host) 请求的host结尾,如 .com .net .cn path_beg 请求的URL开头,如/static、/images、/img、/css path_end 请求的URL中资源的结尾,如 .gif .png .css .js .jpg .jpeg 有些功能是类似的,比如以下几个都是匹配用户请求报文中host的开头是不是www: acl short_form hdr_beg(host) www. acl alternate1 hdr_beg(host) -m beg www. acl alternate2 hdr_dom(host) -m beg www. acl alternate3 hdr(host) -m beg www.
ACL匹配模式 -i 不区分大小写 -m 使用指定的pattern匹配方法 -n 不做DNS解析 -u 禁止acl重名,否则多个同名ACL匹配或关系
ACL 操作符 整数比较:eq、ge、gt、le、lt 字符比较: - exact match (-m str) :字符串必须完全匹配模式 - substring match (-m sub) :在提取的字符串中查找模式,如果其中任何一个被发现,ACL将匹配 - prefix match (-m beg) :在提取的字符串首部中查找模式,如果其中任何一个被发现,ACL将匹配 - suffix match (-m end) :将模式与提取字符串的尾部进行比较,如果其中任何一个匹配,则ACL进行匹配 - subdir match (-m dir) :查看提取出来的用斜线分隔(“/”)的字符串,如果其中任何一个匹配,则ACL进 行匹配 - domain match (-m dom) :查找提取的用点(“.”)分隔字符串,如果其中任何一个匹配,则ACL进行匹配
value的类型 The ACL engine can match these types against patterns of the following types : - Boolean #布尔值 - integer or integer range #整数或整数范围,比如用于匹配端口范围 - IP address / network #IP地址或IP范围, 192.168.0.1 ,192.168.0.1/24 - string--> www.magedu.com exact –精确比较 substring—子串 suffix-后缀比较 prefix-前缀比较 subdir-路径, /wp-includes/js/jquery/jquery.js domain-域名,www.magedu.com - regular expression #正则表达式 - hex block #16进制
ACL调用方式: - 与:隐式(默认)使用 - 或:使用“or” 或 “||”表示 - 否定:使用“!“ 表示 示例: if valid_src valid_port #与关系,A和B都要满足为true if invalid_src || invalid_port #或,A或者B满足一个为true if ! invalid_src #非,取反,A和B哪个也不满足为true
3.1 ACL示例-域名匹配
listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog acl web_host hdr_dom(host) www.magedu.net use_backend magedu_host if web_host default_backend default_web backend magedu_host mode http server web1 10.0.0.201:80 check inter 2000 fall 3 rise 5 backend default_web mode http server web1 10.0.0.202:80 check inter 2000 fall 3 rise 5
将指定的源地址调度至指定的web服务器组。 listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog acl ip_range_test src 10.0.0.0/16 192.168.32.201 use_backend magedu_host if ip_range_test default_backend default_web backend magedu_host mode http server web1 10.0.0.201 check inter 2000 fall 3 rise 5 backend default_web mode http server web1 10.0.0.202:80 check inter 2000 fall 3 rise 5
拒绝指定IP或者IP范围访问 listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog acl block_test src 192.168.32.203 192.168.0.0/24 block if block_test default_backend default_web backend magedu_host mode http server web1 10.0.0.201 check inter 2000 fall 3 rise 5 backend default_web mode http server web1 10.0.0.202:80 check inter 2000 fall 3 rise 5
匹配客户端浏览器,将不同类型的浏览器调动至不同的服务器组 listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog acl web_host hdr_dom(host) www.magedu.net use_backend magedu_host if web_host acl redirect_test hdr(User-Agent) -m sub -i "Mozilla/5.0 (Windows NT 6.1; WOW64;Trident/7.0; rv:11.0) like Gecko" redirect prefix http://192.168.32.201 if redirect_test default_backend default_web backend magedu_host mode http server web1 10.0.0.201 check inter 2000 fall 3 rise 5 backend default_web mode http server web1 10.0.0.202:80 check inter 2000 fall 3 rise 5
listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog acl php_server path_end -i .php use_backend php_server_host if php_server acl image_server path_end -i .jpg .png .jpeg .gif use_backend image_server_host if image_server default_backend default_web backend php_server_host mode http server web1 10.0.0.203 check inter 2000 fall 3 rise 5 backend image_server_host mode http server web1 10.0.0.201 check inter 2000 fall 3 rise 5 backend default_web mode http server web1 10.0.0.202:80 check inter 2000 fall 3 rise 5
listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog acl static_path path_beg -i /static /images /javascript use_backend static_path_host if static_path default_backend default_web backend static_path_host mode http server web1 10.0.0.201 check inter 2000 fall 3 rise 5 backend default_web mode http server web1 10.0.0.202:80 check inter 2000 fall 3 rise 5
listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog acl static_path path_beg -i /static /images /javascript use_backend static_path_host if static_path acl badguy_deny src 192.168.32.200 http-request deny if badguy_deny http-request allow default_backend default_web backend static_path_host mode http server web1 10.0.0.201 check inter 2000 fall 3 rise 5 backend default_web mode http server web1 10.0.0.202:80 check inter 2000 fall 3 rise 5
http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.4
预定义ACL
ACL name Equivalent to Usage FALSE always_false never match HTTP req_proto_http match if protocol is valid HTTP HTTP_1.0 req_ver 1.0 match HTTP version 1.0 HTTP_1.1 req_ver 1.1 match HTTP version 1.1 HTTP_CONTENT hdr_val(content-length) gt 0 match an existing content-length HTTP_URL_ABS url_reg ^[^/:]*:// match absolute URL with scheme HTTP_URL_SLASH url_beg / match URL beginning with "/" HTTP_URL_STAR url * match URL equal to "*" LOCALHOST src 127.0.0.1/8 match connection from local host METH_CONNECT method CONNECT match HTTP CONNECT method METH_DELETE method DELETE match HTTP DELETE method METH_GET method GET HEAD match HTTP GET or HEAD method METH_HEAD method HEAD match HTTP HEAD method METH_OPTIONS method OPTIONS match HTTP OPTIONS method METH_POST method POST match HTTP POST method METH_PUT method PUT match HTTP PUT method METH_TRACE method TRACE match HTTP TRACE method RDP_COOKIE req_rdp_cookie_cnt gt 0 match presence of an RDP cookie REQ_CONTENT req_len gt 0 match data in the request buffer TRUE always_true always match WAIT_END wait_end wait for end of content analysis
预定义ACL使用
listen web_host bind 192.168.32.204:80 mode http balance roundrobin log global option httplog acl static_path path_beg -i /static /images /javascript use_backend static_path_host if HTTP_1.1 TRUE static_path default_backend default_web backend php_server_host mode http server web1 192.168.32.203 check inter 2000 fall 3 rise 5 backend static_path_host mode http server web1 10.0.0.201 check inter 2000 fall 3 rise 5 backend default_web mode http server web1 10.0.0.202:80 check inter 2000 fall 3 rise 5
I have a dream so I study hard!!!