HAProxy Basic Configuration: Changing the User Identity haproxy Runs As
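Author: Yin Zhengjie (尹正杰)
Copyright notice: this is an original work and reprinting is declined. Violations will be pursued legally.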
I. Running haproxy as the system's default nobody user
1>. Edit the haproxy configuration file
[root@node102.yinzhengjie.org.cn ~]# cat /etc/haproxy/haproxy.cfg
global
    maxconn 100000
    chroot /yinzhengjie/softwares/haproxy
    #stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
    uid 99
    gid 99
    daemon
    nbproc 2
    cpu-map 1 0
    cpu-map 2 1
    pidfile /yinzhengjie/softwares/haproxy/run/haproxy.pid
    log 127.0.0.1 local3 info

defaults
    option http-keep-alive
    option forwardfor
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client 300000ms
    timeout server 300000ms

listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:q1w2e3r4ys

listen web_port
    bind 0.0.0.0:80
    mode http
    log global
    server web1 127.0.0.1:8080 check inter 3000 fall 2 rise 5

#frontend web
#    bind 172.30.1.102:80
#    use_backend myweb
#backend myweb
#    server web01 172.30.1.106:80

# The commented-out frontend and backend sections above can be replaced by a single listen section
listen web
    bind 172.30.1.102:80
    server web01 172.30.1.106:80
[root@node102.yinzhengjie.org.cn ~]#
2>. Check the user identity haproxy runs as
[root@node102.yinzhengjie.org.cn ~]# id 99
uid=99(nobody) gid=99(nobody) groups=99(nobody)
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# getent passwd nobody
nobody:x:99:99:Nobody:/:/sbin/nologin
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# ps -ef | grep haproxy
root      20977      1  0 18:24 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
nobody    20981  20977  0 18:24 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
nobody    20982  20977  0 18:24 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
root      21144   3488  0 18:59 pts/0    00:00:00 grep --color=auto haproxy
[root@node102.yinzhengjie.org.cn ~]#
II. Running the haproxy service as a custom user
1>. Create the haproxy user
[root@node102.yinzhengjie.org.cn ~]# useradd haproxy -r -s /sbin/nologin    # "-r" creates a system account, so no home directory is created; "-s /sbin/nologin" means the user cannot log in to the operating system.
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# getent passwd haproxy
haproxy:x:998:996::/home/haproxy:/sbin/nologin
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# id haproxy
uid=998(haproxy) gid=996(haproxy) groups=996(haproxy)
[root@node102.yinzhengjie.org.cn ~]#
2>. Edit the haproxy configuration file
[root@node102.yinzhengjie.org.cn ~]# id haproxy
uid=998(haproxy) gid=996(haproxy) groups=996(haproxy)
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# vim /etc/haproxy/haproxy.cfg
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# cat /etc/haproxy/haproxy.cfg
global
    maxconn 100000
    chroot /yinzhengjie/softwares/haproxy
    #stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
    uid 998
    gid 996
    daemon
    nbproc 2
    cpu-map 1 0
    cpu-map 2 1
    pidfile /yinzhengjie/softwares/haproxy/run/haproxy.pid
    log 127.0.0.1 local3 info

defaults
    option http-keep-alive
    option forwardfor
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client 300000ms
    timeout server 300000ms

listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:q1w2e3r4ys

listen web_port
    bind 0.0.0.0:80
    mode http
    log global
    server web1 127.0.0.1:8080 check inter 3000 fall 2 rise 5

#frontend web
#    bind 172.30.1.102:80
#    use_backend myweb
#backend myweb
#    server web01 172.30.1.106:80

# The commented-out frontend and backend sections above can be replaced by a single listen section
listen web
    bind 172.30.1.102:80
    server web01 172.30.1.106:80
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
3>. Restart the haproxy service so the configuration takes effect
[root@node102.yinzhengjie.org.cn ~]# netstat -untalp | grep haproxy
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      20981/haproxy
tcp        0      0 172.30.1.102:80         0.0.0.0:*               LISTEN      20981/haproxy
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      20981/haproxy
udp        0      0 0.0.0.0:55925           0.0.0.0:*                           20977/haproxy
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl restart haproxy
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# netstat -untalp | grep haproxy
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN      21278/haproxy
tcp        0      0 172.30.1.102:80         0.0.0.0:*               LISTEN      21278/haproxy
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      21278/haproxy
udp        0      0 0.0.0.0:34022           0.0.0.0:*                           21274/haproxy
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
4>. Check the user identity haproxy runs as
[root@node102.yinzhengjie.org.cn ~]# id haproxy
uid=998(haproxy) gid=996(haproxy) groups=996(haproxy)
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# ps -ef | grep haproxy
root      21274      1  0 19:16 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
haproxy   21278  21274  0 19:16 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
haproxy   21279  21274  0 19:16 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
root      21297   3488  0 19:17 pts/0    00:00:00 grep --color=auto haproxy
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]#
5>. Modify the haproxy configuration file
[root@node102.yinzhengjie.org.cn ~]# vim /etc/haproxy/haproxy.cfg
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# getent passwd haproxy
haproxy:x:998:996::/home/haproxy:/sbin/nologin
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# cat /etc/haproxy/haproxy.cfg
global
    maxconn 100000
    chroot /yinzhengjie/softwares/haproxy
    #stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
    #uid 998
    #gid 996
    # The user and group directives can be used instead of the uid and gid settings above
    user haproxy
    group haproxy
    daemon
    nbproc 2
    cpu-map 1 0
    cpu-map 2 1
    pidfile /yinzhengjie/softwares/haproxy/run/haproxy.pid
    log 127.0.0.1 local3 info

defaults
    option http-keep-alive
    option forwardfor
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client 300000ms
    timeout server 300000ms

listen stats
    mode http
    bind 0.0.0.0:9999
    stats enable
    log global
    stats uri /haproxy-status
    stats auth haadmin:q1w2e3r4ys

listen web_port
    bind 0.0.0.0:80
    mode http
    log global
    server web1 127.0.0.1:8080 check inter 3000 fall 2 rise 5

#frontend web
#    bind 172.30.1.102:80
#    use_backend myweb
#backend myweb
#    server web01 172.30.1.106:80

# The commented-out frontend and backend sections above can be replaced by a single listen section
listen web
    bind 172.30.1.102:80
    server web01 172.30.1.106:80
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# systemctl restart haproxy
[root@node102.yinzhengjie.org.cn ~]#
[root@node102.yinzhengjie.org.cn ~]# ps -ef | grep haproxy
root      21318      1  0 19:19 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
haproxy   21321  21318  0 19:19 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
haproxy   21322  21318  0 19:19 ?        00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
root      21324   3488  0 19:19 pts/0    00:00:00 grep --color=auto haproxy
[root@node102.yinzhengjie.org.cn ~]#
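The two manual checks in the steps above (which identity the global section sets, and which user the worker processes actually run as) can be scripted. This is an added example, not part of the original post: the function names, the sample config and the sample `ps -ef` lines are constructed for illustration, and the list of section keywords is an assumption that covers only the common sections.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the identity HAProxy drops to.

# Print "user=<v> group=<v>" from the global section only. uid/gid and user/group
# are both accepted; commented-out directives and userlist entries are ignored.
haproxy_runas() {
    awk '
        $1 == "global" { in_global = 1; next }
        $1 ~ /^(defaults|listen|frontend|backend|userlist|peers|resolvers|mailers)$/ { in_global = 0 }
        in_global && ($1 == "uid" || $1 == "user")  { u = $2 }
        in_global && ($1 == "gid" || $1 == "group") { g = $2 }
        END { printf "user=%s group=%s\n", (u == "" ? "UNSET" : u), (g == "" ? "UNSET" : g) }
    ' "$1"
}

# Succeed only when both user and group are set and neither is root (0).
haproxy_runas_ok() {
    case "$(haproxy_runas "$1")" in
        *UNSET*|*user=0\ *|*user=root\ *|*group=0|*group=root) return 1 ;;
    esac
}

# Read `ps -ef` output on stdin and print the PIDs of haproxy workers (children
# of another haproxy process) that still run as root. No output: privileges dropped.
root_workers() {
    awk '$8 ~ /haproxy$/ { owner[$2] = $1; parent[$2] = $3 }
         END { for (p in owner) if ((parent[p] in owner) && owner[p] == "root") print p }'
}

# Constructed sample input, modelled on the listings in this post.
sample_cfg() {
    printf '%s\n' 'global' '    maxconn 100000' '    #uid 998' '    #gid 996' \
        '    user haproxy' '    group haproxy' '    daemon' 'defaults' '    mode http' \
        'userlist admins' '    user haadmin insecure-password CONSTRUCTED'
}
sample_ps() {
    printf '%s\n' \
        'root    21318     1 0 19:19 ?     00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg' \
        'haproxy 21321 21318 0 19:19 ?     00:00:00 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg' \
        'root    21324  3488 0 19:19 pts/0 00:00:00 grep --color=auto haproxy'
}

cfg=$(mktemp); sample_cfg > "$cfg"
haproxy_runas "$cfg"                                  # → user=haproxy group=haproxy
haproxy_runas_ok "$cfg" && echo "config: privileges dropped"
[ -z "$(sample_ps | root_workers)" ] && echo "processes: no root workers"
rm -f "$cfg"
```

On a live host, call `haproxy_runas_ok /etc/haproxy/haproxy.cfg` and pipe the real `ps -ef` output into `root_workers`; the master process staying root, as in the listings above, is not reported.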
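This article is from cnblogs (博客园), author: Yin Zhengjie. When reprinting, please cite the original link: https://www.cnblogs.com/yinzhengjie/p/12117113.html. Personal WeChat: "JasonYin2020" (when adding, please state your source and purpose; paid service).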