HAProxy配置及使用
HAProxy
HAProxy 是一款提供高可用性、负载均衡以及基于TCP(第四层)和HTTP(第七层)应用的代理软件,支持虚拟主机,它是免费、快速并且可靠的一种解决方案。 HAProxy特别适用于那些负载特大的web站点,这些站点通常又需要会话保持或七层处理。HAProxy运行在时下的硬件上,完全可以支持数以万计的 并发连接。并且它的运行模式使得它可以很简单安全的整合进您当前的架构中, 同时可以保护你的web服务器不被暴露到网络上。
HAProxy搭建HTTP负载集群
本次环境为:
环境 | IP地址 | 需要安装的应用 | 系统版本 |
---|---|---|---|
client | 192.168.100.1 | / | RedHat 8 |
LB | 192.168.100.2 | haproxy | RedHat 8 |
RS1 | 192.168.100.3 | httpd | RedHat 8 |
RS2 | 192.168.100.4 | httpd | RedHat 8 |
准备工作:
#LB
[root@LB ~]# systemctl disable --now firewalld
[root@LB ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@LB ~]# setenforce 0
#RS1:
[root@RS1 ~]# systemctl disable --now firewalld
[root@RS1 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@RS1 ~]# setenforce 0
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl enable --now httpd
[root@RS1 ~]# echo haproxy-web1 > /var/www/html/index.html
#RS2:
[root@RS2 ~]# systemctl disable --now firewalld
[root@RS2 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@RS2 ~]# setenforce 0
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl enable --now httpd
[root@RS2 ~]# echo haproxy-web2 > /var/www/html/index.html
安装haproxy
#LB
//下载haproxy
[root@LB ~]# wget https://www.haproxy.org/download/2.3/src/haproxy-2.3.10.tar.gz
[root@LB ~]# ls
anaconda-ks.cfg haproxy-2.3.10.tar.gz
//安装依赖包
[root@LB ~]# yum -y install make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
//创建用户
[root@LB ~]# useradd -r -M -s /sbin/nologin haproxy
//编译安装haproxy
[root@LB ~]# tar xf haproxy-2.3.10.tar.gz
[root@LB ~]# cd haproxy-2.3.10/
[root@DR haproxy-2.3.10]# make -j $(grep 'processor' /proc/cpuinfo |wc -l) \
TARGET=linux-glibc \
USE_OPENSSL=1 \
USE_ZLIB=1 \
USE_PCRE=1 \
USE_SYSTEMD=1
[root@DR haproxy-2.3.10]# make install PREFIX=/usr/local/haproxy
[root@DR haproxy-2.3.10]# cp haproxy /usr/sbin/
配置各个负载的内核参数
#LB
[root@LB ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@LB ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@LB ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
提供配置文件
#LB
[root@LB ~]# mkdir /etc/haproxy
[root@LB ~]# vim /etc/haproxy/haproxy.cfg
global
daemon
maxconn 256
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:80
default_backend servers
backend servers
server web01 192.168.100.3:80
server web02 192.168.100.4:80
[root@LB ~]# haproxy -f /etc/haproxy/haproxy.cfg -c
Configuration file is valid
启动服务
#LB
//直接启动
[root@LB ~]# haproxy -f /etc/haproxy/haproxy.cfg
[root@LB ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
//守护进程启动
[root@LB ~]# vim /usr/lib/systemd/system/haproxy.service
[Unit]
Description=HAProxy Load Balancer
After=syslog.target network.target
[Service]
ExecStartPre=/usr/local/haproxy/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
ExecStart=/usr/local/haproxy/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
ExecReload=/bin/kill -USR2 $MAINPID
[Install]
WantedBy=multi-user.target
[root@LB ~]# systemctl daemon-reload
[root@LB ~]# systemctl enable --now haproxy
[root@LB ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
client访问测试
#client
[root@client ~]# curl 192.168.100.2
haproxy-web1
[root@client ~]# curl 192.168.100.2
haproxy-web2
[root@client ~]# curl 192.168.100.2
haproxy-web1
[root@client ~]# curl 192.168.100.2
haproxy-web2
HAProxy搭建HTTPS负载集群
在以上配置基础下搭建https
# RS上安装mod_ssl
[root@RS1 ~]# yum -y install mod_ssl
[root@RS2 ~]# yum -y install mod_ssl
# 这里就不做证书,使用默认的证书,重启服务查看443是否启动
[root@RS1 ~]# systemctl restart httpd
[root@RS2 ~]# systemctl restart httpd
# 443端口已经起来
[root@RS1 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
[root@RS2 ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
修改配置文件
#LB
[root@LB ~]# vim /etc/haproxy/haproxy.cfg
global
log 127.0.0.1 local2 info
maxconn 20480
chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
user haproxy
group haproxy
daemon
nbproc 1
nbthread 4
spread-checks 5
defaults
mode http
log global
option dontlognull
option httpclose
option http-keep-alive
option redispatch
balance roundrobin
timeout connect 60s
timeout client 30s
timeout server 30s
timeout check 10s
maxconn 60000
retries 3
listen https
bind 0.0.0.0:443
log global
mode tcp
balance roundrobin
server web01 192.168.100.3:443 check inter 2s fall 3 rise 5
server web02 192.168.100.4:443 check inter 2s fall 3 rise 5
[root@LB ~]# mkdir /var/lib/haproxy
//重启服务
[root@LB ~]# systemctl restart haproxy
[root@LB ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
client访问测试
#client
[root@client ~]# curl -k https://192.168.100.2
haproxy-web1
[root@client ~]# curl -k https://192.168.100.2
haproxy-web2
[root@client ~]# curl -k https://192.168.100.2
haproxy-web1
[root@client ~]# curl -k https://192.168.100.2
haproxy-web2
[root@client ~]# curl -k https://192.168.100.2
haproxy-web1
[root@client ~]# curl -k https://192.168.100.2
haproxy-web2
访问haproxy网页界面
//修改配置文件
[root@LB ~]# vim /etc/haproxy/haproxy.cfg
#--------------全局配置----------------
global
log 127.0.0.1 local0 info
#log loghost local0 info
maxconn 20480
#chroot /usr/local/haproxy
pidfile /var/run/haproxy.pid
#maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
#common defaults that all the 'listen' and 'backend' sections will
#use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option dontlognull
option httpclose
option httplog
#option forwardfor
option redispatch
balance roundrobin
timeout connect 10s
timeout client 10s
timeout server 10s
timeout check 10s
maxconn 60000
retries 3
#--------------统计页面配置------------------
listen admin_stats
bind 0.0.0.0:8189
stats enable
mode http
log global
stats uri /haproxy_stats
stats realm Haproxy\ Statistics
stats auth admin:admin
#stats hide-version
stats admin if TRUE
stats refresh 30s
#---------------web设置-----------------------
listen webcluster
bind 0.0.0.0:80
mode http
#option httpchk GET /index.html
log global
maxconn 3000
balance roundrobin
cookie SESSION_COOKIE insert indirect nocache
server web01 192.168.100.3:80 check inter 2000 fall 5
server web02 192.168.100.4:80 check inter 2000 fall 5
#server web01 192.168.80.102:80 cookie web01 check inter 2000 fall 5
//重启服务
[root@LB ~]# systemctl restart haproxy
[root@LB ~]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8189 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
启用日志
#LB
[root@LB ~]# vim /etc/rsyslog.conf
······
# Save boot messages also to boot.log
(插入一行内容如下)
local0.info /var/log/haproxy.log
local7.* /var/log/boot.log
[root@LB ~]# systemctl restart rsyslog
访问测试
访问 192.168.100.2:8189/haproxy_stats
#LB
[root@LB ~]# cat /etc/haproxy/haproxy.cfg
······
#--------------统计页面配置------------------
stats uri /haproxy_stats //访问方式
stats realm Haproxy\ Statistics
stats auth admin:admin //用户名和密码admin