HAProxy usage examples (comprehensive)

Environment

Hostname       IP address
haproxy        192.168.136.100
webserver1     192.168.136.10
webserver2     192.168.136.20

Configure the IP addresses and the nginx service

haproxy 192.168.136.100

[root@haproxy ~]# dnf install haproxy -y

webserver1 192.168.136.10

[root@webserver1 ~]# yum install nginx -y
[root@webserver1 ~]# echo webserver1 - 192.168.136.10 > /usr/share/nginx/html/index.html 
[root@webserver1 ~]# systemctl start nginx.service 

webserver2 192.168.136.20

[root@webserver2 ~]# yum install nginx -y
[root@webserver2 ~]# echo webserver2 - 192.168.136.20 > /usr/share/nginx/html/index.html 
[root@webserver2 ~]# systemctl start nginx.service 

Check the haproxy configuration files

[root@haproxy ~]# rpm -qc haproxy 
/etc/haproxy/haproxy.cfg
/etc/logrotate.d/haproxy
/etc/sysconfig/haproxy

Let us first look at the basic structure of an HAProxy configuration.

global: global configuration section

  • process and security related parameters
  • performance tuning parameters
  • debug parameters

proxies: proxy configuration section

  • defaults: provides default settings for frontend, backend and listen
  • frontend: the front end, equivalent to server {} in nginx
  • backend: the back end, equivalent to upstream {} in nginx
  • listen: combines frontend and backend in one section; simple to configure and recommended for production

Edit the configuration file

You may want to set vim's indentation first

[root@haproxy ~]# vim ~/.vimrc   
set ts=2 ai sw=4

Edit the configuration file

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg 
Method 1:

Test

[root@localhost ~]# curl 192.168.136.100
webserver1 - 192.168.136.10
[root@localhost ~]# curl 192.168.136.100
webserver2 - 192.168.136.20
[root@localhost ~]# curl 192.168.136.100
webserver1 - 192.168.136.10
[root@localhost ~]# curl 192.168.136.100
webserver2 - 192.168.136.20
Method 2

Test

[root@localhost ~]# curl 192.168.136.100
webserver1 - 192.168.136.10
[root@localhost ~]# curl 192.168.136.100
webserver2 - 192.168.136.20
[root@localhost ~]# curl 192.168.136.100
webserver1 - 192.168.136.10
[root@localhost ~]# curl 192.168.136.100
webserver2 - 192.168.136.20

HAProxy global configuration

Explanation of some parameters

Set multiple processes

Check

[root@haproxy ~]# systemctl restart haproxy.service 
[root@haproxy ~]# pstree -p | grep haproxy
           |-haproxy(1397)-+-haproxy(1399)
           |               `-haproxy(1400)
[root@haproxy ~]# cat /proc/1399/status | grep -i thread
Threads:	1
Speculation_Store_Bypass:	thread vulnerable
[root@haproxy ~]# cat /proc/1400/status | grep -i thread
Threads:	1
Speculation_Store_Bypass:	thread vulnerable

Test:

webserver1 - 192.168.136.10
[root@localhost ~]# curl 192.168.136.100
webserver1 - 192.168.136.10
[root@localhost ~]# curl 192.168.136.100
webserver2 - 192.168.136.20
[root@localhost ~]# curl 192.168.136.100
webserver2 - 192.168.136.20

Enable 2 threads

(Note: only one of nbthread and nbproc can be enabled)

Test

[root@haproxy ~]# systemctl restart haproxy.service 
[root@haproxy ~]# pstree -p | grep haproxy
           |-haproxy(1375)---haproxy(1377)---{haproxy}(1378)
[root@haproxy ~]# cat /proc/1377/status | grep -i thread
Threads:	2
Speculation_Store_Bypass:	thread vulnerable

Customise the log destination

vim /etc/rsyslog.conf

Enable UDP

Define the log location

Set up a backup server

Here I configured an httpd service on the haproxy host itself; you could of course use a separate host for it. To avoid a port conflict with haproxy on port 80, httpd listens on port 8080.

[root@haproxy ~]# dnf install httpd -y
[root@haproxy ~]# vim /etc/httpd/conf/httpd.conf 

[root@haproxy ~]# echo sorry 下班了 > /var/www/html/index.html
[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg 
listen webcluster
    bind *:80
    mode http
    balance roundrobin
    server web1 192.168.136.10:80 check inter 2 fall 3 rise 5 weight 2
    server web2 192.168.136.20:80 check inter 2 fall 3 rise 5 weight 1
    server web_sorry 192.168.136.100:8080 backup

Stop the nginx service on both web1 and web2

Test

Disable (disabled)

When server1 needs maintenance, add disabled to take it offline

To bring it back online, remove disabled

Web redirection

Maximum connections

Dynamic adjustment with socat

Server weights and other states can be adjusted dynamically with the socat tool. Socat is a multi-purpose network tool for Linux; the name comes from "Socket CAT", and it is essentially an enhanced netcat. Its main feature is establishing a bidirectional channel between two data streams, and it supports many protocols and connection types, such as IP, TCP, UDP, IPv6 and Unix socket files.

[root@haproxy ~]# dnf install socat -y

Change the permissions on /var/lib/haproxy

View the help

echo "help" | socat stdio /var/lib/haproxy/stats

View the state: echo "show servers state" | socat stdio /var/lib/haproxy/stats  

Example: use socat to adjust server weights dynamically

Original settings

  

Change the weight and check it

[root@haproxy ~]# echo "set weight webcluster/web1 1" | socat stdio /var/lib/haproxy/stats
[root@haproxy ~]# echo "get weight webcluster/web1" | socat stdio /var/lib/haproxy/stats
1 (initial 2)

 

[root@haproxy ~]# echo "set weight webcluster/web1 2" | socat stdio /var/lib/haproxy/stats
[root@haproxy ~]# echo "get weight webcluster/web1" | socat stdio /var/lib/haproxy/stats
2 (initial 2)

 

Take web1 offline

[root@haproxy ~]# echo "disable server webcluster/web1" | socat stdio /var/lib/haproxy/stats

Only web2 responds

 

Bring it back online

[root@haproxy ~]# echo "enable server webcluster/web1" | socat stdio /var/lib/haproxy/stats
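As an added example (not part of the original post), the following sh helpers wrap the stats-socket commands used above and turn the raw "show servers state" output into one readable line per server, so the effect of "set weight" and "disable server" can be verified. The socket path and backend/server names are the ones from the post; the field layout follows HAProxy's "show servers state" format, and the sample used in testing is constructed.

```sh
#!/bin/sh
# hap_cmd sends one command to the stats socket the post uses; summarize_state
# reads "show servers state" output from stdin and prints one line per server.
STATS_SOCK=${STATS_SOCK:-/var/lib/haproxy/stats}

hap_cmd() {  # e.g. hap_cmd "set weight webcluster/web1 1"
  printf '%s\n' "$1" | socat stdio "$STATS_SOCK"
}

# Output columns: backend/server  address  op-state  admin-state  weight(current/initial)
summarize_state() {
  awk '
    /^#/ || NF < 9 { next }     # skip the format-version line and the header
    {
      # srv_op_state: 0 stopped, 1 starting, 2 running, 3 stopping
      op = ($6 == 2) ? "UP" : ($6 == 0) ? "DOWN" : ($6 == 1) ? "STARTING" : "STOPPING"
      # srv_admin_state is a bitmask: 0x01/0x02/0x04/0x20 = maintenance
      # (what "disable server" sets), 0x08/0x10 = drain
      a = $7 + 0
      maint = int(a/1)%2 + int(a/2)%2 + int(a/4)%2 + int(a/32)%2
      drain = int(a/8)%2 + int(a/16)%2
      adm = maint ? "MAINT" : (drain ? "DRAIN" : "READY")
      # $8 = srv_uweight (current, changed by "set weight"), $9 = srv_iweight (initial)
      printf "%s/%s %s %s %s %s/%s\n", $2, $4, $5, op, adm, $8, $9
    }'
}

# Typical use on the proxy host (needs a running haproxy with the stats socket):
#   hap_cmd "disable server webcluster/web1"
#   hap_cmd "show servers state webcluster" | summarize_state
```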

Handling multiple processes: each process needs its own socket file; how changes are applied on the fly

 

Once the first server is full, requests go on to the next host

The server with the fewest resources in use is picked first; when they are about equal, the weight decides

 

[root@webserver1 ~]# echo 192.168.136.10 - index1.html > /usr/share/nginx/html/index1.html
[root@webserver1 ~]# echo 192.168.136.10 - index2.html > /usr/share/nginx/html/index2.html
[root@webserver1 ~]# echo 192.168.136.10 - index3.html > /usr/share/nginx/html/index3.html
[root@webserver2 ~]# echo 192.168.136.20 - index1.html > /usr/share/nginx/html/index1.html
[root@webserver2 ~]# echo 192.168.136.20 - index2.html > /usr/share/nginx/html/index2.html
[root@webserver2 ~]# echo 192.168.136.20 - index3.html > /usr/share/nginx/html/index3.html

Requests for a given page are always served by the same server

 

Test

Status page configuration

Status page options

Enable the status page

vim /etc/haproxy/haproxy.cfg

 

[root@webserver1 ~]# systemctl stop nginx.service 

 

[root@webserver1 ~]# systemctl start nginx.service 

Cookie-based session persistence

 

 

IP pass-through (client IP transparency)

Layer 7

[root@webserver1 ~]# echo httpd - webserver1 192.168.136.10 > /var/www/html/index.html
[root@webserver1 ~]# systemctl start httpd

 

This can be seen in the log file

Layer 4

Configure this on webserver2, which runs the nginx service

vim /etc/nginx/nginx.conf

Test

httpd cannot do layer-4 IP pass-through at present, and there is basically no need for it

ACL

An Access Control List (ACL) is an access-control technique based on packet filtering.

It filters (condition-matches) the packets passing through the server according to configured conditions: each received message is matched on information in the request header, such as the source address, source port, destination address, destination port, request method, URL and file extension, and a further action is then taken, for example allowing it through or dropping it.

hdr_dom([<name> [,<occ>]]): domain match, e.g. hdr_dom(host) on the Host header

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg
frontend webcluster
    bind *:80
    mode http
    acl test hdr_dom(host) -i www.jieyu.org
    use_backend webcluster-host if test
    default_backend default-host

backend webcluster-host
    mode http
    server web1 192.168.136.10:80 check inter 2 fall 2 rise 5

backend default-host
    mode http
    server web2 192.168.136.20:80 check inter 2 fall 2 rise 5
Add to C:\Windows\System32\drivers\etc\hosts:
192.168.136.100 www.jieyu.org

Test

hdr_end([<name> [,<occ>]]): suffix match on the end of the specified header content

Edit C:\Windows\System32\drivers\etc\hosts:
192.168.136.100 www.jieyu.org www.jieyu.com

Test

hdr_beg([<name> [,<occ>]]): prefix match on the beginning of the specified header content

Edit C:\Windows\System32\drivers\etc\hosts:
192.168.136.100 www.jieyu.org www.jieyu.com bbs.jieyu.com

base_sub: substring match, the base contains a specific string

Edit C:\Windows\System32\drivers\etc\hosts:
192.168.136.100 www.jieyu.org  www.jieyu.edu www.test.com

The string matched in base can be either in the path or in the hostname

[root@webserver1 ~]# mkdir /var/www/html/yu -p
[root@webserver1 ~]# echo 192.168.136.10 yu > /var/www/html/yu/index.html
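The following is an added example, not part of the original post: a small sh emulation of the four matchers used in this section (hdr_dom, hdr_end, hdr_beg, base_sub) and of the frontend's routing decision from the hdr_dom example, so their differences can be checked without a running HAProxy. The host names and backend names are those from the post; the matching rules follow HAProxy's documented semantics (case-insensitive, as with the post's -i flag), and the inputs are constructed.

```sh
#!/bin/sh
# Emulation of HAProxy ACL matchers on a Host header value or on the "base"
# string (Host header followed by the request path), for demonstration only.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# hdr_dom: the pattern must be bounded by the start/end of the string or by one
# of the delimiters / ? . : (HAProxy's "domain match"). Because a dot counts as a
# delimiter, the pattern also matches inside a longer name.
match_dom() {
  v=$(lower "$1"); p=$(lower "$2")
  case "$v" in
    "$p"|"$p"[/?.:]*|*[/?.:]"$p"|*[/?.:]"$p"[/?.:]*) return 0 ;;
  esac
  return 1
}
# hdr_end: suffix match;  hdr_beg: prefix match;  base_sub: substring match
match_end() { v=$(lower "$1"); p=$(lower "$2"); case "$v" in *"$p") return 0 ;; esac; return 1; }
match_beg() { v=$(lower "$1"); p=$(lower "$2"); case "$v" in "$p"*) return 0 ;; esac; return 1; }
match_sub() { v=$(lower "$1"); p=$(lower "$2"); case "$v" in *"$p"*) return 0 ;; esac; return 1; }

# The post's frontend:
#   acl test hdr_dom(host) -i www.jieyu.org
#   use_backend webcluster-host if test
#   default_backend default-host
route_host() {
  if match_dom "$1" "www.jieyu.org"; then echo webcluster-host; else echo default-host; fi
}
```

Note that route_host also sends www.jieyu.org.evil.example to webcluster-host, since the Host header is client-supplied and the domain match accepts the pattern followed by a dot; when one exact host is intended, an exact string match such as hdr(host) -i www.jieyu.org is the stricter choice.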

Substring match in the path (does not match inside the hostname)

Negation

Matching several ACLs at once

Test

Restrict by source address

Or, conversely, deny it

 

Based on the browser

Test

Dynamic/static separation by file extension

Install PHP on web1

[root@webserver1 ~]# yum install php -y
[root@webserver1 ~]# systemctl restart httpd
[root@webserver1 ~]# vim /var/www/html/index.php
<?php
        phpinfo();
?>

Test 

Based on path

On web2
First create the directory
[root@webserver2 ~]# mkdir -p /usr/share/nginx/html/static
Write the file
[root@webserver2 ~]# echo static - 192.168.136.20 > /usr/share/nginx/html/static/index.html
Do the same on web1
[root@webserver1 ~]# mkdir -p /var/www/html/php
[root@webserver1 ~]# mv /var/www/html/index.php /var/www/html/php/

Test

Custom error pages

Based on a custom error page file
[root@haproxy ~]# mkdir -p /etc/haproxy/errorpages
[root@haproxy ~]# vim /etc/haproxy/errorpages/503page.http
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html;charset=UTF-8

<html><body><h1>什么动物生气最安静</h1>
大猩猩!!
</body></html>

Stop the backend hosts and test

Error page based on an HTTP redirect

Visiting 192.168.136.100 in the browser redirects to Baidu automatically

HAProxy layer-4 load balancing

Scenarios for access to TCP-based application services other than HTTP:
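Since HAProxy sends an errorfile byte-for-byte as the response, a malformed file yields a broken reply to every client that hits it. The following added check (not from the original post) verifies a custom error page such as 503page.http above before it is referenced from the configuration: correct status line, a blank line separating headers from body, a Connection: close header, and a size within the default buffer. The function name and the 16384-byte default for tune.bufsize are the only assumptions; the test file is constructed.

```sh
#!/bin/sh
# check_errorfile FILE CODE: return 0 when FILE is a usable raw HTTP response
# for "errorfile CODE FILE"; print the reason on stderr otherwise.
check_errorfile() {
  f=$1; want=$2
  [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
  # status line must name the same code as the errorfile directive
  first=$(head -n 1 "$f" | tr -d '\r')
  case "$first" in
    "HTTP/1.0 $want "*|"HTTP/1.1 $want "*) ;;
    *) echo "$f: status line '$first' is not 'HTTP/1.x $want ...'" >&2; return 1 ;;
  esac
  # headers and body must be separated by an empty line (CRLF or LF endings)
  tr -d '\r' < "$f" | grep -q '^$' \
    || { echo "$f: no blank line between headers and body" >&2; return 1; }
  # without Connection: close the client may reuse the connection after the error
  tr -d '\r' < "$f" | grep -qi '^connection: *close' \
    || echo "$f: warning, no 'Connection: close' header" >&2
  # the whole file must fit in one buffer (tune.bufsize, 16384 bytes by default)
  size=$(wc -c < "$f" | tr -d ' ')
  [ "$size" -lt 16384 ] || { echo "$f: $size bytes exceeds default tune.bufsize" >&2; return 1; }
  return 0
}
```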

MySQL

Redis

Memcache

RabbitMQ 

Note: when using frontend and backend, mode tcp must be specified in both the frontend and the backend sections.

listen mysql-port
bind 10.0.0.7:6379
mode tcp
balance leastconn
server server1 10.0.0.17:3306 check
server server2 10.0.0.27:3306 check backup

Example: layer-4 load balancing for the MySQL service 

Install mariadb-server on webserver1 and webserver2

dnf install mariadb-server -y

Set the server-id

 

[root@webserver1 ~]# systemctl start mariadb.service
[root@webserver1 ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.5.16-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@server_id;
+-------------+
| @@server_id |
+-------------+
|           1 |
+-------------+
1 row in set (0.000 sec)

MariaDB [(none)]> CREATE USER yu@'%' identified by 'yu';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> GRANT ALL ON *.* TO yu@'%';
Query OK, 0 rows affected (0.001 sec)


[root@webserver2 ~]# systemctl start mariadb.service
[root@webserver2 ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.5.16-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> SELECT @@server_id;
+-------------+
| @@server_id |
+-------------+
|           2 |
+-------------+
1 row in set (0.000 sec)


MariaDB [(none)]> CREATE USER yu@'%' identified by 'yu';
Query OK, 0 rows affected (0.001 sec)

MariaDB [(none)]> GRANT ALL ON *.* TO yu@'%';
Query OK, 0 rows affected (0.001 sec)

Install the mariadb client on the proxy host

[root@haproxy ~]# yum install mariadb -y
[root@haproxy ~]# dnf whatprovides */bin/mysql
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Last metadata expiration check: 3:00:44 ago on Sun 11 Aug 2024 07:56:38 PM CST.
mariadb-3:10.5.16-2.el9_0.x86_64 : A very fast and robust SQL database server
Repo        : @System
Matched from:
Filename    : /usr/bin/mysql

mariadb-3:10.5.16-2.el9_0.x86_64 : A very fast and robust SQL database server
Repo        : appstream
Matched from:
Filename    : /usr/bin/mysql

mysql-8.0.30-3.el9_0.x86_64 : MySQL client programs and shared libraries
Repo        : appstream
Matched from:
Filename    : /usr/bin/mysql


[root@haproxy ~]# dnf install mysql-8.0.30-3.el9_0.x86_64 -y

Edit the configuration file 

[root@haproxy ~]# vim /etc/haproxy/haproxy.cfg

listen dbserver
    bind *:3306
    mode tcp
    balance roundrobin
    server db1 192.168.136.10:3306 check inter 2 fall 2 rise 5
    server db2 192.168.136.20:3306 check inter 2 fall 2 rise 5

Test 

[root@haproxy ~]# mysql -uyu -pyu -h192.168.136.100 -e "select @@server_id"
+-------------+
| @@server_id |
+-------------+
| 1 |
+-------------+
[root@haproxy ~]# mysql -uyu -pyu -h192.168.136.100 -e "select @@server_id"
+-------------+
| @@server_id |
+-------------+
| 2 |
+-------------+

HAProxy HTTPS implementation

HAProxy can terminate HTTPS with a certificate: the connection from the user to haproxy is HTTPS, and haproxy talks to the backend servers over HTTP. For performance reasons, however, production deployments usually put the certificate on the backend servers, for example in nginx.

Generate the certificate

[root@haproxy ~]# mkdir /etc/haproxy/certs/
[root@haproxy ~]# openssl req -newkey rsa:2048 -nodes -sha512 -keyout /etc/haproxy/certs/jieyu.org.key -x509 -days 365 -out /etc/haproxy/certs/jieyu.org.crt
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:nanjing
Locality Name (eg, city) [Default City]:nanjing
Organization Name (eg, company) [Default Company Ltd]:jieyu
Organizational Unit Name (eg, section) []:webserver
Common Name (eg, your name or your server's hostname) []:www.jieyu.org
Email Address []:admin@jieyu.org
[root@haproxy ~]# ls /etc/haproxy/certs/
jieyu.org.crt  jieyu.org.key
# import: concatenate the key and the certificate into one PEM file
[root@haproxy ~]# cat /etc/haproxy/certs/jieyu.org.key /etc/haproxy/certs/jieyu.org.crt > /etc/haproxy/certs/jieyu.pem

 


listen web-https
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/jieyu.pem
    balance roundrobin
    server web1 192.168.136.10:80 check inter 2 fall 3 rise 5
    server web2 192.168.136.20:80 check inter 2 fall 3 rise 5

Encrypt the whole site

Redirect to HTTPS automatically

 

Our configuration can also be split into sub-configuration files under /etc/haproxy/conf.d/
