1.Haproxy介绍
Haproxy提供高可用性、负载均衡以及基于TCP(第四层)和HTTP(第七层)应用的代理,支持虚拟主机,它是免费、快速并且可靠的一种解决方案。
haproxy特别适用于那些负载特别大的web站点,这些站点通常又需要会话保持或七层处理。haproxy运行在当前主流的硬件上,完全可以支持数以万计的并发连接,并且它的运行模式使得它可以很简单、安全地整合进您当前的架构中,同时可以避免后端web服务器直接暴露到网络上。
haproxy实现了一种事件驱动、单一进程模型,此模型支持非常大的并发连接数。多进程或多线程模型受内存限制、系统调度器限制以及无处不在的锁限制,很少能处理数千并发连接。事件驱动模型因为在有更好的资源和时间管理的用户端(User-Space)实现所有这些任务,所以没有这些问题。此模型的弊端是,在多核系统上,这些程序通常扩展性较差。这就是为什么他们必须进行优化以使每个CPU时间片(Cycle)做更多的工作。
haproxy的优点
- 免费开源,稳定性也是非常好。单haproxy也跑得不错,稳定性可以与硬件级的F5相媲美。不过单实例本身就是单点,生产环境通常会配合keepalived等做双机热备。
- 根据官方文档,haproxy可以跑满10Gbps,这个数值作为软件级负载均衡器是相当惊人的。
- haproxy支持连接拒绝:因为维护一个已打开连接的开销很低,有时我们很需要限制攻击机器人(attack bots),也就是说限制它们打开连接的速率和数量,从而限制它们造成的危害。这一特性最初是为一个遭受小型DDoS攻击的站点开发的,此后挽救了很多站点(现代版本中一般借助 stick-table 与 tcp-request connection 规则实现),这个优点也是许多其它负载均衡器所没有的。
- haproxy支持全透明代理(已具备硬件防火墙的典型特点):可以用客户端IP地址或者任何其他地址来连接后端服务器。早期该特性需要在Linux 2.4/2.6内核上打tcp proxy补丁;较新的内核已内置TPROXY/IP_TRANSPARENT支持,配合编译选项USE_LINUX_TPROXY即可使用(具体版本要求请以官方文档为准)。注意透明代理模式下后端的回包必须经由haproxy返回,需要相应的路由/策略路由配置。这个特性也使得为某特殊服务器处理部分流量同时又不修改服务器的地址成为可能。
- haproxy现多于线上的Mysql集群环境,我们常用于它作为MySQL(读)负载均衡。
- 自带强大的监控服务器状态的页面,实际环境中我们结合Nagios进行邮件或短信报警。
- HAProxy支持虚拟主机,许多朋友说它不支持虚拟主机是错误的,通过测试我们知道,HAProxy是支持虚拟主机的。
haproxy安装
// 关闭防火墙和selinux(仅限实验环境;生产环境应保留firewalld,只放行80/443,并把统计页面端口限制在管理网段;SELinux建议保持enforcing,按需调整布尔值而不是整体关闭)
[root@DR ~]# systemctl disable --now firewalld.service
[root@DR ~]# setenforce 0
[root@DR ~]# getenforce
Disabled
// 注意:setenforce 0 只是临时切换到Permissive,重启后失效;这里显示Disabled说明/etc/selinux/config中已经是disabled(此时setenforce实际不起作用)。若要永久关闭需修改该文件并重启,但不推荐这样做。
// 安装服务
[root@DR ~]# yum -y install openssl make gcc pcre-devel bzip2-devel openssl-devel systemd-devel
// 创建用户
[root@DR ~]# useradd -r -M -s /sbin/nologin haproxy
// 上传haproxy包
[root@DR ~]# ls
公共 视频 文档 音乐 anaconda-ks.cfg initial-setup-ks.cfg
模板 图片 下载 桌面 haproxy-2.4.0.tar.gz
[root@DR ~]# tar xf haproxy-2.4.0.tar.gz
[root@DR ~]# cd haproxy-2.4.0/
[root@DR haproxy-2.4.0]# ls
addons CONTRIBUTING include Makefile scripts VERDATE
admin dev INSTALL README src VERSION
BRANCHES doc LICENSE reg-tests SUBVERS
CHANGELOG examples MAINTAINERS ROADMAP tests
[root@DR haproxy-2.4.0]# make clean
[root@DR haproxy-2.4.0]# make -j $(nproc) TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_SYSTEMD=1
[root@DR haproxy-2.4.0]# make install prefix=/usr/local/haproxy
// 注意:haproxy的Makefile使用大写的PREFIX变量(默认/usr/local),小写prefix通常会被忽略,因此上述命令实际仍安装到/usr/local/sbin/haproxy——这也是下文service文件能使用/usr/local/sbin/haproxy路径的原因。若确实要安装到/usr/local/haproxy,请使用 make install PREFIX=/usr/local/haproxy,并同步修改service文件中的路径。
// 配置内核参数
// ip_nonlocal_bind 仅在需要绑定尚未落在本机的VIP(例如配合keepalived做高可用)时才需要;
// ip_forward 对haproxy这种用户态代理并非必需,开启后本机会转发任意经过的IP包(等于变成路由器),只有在同时用作LVS/NAT网关等场景才应开启,否则建议不要加这一行。
[root@DR ~]# echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf
[root@DR ~]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
[root@DR ~]# sysctl -p
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
// 提供配置文件
[root@DR etc]# mkdir haproxy
[root@DR ~]# cd /etc/haproxy/
[root@DR haproxy]# cat > /etc/haproxy/haproxy.cfg <<EOF
> #--------------全局配置----------------
> global
> log 127.0.0.1 local0 info
> #log loghost local0 info
> maxconn 20480
> #chroot /usr/local/haproxy
> pidfile /var/run/haproxy.pid
> #maxconn 4000
> user haproxy
> group haproxy
> daemon
> #---------------------------------------------------------------------
> #common defaults that all the 'listen' and 'backend' sections will
> #use if not designated in their block
> #---------------------------------------------------------------------
> defaults
> mode http
> log global
> option dontlognull
> option httpclose
> option httplog
> #option forwardfor
> option redispatch
> balance roundrobin
> timeout connect 10s
> timeout client 10s
> timeout server 10s
> timeout check 10s
> maxconn 60000
> retries 3
> #--------------统计页面配置------------------
> listen admin_stats
> bind 0.0.0.0:8189
> stats enable
> mode http
> log global
> stats uri /haproxy_stats
> stats realm Haproxy\ Statistics
> stats auth admin:admin
> #stats hide-version
> stats admin if TRUE
> stats refresh 30s
> #---------------web设置-----------------------
> listen webcluster
> bind 0.0.0.0:80
> mode http
> #option httpchk GET /index.html
> log global
> maxconn 3000
> balance roundrobin
> cookie SESSION_COOKIE insert indirect nocache
> # 注意:cookie 会话保持只有在每个 server 行上也指定 cookie <值> 时才生效(见下方注释掉的写法),
> # 当前 server 行没有 cookie 参数,因此并不会产生会话保持效果。
> server web01 192.168.126.154:80 check inter 2000 fall 5
> #server web01 192.168.126.154:80 cookie web01 check inter 2000 fall 5
> EOF
// haproxy.service文件编写
// 注意:这里必须使用带引号的 <<'EOF',否则 shell 会在写入文件时展开 $MAINPID(交互 shell 中该变量为空),
// 生成的 ExecReload 会变成 "/bin/kill -USR2 " 而导致 reload 失败。
[root@DR ~]# cat > /usr/lib/systemd/system/haproxy.service <<'EOF'
> [Unit]
> Description=HAProxy Load Balancer
> After=syslog.target network.target
>
> [Service]
> # 可参考源码树 admin/systemd/haproxy.service.in:使用 -Ws 时通常配合 Type=notify、KillMode=mixed,
> # 并在 ExecReload 中先执行 -c 校验配置再发送 USR2,避免 reload 加载了有错误的配置。
> ExecStartPre=/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -c -q
> ExecStart=/usr/local/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid
> ExecReload=/bin/kill -USR2 $MAINPID
>
> [Install]
> WantedBy=multi-user.target
> EOF
// 启用日志
// haproxy 配置中的 log 127.0.0.1 local0 是通过 UDP 发到本机 514 端口的,rsyslog 默认并不监听 UDP,
// 需要同时启用 imudp 模块,并且只绑定到 127.0.0.1,避免把 syslog 端口暴露到网络上:
[root@DR ~]# vim /etc/rsyslog.conf
module(load="imudp") //加入这行
input(type="imudp" port="514" address="127.0.0.1") //加入这行
local0.* /var/log/haproxy.log //加入这行
// 重启服务
[root@DR ~]# systemctl restart rsyslog.service
// 启动服务
[root@DR ~]# systemctl restart haproxy
[root@RS1 ~]# yum -y install httpd
[root@RS1 ~]# systemctl start httpd
[root@RS1 ~]# echo "mkf1" > /var/www/html/index.html
[root@RS2 ~]# yum -y install httpd
[root@RS2 ~]# systemctl start httpd
[root@RS2 ~]# echo "mkf1" > /var/www/html/index.html
// 注意:两台后端写入了相同的内容 mkf1,这样无法通过返回内容区分请求落在了哪台服务器,建议 RS2 写入不同内容(例如 mkf2)以便验证轮询效果。
[root@RS1 ~]# yum -y install openssl
[root@RS1 ~]# mkdir ~/keys
[root@RS1 ~]# cd keys
// 私钥文件生成后应立即收紧权限(chmod 600 passport.com.key),并且只保存在需要它的主机上;实验用的自签名证书在生产环境中应替换为受信 CA 签发的证书。
[root@RS1 keys]# openssl genrsa -out passport.com.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
......+++++
e is 65537 (0x010001)
[root@RS1 keys]# openssl req -new -key passport.com.key -out passport.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:wh
Organization Name (eg, company) [Default Company Ltd]:mkf
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:localhost   // 注意:CN 应填写客户端实际访问的域名(如 passport.com 或后面 ssl.conf 中的 ServerName),否则浏览器/curl 会报证书名称不匹配;现代客户端还要求在 SAN 扩展中包含域名,仅靠 CN 已经不够
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mkf123   // 该字段是 CSR 中的遗留属性,自签名时没有任何作用,建议直接留空,不要在这里填写真实口令
An optional company name []:
[root@RS1 keys]# openssl x509 -req -days 3650 -in passport.com.csr -signkey passport.com.key -out passport.com.crt
Signature ok
subject=C = cn, ST = hb, L = wh, O = mkf, OU = test, CN = localhost
Getting Private key
[root@RS1 keys]# ls
passport.com.crt passport.com.csr passport.com.key
// 将文件传输到RS2上面去
// 注意:首次连接时应通过带外渠道核对下面显示的主机指纹后再输入 yes,否则无法防范中间人;
// scp 不保留文件权限,私钥到达 RS2 后需要 chmod 600,并确保只有 root 可读。
[root@RS1 keys]# scp passport.com.crt passport.com.key 192.168.126.156:/root/
The authenticity of host '192.168.126.156 (192.168.126.156)' can't be established.
ECDSA key fingerprint is SHA256:CpFtca4nVXa4tr+1wbiP0j/l/uc+TiIWPA35mjAwi18.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.126.156' (ECDSA) to the list of known hosts.
root@192.168.126.156's password:
passport.com.crt 100% 1176 1.4MB/s 00:00
passport.com.key
[root@RS2 ~]# yum -y install mod_ssl
[root@RS2 ~]# mkdir /etc/httpd/ssl
[root@RS2 ~]# mv passport.com.* /etc/httpd/ssl/
// 建议执行 chmod 600 /etc/httpd/ssl/passport.com.key。另外本文只在 RS2 上安装并配置了 mod_ssl,而后面 haproxy 的 server 行把 RS1 和 RS2 都配成了 443 端口,RS1 也需要做同样的 mod_ssl 配置,否则 RS1 的健康检查会失败。
[root@RS2 ~]# cd /etc/httpd/
[root@RS2 httpd]# cd conf.d
[root@RS2 conf.d]# vim ssl.conf
# 取消下面两行注释
43 DocumentRoot "/var/www/html"
44 ServerName www.example.com:443   // 应改为与证书 CN/SAN 一致的域名(本文证书的 CN 是 localhost,两者并不匹配)
# 修改下面两行路径
85 SSLCertificateFile /etc/httpd/ssl/passport.com.crt
93 SSLCertificateKeyFile /etc/httpd/ssl/passport.com.key
// 重启服务
[root@RS2 ~]# systemctl restart httpd
// 修改配置文件(下面配置中以 // 标出的只是本文的修改说明;haproxy 配置文件只认 # 注释,实际文件中不能保留 // 及其后的文字,否则启动时会报配置错误)
[root@DR haproxy]# cat haproxy.cfg
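#-------------- global settings --------------
# Layer-4 (TLS passthrough) variant of the earlier HTTP config: haproxy only
# forwards raw TCP to the backends, which terminate TLS themselves.
global
    log 127.0.0.1 local0 info
    #log loghost local0 info
    maxconn 20480
    # chroot stays disabled as in the original; enabling it needs an existing,
    # empty, root-owned directory (e.g. /var/lib/haproxy) and is recommended.
    #chroot /usr/local/haproxy
    pidfile /var/run/haproxy.pid
    #maxconn 4000
    user haproxy
    group haproxy
    daemon
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode tcp
    log global
    option dontlognull
    # 'option httplog' / 'option httpclose' only apply to mode http; in tcp
    # mode haproxy warns and falls back to the TCP log format anyway.
    option tcplog
    # HTTP-only: X-Forwarded-For cannot be injected into an encrypted stream
    # (use the PROXY protocol on the backends if client IPs are needed).
    #option forwardfor
    option redispatch
    balance roundrobin
    timeout connect 10s
    timeout client 10s
    timeout server 10s
    timeout check 10s
    maxconn 60000
    retries 3
#-------------- stats page --------------
listen admin_stats
    # Bound to loopback: this page exposes 'stats admin' (can disable/enable
    # backend servers), so it must not be reachable from arbitrary hosts.
    # Reach it via an SSH tunnel, or bind to a management-network address.
    bind 127.0.0.1:8189
    stats enable
    mode http
    option httplog
    log global
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    # CHANGE THIS before deployment: default credentials are trivially guessed.
    stats auth admin:admin
    # Do not advertise the haproxy version on the page.
    stats hide-version
    # Admin actions only from the local host (LOCALHOST is a predefined ACL),
    # not from anyone who merely authenticates.
    stats admin if LOCALHOST
    stats refresh 30s
#-------------- web (TLS passthrough) --------------
listen webcluster
    bind 0.0.0.0:443
    mode tcp
    # In tcp mode the health check is a plain TCP connect; 'option httpchk'
    # would need mode http, or 'check-ssl' on the server lines.
    #option httpchk GET /index.html
    log global
    maxconn 3000
    balance roundrobin
    # Cookie persistence needs HTTP visibility; with TLS passthrough the
    # request is encrypted, so 'cookie ... insert' cannot work (haproxy
    # ignores it with a warning). For layer-4 stickiness use a stick-table
    # keyed on src, or terminate TLS on haproxy instead.
    #cookie SESSION_COOKIE insert indirect nocache
    # NOTE(review): earlier steps used 192.168.126.154/156 for RS1/RS2;
    # confirm these backend addresses match the hosts actually prepared.
    server web01 192.168.14.11:443 check inter 2000 fall 5
    server web02 192.168.14.12:443 check inter 2000 fall 5
    #server web01 192.168.14.10:80 cookie web01 check inter 2000 fall 5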
[root@DR ~]# systemctl restart haproxy.service