3.全局参数
在global这个节点里的参数是“进程范围的”并且经常是“操作系统指定”的。它们通常是一次性设置而且一旦正确设置不需要动来动去的。它们中的
一些和命令行对应。
global节点支持以下关键词:
* 进程管理和安全
- ca-base
- chroot
- crt-base
- cpu-map
- daemon
- description
- deviceatlas-json-file
- deviceatlas-log-level
- deviceatlas-separator
- deviceatlas-properties-cookie
- external-check
- gid
- group
- hard-stop-after
- log
- log-tag
- log-send-hostname
- lua-load
- nbproc
- nbthread
- node
- pidfile
- presetenv
- resetenv
- uid
- ulimit-n
- user
- setenv
- stats
- ssl-default-bind-ciphers
- ssl-default-bind-ciphersuites
- ssl-default-bind-options
- ssl-default-server-ciphers
- ssl-default-server-ciphersuites
- ssl-default-server-options
- ssl-dh-param-file
- ssl-server-verify
- unix-bind
- unsetenv
- 51degrees-data-file
- 51degrees-property-name-list
- 51degrees-property-separator
- 51degrees-cache-size
- wurfl-data-file
- wurfl-information-list
- wurfl-information-list-separator
- wurfl-engine-mode
- wurfl-cache-size
- wurfl-useragent-priority
* 性能调节
- max-spread-checks
- maxconn
- maxconnrate
- maxcomprate
- maxcompcpuusage
- maxpipes
- maxsessrate
- maxsslconn
- maxsslrate
- maxzlibmem
- noepoll
- nokqueue
- nopoll
- nosplice
- nogetaddrinfo
- noreuseport
- profiling.tasks
- spread-checks
- server-state-base
- server-state-file
- ssl-engine
- ssl-mode-async
- tune.buffers.limit
- tune.buffers.reserve
- tune.bufsize
- tune.chksize
- tune.comp.maxlevel
- tune.h2.header-table-size
- tune.h2.initial-window-size
- tune.h2.max-concurrent-streams
- tune.http.cookielen
- tune.http.logurilen
- tune.http.maxhdr
- tune.idletimer
- tune.lua.forced-yield
- tune.lua.maxmem
- tune.lua.session-timeout
- tune.lua.task-timeout
- tune.lua.service-timeout
- tune.maxaccept
- tune.maxpollevents
- tune.maxrewrite
- tune.pattern.cache-size
- tune.pipesize
- tune.rcvbuf.client
- tune.rcvbuf.server
- tune.recv_enough
- tune.runqueue-depth
- tune.sndbuf.client
- tune.sndbuf.server
- tune.ssl.cachesize
- tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.ssl.ssl-ctx-cache-size
- tune.ssl.capture-cipherlist-size
- tune.vars.global-max-size
- tune.vars.proc-max-size
- tune.vars.reqres-max-size
- tune.vars.sess-max-size
- tune.vars.txn-max-size
- tune.zlib.memlevel
- tune.zlib.windowsize
* 排错
- debug
- quiet
3.1 进程管理和安全
ca-base <dir>
当直接用“ca-file“表示ssL ca证书路径,“crl-file”关联crl路径,这个参数用来指定一个用来获取SSL CA证书和CRL(证书吊销列表)
的默认路径。绝对路径通常被指定在”ca-file“和“ctl-file”中,并且忽略"ca-base".
chroot <jail dir>
把当前目录切换到指定目录,并且在切换之前会抛弃所有的权限。这样做会增加安全等级以防止位置的漏洞被侦测。这样攻击者就很难
威胁到整个系统。这个选项只有用超级管理员权限启动进程的时候才有效。一定要确保你要切换的目录<jail_dir>是空的,并且任何用户没有写的权限。
cpu-map [auto:]<process-set>[/<thread-set>] <cpu-set>...
在Linux 2.6内核及以上版本,可以绑定一个进程或者线程到指定的CPU上。这意味着被指定的进程或者线程永远不会在指定以外的CPU上运行。“cpu-map”直接
指定CPU给指定的进程或线程用。第一个参数是一个进程,之后跟着一个线程。格式如下:
all | odd | even | number[-[number]]
<number> 必须是1到32者64中的一个,这取决于你的机器字节大小。任何在nbproc之上的进程ID和任何在nbthread之上的
线程ID都是被忽略的。可以用两个数字中间加("-")来指定一个范围。也可以用“all”指定所有的进程。只有奇数数字用“odd”
或者偶数数字用"even",就像用“bind-process”指令。第二个参数是CPU设置。每个CPU设置是一个介于0到31或者0到63或者两
个数字用“-”连接的唯一标识。你为每个cpu设置了标识,就可以绑定进程和线程了。显而易见,如果你想这样,你得设置
多个“cpu-map”指令。每个指令会覆盖之前与它发生冲突的指令。一个线程将绑定在它的映射和它附属的进程之一。如果线程没有
被映射而且它的进程也没有被映射,那么这个线程则不会被绑定。
我们可以定义部分范围。大的那个数字可以被省略。如果这样的话,大的那个数字就会被相应的最大数字替代,比如32或者64.这取决于你的机器字节大小。
你可以前面加上前缀“auto:”,这样可以在增加新的CPU或者新的进程、线程的时候让Haproxy自动绑定。为了确保设置有效,两个设置要有同样的size。
不管定义的CPU的顺序,它总是从下至上搜寻。把“auto:”前缀同时加到进程和线程的范围前面是不支持的。只有一个范围被支持,其他一个必须是精确的数字。
示例:
cpu-map 1-4 0-3 # 绑定标识为1到4的进程到前4个cpu
cpu-map 1/all 0-3 # 绑定第一个进程的所有线程到前4个CPU
cpu-map 1- 0- # 将会被替换成"cpu-map 1-64 0-63"
# 或者"cpu-map 1-32 0-31"这取决于你的机器字节大小
# 所有这些行绑定进程1到cpu0,进程2到cpu1,以此类推。
cpu-map auto:1-4 0-3
cpu-map auto:1-4 0-1 2-3
cpu-map auto:1-4 3 2 1 0
# 所有这些行绑定线程1到cpu0,线程2到cpu1,以此类推
cpu-map auto:1/1-4 0-3
cpu-map auto:1/1-4 0-1 2-3
cpu-map auto:1/1-4 3 2 1 0
# 使用all/odd/even关键词绑定每个进程到精确到cpu上
cpu-map auto:all 0-63
cpu-map auto:even 0-31
cpu-map auto:odd 32-63
# 无效的cpu-map设置,因为进程和cpu配置没有同样的数量
cpu-map auto:1-4 0 # invalid
cpu-map auto:1 0-3 # invalid
# 无效的cpu-map设置,因为自动绑定作用在了进程范围上
# and a thread range.
cpu-map auto:all/all 0 # invalid
cpu-map auto:all/1-4 0 # invalid
cpu-map auto:1-4/all 0 # invalid
crt-base <dir>
当用“crtfile”指令时,指定一个默认目录用来获取从这个指令SSL证书。在"crtfile"指令之后指定绝对路径会覆盖"crtfile"设置
并且忽略“crt-base”。
daemon
可以让进程在后台挂起。这种操作是被推荐的。相当于在命令行中用“-D”参数。也可以用“-db”来禁用。这个选项在systemd模式无效。
deviceatlas-json-file <path>
设置通过API加载的DeviceAtlas json数据的路径。这个路径必须是一个有效的json数据文件并且能被
HAProxy进程访问。
deviceatlas-log-level <value>
设置API返回信息的等级。这个指令是可选的如果不设置默认为0.
deviceatlas-separator <char>
设置API属性结果的字符分隔符。这个指令是可选的如果不设置默认为|。
deviceatlas-properties-cookie <name>
设置客户端的cooke名字,它是用来侦测在请求期间DeviceAtlas 客户端组件是否被使用。这个指令是可选的
如果不设置默认为DAPROPS.
external-check
允许使用外部代理来进行健康检查。这个指令由于安全原因默认被禁止的。
gid <number>
修改进程的group ID 为指定数字。推荐group id使用HAProxy的专用id或者一个类似的小的守护进程设置。
HAProxy必须用一个属于这个组的用户或者拥有超级用户权限的用户启动。注意,如果haproxy从一个
拥有额外组的用户启动了,那么如果从一个超级用户启动它只能丢弃这些额外组的权限。
你还可以参考“group”和“uid”。
hard-stop-after <time>
定义了用来处理一个清除软停止(clean soft-stop)所能执行的最大时间。
讨论:
<time> 是soft-stop在收到SIGUSR1信号后一个应用所能存活的最长时间(默认毫秒为单位)。
这可能是用来确保就算应用在软停止(soft-stop)期间,就算连接还在保持打开状态,应用依然会
被关闭。(比如tcp代理模式中的long timeouts)此设置TCP和HTTP模式都有效。
示例:
global
hard-stop-after 30s
group <group name>
类似于"gid",但是用/etc/group 中的group name来替代GID。可以参考gid和user指令。
未完待续,这章比较长,要分很多篇来完成。
------------------------------以下是英文原文-------------------------------
3. Global parameters
Parameters in the "global" section are process-wide and often OS-specific. They are generally set once for all and do not need being changed once correct. Some of them have command-line equivalents. The following keywords are supported in the "global" section : * Process management and security - ca-base - chroot - crt-base - cpu-map - daemon - description - deviceatlas-json-file - deviceatlas-log-level - deviceatlas-separator - deviceatlas-properties-cookie - external-check - gid - group - hard-stop-after - log - log-tag - log-send-hostname - lua-load - nbproc - nbthread - node - pidfile - presetenv - resetenv - uid - ulimit-n - user - setenv - stats - ssl-default-bind-ciphers - ssl-default-bind-ciphersuites - ssl-default-bind-options - ssl-default-server-ciphers - ssl-default-server-ciphersuites - ssl-default-server-options - ssl-dh-param-file - ssl-server-verify - unix-bind - unsetenv - 51degrees-data-file - 51degrees-property-name-list - 51degrees-property-separator - 51degrees-cache-size - wurfl-data-file - wurfl-information-list - wurfl-information-list-separator - wurfl-engine-mode - wurfl-cache-size - wurfl-useragent-priority * Performance tuning - max-spread-checks - maxconn - maxconnrate - maxcomprate - maxcompcpuusage - maxpipes - maxsessrate - maxsslconn - maxsslrate - maxzlibmem - noepoll - nokqueue - nopoll - nosplice - nogetaddrinfo - noreuseport - profiling.tasks - spread-checks - server-state-base - server-state-file - ssl-engine - ssl-mode-async - tune.buffers.limit - tune.buffers.reserve - tune.bufsize - tune.chksize - tune.comp.maxlevel - tune.h2.header-table-size - tune.h2.initial-window-size - tune.h2.max-concurrent-streams - tune.http.cookielen - tune.http.logurilen - tune.http.maxhdr - tune.idletimer - tune.lua.forced-yield - tune.lua.maxmem - tune.lua.session-timeout - tune.lua.task-timeout - tune.lua.service-timeout - tune.maxaccept - tune.maxpollevents - tune.maxrewrite - tune.pattern.cache-size - tune.pipesize - tune.rcvbuf.client - tune.rcvbuf.server - tune.recv_enough - tune.runqueue-depth - tune.sndbuf.client - tune.sndbuf.server - tune.ssl.cachesize - tune.ssl.lifetime - tune.ssl.force-private-cache - tune.ssl.maxrecord - tune.ssl.default-dh-param - tune.ssl.ssl-ctx-cache-size - tune.ssl.capture-cipherlist-size - tune.vars.global-max-size - tune.vars.proc-max-size - tune.vars.reqres-max-size - tune.vars.sess-max-size - tune.vars.txn-max-size - tune.zlib.memlevel - tune.zlib.windowsize * Debugging - debug - quiet
3.1. Process management and security
Assigns a default directory to fetch SSL CA certificates and CRLs from when a
relative path is used with "ca-file" or "crl-file" directives. Absolute
locations specified in "ca-file" and "crl-file" prevail and ignore "ca-base".
Changes current directory to <jail dir> and performs a chroot() there before dropping privileges. This increases the security level in case an unknown vulnerability would be exploited, since it would make it very hard for the attacker to exploit the system. This only works when the process is started with superuser privileges. It is important to ensure that <jail_dir> is both empty and non-writable to anyone.
On Linux 2.6 and above, it is possible to bind a process or a thread to a specific CPU set. This means that the process or the thread will never run on other CPUs. The "cpu-map" directive specifies CPU sets for process or thread sets. The first argument is a process set, eventually followed by a thread set. These sets have the format all | odd | even | number[-[number]] <number>> must be a number between 1 and 32 or 64, depending on the machine's word size. Any process IDs above nbproc and any thread IDs above nbthread are ignored. It is possible to specify a range with two such number delimited by a dash ('-'). It also is possible to specify all processes at once using "all", only odd numbers using "odd" or even numbers using "even", just like with the "bind-process" directive. The second and forthcoming arguments are CPU sets. Each CPU set is either a unique number between 0 and 31 or 63 or a range with two such numbers delimited by a dash ('-'). Multiple CPU numbers or ranges may be specified, and the processes or threads will be allowed to bind to all of them. Obviously, multiple "cpu-map" directives may be specified. Each "cpu-map" directive will replace the previous ones when they overlap. A thread will be bound on the intersection of its mapping and the one of the process on which it is attached. If the intersection is null, no specific binding will be set for the thread. Ranges can be partially defined. The higher bound can be omitted. In such case, it is replaced by the corresponding maximum value, 32 or 64 depending on the machine's word size. The prefix "auto:" can be added before the process set to let HAProxy automatically bind a process or a thread to a CPU by incrementing process/thread and CPU sets. To be valid, both sets must have the same size. No matter the declaration order of the CPU sets, it will be bound from the lowest to the highest bound. Having a process and a thread range with the "auto:" prefix is not supported. Only one range is supported, the other one must be a fixed number.
cpu-map 1-4 0-3 # bind processes 1 to 4 on the first 4 CPUs
cpu-map 1/all 0-3 # bind all threads of the first process on the
# first 4 CPUs
cpu-map 1- 0- # will be replaced by "cpu-map 1-64 0-63"
# or "cpu-map 1-32 0-31" depending on the machine's # word size. # all these lines bind the process 1 to the cpu 0, the process 2 to cpu 1 # and so on. cpu-map auto:1-4 0-3 cpu-map auto:1-4 0-1 2-3 cpu-map auto:1-4 3 2 1 0 # all these lines bind the thread 1 to the cpu 0, the thread 2 to cpu 1 # and so on. cpu-map auto:1/1-4 0-3 cpu-map auto:1/1-4 0-1 2-3 cpu-map auto:1/1-4 3 2 1 0 # bind each process to exactly one CPU using all/odd/even keyword cpu-map auto:all 0-63 cpu-map auto:even 0-31 cpu-map auto:odd 32-63 # invalid cpu-map because process and CPU sets have different sizes. cpu-map auto:1-4 0 # invalid cpu-map auto:1 0-3 # invalid # invalid cpu-map because automatic binding is used with a process range # and a thread range. cpu-map auto:all/all 0 # invalid cpu-map auto:all/1-4 0 # invalid cpu-map auto:1-4/all 0 # invalid Assigns a default directory to fetch SSL certificates from when a relative path is used with "crtfile" directives. Absolute locations specified after "crtfile" prevail and ignore "crt-base".
Makes the process fork into background. This is the recommended mode of operation. It is equivalent to the command line "-D" argument. It can be disabled by the command line "-db" argument. This option is ignored in systemd mode.
Sets the path of the DeviceAtlas JSON data file to be loaded by the API. The path must be a valid JSON data file and accessible by HAProxy process.
Sets the level of information returned by the API. This directive is optional and set to 0 by default if not set.
Sets the character separator for the API properties results. This directive is optional and set to | by default if not set.
Sets the client cookie's name used for the detection if the DeviceAtlas Client-side component was used during the request. This directive is optional and set to DAPROPS by default if not set.
Allows the use of an external agent to perform health checks. This is disabled by default as a security precaution. See "option external-check".
Changes the process' group ID to <number>. It is recommended that the group
ID is dedicated to HAProxy or to a small set of similar daemons. HAProxy must
be started with a user belonging to this group, or with superuser privileges.
Note that if haproxy is started from a user having supplementary groups, it
will only be able to drop these groups if started with superuser privileges.
See also "group" and "uid".
Defines the maximum time allowed to perform a clean soft-stop.
<time> is the maximum time (by default in milliseconds) for which the
instance will remain alive when a soft-stop is received via the
SIGUSR1 signal.
This may be used to ensure that the instance will quit even if connections remain opened during a soft-stop (for example with long timeouts for a proxy in tcp mode). It applies both in TCP and HTTP mode.
global
hard-stop-after 30s
Similar to "gid" but uses the GID of group name <group name> from /etc/group.
See also "gid" and "user".
717
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
