ACL syntax:
    acl <acl_name> <criterion> [flags] [operator] <value>
acl_name: a user-chosen ACL name. It is case-sensitive and may contain only letters, digits, "-", "_", ":" and ".".
criterion: the test to perform (what to fetch from the request or connection).
flags: option flags, for example:
    -i: match case-insensitively
operator: comparison operator for numeric values, for example eq (=), ge (>=), gt (>), le (<=), lt (<)
value: the value to compare against; it may be a number or a string.
When the data type is int:
    for example 1024:65535
When the data type is string:
    the -i option is supported
    regular expressions are supported
    IP addresses and networks are supported
Test criteria:
    dst <ip_address>: destination address
    dst_port <integer>: destination port
    src <ip_address>: source address
    src_port <integer>: source port
Layer-4 access control with ACLs on TCP
Syntax:
    tcp-request content accept [{if | unless} condition]
    tcp-request content reject [{if | unless} condition]
These rules may only be defined in frontend and listen sections.
Example:
    acl goodguys src 10.0.0.0/24
    tcp-request content accept if goodguys
    tcp-request content reject
Explanation: only clients from the 10.0.0.0/24 network are allowed in; everyone else is rejected.
Real-world example:
    listen statistics
        bind *:8010
        stats enable
        stats uri /haadmin?stats
        stats auth admin:admin
        stats admin if TRUE
        acl whitelist src 172.16.0.0/16
        acl blacklist src 172.16.100.10/24
        tcp-request content reject if blacklist
        tcp-request content accept if whitelist
        tcp-request content reject
Explanation: clients from the 172.16.0.0/16 network may access the local http://127.0.0.1/haadmin?stats page, but access from 172.16.100.10/24 is denied. The reject rule for the blacklist is evaluated before the accept rule for the whitelist, which is what makes the exception work: tcp-request content rules are evaluated top to bottom and the first matching rule decides.
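The rule-ordering behaviour of the two TCP examples above (goodguys, and the whitelist/blacklist stats listener) can be checked without a running HAProxy. The following is an added Python simulation, not code from the original post or from HAProxy: it models "acl <name> src <net>" with the ipaddress module and walks a tcp-request content rule list top to bottom, first match wins. The ACL table, rule list and test addresses are constructed for this example. It also makes one caveat visible: HAProxy applies the prefix length as a mask, so a blacklist written as 172.16.100.10/24 actually covers all of 172.16.100.0/24, not just one host (the code assumes that masking behaviour).

```python
import ipaddress

# Constructed ACL table mirroring the "listen statistics" example:
# name -> list of networks. strict=False applies the /24 mask to the host
# address, which is what HAProxy does with "172.16.100.10/24".
ACLS = {
    "whitelist": [ipaddress.ip_network("172.16.0.0/16")],
    "blacklist": [ipaddress.ip_network("172.16.100.10/24", strict=False)],
}

# tcp-request content rules in file order: (action, acl name or None).
# None means an unconditional rule.
RULES = [
    ("reject", "blacklist"),
    ("accept", "whitelist"),
    ("reject", None),
]


def src_matches(acls, name, src):
    """Evaluate a src-based ACL: true if the client address is in any listed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acls[name])


def decide(rules, acls, src):
    """Walk the rules top to bottom; the first rule whose condition holds decides.
    If nothing matches, the connection is let through (HAProxy's implicit accept)."""
    for action, cond in rules:
        if cond is None or src_matches(acls, cond, src):
            return action
    return "accept"


def effective_blacklist():
    """The networks the blacklist really covers after masking."""
    return [str(net) for net in ACLS["blacklist"]]


if __name__ == "__main__":
    # Constructed client addresses to probe the rule set.
    for src in ["172.16.1.5", "172.16.100.10", "172.16.100.200", "10.0.0.1"]:
        print(f"{src:16} -> {decide(RULES, ACLS, src)}")
    print("blacklist really covers:", effective_blacklist())
    # Same rules, accept placed before reject: the blacklisted host now gets in.
    swapped = [RULES[1], RULES[0], RULES[2]]
    print("swapped order, 172.16.100.10 ->", decide(swapped, ACLS, "172.16.100.10"))
```

Note that 172.16.100.200 is rejected even though only 172.16.100.10 was meant to be blocked; to block a single host, write it without a prefix length (or with /32).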
Layer-7 access control with ACLs on HTTP
Example:
    acl nagios    src 192.168.129.3
    acl local_net src 192.168.0.0/16
    acl auth_ok   http_auth(L1)
    # monitoring host passes without authentication
    http-request allow if nagios
    # local network passes once authenticated against userlist L1
    http-request allow if local_net auth_ok
    # local network without valid credentials gets an auth challenge
    http-request auth realm Gimme if local_net !auth_ok
    # everyone else is denied
    http-request deny
Example:
    acl auth_ok http_auth_group(L1) G1
    http-request auth unless auth_ok
Test criteria:
hdr(header) <string>:
    Checks the named request header; the value of that header must equal the string that follows.
    Example:
        hdr(Connection) -i close
    Explanation: checks the Connection header, which must be "close", ignoring case.
hdr_beg <string>
    Tests whether the beginning of the named request header matches the pattern given by <string>. For example, the ACL below tests whether the request is for one of the hosts serving static content: img, video, download or ftp.
        acl host_static hdr_beg(host) -i img. video. download. ftp.
hdr_end <string>
    Tests whether the end of the named request header matches the pattern given by <string>.
hdr_reg(header) <regex>
    Matches the header value against a regular expression.
    Example:
        acl vhost hdr_reg(Host) -i .*\.magedu.com
    Explanation: matches every virtual host under the magedu.com domain in the Host header, and names the ACL vhost.
http_first_req
    True for the first request of an HTTP connection.
method <string>
    Tests the method used in the HTTP request.
path
    Tests the path component of the request URL.
    The URL of an HTTP request has the form
        scheme://user:password@host:port/path;params?query#fragment
    Example:
        acl index path -i /index.html
    Explanation: checks whether the request path is /index.html (case-insensitively), and names the ACL index.
path_beg <string>
    Tests whether the request path begins with the pattern given by <string>. The example below tests whether the path begins with /static, /images, /javascript or /stylesheets.
        acl url_static path_beg -i /static /images /javascript /stylesheets
path_end <string>
    Tests whether the request path ends with the pattern given by <string>. For example, the ACL below tests whether the path ends in jpg, gif, png, css or js.
        acl url_static path_end -i .jpg .gif .png .css .js
path_reg <regex>
    Matches the path against a regular expression.
url <string>
    Exact match against the request URL, which here means
        /path;params?query#fragment
url_beg <string>
    Tests whether the URL begins with the given string.
url_end <string>
    Tests whether the URL ends with the given string.
Combining several ACL conditions
Operators for combining ACL conditions: and, or, !
Example:
    acl url_static  path_beg /static /images /img /css
    acl url_static  path_end .gif .png .jpg .css .js
    acl host_www    hdr_beg(host) -i www
    acl host_static hdr_beg(host) -i img. video. download. ftp.
    use_backend static if host_static or url_static
    use_backend www    if host_www
Explanation: the first two ACLs share the same name, so it is enough for either of them to match. Any path beginning with /static, /images, /img or /css, or ending in .gif, .png, .jpg, .css or .js, is classified as url_static (static content).
Line 3: checks the Host header; hosts beginning with www are classified as host_www.
Line 4: checks the Host header; hosts beginning with img, video, download or ftp are classified as host_static.
Line 5: if the condition holds, the static backend is used (not defined in this example).
Line 6: if the virtual host begins with www, the www backend is used (not defined in this example either).
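To see how the HTTP matchers above (path_beg, path_end, hdr_beg, the -i flag), same-name ACL merging and the use_backend selection interact, here is an added Python model of the evaluation. It is not code from the original post or from HAProxy; the AclTable class, the request dicts and the backend names are constructed for this example, and "dynamic" stands in for a default_backend. It goes slightly beyond the text by also supporting "!" negation and a few more fetch kinds (path, method, hdr_reg), and it shows the case-sensitivity trap: path_beg and path_end without -i are case-sensitive.

```python
import re


def make_acl_term(kind, patterns, ignore_case=False):
    """Build one matcher for an 'acl' line. kind is e.g. 'path_beg' or 'hdr_beg(host)'.
    The returned function takes a request dict {method, path, headers}."""
    base, _, rest = kind.partition("(")
    header_name = rest.rstrip(")").lower()  # HTTP header names are case-insensitive

    def fetch(req):
        if base.startswith("hdr"):
            return [v for k, v in req["headers"].items() if k.lower() == header_name]
        if base == "method":
            return [req["method"]]
        return [req["path"]]

    def match(req):
        for value in fetch(req):
            for pat in patterns:
                if base == "hdr_reg":  # regex: never lower-case the pattern itself
                    if re.search(pat, value, re.I if ignore_case else 0):
                        return True
                    continue
                v, p = (value.lower(), pat.lower()) if ignore_case else (value, pat)
                if base in ("path", "method") and v == p:
                    return True
                if base in ("path_beg", "hdr_beg") and v.startswith(p):
                    return True
                if base == "path_end" and v.endswith(p):
                    return True
        return False

    return match


class AclTable:
    """Several 'acl' lines with the same name are OR'ed together, as in HAProxy."""

    def __init__(self):
        self.terms = {}

    def add(self, name, kind, patterns, ignore_case=False):
        self.terms.setdefault(name, []).append(make_acl_term(kind, patterns, ignore_case))

    def test(self, name, req):
        return any(term(req) for term in self.terms[name])


def evaluate(acls, condition, req):
    """condition is a list of OR-alternatives; each alternative is a list of ACL
    names AND-ed together, with a leading '!' meaning negation.
    [["host_static"], ["url_static"]] is 'host_static or url_static'."""
    for conjunction in condition:
        if all(acls.test(n.lstrip("!"), req) != n.startswith("!") for n in conjunction):
            return True
    return False


def choose_backend(acls, rules, req, default):
    """use_backend rules are tried in order; the first whose condition holds wins."""
    for backend, cond in rules:
        if evaluate(acls, cond, req):
            return backend
    return default


def build_example():
    """The ACL set and use_backend rules from the combination example above."""
    acls = AclTable()
    acls.add("url_static", "path_beg", ["/static", "/images", "/img", "/css"])
    acls.add("url_static", "path_end", [".gif", ".png", ".jpg", ".css", ".js"])
    acls.add("host_www", "hdr_beg(host)", ["www"], ignore_case=True)
    acls.add("host_static", "hdr_beg(host)", ["img.", "video.", "download.", "ftp."], ignore_case=True)
    rules = [("static", [["host_static"], ["url_static"]]), ("www", [["host_www"]])]
    return acls, rules


def route(method, path, host):
    """Return the backend a request would be sent to ('dynamic' = default_backend)."""
    acls, rules = build_example()
    req = {"method": method, "path": path, "headers": {"Host": host}}  # constructed request
    return choose_backend(acls, rules, req, default="dynamic")


if __name__ == "__main__":
    for m, p, h in [("GET", "/static/app.js", "www.example.com"),
                    ("GET", "/index.php", "WWW.example.com"),
                    ("GET", "/index.php", "img.example.com"),
                    ("GET", "/Static/a.html", "api.example.com"),
                    ("GET", "/index.php", "api.example.com")]:
        print(f"{m} {p} Host={h} -> {route(m, p, h)}")
```

The fourth request shows why the original text's -i flag matters: "/Static/a.html" is not classified as static because path_beg here was written without -i, so it falls through to the dynamic backend.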
Sample HAProxy configuration: separating static and dynamic content with ACLs
Static/dynamic separation example:
    global
        log         127.0.0.1 local2
        chroot      /var/lib/haproxy
        pidfile     /var/run/haproxy.pid
        maxconn     4000
        user        haproxy
        group       haproxy
        daemon
        # turn on stats unix socket
        stats socket /var/lib/haproxy/stats

    defaults
        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        option                  http-server-close
        option                  forwardfor except 127.0.0.0/8
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 30000

    listen stats
        mode http
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri     /haproxyadmin?stats
        stats realm   Haproxy\ Statistics
        stats auth    admin:admin
        stats admin if TRUE

    frontend http-in
        bind *:80
        mode http
        log global
        option httpclose      # use short-lived connections (close after each request)
        option logasap        # log as soon as the request is received; by default the log line is written when the request ends
        option dontlognull    # do not log empty sessions (a connection that carries no request produces no log line)
        capture request header Host len 20       # record the virtual host from the request, up to 20 characters
        capture request header Referer len 60    # record the Referer (the page the client came from), up to 60 characters
        acl url_static path_beg -i /static /images /javascript /stylesheets
        acl url_static path_end -i .jpg .jpeg .gif .png .css .js
        use_backend static_servers if url_static
        default_backend dynamic_servers

    backend static_servers
        balance roundrobin
        server imgsrv1 172.16.200.7:80 check maxconn 6000
        server imgsrv2 172.16.200.8:80 check maxconn 6000

    backend dynamic_servers
        cookie srv insert nocache
        balance roundrobin
        server websrv1 172.16.200.7:80 check maxconn 1000 cookie websrv1
        server websrv2 172.16.200.8:80 check maxconn 1000 cookie websrv2
        server websrv3 172.16.200.9:80 check maxconn 1000 cookie websrv3
Configuration example: load balancing a MySQL service
    #---------------------------------------------------------------------
    # Global settings
    #---------------------------------------------------------------------
    global
        # to have these messages end up in /var/log/haproxy.log you will
        # need to:
        #
        # 1) configure syslog to accept network log events.  This is done
        #    by adding the '-r' option to the SYSLOGD_OPTIONS in
        #    /etc/sysconfig/syslog
        #
        # 2) configure local2 events to go to the /var/log/haproxy.log
        #   file. A line like the following can be added to
        #   /etc/sysconfig/syslog
        #
        #    local2.*                       /var/log/haproxy.log
        #
        log         127.0.0.1 local2
        chroot      /var/lib/haproxy
        pidfile     /var/run/haproxy.pid
        maxconn     4000
        user        haproxy
        group       haproxy
        daemon

    defaults
        mode                    tcp
        log                     global
        option                  httplog
        option                  dontlognull
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 600

    listen stats
        mode http
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri     /haproxyadmin?stats
        stats realm   Haproxy\ Statistics
        stats auth    admin:admin
        stats admin if TRUE

    frontend mysql
        bind *:3306
        mode tcp
        log global
        default_backend mysqlservers

    backend mysqlservers
        balance leastconn
        # health-check every 2s; one success marks the server up, two failures mark it down
        server dbsrv1 192.168.10.11:3306 check port 3306 inter 2s rise 1 fall 2 maxconn 300
        server dbsrv2 192.168.10.12:3306 check port 3306 inter 2s rise 1 fall 2 maxconn 300
HAProxy configuration for load balancing RabbitMQ
    #---------------------------------------------------------------------
    # Global settings
    #---------------------------------------------------------------------
    global
        # to have these messages end up in /var/log/haproxy.log you will
        # need to:
        #
        # 1) configure syslog to accept network log events.  This is done
        #    by adding the '-r' option to the SYSLOGD_OPTIONS in
        #    /etc/sysconfig/syslog
        #
        # 2) configure local2 events to go to the /var/log/haproxy.log
        #   file. A line like the following can be added to
        #   /etc/sysconfig/syslog
        #
        #    local2.*                       /var/log/haproxy.log
        #
        log         127.0.0.1 local2 info
        chroot      /var/lib/haproxy
        pidfile     /var/run/haproxy.pid
        maxconn     4000
        user        haproxy
        group       haproxy
        daemon
        stats socket /var/lib/haproxy/stats

    defaults
        log                     global
        option                  tcplog
        option                  dontlognull
        option                  http-server-close
        option                  redispatch
        retries                 3
        timeout connect         5s
        timeout client          1m
        timeout server          1m
        timeout check           5s
        maxconn                 6000

    listen stats
        bind *:1080
        mode http
        stats refresh 30s
        stats auth    admin:admin
        stats enable
        stats admin if TRUE
        stats uri     /hadmin?stats
        stats realm   Haproxy\ Manager
        option httplog
        log global

    # RabbitMQ management web console
    frontend mq_web_console
        bind 0.0.0.0:15672
        mode http
        maxconn 3000
        log global
        no option dontlognull
        option httplog
        default_backend mq_web_console

    backend mq_web_console
        mode http
        balance roundrobin
        server node1 172.16.42.131:15672 check maxconn 2000
        server node2 172.16.42.135:15672 check maxconn 2000

    # AMQP traffic to the RabbitMQ cluster
    frontend mq_cluster
        bind 0.0.0.0:5672
        mode tcp
        maxconn 3000
        log global
        option tcplog
        default_backend mq_cluster

    backend mq_cluster
        option tcplog
        mode tcp
        balance roundrobin
        server node1 172.16.42.131:5672 check inter 5s rise 2 fall 3
        server node2 172.16.42.135:5672 check inter 5s rise 2 fall 3
Reposted from: https://blog.51cto.com/zengestudy/1913949