ACL syntax: acl <acl_name> <criterion> [flags] [operator] [<value>] ...
acl_name: a user-chosen ACL name. It is case-sensitive and may only contain letters, digits, "-", "_", ":" and ".".
criterion: the test criterion (what is checked)
flags: flag bits, for example:
    -i: match case-insensitively
operator: a comparison operator for numeric values, for example: eq (=), ge (>=), gt (>), le (<=), lt (<)
value: the value to compare against; it may be a number or a string.
    When the data type is int, a range may be given, for example: 1024:65535
    When the data type is string:
        the -i flag is supported
        regular expressions are supported
        IP addresses and networks are supported
Criteria:
    dst: destination address
    dst_port: destination port
    src: source address
    src_port: source port
Layer-4 access control with ACLs (TCP)
Syntax:
    tcp-request content accept [{if | unless} <condition>]
    tcp-request content reject [{if | unless} <condition>]
These rules may only be defined in frontend and listen sections.
Example:
    acl goodguys src 10.0.0.0/24
    tcp-request content accept if goodguys
    tcp-request content reject
Explanation: only clients from the 10.0.0.0/24 network are allowed; everyone else is rejected.
Instance:
listen statistics
    bind *:8010
    stats enable
    stats uri /haadmin?stats
    stats auth admin:admin
    stats admin if TRUE
    acl whitelist src 172.16.0.0/16
    acl blacklist src 172.16.100.10/24
    tcp-request content reject if blacklist
    tcp-request content accept if whitelist
    tcp-request content reject
Explanation: clients from the 172.16.0.0/16 network may reach the local stats page http://127.0.0.1/haadmin?stats (bound on port 8010), but the IP 172.16.100.10/24 is denied. The rules are evaluated in order and the first match wins, so the blacklist reject must come before the whitelist accept. Note also that a /24 mask makes the blacklist ACL cover the whole 172.16.100.0/24 network; write the address without a mask (or with /32) to deny only that one host. Because stats admin if TRUE enables admin actions on the page, replace the admin:admin credentials before exposing it.
Layer-7 access control with ACLs (HTTP)
Example:
    acl nagios src 192.168.129.3
    acl local_net src 192.168.0.0/16
    acl auth_ok http_auth(L1)
    http-request allow if nagios
    http-request allow if local_net auth_ok
    http-request auth realm Gimme if local_net !auth_ok
    http-request deny
Explanation: the nagios host is always allowed; clients on the local network are allowed once they present valid credentials and receive a 401 challenge (realm "Gimme") while they have not; everything else is denied. http_auth(L1) verifies the credentials against a userlist named L1, which must be defined in its own userlist section.
Example:
    acl auth_ok http_auth_group(L1) G1
    http-request auth unless auth_ok
Explanation: only users belonging to group G1 of userlist L1 may pass; anyone else is challenged for credentials.
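As an added example, not code from the original page, the following Python models how HAProxy walks the tcp-request rules of the statistics listener above and the http-request rules of this example in order: each condition is an AND of ACL terms, a leading ! negates a term, and the first rule whose condition holds decides. The auth_ok ACL is replaced by a constructed flag on the request, since no userlist L1 is evaluated here.

```python
import ipaddress

# Added example (not from the original page): a model of HAProxy's ordered
# tcp-request / http-request rule evaluation. ACLs are callables over a request
# dict; "src" ACLs hold networks and a bare address is a single host (/32).

def src_acl(*nets):
    """Build a src-style ACL: true when the client address is in any network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in nets]
    return lambda req: any(ipaddress.ip_address(req["src"]) in n for n in nets)

# "listen statistics" example: whitelist /16, blacklist written with a /24 mask
STATS_ACLS = {"whitelist": src_acl("172.16.0.0/16"),
              "blacklist": src_acl("172.16.100.10/24")}
STATS_RULES = [("reject", "blacklist"), ("accept", "whitelist"), ("reject", "")]

# http-request example: nagios host, local network, and an http_auth(L1) result
# (auth_ok is a constructed flag here, not a real userlist lookup)
HTTP_ACLS = {"nagios": src_acl("192.168.129.3"),
             "local_net": src_acl("192.168.0.0/16"),
             "auth_ok": lambda req: req.get("auth_ok", False)}
HTTP_RULES = [("allow", "nagios"), ("allow", "local_net auth_ok"),
              ("auth", "local_net !auth_ok"), ("deny", "")]

def cond_holds(cond, req, acls):
    """Empty condition is always true; otherwise every (possibly negated) term must hold."""
    for term in cond.split():
        negated = term.startswith("!")
        if acls[term.lstrip("!")](req) == negated:
            return False
    return True

def decide(rules, acls, req, default="accept"):
    """Action of the first rule whose condition holds; HAProxy accepts if none matches."""
    for action, cond in rules:
        if cond_holds(cond, req, acls):
            return action
    return default

def stats_decision(src):
    return decide(STATS_RULES, STATS_ACLS, {"src": src})

def http_decision(src, auth_ok=False):
    return decide(HTTP_RULES, HTTP_ACLS, {"src": src, "auth_ok": auth_ok})

if __name__ == "__main__":
    for ip in ("172.16.100.10", "172.16.100.77", "172.16.5.5", "10.1.1.1"):
        print("stats", ip, "->", stats_decision(ip))
    print("http local, no creds ->", http_decision("192.168.7.7"))
```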
Criteria:
hdr(<header>)
    Checks the named request header; its value must equal the string that follows.
    Example: hdr(Content) -i close
    Explanation: checks the Content header, which must be "close", ignoring case.
hdr_beg(<header>)
    Tests whether the beginning of the named request header matches one of the given patterns. For example, the following tests whether the request is for one of the static-content hosts img, video, download or ftp:
    acl host_static hdr_beg(host) -i img. video. download. ftp.
hdr_end(<header>)
    Tests whether the end of the named request header matches one of the given patterns.
hdr_reg(<header>)
    Matches the header value against a regular expression.
    Example: acl vhost hdr_reg(Host) -i .*\.magedu.com
    Explanation: matches every Host virtual host within the magedu.com domain and names the ACL vhost.
http_first_req
    True for the first request of an HTTP connection.
method
    Checks the method used in the HTTP request.
path
    Checks the path part of the request URL.
    A URL has the form scheme://user:password@host:port/path;params?query#fragment
    Example: acl index path -i /index.html
    Explanation: checks whether the requested path is /index.html (case-insensitive) and names the ACL index.
path_beg
    Tests whether the request path begins with one of the given patterns. The following tests whether the URL begins with /static, /images, /javascript or /stylesheets:
    acl url_static path_beg -i /static /images /javascript /stylesheets
path_end
    Tests whether the request path ends with one of the given patterns. For example, the following tests whether the URL ends in jpg, gif, png, css or js:
    acl url_static path_end -i .jpg .gif .png .css .js
path_reg
    Matches the path against a regular expression.
url
    Matches the whole URL exactly; here the URL is /path;params?query#fragment
url_beg
    Checks whether the URL begins with the given content.
url_end
    Checks whether the URL ends with the given content.
Combining multiple ACL conditions
Condition operators: and, or, !
Example:
    acl url_static path_beg /static /image /img /css
    acl url_static path_end .gif .png .jpg .css .js
    acl host_www hdr_beg(host) -i www
    acl host_static hdr_beg(host) -i img. video. download. ftp.
    use_backend static if host_static or url_static
    use_backend www if host_www
Explanation: the first two ACLs share a name, which means that either one matching is enough. Any path that begins with /static, /image, /img or /css, or that ends in .gif, .png, .jpg, .css or .js, is classified as url_static (a static page).
Line 3: checks the Host header; hosts beginning with www are classified as host_www.
Line 4: checks the Host header; hosts beginning with img, video, download or ftp are classified as host_static.
Line 5: if either condition holds, the static backend is used (not configured in this example).
Line 6: if the virtual host begins with www, the www backend is used (not configured in this example).
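As an added example that is not part of the original page, the following Python models the four ACL lines and the two use_backend lines above: lines that share an ACL name are OR-ed, -i lowercases both sides before comparing, and use_backend lines are tried in order with the first true condition winning. The request tuples and header values in it are constructed for illustration.

```python
# Added example (not from the original page): a model of the url_static,
# host_www and host_static ACLs above and the backend selection they drive.

# (acl name, criterion, case-insensitive flag, patterns) exactly as in the config
ACL_LINES = [
    ("url_static", "path_beg", False, ["/static", "/image", "/img", "/css"]),
    ("url_static", "path_end", False, [".gif", ".png", ".jpg", ".css", ".js"]),
    ("host_www", "hdr_beg(host)", True, ["www"]),
    ("host_static", "hdr_beg(host)", True, ["img.", "video.", "download.", "ftp."]),
]

# use_backend <name> if <acl> or <acl> ...  (the "or" is modelled as any-of)
USE_BACKEND = [
    ("static", ["host_static", "url_static"]),
    ("www", ["host_www"]),
]

def sample(req, criterion):
    """Value the criterion inspects. req = (method, request-uri, headers dict)."""
    _, uri, headers = req
    if criterion.startswith("path"):
        # path = request URI before any ?query or #fragment
        return uri.split("?", 1)[0].split("#", 1)[0]
    if criterion.startswith("hdr"):
        hname = criterion[criterion.index("(") + 1:-1]
        return headers.get(hname.lower(), "")  # header names are case-insensitive
    raise ValueError("unsupported criterion " + criterion)

def line_matches(criterion, ci, patterns, value):
    kind = criterion.split("(", 1)[0]            # path_beg / path_end / hdr_beg
    v = value.lower() if ci else value
    pats = [p.lower() for p in patterns] if ci else patterns
    if kind.endswith("_beg"):
        return any(v.startswith(p) for p in pats)
    if kind.endswith("_end"):
        return any(v.endswith(p) for p in pats)
    raise ValueError("unsupported criterion " + criterion)

def acl_eval(name, req, lines=ACL_LINES):
    """An ACL is true if any line defined under that name matches."""
    return any(line_matches(c, ci, pats, sample(req, c))
               for n, c, ci, pats in lines if n == name)

def choose_backend(req, rules=USE_BACKEND, default="default"):
    """First use_backend line whose condition holds, else the default backend."""
    for backend, any_of in rules:
        if any(acl_eval(a, req) for a in any_of):
            return backend
    return default

if __name__ == "__main__":
    print(choose_backend(("GET", "/static/logo.png", {"host": "www.example.com"})))
```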
HAProxy static/dynamic separation based on ACLs, sample configuration:

global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 30000

listen stats
    mode http
    bind 0.0.0.0:1080
    stats enable
    stats hide-version
    stats uri /haproxyadmin?stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    stats admin if TRUE

frontend http-in
    bind *:80
    mode http
    log global
    option httpclose                       # close the connection after each request (no keep-alive)
    option logasap                         # log as soon as the request is received; by default logging happens when the request ends
    option dontlognull                     # do not log empty sessions (a connection that sends no request produces no log line)
    capture request header Host len 20     # log the virtual host from the request, 20 characters max
    capture request header Referer len 60  # log the request Referer (the page the client came from)
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .jpeg .gif .png .css .js
    use_backend static_servers if url_static
    default_backend dynamic_servers

backend static_servers
    balance roundrobin
    server imgsrv1 172.16.200.7:80 check maxconn 6000
    server imgsrv2 172.16.200.8:80 check maxconn 6000

backend dynamic_servers
    cookie srv insert nocache
    balance roundrobin
    server websrv1 172.16.200.7:80 check maxconn 1000 cookie websrv1
    server websrv2 172.16.200.8:80 check maxconn 1000 cookie websrv2
    server websrv3 172.16.200.9:80 check maxconn 1000 cookie websrv3
Sample configuration for load balancing a MySQL service:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.* /var/log/haproxy.log
    #
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon

defaults
    mode tcp
    log global
    option tcplog
    option dontlognull
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 600

listen stats
    mode http
    bind 0.0.0.0:1080
    stats enable
    stats hide-version
    stats uri /haproxyadmin?stats
    stats realm Haproxy\ Statistics
    stats auth admin:admin
    stats admin if TRUE

frontend mysql
    bind *:3306
    mode tcp
    log global
    default_backend mysqlservers

backend mysqlservers
    balance leastconn
    server dbsrv1 192.168.10.11:3306 check port 3306 inter 2s rise 1 fall 2 maxconn 300
    server dbsrv2 192.168.10.12:3306 check port 3306 inter 2s rise 1 fall 2 maxconn 300
HAProxy configuration for load balancing RabbitMQ:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.* /var/log/haproxy.log
    #
    log 127.0.0.1 local2 info
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    log global
    option tcplog
    option dontlognull
    option http-server-close
    option redispatch
    retries 3
    timeout connect 5s
    timeout client 1m
    timeout server 1m
    timeout check 5s
    maxconn 6000

listen stats
    bind *:1080
    mode http
    stats refresh 30s
    stats auth admin:admin
    stats enable
    stats admin if TRUE
    stats uri /hadmin?stats
    stats realm Haproxy\ Manager
    option httplog
    log global

frontend mq_web_console
    bind 0.0.0.0:15672
    mode http
    maxconn 3000
    log global
    no option dontlognull
    option httplog
    default_backend mq_web_console

backend mq_web_console
    mode http
    balance roundrobin
    server node1 172.16.42.131:15672 check maxconn 2000
    server node2 172.16.42.135:15672 check maxconn 2000

frontend mq_cluster
    bind 0.0.0.0:5672
    mode tcp
    maxconn 3000
    log global
    option tcplog
    default_backend mq_cluster

backend mq_cluster
    option tcplog
    mode tcp
    balance roundrobin
    server node1 172.16.42.131:5672 check inter 5s rise 2 fall 3
    server node2 172.16.42.135:5672 check inter 5s rise 2 fall 3