1、基于acl+文件后缀实现动静分离
# Static/dynamic split: choose a backend from the file suffix of the request path.
listen web_port
    bind 192.168.7.102:80
    mode http

    # path_end compares the end of the URL path (the query string is not part
    # of the path); -i makes the comparison case-insensitive.
    acl php_server   path_end -i .php
    acl image_server path_end -i .jpg .png .jpeg .gif

    # use_backend rules are evaluated in order and the first match wins.
    # These rules only decide where a request is sent; they do not restrict
    # what a client may request.
    use_backend php_server_host   if php_server
    use_backend image_server_host if image_server

    # Anything that matched neither ACL.
    default_backend default_host

# "check inter 2000 fall 3 rise 5": health-check every 2000 ms, mark the server
# down after 3 failed checks and up again after 5 successful ones.
backend default_host
    mode http
    server web1 192.168.7.101:8080 check inter 2000 fall 3 rise 5

# Requests whose path ends in .php
backend php_server_host
    mode http
    server web1 192.168.7.101:8080 check inter 2000 fall 3 rise 5

# Requests whose path ends in an image suffix
backend image_server_host
    mode http
    server web1 192.168.7.102:8080 check inter 2000 fall 3 rise 5
2、acl-匹配访问路径
# Route by the beginning of the request path.
listen web_port
    bind 192.168.7.102:80
    mode http

    # path_beg is a plain string-prefix match, so "/static" also matches
    # "/static-old" or "/staticfoo".
    # NOTE(review): write the patterns with a trailing slash if a directory
    # boundary is what is meant.
    acl static_path path_beg -i /static /images /javascript

    use_backend static_path_host if static_path
    default_backend default_host

# In this sample both backends point at the same server (192.168.7.101:8080).
backend default_host
    mode http
    server web1 192.168.7.101:8080 check inter 2000 fall 3 rise 5

backend static_path_host
    mode http
    server web1 192.168.7.101:8080 check inter 2000 fall 3 rise 5
3、http 基于策略的访问控制
# Policy-based access control on the client's source address.
listen web_port
    bind 192.168.7.102:80
    mode http

    # src is the address of the TCP peer that connected to HAProxy.
    # NOTE(review): if clients arrive through NAT or another proxy, this is
    # that device's address, not the end client's - confirm the topology.
    acl badguy_deny src 192.168.4.1

    # http-request rules run top to bottom. deny ends processing and answers
    # with 403 unless a different status is configured.
    http-request deny if badguy_deny
    # Everything else is let through: this is a denylist, i.e. default-allow.
    http-request allow

    default_backend default_host

backend default_host
    mode http
    server web1 192.168.7.102:8080 check inter 2000 fall 3 rise 5

# The two backends below are defined but not referenced by the listen section
# of this example.
backend static_path_host
    mode http
    server web1 192.168.7.101:8080 check inter 2000 fall 3 rise 5

backend image_server_host
    mode http
    server web1 192.168.7.102:8080 check inter 2000 fall 3 rise 5
4、预定义acl使用
# Using HAProxy's predefined ACLs together with a user-defined one.
listen web_port
    bind 192.168.7.102:80
    mode http

    acl static_path path_beg -i /static /images /javascript

    # HTTP_1.1 (request version is 1.1) and TRUE (always matches) are
    # predefined ACLs. Conditions written side by side are ANDed, so the
    # static backend is used only for HTTP/1.1 requests to a static path.
    use_backend static_path_host if HTTP_1.1 TRUE static_path

    default_backend default_host

backend default_host
    mode http
    server web1 192.168.7.102:8080 check inter 2000 fall 3 rise 5

backend static_path_host
    mode http
    server web1 192.168.7.101:8080 check inter 2000 fall 3 rise 5
5、https
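# HTTPS: build a self-signed certificate bundle for HAProxy.
# The result is not trusted by clients unless they import it; no -days is
# given, so openssl's default validity period applies.
# Runs in a subshell so that set -e, the tightened umask and the cd do not
# leak into the calling shell.
(
  set -e
  mkdir -p /usr/local/haproxy/certs
  # Must be the directory created above, which is also the one the
  # "bind ... ssl crt" path points at (certs, not cert).
  cd /usr/local/haproxy/certs
  # Everything created from here on contains or accompanies the private key:
  # make new files readable by the owner only.
  umask 077
  openssl genrsa -out haproxy.key 2048
  openssl req -new -x509 -key haproxy.key -out haproxy.crt -subj "/CN=www.magedu.net"
  # HAProxy's "crt" takes one PEM file holding both the key and the certificate.
  cat haproxy.key haproxy.crt > haproxy.pem
  # Inspect the certificate.
  openssl x509 -in haproxy.pem -noout -text
)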
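# HTTPS example
# web server http
frontend web_server-http
    bind 172.18.200.101:80
    mode http
    # ssl_fc is true only when the client connection uses TLS. It is always
    # false on this plain-HTTP bind, so every request is redirected to https.
    redirect scheme https if !{ ssl_fc }
    use_backend web_host

# web server https
frontend web_server-https
    # The PEM file holds the private key: keep it readable only by the account
    # that starts HAProxy.
    # NOTE(review): no minimum TLS version or cipher policy is set on this
    # bind line, so the build defaults apply - confirm they are acceptable.
    bind 172.18.200.101:443 ssl crt /usr/local/haproxy/certs/haproxy.pem
    mode http
    use_backend web_host

# Defined but not referenced by either frontend in this example.
backend default_host
    mode http
    server web1 192.168.7.101:8080 check inter 2000 fall 3 rise 5
    server web2 192.168.7.102:8080 check inter 2000 fall 3 rise 5

backend web_host
    mode http
    # Tell the application which port and scheme the client used.
    http-request set-header X-Forwarded-Port %[dst_port]
    # set-header replaces any X-Forwarded-Proto the client sent. add-header
    # would only append, leaving a client-supplied value in place for the
    # backend to read alongside the proxy's own.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server web1 192.168.7.101:8080 check inter 2000 fall 3 rise 5
    server web2 192.168.7.102:8080 check inter 2000 fall 3 rise 5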
6、HAProxy-服务器动态上下线
# Runtime API over the stats socket: query HAProxy and take a backend server
# out of / back into rotation without a reload.
yum install socat

# "disable server" / "enable server" are admin-level commands, so the socket
# has to be declared with admin level in haproxy.cfg. Anyone who can write to
# this socket can pull servers out of rotation; keep its mode and ownership
# restrictive.
haproxy_sock=/var/lib/haproxy/haproxy.sock

printf '%s\n' 'show info' | socat stdio "$haproxy_sock"

# The argument is <backend>/<server name>.
# NOTE(review): the web_host backend shown on this page names its servers
# web1/web2 - confirm that 192.168.7.101 is a server name in the running config.
printf '%s\n' 'get weight web_host/192.168.7.101' | socat stdio "$haproxy_sock"
printf '%s\n' 'disable server web_host/192.168.7.101' | socat stdio "$haproxy_sock"
printf '%s\n' 'enable server web_host/192.168.7.101' | socat stdio "$haproxy_sock"
7、HAProxy-实战案例
编写shell脚本,实现能传递多个后端服务器IP为脚本参数,并ssh到haproxy 服务器中动态将后端server逐个开启和关闭。