HAProxy ACLs, the HAProxy stats socket, an ACL-based dynamic/static separation example, and configuring HAProxy for HTTPS: an introduction
1. Related HAProxy posts
HAProxy balance scheduling algorithms explained (including hash-type)
HAProxy server parameters, stats parameters and cookie parameters explained (also rspadd / rspdel / option / mode / maxconn)
A simple HAProxy example and basic HAProxy log configuration
HAProxy compression, health checks and related parameters explained (compression, http-check, timeout, use_backend, block, http-request, tcp-request)
2. HAProxy ACLs
2.1 What ACLs are
The use of Access Control Lists (ACL) provides a flexible solution to perform content switching and generally to take decisions based on content extracted from the request, the response or any environmental status.
2.2 ACL syntax
## acl <aclname> <criterion> [flags] [operator] [<value>] ...
## aclname   # the ACL's name, case-sensitive when referenced. Any name is allowed, and several acl lines may declare the same name: they are then ORed together
## flags     # optional; the one used most often is "-i", case-insensitive matching
## operator  # optional, for integer criteria: "eq", "ge", "gt", "le", "lt" (=, >=, >, <=, <)
## criterion # the check to perform, i.e. the sample fetch; common layer-4 and layer-7 criteria are listed below
## value     # its type depends on the criterion
2.2.1 aclname
## <aclname>
## ACL names must be formed from upper and lower case letters, digits, '-' (dash),
## '_' (underscore), '.' (dot) and ':' (colon). ACL names are case-sensitive.
2.2.2 value types
## - boolean
## - integer or integer range
## - IP address / network
## - string (exact, substring, suffix, prefix, subdir, domain)
## - regular expression
## - hex block
2.2.3 flags
## -i : ignore case during matching of all subsequent patterns.
## -m : use a specific pattern matching method
## -n : forbid the DNS resolutions
## -u : force the unique id of the ACL
## -- : force end of flags. Useful when a string looks like one of the flags.
2.2.4 operator and matching method
## Integer matching: eq, ge, gt, le, lt, placed before the value (e.g. "dst_port ge 1024"); a "min:max" range also works without an operator
## String matching methods (selected with -m, or implied by a criterion suffix such as _beg, _end, _sub):
## - exact match (-m str) : the extracted string must exactly match the patterns ;
## - substring match (-m sub) : the patterns are looked up inside the extracted string, and the ACL matches if any of them is found inside ;
## - prefix match (-m beg) : the patterns are compared with the beginning of the extracted string, and the ACL matches if any of them matches.
## - suffix match (-m end) : the patterns are compared with the end of the extracted string, and the ACL matches if any of them matches.
## - subdir match (-m dir) : the patterns are looked up inside the extracted string, delimited with slashes ("/"), and the ACL matches if any of them matches.
## - domain match (-m dom) : the patterns are looked up inside the extracted string, delimited with dots ("."), and the ACL matches if any of them matches.
2.2.5 Combining ACLs in a condition
## - AND (implicit)
## - OR (explicit with the "or" keyword or the "||" operator)
## - Negation with the exclamation mark ("!")
## Examples ##
## if invalid_src invalid_port         # invalid_src AND invalid_port
## if invalid_src || invalid_port      # invalid_src OR invalid_port
## if ! invalid_src invalid_port       # (NOT invalid_src) AND invalid_port
## "!" negates only the single ACL that follows it, and AND binds tighter than OR, so "a b or c" reads as (a AND b) OR c.
2.2.6 criterion
## dst : ip
## dst_port : integer
## src : ip
## src_port : integer
## Example ##
## acl invalid_src src 172.16.200.2
## path : string
## This extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part), so the query string is never part of it; path parameters are kept:
## /path;<params>
## path : exact string match
## path_beg : prefix match
## path_dir : subdir match
## path_dom : domain match
## path_end : suffix match
## path_len : length match
## path_reg : regex match
## path_sub : substring match
## Examples ##
## path_beg /images/                 # 1 prefix
## path_end .jpg .jpeg .png .gif     # 2 suffix; the ACL is true if any of the patterns matches
## path_reg ^/images.*\.jpeg$        # 3 regex
## path_sub image                    # 4 substring anywhere in the path
## path_dir jpegs                    # 5 a complete component between two "/" (or between a "/" and the end)
## path_dom ilinux                   # 6 a complete component between two "." (or between a "." and the end)
## The path /images/jpegs/20180312/logo.jpg matches 1, 2, 4 and 5 above. It does not match 3 (the file ends in .jpg, not .jpeg) nor 6 ("ilinux" does not occur). ##
## HAProxy matches the path exactly as the client sent it, without percent-decoding or collapsing "../" (recent releases offer "http-request normalize-uri" for that), so a path_beg ACL that guards something like /admin is a routing aid and must not replace authorization on the backend. ##
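The matching semantics from 2.2.4 and the AND / or / "!" condition rules from 2.2.5 are easy to get wrong when reading a config, so here is a small model of both, applied to the six path_* ACLs above. This is an added example written for this page, not HAProxy's own matcher; the ACL names acl1 to acl6 are invented labels for those six lines, and the dir/dom matchers implement the documented delimiter rule for single patterns.

```python
import re
from typing import Callable, Dict, List

# Added illustration for this page (not HAProxy code): a model of the -m string
# matching methods and of how an "if" condition combines several ACLs.

def _delimited_match(value: str, pattern: str, delim: str) -> bool:
    """"dir" and "dom" matching: the pattern must occur in value with the
    delimiter (or the start/end of the string) on both sides of it."""
    start = 0
    while True:
        i = value.find(pattern, start)
        if i < 0:
            return False
        end = i + len(pattern)
        if (i == 0 or value[i - 1] == delim) and (end == len(value) or value[end] == delim):
            return True
        start = i + 1

MATCHERS: Dict[str, Callable[[str, str], bool]] = {
    "str": lambda v, p: v == p,                        # exact
    "sub": lambda v, p: p in v,                        # substring
    "beg": lambda v, p: v.startswith(p),               # prefix
    "end": lambda v, p: v.endswith(p),                 # suffix
    "dir": lambda v, p: _delimited_match(v, p, "/"),   # slash-delimited component
    "dom": lambda v, p: _delimited_match(v, p, "."),   # dot-delimited component
}

# path_* criteria from the page mapped to their implicit matching method.
PATH_CRITERIA = {"path": "str", "path_sub": "sub", "path_beg": "beg", "path_end": "end",
                 "path_dir": "dir", "path_dom": "dom", "path_reg": "reg"}

def acl_matches(criterion: str, patterns: List[str], path: str, ignore_case: bool = False) -> bool:
    """One 'acl <name> <criterion> [-i] <pattern>...' line: true if ANY pattern matches."""
    method = PATH_CRITERIA[criterion]
    for pattern in patterns:
        if method == "reg":
            if re.search(pattern, path, re.IGNORECASE if ignore_case else 0):
                return True
            continue
        value, pat = (path.lower(), pattern.lower()) if ignore_case else (path, pattern)
        if MATCHERS[method](value, pat):
            return True
    return False

# The six example ACLs from the page, numbered in the order they are listed (labels invented).
PAGE_ACLS = [
    ("acl1", "path_beg", ["/images/"]),
    ("acl2", "path_end", [".jpg", ".jpeg", ".png", ".gif"]),
    ("acl3", "path_reg", [r"^/images.*\.jpeg$"]),
    ("acl4", "path_sub", ["image"]),
    ("acl5", "path_dir", ["jpegs"]),
    ("acl6", "path_dom", ["ilinux"]),
]

def evaluate_page_acls(path: str) -> Dict[str, bool]:
    return {name: acl_matches(crit, pats, path) for name, crit, pats in PAGE_ACLS}

def evaluate_condition(condition: str, acls: Dict[str, bool]) -> bool:
    """Evaluate the text after "if" the way HAProxy does: whitespace-separated
    terms are ANDed, "or" / "||" separate OR groups (so "a b or c" is (a AND b) OR c),
    and "!" (attached or standing alone) negates only the ACL that follows it."""
    groups: List[List[str]] = [[]]
    for tok in condition.split():
        if tok in ("or", "||"):
            groups.append([])
        else:
            groups[-1].append(tok)
    for group in groups:
        group_ok, negate_next = True, False
        for tok in group:
            if tok == "!":
                negate_next = True
                continue
            value = acls[tok.lstrip("!")]
            if negate_next or tok.startswith("!"):
                value = not value
            negate_next = False
            group_ok = group_ok and value
        if group_ok:
            return True
    return False

if __name__ == "__main__":
    print(evaluate_page_acls("/images/jpegs/20180312/logo.jpg"))
    print(evaluate_condition("! invalid_src invalid_port", {"invalid_src": False, "invalid_port": True}))
```

The dom matcher is also the reason to prefer hdr_dom(host) over hdr_sub(host) when an ACL keys on the Host header: "example.com" is a dot-delimited component of www.example.com but not of notexample.com, whereas a substring match would accept both.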
## url : string
## This extracts the request's URL as presented in the request. A typical use is with prefetch-capable caches, and with portals which need to aggregate multiple information from databases and keep them in caches.
## url : exact string match
## url_beg : prefix match
## url_dir : subdir match
## url_dom : domain match
## url_end : suffix match
## url_len : length match
## url_reg : regex match
## url_sub : substring match
## req.hdr([<name>[,<occ>]]) : string
## This extracts the last occurrence of header <name> in an HTTP request.
## hdr([<name>[,<occ>]]) : exact string match
## hdr_beg([<name>[,<occ>]]) : prefix match
## hdr_dir([<name>[,<occ>]]) : subdir match
## hdr_dom([<name>[,<occ>]]) : domain match
## hdr_end([<name>[,<occ>]]) : suffix match
## hdr_len([<name>[,<occ>]]) : length match
## hdr_reg([<name>[,<occ>]]) : regex match
## hdr_sub([<name>[,<occ>]]) : substring match
## Example ##
## acl bad_curl hdr_sub(User-Agent) -i curl
## block if bad_curl
## "block" is deprecated in favour of "http-request deny if bad_curl" and has been dropped from current releases. The client chooses its own User-Agent, so this is a convenience filter, not a security boundary.
## status : integer
## Returns an integer containing the HTTP status code in the HTTP response; it is only available on the response side, e.g. in http-response rules.
2.3 Pre-defined ACLs
## ACL name        Equivalent to                   Usage
## FALSE           always_false                    never match
## HTTP            req_proto_http                  match if protocol is valid HTTP
## HTTP_1.0        req_ver 1.0                     match HTTP version 1.0
## HTTP_1.1        req_ver 1.1                     match HTTP version 1.1
## HTTP_CONTENT    hdr_val(content-length) gt 0    match an existing content-length
## HTTP_URL_ABS    url_reg ^[^/:]*://              match absolute URL with scheme
## HTTP_URL_SLASH  url_beg /                       match URL beginning with "/"
## HTTP_URL_STAR   url *                           match URL equal to "*"
## LOCALHOST       src 127.0.0.1/8                 match connection from local host
## METH_CONNECT    method CONNECT                  match HTTP CONNECT method
## METH_GET        method GET HEAD                 match HTTP GET or HEAD method
## METH_HEAD       method HEAD                     match HTTP HEAD method
## METH_OPTIONS    method OPTIONS                  match HTTP OPTIONS method
## METH_POST       method POST                     match HTTP POST method
## METH_TRACE      method TRACE                    match HTTP TRACE method
## RDP_COOKIE      req_rdp_cookie_cnt gt 0         match presence of an RDP cookie
## REQ_CONTENT     req_len gt 0                    match data in the request buffer
## TRUE            always_true                     always match
## WAIT_END        wait_end                        wait for end of content analysis
3. The HAProxy stats socket
The socket path is whatever the global section declares with "stats socket"; /usr/local/haproxy/stats is the path used on this page. Keep the file mode tight, because "level admin" lets anyone who can open the socket disable servers, change weights and so on:
## stats socket /usr/local/haproxy/stats mode 600 level admin
Talk to it with socat. "help" lists the commands; "show info", "show stat" and "show servers state" are the usual read-only ones, while "disable server <backend>/<server>", "enable server ..." and "set server <backend>/<server> state maint" need admin level:
## echo "help" | socat stdio /usr/local/haproxy/stats
## echo "show stat" | socat stdio /usr/local/haproxy/stats
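"show stat" over the socket returns CSV, which is what a monitoring job or an incident-response script actually consumes. The following is an added example for this page, not an HAProxy tool: SAMPLE_SHOW_STAT is a constructed, trimmed imitation of that CSV (the real output has many more columns; the parser reads the header line, so the subset does not matter), the backend and server names mirror the dynamic/static example later on the page, and the functions pick out servers that are not UP, count remaining healthy capacity per backend, and build the admin-socket commands that would formally mark the bad servers as maintenance.

```python
import csv
from typing import Dict, List, Tuple

# Constructed sample (not real HAProxy output) in the shape of `show stat`:
# the header starts with "# " and every line ends with a trailing comma.
SAMPLE_SHOW_STAT = """\
# pxname,svname,qcur,qmax,scur,smax,slim,stot,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,check_status,
web,FRONTEND,,,3,12,2000,1540,OPEN,,,,,,,,,
staticsrvs,stcsrv1,0,0,1,4,,410,UP,1,1,0,0,0,86400,0,L4OK,
staticsrvs,BACKEND,0,0,1,4,200,410,UP,1,1,0,,0,86400,0,,
appsrvs,app1,0,0,2,8,,700,UP,1,1,0,0,0,86400,0,L4OK,
appsrvs,app2,0,0,0,3,,430,DOWN,1,1,0,5,1,120,120,L4CON,
appsrvs,BACKEND,0,0,2,8,200,1130,UP,1,1,0,,0,86400,0,,
"""

def parse_show_stat(text: str) -> List[Dict[str, str]]:
    """Turn the 'show stat' CSV into one dict per row keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header_line = lines[0]
    if header_line.startswith("#"):
        header_line = header_line[1:].strip()
    header = header_line.rstrip(",").split(",")
    # zip() drops the empty field produced by the trailing comma on each row.
    return [dict(zip(header, fields)) for fields in csv.reader(lines[1:])]

def unhealthy_servers(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Real servers (the aggregate FRONTEND/BACKEND rows are skipped) whose status
    is not plain UP; transitional states such as 'UP 1/3' and MAINT count too."""
    return [(r["pxname"], r["svname"], r["status"], r["check_status"])
            for r in rows
            if r["svname"] not in ("FRONTEND", "BACKEND") and r["status"] != "UP"]

def healthy_counts(rows: List[Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Per backend: (servers UP, servers total). (0, n) is an outage; (1, n > 1)
    means the backend has lost its redundancy."""
    counts: Dict[str, List[int]] = {}
    for r in rows:
        if r["svname"] in ("FRONTEND", "BACKEND"):
            continue
        up, total = counts.setdefault(r["pxname"], [0, 0])
        counts[r["pxname"]] = [up + (r["status"] == "UP"), total + 1]
    return {name: (v[0], v[1]) for name, v in counts.items()}

def socket_commands_for(rows: List[Dict[str, str]]) -> List[str]:
    """Admin-socket commands that take each unhealthy server out of rotation
    explicitly; they need a socket declared with 'level admin'."""
    return [f"set server {px}/{sv} state maint" for px, sv, _, _ in unhealthy_servers(rows)]

if __name__ == "__main__":
    rows = parse_show_stat(SAMPLE_SHOW_STAT)
    print(unhealthy_servers(rows))
    print(healthy_counts(rows))
    print(socket_commands_for(rows))
```

To run it against a live proxy, replace SAMPLE_SHOW_STAT with the output of `echo "show stat" | socat stdio /usr/local/haproxy/stats`; the resulting "set server" lines can be piped back the same way, provided the socket was declared with "level admin".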
4. ACL-based dynamic/static separation example
frontend web
    bind *:80
    # Both acl lines share the name url_static, so they are ORed: a request is
    # static if its path starts with one of these prefixes OR ends in one of these extensions
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js .html .txt .htm
    use_backend staticsrvs if url_static
    default_backend appsrvs
backend staticsrvs
    balance roundrobin
    server stcsrv1 172.16.100.6:80 check
backend appsrvs
    balance roundrobin
    server app1 172.16.100.7:80 check
    server app2 172.16.100.7:8080 check
listen stats
    bind :9091
    stats enable
    stats auth admin:admin
    stats admin if TRUE
The original wrote the frontend as "frontend web *:80", the older form that folds the listen address into the frontend line; "bind" is the current equivalent. The second application server was also named app1; server names must be unique within a backend, so it is app2 here. "stats admin if TRUE" enables the admin controls (disable/enable servers, set weights) for every request that passes "stats auth", and that shared password travels in clear text to port 9091, so anyone who can reach the stats port can take backends out of service. Restrict it, for example "stats admin if LOCALHOST" or an src ACL for an admin network, and replace admin:admin.
5. Configuring HAProxy for HTTPS
1 Terminate TLS on a listener
## bind *:443 ssl crt /PATH/TO/SOME_PEM_FILE
The file after crt must be PEM and must contain the certificate (with any intermediate chain) together with the matching private key, so it is built by concatenation; because it now holds the key, make it readable only by the haproxy user:
## cat demo.crt demo.key > demo.pem
## chmod 600 demo.pem
2 Redirect port 80 requests to 443
## bind *:80
## redirect scheme https if !{ ssl_fc }
"ssl_fc" is true when the frontend connection itself was made over SSL/TLS, so the redirect only fires for plaintext requests (current releases spell this "http-request redirect scheme https unless { ssl_fc }"). An alternative that sends every non-TLS request to the homepage of the HTTPS host rather than to the same URL:
## redirect location https://172.16.0.67/ if !{ ssl_fc }
3 Passing the client's protocol and port to the backend
## http-request set-header X-Forwarded-Port %[dst_port]
## http-request set-header X-Forwarded-Proto https if { ssl_fc }
## http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
The directive is "http-request" (hyphen) and the header is X-Forwarded-Proto. Use set-header rather than add-header for these: add-header appends to whatever the client already sent, so a client could supply its own X-Forwarded-Proto and the backend would see two values; set-header overwrites it, so the backend only ever sees what HAProxy decided.