HAProxy is open-source software written in C that provides high availability, load balancing, and proxying for TCP (layer 4) and HTTP (layer 7) applications;
With HAProxy you can quickly and reliably deploy a proxy solution for TCP- and HTTP-based applications, with support for virtual hosts;
HAProxy implements an event-driven, single-process model that supports a very large number of connections;
HAProxy supports connection rejection: because the cost of maintaining a connection is low, it can throttle attack bots, a feature that has saved many small sites under DDoS attack;
HAProxy supports fully transparent proxying (a typical firewall feature): it can connect to backend servers using the client's IP address or any other address. This feature is only available on Linux 2.4/2.6 kernels patched with cttproxy. It also makes it possible to have a particular server handle part of the traffic without changing that server's address.
1 - route HTTP requests depending on statically assigned cookies
2 - spread load among several servers while assuring server persistence through the use of HTTP cookies
3 - switch to backup servers in the event a main server fails
4 - accept connections to special ports dedicated to service monitoring
5 - stop accepting connections without breaking existing ones
6 - add, modify, and delete HTTP headers in both directions
7 - block requests matching particular patterns
8 - report detailed status to authenticated users from a URI intercepted by the application
Main program: /usr/sbin/haproxy
Configuration file: /etc/haproxy/haproxy.cfg
Unit file: /usr/lib/systemd/system/haproxy.service
global: global configuration section
    process management and security parameters
    performance tuning parameters
    debug parameters
proxies: proxy configuration section
    defaults: provides default settings for frontend, listen and backend;
    frontend: the front end, equivalent to server {} in nginx
    backend: the back end, equivalent to upstream {} in nginx
    listen: has both a frontend and a backend
A simple configuration example:

    frontend web
        bind *:80
        default_backend websrvs

    backend websrvs
        balance roundrobin
        server srv1 172.16.100.6:80 check
        server srv2 172.16.100.7:80 check
Global configuration section
1 Process management and security
* 1.1 ca-base
* 1.2 chroot
* 1.3 crt-base
* 1.4 daemon: run as a daemon;
* 1.5 gid: group ID, should be set;
* 1.6 uid: user ID, should be set;
* 1.7 group
* 1.8 log: <address> [len <length>] <facility> [max level] [min level]
  * 1.8.0 the log directive may be used at most twice
  * 1.8.1 address: the address of the log collection server;
  * 1.8.2 length: at most 1024 bytes;
  * 1.8.3 facility: 24 in total: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, ftp, ntp, ...
  * 1.8.4 level: emerg, alert, crit, error, warning, notice, info, debug;
* 1.9 log-send-hostname
* 1.10 nbproc: at most the number of CPU cores; the official recommendation is to keep the default;
* 1.11 ulimit-n: how many files the current user may open; it is computed automatically, and the official recommendation is not to set it;
* 1.12 user
* 1.13 stats
* 1.14 ssl-server-verify
* 1.15 node
* 1.16 description
* 1.17 unix-bind
To use log, the local rsyslog service must be running; edit /etc/rsyslog.conf and add the following two lines:
$InputTCPServerRun 514
local2.* /var/log/haproxy.log
Performance tuning
System tuning
- max-spread-checks
- maxconn: maximum number of concurrent connections; usually needs to be adjusted;
- maxconnrate: maximum number of connections each process may create per second, i.e. the most connections accepted per second;
- maxcomprate
- maxcompcpuusage: maximum CPU usage
- maxpipes
- maxsessrate: maximum session rate; once it is reached no new requests are accepted;
- maxsslconn: maximum number of SSL connections per process;
- maxsslrate: SSL connection rate;
- noepoll
- nokqueue
- nopoll
- nosplice
- nogetaddrinfo
- spread-checks: <0..50 in percent>, spreads health checks out over time
- tune.bufsize
- tune.chksize
- tune.comp.maxlevel
- tune.http.cookielen
- tune.http.maxhdr
- tune.idletimer
- tune.maxaccept
- tune.maxpollevents
- tune.maxrewrite
- tune.pipesize
- tune.rcvbuf.client
- tune.rcvbuf.server
- tune.sndbuf.client
- tune.sndbuf.server
- tune.ssl.cachesize
- tune.ssl.lifetime
- tune.ssl.force-private-cache
- tune.ssl.maxrecord
- tune.ssl.default-dh-param
- tune.zlib.memlevel
- tune.zlib.windowsize
Debugging
- debug: debug mode
- quiet: quiet mode
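An added example, not from the original post, of a global and defaults section that combines the process/security, logging and rate-limit parameters listed above into one hardened baseline. The haproxy account, the /var/lib/haproxy chroot directory and the rsyslog listener on 127.0.0.1 are assumptions.

```haproxy
global
    # Drop privileges after the listening sockets are bound (uid/gid above)
    user haproxy
    group haproxy
    daemon
    # Confine the process to an empty directory so a compromise cannot reach the filesystem
    chroot /var/lib/haproxy
    # Ship logs to the local rsyslog (see the rsyslog lines above) on facility local2,
    # at most 1024 bytes per line, level info and above
    log 127.0.0.1 len 1024 local2 info
    # Hard caps that bound memory and CPU under a connection flood
    maxconn 20000
    maxconnrate 1000
    maxsslrate 200
    # Verify backend server certificates (the default, stated explicitly)
    ssl-server-verify required
    # Admin socket: owner-only permissions, created before chroot so the absolute path is fine
    stats socket /var/lib/haproxy/stats mode 600 level admin
    # Stagger health checks by up to 5% so they do not all fire at once
    spread-checks 5
    # Use a 2048-bit DH parameter for ephemeral DH key exchange
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    # Do not log connections that carried no data (monitoring probes)
    option dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a wrong chroot path or a missing account is reported at this step rather than at start-up.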
Proxy configuration section
Proxy configuration can be located in a set of sections:
defaults <name>
frontend <name>
backend <name>
listen <name>
A "defaults" section sets default parameters for all other sections following its declaration. Those default parameters are reset by the next "defaults" section. See below for the list of parameters which can be set in a "defaults" section. The name is optional but its use is encouraged for better readability.
A "frontend" section describes a set of listening sockets accepting client connections.
A "backend" section describes a set of servers to which the proxy will connect to forward incoming connections.
A "listen" section defines a complete proxy with its frontend and backend parts combined in one section. It is generally useful for TCP-only traffic.
All proxy names must be formed from upper and lower case letters, digits, '-' (dash), '_' (underscore), '.' (dot) and ':' (colon). ACL names are case-sensitive, which means that "www" and "WWW" are two different proxies.
bind
Bind an IP address and port
bind [<address>]:<port_range> [, ...] [param*]
bind /<path> [, ...] [param*]
Define one or several listening addresses and/or ports in a frontend.
May be used in sections: defaults no, frontend yes, listen yes, backend no
Example:

    listen http_proxy
        bind :80,:443
        bind 10.0.0.1:10080,10.0.0.1:10443
        bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy

    listen http_https_proxy
        bind :80
        bind :443 ssl crt /etc/haproxy/site.pem

    listen http_https_proxy_explicit
        bind ipv6@:80
        bind ipv4@public_ssl:443 ssl crt /etc/haproxy/site.pem
        bind unix@ssl-frontend.sock user root mode 600 accept-proxy

    listen external_bind_app1
        bind fd@${FD_APP1}
balance
Define the scheduling (load balancing) type
balance <algorithm> [ <arguments> ]
balance url_param <param> [check_post]
Define the load balancing algorithm to be used in a backend.
May be used in sections: defaults yes, frontend no, listen yes, backend yes
1 roundrobin: round robin;
2 static-rr: rotates through servers according to their weights, but statically; there is no limit on the number of servers, and weight changes are not applied smoothly;
3 leastconn: the server with the fewest connections is chosen first, with roundrobin used on ties; not suited to HTTP;
4 first: fill the first server's connection slots, then start using the second server, then the third once the second is full;
5 source: binds by source IP, equivalent to ip_hash in nginx and source IP hashing in LVS;
6 uri: hashes the URI so that the same URI is always sent to the same server; suited to cache servers; the hashing method depends on hash-type;
7 url_param: schedules by the given parameter; the parameter is hashed so that the same user's requests all go to the same server; the hashing method depends on hash-type;
8 hdr(name): looks up the HTTP header <name> in each request and schedules by the hash of its value; the hashing method depends on hash-type;
9 rdp-cookie(name): queries and hashes each incoming TCP request; this mechanism is used for degraded persistence; the hashing method depends on hash-type;
hash-type: hashing algorithm
hash-type <method> <function> <modifier>
Specify a method to use for mapping hashes to servers
May be used in sections: defaults yes, frontend no, listen yes, backend yes
<method>
    map-based: divide the hash by the number of servers and take the remainder; the hash data structure is a static array;
    consistent: consistent hashing; the hash data structure is a tree;
<function> is the hash function to be used: sdbm, djb2, wt6
<modifier> avalanche
default_backend
default_backend <backend>
Specify the backend to use when no "use_backend" rule has been matched.
May be used in sections: defaults yes, frontend yes, listen yes, backend no
Example:

    use_backend dynamic if url_dyn
    use_backend static if url_css url_img extension_img
    default_backend dynamic
server
server <name> <address>[:[port]] [param*]
Declare a server in a backend: defines a backend host and its options
May be used in sections: defaults no, frontend no, listen yes, backend yes
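An added example, not from the original post, that ties the proxy section together: a frontend that blocks requests matching a pattern and selects a backend, a cache backend using balance uri with hash-type consistent, an application backend with cookie persistence and a backup server, and a stats listener restricted to authenticated users. The 172.16.100.8/11/12 addresses, the /static paths and the admin credentials are constructed placeholders.

```haproxy
frontend web
    bind *:80
    bind *:443 ssl crt /etc/haproxy/site.pem
    # Classify requests: static assets go to the cache pool, everything else to the app pool
    acl url_static path_beg -i /static /images /css
    acl url_static path_end -i .jpg .png .gif .css .js
    # Deny requests for paths that should never be served (repository metadata)
    acl blocked path_beg -i /.git /.svn
    http-request deny if blocked
    use_backend static if url_static
    default_backend app

backend static
    # Hash the URI so each object is always fetched from the same cache node;
    # consistent hashing keeps most mappings stable when a node is added or removed
    balance uri
    hash-type consistent
    server cache1 172.16.100.11:80 check inter 3s rise 2 fall 3
    server cache2 172.16.100.12:80 check inter 3s rise 2 fall 3

backend app
    balance roundrobin
    # Server persistence via an inserted cookie named SRV
    cookie SRV insert indirect nocache
    server app1 172.16.100.6:80 check cookie a1 maxconn 500
    server app2 172.16.100.7:80 check cookie a2 maxconn 500
    # Only used when every non-backup server is down
    server app3 172.16.100.8:80 check backup

listen stats
    # Status page on loopback only, behind HTTP basic auth
    bind 127.0.0.1:9000
    mode http
    stats enable
    stats uri /haproxy?stats
    stats refresh 10s
    stats hide-version
    stats auth admin:CHANGE_ME
```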
This article is from the "guo_ruilin" blog; please keep this source: http://guoruilin198.blog.51cto.com/12567311/1905687