  • haproxy 2.0 dataplaneapi rest api 试用

    我们可以基于haproxy 提供的dataplaneapi 动态进行haproxy 配置的修改,增强haproxy的可编程能力,以下是一个简单
    的测试,基于docker-compose运行

    环境准备

    • docker-compose文件
    # Demo stack: Grafana, Prometheus, HAProxy (with the Data Plane API) and two
    # nginx backends. Every "HOST:CONTAINER" entry under `ports` is published on
    # all host interfaces; prefix it with 127.0.0.1: (e.g. "127.0.0.1:5555:5555")
    # when only local access is needed.
    version: "3"
    services:
        grafana:
         # no tag given, so this resolves to :latest; pin a version for repeatable runs
         image: grafana/grafana
         ports:
         - "3000:3000"
        prometheus:
         # untagged image as well (resolves to :latest)
         image: prom/prometheus
         volumes:
         - "./prometheus.yml:/etc/prometheus/prometheus.yml"
         ports:
         - "9090:9090"
        haproxy:
         # `image` together with `build` makes compose build from ./ and tag the
         # result with this name
         image: dalongrong/haproxy-dataplaneapi:2.0.5
         build: ./
         volumes:
         # mounted read-write: the Data Plane API is started with --config-file
         # pointing at this path, so committed transactions rewrite the host file
         - "./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
         ports:
         # 5555 = Data Plane API (basic auth over plain HTTP), 8404 = stats page and
         # /metrics, 8080 = fe_main, 10080 = the bind created through the API later on
         # this page. 80, 9000-9002 and 1000-1005 have no matching `bind` in the
         # haproxy.cfg shown -- presumably reserved for binds added at runtime.
         # 5555 and 8404 are management endpoints; avoid publishing them beyond
         # localhost or a management network.
         - "80:80"
         - "5555:5555"
         - "8404:8404"
         - "8080:8080"
         - "9000:9000"
         - "9001:9001"
         - "9002:9002"
         - "1000-1005:1000-1005"
         - "10080:10080"
        nginx1:
         image: nginx
         # HAProxy reaches this container as nginx1:80 over the compose network, so
         # the published port is only a direct path that bypasses the proxy
         ports:
         - "8090:80"
        nginx2:
         image: nginx
         # same as nginx1: the published port bypasses HAProxy
         ports:
         - "8091:80"
     
    • haproxy 配置
    #
    # This is the ultimate HAProxy 2.0 "Getting Started" config
    # It demonstrates many of the features which are now available
    # While you may not need all of these things, this can serve
    # as a reference for your own configurations.
    #
    # Have questions? Check out our community Slack:
    # https://slack.haproxy.org/
    #
    # Process-wide settings: master-worker mode, privileges, logging and the
    # runtime (stats) socket.
    global
        # master-worker required for `program` section
        # enable here or start with -Ws
        master-worker
        mworker-max-reloads 3
        # enable core dumps
        # NOTE(review): a core dump captures process memory, which can include key
        # material and request data; keep this for debugging setups only.
        set-dumpable
        # HAProxy keeps running as root here instead of switching to an
        # unprivileged account. NOTE(review): presumably a shortcut for the
        # container demo; use a dedicated user/group outside of it.
        user root
        group root
        log stdout local0
        # Runtime API socket with `level admin` (full control of the running
        # process); `mode 600` limits it to the socket owner.
        stats socket /run/haproxy.sock mode 600 level admin
        stats timeout 2m
    # Settings inherited by the proxies declared after this section: HTTP mode,
    # logging via the `global` log target, and 5s client/server/connect timeouts.
    defaults
        mode http
        log global
        timeout client 5s
        timeout server 5s
        timeout connect 5s
        option redispatch
        option httplog
    # Resolver group named `dns`; fe_main refers to it in
    # `do-resolve(txn.dstip,dns)`.
    resolvers dns
        # take the nameservers from the container's /etc/resolv.conf
        parse-resolv-conf
        resolve_retries 3
        timeout resolve 1s
        timeout retry 1s
        # how long the last answer of each kind is kept before it is discarded
        hold other 30s
        hold refused 30s
        hold nx 30s
        hold timeout 30s
        hold valid 10s
        hold obsolete 30s
    # Runs the Data Plane API as a child of the HAProxy master process.
    program dataplane-api
        # --host 0.0.0.0 --port 5555: listens on every interface of the container.
        # --userlist api: credentials come from the `userlist api` section.
        # --config-file / --reload-cmd: the API rewrites this haproxy.cfg and then
        # signals PID 1 with SIGUSR2 to reload.
        # NOTE(review): no TLS option is passed and the curl examples on this page
        # use http://, so the basic-auth credentials travel unencrypted; keep the
        # port on localhost or a management network.
        command /usr/local/sbin/dataplaneapi --host 0.0.0.0 --port 5555 --haproxy-bin /usr/local/sbin/haproxy --config-file /usr/local/etc/haproxy/haproxy.cfg --reload-cmd "kill -SIGUSR2 1" --reload-delay 5 --userlist api
        no option start-on-reload
    # Credentials accepted by the Data Plane API (passed to it as --userlist api).
    userlist api 
       # user admin password $5$aVnIFECJ$2QYP64eTTXZ1grSjwwdoQxK/AP8kcOflEO1Q5fc.5aA
        # `insecure-password` stores the secret in clear text in haproxy.cfg; the
        # commented line above is the hashed form (`password` with a crypt-style
        # hash). This account can rewrite the whole proxy configuration, so use
        # the hashed form and a non-guessable secret outside a local test.
        user admin insecure-password dalong
    # Monitoring frontend: HAProxy stats page on /stats and the Prometheus
    # exporter on /metrics, both on port 8404.
    # NOTE(review): nothing in this section requires authentication (no
    # `stats auth`, no ACL on the source address) and the compose file publishes
    # 8404, so anyone who can reach the port sees backend names and addresses.
    frontend stats
        bind *:8404
        # Enable Prometheus Exporter
        http-request use-service prometheus-exporter if { path /metrics }
        stats enable
        stats uri /stats
        stats refresh 10s
    # Main HTTP frontend on port 8080: sampled logging, request routing by path
    # and Host header, and a rate-limit rule.
    frontend fe_main
        bind *:8080
        # Enable log sampling
        # One out of 10 requests would be logged to this source
        log 127.0.0.1:10001 sample 1:10 local0
        # For every 11 requests, log requests 2, 3, and 8-11
        log 127.0.0.1:10002 sample 2-3,8-11:11 local0
        # Log profiling data
        log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r cpu_calls:%[cpu_calls] cpu_ns_tot:%[cpu_ns_tot] cpu_ns_avg:%[cpu_ns_avg] lat_ns_tot:%[lat_ns_tot] lat_ns_avg:%[lat_ns_avg]"
        # gRPC path matching
        acl is_grpc_codename path /CodenameCreator/KeepGettingCodenames 
        # Dynamic 'do-resolve' trusted hosts
        # This allow-list is what bounds the Host-driven DNS lookup further down:
        # only these three names are ever resolved.
        acl dynamic_hosts req.hdr(Host) api.local admin.local haproxy.com
        # Activate Traffic Mirror
        # NOTE(review): no directive follows this comment in the listing, so the
        # spoe-traffic-mirror backend is not referenced from this frontend.
        # Redirect if not SSL
        # http-request redirect scheme https unless { ssl_fc }
        # Enable src tracking
        # http-request track-sc0 src table mypeers/src_tracking
        # Enable rate limiting
        # Return 429 Too Many Requests if client averages more than
        # 10 requests in 10 seconds.
        # (duration defined in stick table in peers section)
        # NOTE(review): the track-sc0 rule above is commented out and no peers
        # section or stick table appears in this listing, so nothing feeds
        # sc_http_req_rate(0); as written this deny presumably never matches.
        # Re-enable the tracking rule and define the table to get rate limiting.
        http-request deny deny_status 429 if { sc_http_req_rate(0) gt 10 }
        # Enable local resolving of Host if within dynamic_hosts ACL
        # Allows connecting to dynamic IP address specified in Host header
        # Useful for DNS split view or split horizon
        # The Host header is client-controlled; the result is stored in txn.dstip
        # and later used as the connection destination in be_dynamic.
        http-request do-resolve(txn.dstip,dns) hdr(Host),lower if dynamic_hosts
        http-request capture var(txn.dstip) len 40 if dynamic_hosts
        # return 503 when dynamic_hosts matches but the variable 
        # txn.dstip is not set which mean DNS resolution error
        # otherwise route to be_dynamic
        use_backend be_503 if dynamic_hosts !{ var(txn.dstip) -m found }
        use_backend be_dynamic if dynamic_hosts
        # route to gRPC path
        use_backend be_grpc if is_grpc_codename 
        default_backend be_main
    # Default backend: the two nginx containers from the compose file, balanced
    # with random(2) and health-checked every 3 seconds.
    backend be_main
        # Enable Power of Two Random Choices Algorithm
        balance random(2)
        # Enable Layer 7 retries
        retry-on all-retryable-errors
        retries 3 
        # retrying POST requests can be dangerous
        # make sure you understand the implications before removing
        http-request disable-l7-retry if METH_POST
        server server1 nginx1:80 check inter 3s
        server server2 nginx2:80 check inter 3s
    # gRPC backend: HTTP/2 over TLS (alpn h2) to two fixed addresses that are not
    # part of the compose file shown on this page.
    backend be_grpc
        # `ssl verify none` encrypts the connection but does not check the server
        # certificate, so the peer is not authenticated. Outside a demo use
        # `verify required ca-file <CA_BUNDLE_PATH>` (placeholder path).
        default-server ssl verify none alpn h2 check maxconn 50
        server grpc1 10.1.0.11:3000 
        server grpc2 10.1.0.12:3000 
    # Backend whose destination is the address resolved from the Host header in
    # fe_main (txn.dstip) rather than a fixed server.
    backend be_dynamic
        # TLS without certificate verification: the destination is not authenticated.
        default-server ssl verify none check maxconn 50
        # rule to prevent HAProxy from reconnecting to services
        # on the local network (forged DNS name used to scan the network)
        # NOTE(review): only 127.0.0.0/8 and 10.0.0.0/8 are rejected. Other
        # non-public ranges (172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, and
        # IPv6 loopback/unique-local if AAAA answers are possible) still pass;
        # extend the list to match the networks this proxy can reach.
        http-request deny if { var(txn.dstip) -m ip 127.0.0.0/8 10.0.0.0/8 }
        http-request set-dst var(txn.dstip)
        # placeholder address; the real destination comes from set-dst above
        server dynamic 0.0.0.0:0
    # TCP backend listing two agent addresses on port 12345 for traffic
    # mirroring. NOTE(review): no `filter spoe` line in the listing points at this
    # backend, so it appears unused as shown.
    backend spoe-traffic-mirror
        mode tcp
        balance roundrobin
        timeout connect 5s
        timeout server 1m
        server spoa1 127.0.0.1:12345
        server spoa2 10.1.0.20:12345
    # Backend without servers; fe_main routes here when the Host lookup yields
    # no address, so the client receives a 503.
    backend be_503
        # dummy backend used to return 503.
        # You can use the 'errorfile' directive to send a nice
        # 503 error page to end users.
        # NOTE(review): this path is not among the compose volumes; presumably
        # the file ships in the image -- confirm it exists.
        errorfile 503 /usr/local/etc/haproxy/errors/503.http
     
     
     
    • 启动
    # start every service from the compose file in the background (-d = detached)
    docker-compose up -d
    • 效果

    动态添加代理配置

    dataplaneapi 有一个事务的概念,我们可以基于此模型进行动态haproxy 的操作,以下是一个简单的演示

    • 创建代理的流程
      首先创建backend
      添加server到backend
      创建frontend
      添加bind 到frontend
    • 一个简单的操作
      初始化事务:
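    # Open a transaction against configuration version 1. The "id" in the reply
    # is the transaction_id used by the calls that follow.
    # --user sends basic auth over plain HTTP and leaves the password in shell
    # history and the process list; keep this to localhost test setups.
    # Line continuations restored and the URL quoted so the shell does not
    # interpret the "?".
    curl -X POST --user admin:dalong \
      -H "Content-Type: application/json" \
      "http://localhost:5555/v1/services/haproxy/transactions?version=1"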

    效果:

    {"_version":1,"id":"1f9630d9-665d-43f8-8ad9-f15652fbfbbe","status":"in_progress"}

    查询事务:

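    # List the transactions known to the Data Plane API.
    # Line continuations restored so this runs as a single command.
    curl -X GET --user admin:dalong \
      -H "Content-Type: application/json" \
      "http://localhost:5555/v1/services/haproxy/transactions"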

    效果:

    [{"_version":1,"id":"1f9630d9-665d-43f8-8ad9-f15652fbfbbe","status":"in_progress"}]

    创建backend 服务:

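    # Add backend "test_backend" (HTTP mode, roundrobin, HEAD / health check) to
    # the open transaction; nothing is applied until the transaction is committed.
    # Line continuations restored so this runs as a single command.
    curl -X POST --user admin:dalong \
      -H "Content-Type: application/json" \
      -d '{"name": "test_backend", "mode":"http", "balance": {"algorithm":"roundrobin"}, "httpchk": {"method": "HEAD", "uri": "/", "version": "HTTP/1.1"}}' \
      "http://localhost:5555/v1/services/haproxy/configuration/backends?transaction_id=1f9630d9-665d-43f8-8ad9-f15652fbfbbe"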

    效果:

    {"balance":{"algorithm":"roundrobin","arguments":null},"httpchk":{"method":"HEAD","uri":"/","version":"HTTP/1.1"},"mode":"http","name":"test_backend"}

    添加server 到backend 服务:

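    # Add server1 (192.168.0.104:8888, health check enabled) to test_backend
    # inside the same transaction. The URL stays quoted because it contains "&".
    # Line continuations restored so this runs as a single command.
    curl -X POST --user admin:dalong \
      -H "Content-Type: application/json" \
      -d '{"name": "server1", "address": "192.168.0.104", "port":8888, "check": "enabled", "maxconn": 30, "weight": 100}' \
      "http://localhost:5555/v1/services/haproxy/configuration/servers?backend=test_backend&transaction_id=1f9630d9-665d-43f8-8ad9-f15652fbfbbe"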

    效果:

    {"address":"192.168.0.104","check":"enabled","maxconn":30,"name":"server1","port":8888,"weight":100}

    创建frontend 服务:

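    # Add frontend "test_frontend" with test_backend as its default backend,
    # inside the same transaction.
    # Line continuations restored so this runs as a single command.
    curl -X POST --user admin:dalong \
      -H "Content-Type: application/json" \
      -d '{"name": "test_frontend", "mode": "http", "default_backend": "test_backend", "maxconn": 2000}' \
      "http://localhost:5555/v1/services/haproxy/configuration/frontends?transaction_id=1f9630d9-665d-43f8-8ad9-f15652fbfbbe"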

    效果:

    {"default_backend":"test_backend","maxconn":2000,"mode":"http","name":"test_frontend"}

    创建bind 服务:

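    # Add a bind on *:10080 to test_frontend. "*" listens on every interface of
    # the container, and the compose file publishes 10080 on the host.
    # Line continuations restored so this runs as a single command.
    curl -X POST --user admin:dalong \
      -H "Content-Type: application/json" \
      -d '{"name": "http", "address": "*", "port": 10080}' \
      "http://localhost:5555/v1/services/haproxy/configuration/binds?frontend=test_frontend&transaction_id=1f9630d9-665d-43f8-8ad9-f15652fbfbbe"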

    效果:

    {"address":"*","name":"http","port":10080}

    应用变更:

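    # Commit the transaction: the queued changes are written to haproxy.cfg and
    # HAProxy is reloaded through the configured --reload-cmd.
    # Line continuations restored so this runs as a single command.
    curl -X PUT --user admin:dalong \
      -H "Content-Type: application/json" \
      "http://localhost:5555/v1/services/haproxy/transactions/1f9630d9-665d-43f8-8ad9-f15652fbfbbe"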

    效果:

    {"_version":1,"id":"1f9630d9-665d-43f8-8ad9-f15652fbfbbe","status":"success"}
    • 修改的haproxy 配置文件

    实际上我们应用变更之后,会生成新的配置文件
    内容如下:

    • 启动demo backend 服务
     
    # Development web server on port 8888; this is the server1 target
    # (192.168.0.104:8888) registered in test_backend above.
    # NOTE(review): presumably listens on all interfaces by default -- confirm,
    # and stop it once the test is done.
    live-server  --port=8888
    • 效果

    live-server 服务:


    haproxy 代理服务:


    haproxy 监控服务:


    prometheus metrics服务:

    说明

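    以上是一个简单的操作,官方文档提供了比较全的说明,很值得看看,同时基于dataplaneapi 我们可以方便地扩展haproxy。需要注意的是,本示例的配置仅适合本地测试:其中使用了明文的 insecure-password,dataplaneapi 监听在 0.0.0.0 且走明文 HTTP,haproxy 以 root 运行,stats 页面也没有认证;用于其他环境前应改用加密口令,并把 5555、8404 等管理端口限制在本机或管理网络内。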

    参考资料

    https://www.haproxy.com/documentation/hapee/1-9r1/configuration/dataplaneapi/
    https://www.haproxy.com/documentation/dataplaneapi/latest/
    https://github.com/rongfengliang/haproxy2.0-prometheus

  • 原文地址:https://www.cnblogs.com/rongfengliang/p/11443005.html