  • haproxy 安装

    说明

    HAProxy的核心功能

    • 负载均衡:L4和L7两种模式,支持RR/静态RR/LC/IP Hash/URI Hash/URL_PARAM Hash/HTTP_HEADER Hash等丰富的负载均衡算法
    • 健康检查:支持TCP和HTTP两种健康检查模式
    • 会话保持:对于未实现会话共享的应用集群,可通过Insert Cookie/Rewrite Cookie/Prefix Cookie,以及上述的多种Hash方式实现会话保持
    • SSL:HAProxy可以解析HTTPS协议,并能够将请求解密为HTTP后向后端传输
    • HTTP请求重写与重定向
    • 监控与统计:HAProxy提供了基于Web的统计信息页面,展现健康状态和流量数据。基于此功能,使用者可以开发监控程序来监控HAProxy的状态

    下图是HAProxy的架构:
    haproxy

    安装配置

    根据操作系统下载并安装对应的版本(下载后建议先核对安装包的校验值并确认来源可信;1.5.10 属于较旧的 1.5 分支,新部署建议选用仍在维护的版本)

    RHEL 6安装包下载
    haproxy-1.5.10.tar.gz:点此下载

    RHEL 7安装包下载
    haproxy-1.5.10_rhel7.zip:点此下载

    RHEL 6安装配置

    假设安装在/home/eim/目录下
    tar -zxvf haproxy-1.5.10.tar.gz
    配置系统启动服务
    vim /etc/init.d/haproxy

    将启动脚本中的 config 和 exec 改为实际的安装路径,例如:

        config="/home/eim/haproxy-1.5.10/haproxy.cfg"
        exec="/home/eim/haproxy-1.5.10/sbin/haproxy"
    #!/bin/bash
    #
    # haproxy
    #
    # chkconfig: 35 85 15
    # description: HAProxy is a free, very fast and reliable solution 
    # offering high availability, load balancing, and 
    # proxying for TCP and HTTP-based applications
    # processname: haproxy
    # config: /etc/haproxy.cfg
    # pidfile: /var/run/haproxy.pid
    
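    # Source function library. daemon, killproc and status are not defined in
    # this script and are expected to come from it.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    # NOTE(review): init scripts run as root and both paths below sit under a
    # user's home directory. The binary, the config file and every directory
    # above them should be owned by root and not writable by other accounts;
    # otherwise whoever can replace them gets code run as root at boot.
    config="/home/eim/haproxy/haproxy.cfg"
    exec="/home/eim/haproxy/sbin/haproxy"
    # Program name is the last path component of $exec (no basename fork, and
    # safe if the path ever contains spaces).
    prog=${exec##*/}

    # Optional local overrides. This file is sourced as root, so it needs the
    # same ownership and permissions as the script itself.
    [ -e "/etc/sysconfig/$prog" ] && . "/etc/sysconfig/$prog"

    lockfile=/var/lock/subsys/haproxy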
    
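    # Validate the configuration file without starting the proxy
    # (-c: check only, -V: verbose output).
    # Globals:  exec (read), config (read)
    # Returns:  exit status of the haproxy check run
    check() {
        # Quoted so that a path containing spaces stays a single argument.
        "$exec" -c -V -f "$config"
    }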
    
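    # Validate the configuration, then launch haproxy as a daemon.
    # Globals:  exec, config, prog, lockfile (read)
    # Outputs:  progress line on stdout
    # Returns:  1 if the configuration check fails, otherwise the status
    #           returned by daemon
    start() {
        local retval

        # Never start on a configuration that haproxy itself rejects.
        if ! "$exec" -c -q -f "$config"; then
            # The case statement at the bottom of the script names this
            # action "checkconfig"; there is no "check" action.
            echo "Errors in configuration file, check with $0 checkconfig."
            return 1
        fi

        echo -n $"Starting $prog: "
        # -D: daemonize, -p: write the worker PIDs to the pidfile.
        daemon "$exec" -D -f "$config" -p "/var/run/$prog.pid"
        retval=$?
        echo
        # The lock file is what condrestart/try-restart test for.
        [ "$retval" -eq 0 ] && touch -- "$lockfile"
        return "$retval"
    }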
    
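    # Stop the running haproxy processes and clear the subsys lock.
    # Globals:  prog, lockfile (read)
    # Outputs:  progress line on stdout
    # Returns:  the status returned by killproc
    stop() {
        local retval

        echo -n $"Stopping $prog: "
        # killproc is given only the program name here, not the pidfile.
        killproc "$prog"
        retval=$?
        echo
        # Quoted so a lock path containing spaces is removed as one file.
        [ "$retval" -eq 0 ] && rm -f -- "$lockfile"
        return "$retval"
    }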
    
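    # Stop and start haproxy, but only if the configuration validates.
    # Globals:  exec, config, prog (read)
    # Returns:  1 if the configuration check fails, otherwise the status of
    #           start
    restart() {
        # Checking first means a broken config never takes down a proxy that
        # is currently serving traffic.
        if ! "$exec" -c -q -f "$config"; then
            # The case statement at the bottom of the script names this
            # action "checkconfig"; there is no "check" action.
            echo "Errors in configuration file, check with $0 checkconfig."
            return 1
        fi
        stop
        start
    }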
    
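    # Reload the configuration: start new haproxy processes and ask the old
    # ones (listed in the pidfile) to finish their connections and exit (-sf).
    # Globals:  exec, config, prog (read)
    # Outputs:  progress line on stdout
    # Returns:  1 if the configuration check fails, 7 if no running instance
    #           is recorded in the pidfile, otherwise haproxy's exit status
    reload() {
        local pidfile="/var/run/$prog.pid"
        local pids=''
        local retval

        if ! "$exec" -c -q -f "$config"; then
            # The case statement at the bottom of the script names this
            # action "checkconfig"; there is no "check" action.
            echo "Errors in configuration file, check with $0 checkconfig."
            return 1
        fi

        # Without a PID list, -sf would be passed with no argument and a
        # second instance would be launched instead of a reload.
        [ -r "$pidfile" ] && pids=$(cat -- "$pidfile")
        if [ -z "$pids" ]; then
            echo "$prog does not appear to be running ($pidfile missing or empty); use start."
            return 7
        fi

        echo -n $"Reloading $prog: "
        # $pids is deliberately unquoted: the pidfile can hold several PIDs
        # and -sf needs each one as a separate argument.
        # shellcheck disable=SC2086
        "$exec" -D -f "$config" -p "$pidfile" -sf $pids
        retval=$?
        echo
        return "$retval"
    }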
    
    # force-reload action: this script implements it as a full restart and
    # hands back whatever status restart produced.
    force_reload() {
        restart
        return $?
    }
    
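    # Report whether haproxy is running by delegating to the status helper
    # (not defined in this script; expected from the sourced function library).
    # Globals:  prog (read)
    # Returns:  the status returned by the helper
    fdr_status() {
        # Quoted so the program name is always passed as one argument.
        status "$prog"
    }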
    
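    # Dispatch on the action given as the first argument.
    case "$1" in
        start|stop|restart|reload)
            # The pattern above is a fixed allowlist, so "$1" can only name
            # one of these four functions when it is run as a command here.
            "$1"
            ;;
        force-reload)
            force_reload
            ;;
        checkconfig)
            check
            ;;
        status)
            fdr_status
            ;;
        condrestart|try-restart)
            # Restart only when the lock file shows the service was started.
            [ ! -f "$lockfile" ] || restart
            ;;
        *)
            echo $"Usage: $0 {start|stop|status|checkconfig|restart|try-restart|reload|force-reload}"
            exit 2
            ;;
    esac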

    配置开机自启动

    # Make the init script executable.
    # NOTE(review): it runs as root at boot, so it should be owned by root and
    # not writable by any other account.
    chmod +x /etc/init.d/haproxy
    # Register the script with chkconfig.
    chkconfig --add haproxy
    # Enable the service in runlevels 2-5; the script's own "# chkconfig: 35"
    # header only names runlevels 3 and 5.
    chkconfig --level 2345 haproxy on

    启动、停止、重新加载

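    service haproxy start
    service haproxy stop
    # After editing the haproxy configuration file, reload it with:
    service haproxy reload

    # Start directly from the command line (config path fixed: the original
    # line pointed at /date/ instead of /data/).
    /data/haproxy-1.5.10/sbin/haproxy -D -f /data/haproxy-1.5.10/haproxy.cfg -p /var/run/haproxy.pid
    # Manual reload from the command line: -sf takes the PIDs of the haproxy
    # processes that are already running, read here from the pidfile.
    /data/haproxy-1.5.10/sbin/haproxy -D -f /data/haproxy-1.5.10/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)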
    RHEL 7安装配置

    假设安装在/data/目录下
    unzip haproxy-1.5.10_rhel7.zip

    配置为系统服务,并开机自动启动。如果修改了安装目录,需要同时修改启动脚本haproxy.service的路径

    # Install the unit file shipped in the downloaded archive.
    # NOTE(review): systemd will run whatever this unit's ExecStart names, so
    # read the file and check its paths before copying it into place.
    cp haproxy-1.5.10_rhel7/haproxy.service  /etc/systemd/system
    # Make systemd pick up the new unit.
    systemctl daemon-reload
    # Start haproxy automatically at boot.
    systemctl enable haproxy

    启动、停止、重新加载

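    systemctl start haproxy
    systemctl status haproxy
    systemctl reload haproxy
    systemctl stop haproxy

    # Start directly from the command line
    /data/haproxy-1.5.10_rhel7/sbin/haproxy -D -f /data/haproxy-1.5.10_rhel7/haproxy.cfg -p /var/run/haproxy.pid
    # Manual reload from the command line: -sf takes the PIDs of the haproxy
    # processes that are already running, read here from the pidfile.
    /data/haproxy-1.5.10_rhel7/sbin/haproxy -D -f /data/haproxy-1.5.10_rhel7/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)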
    代理配置

    cd /home/data/haproxy-1.5.10
    vim haproxy.cfg

    global

        # Send logs to the syslog daemon on localhost: facility local0 for
        # everything, local1 for notice and above.
        log 127.0.0.1    local0
        log 127.0.0.1    local1 notice
        # log loghost    local0 info
        maxconn 65535
        # Run several worker processes
        nbproc 4
        # Change the path below to the install directory.
        # NOTE(review): this jail is the install tree itself, which on this page
        # also holds haproxy.cfg and the ssl/ directory with the certificate.
        # HAProxy's documentation asks for a chroot directory that is empty and
        # not writable by anyone; a dedicated empty directory is the safer choice.
        chroot /home/data/haproxy-1.5.10
        pidfile /var/run/haproxy.pid
        # NOTE(review): only SSLv3 is disabled, so TLS 1.0 and 1.1 remain
        # negotiable (no-tlsv10 / no-tlsv11 exist for this directive). The cipher
        # list below also keeps CBC/SHA-1 suites and the plain-RSA entries
        # (AES128-GCM-SHA256 ... AES), which give no forward secrecy. Tighten
        # both if the client population allows it.
        ssl-default-bind-options no-sslv3
        ssl-default-bind-ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
        tune.ssl.default-dh-param 2048
        # Run the workers as uid/gid 99 instead of root (presumably the
        # "nobody" account on RHEL; confirm on the target host).
        uid 99
        gid 99
        daemon
    
    
        ##代理tcp端口,并且有多台服务器处理该端口请求
    # TCP proxy on port 5888 of every local address, spread over two servers.
    listen imserver 0.0.0.0:5888
            mode tcp
            # Send each new connection to the server with the fewest connections.
            balance leastconn
            # NOTE(review): inspect-delay only has an effect together with
            # "tcp-request content" rules, and this section defines none.
            tcp-request inspect-delay 5s
            # Health-check each server every 10 seconds.
            server imserver01 10.10.110.101:5222 check inter 10s
            server imserver02 10.10.110.102:5222 check inter 10s
    
        # 代理redis集群master节点
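    # Forward to whichever Redis node currently reports itself as master.
    # NOTE(review): this listens on every local address and the AUTH step of
    # the health check is commented out. If the Redis nodes have no password,
    # anything that can reach port 36379 gets unauthenticated access to the
    # master; bind to an internal address or firewall the port, and enable
    # the AUTH lines once a password is set.
    listen redis 0.0.0.0:36379
            mode tcp
            option tcp-check
            balance roundrobin
            # Each "send" must end with \r\n and escape embedded spaces; the
            # page's rendering had dropped these escapes and left blank lines
            # in their place.
            tcp-check send PING\r\n
            tcp-check expect string +PONG
    #       tcp-check send AUTH\ <your-passphrase>\r\n
    #       tcp-check expect string +OK
            # Only a node answering role:master passes the check.
            tcp-check send info\ replication\r\n
            tcp-check expect string role:master
            tcp-check send QUIT\r\n
            tcp-check expect string +OK
            server redis-1 10.10.15.111:6379 check inter 10s
            server redis-2 10.10.15.112:6379 check inter 10s
            server redis-3 10.10.15.113:6379 check inter 10s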
    
    
        ##代理http端口
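    frontend http_in
            ## Plain-HTTP listeners; several ports can be bound
            bind *:6555
            bind *:80
            ## HTTPS listener (the original page refers to separate instructions
            ## for generating the certificate file).
            ## NOTE(review): a PEM passed to crt also holds the private key, so
            ## the file should be readable by root only.
            bind *:443 ssl crt /home/data/haproxy-1.5.10/ssl/eim.pem
            ## Rewrite http:// Location headers in responses to https://.
            ## \1 re-inserts the captured path; the page's rendering had dropped
            ## the backslash and left a literal "1".
            http-response replace-value Location  ^http://10.10.110.53/(.*)$ https://10.10.110.53/\1
            http-response replace-value Location  ^http://weixin.bjhuarun.com/(.*)$ https://weixin.bjhuarun.com/\1
            #redirect scheme https if !{ ssl_fc }

            ## Restrict HTTP request methods
            acl invalid_method method HEAD OPTIONS TRACE SEARCH COPY MOVE PROPFIND PROPPATCH MKCOL LOCK UNLOCK PUT DELETE
            http-request deny if invalid_method

            ## Restrict who may reach some URL prefixes: private ranges plus the
            ## company's public ranges ( 121.15.129.225/27 116.31.88.83/29 )
            ## NOTE(review): path_beg compares the path as received and is
            ## case-sensitive here, so keep access control on these admin paths
            ## in the applications as well rather than relying on this prefix
            ## match alone.
            acl login_beg path_beg /login /dubbo-admin /config-toolkit /manager /console
            acl login_redirect_beg path_beg /login/redirect
            acl internal_src src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 121.15.129.225/27 116.31.88.83/29
            block if !internal_src login_beg !login_redirect_beg

            ## Host header allowlist (the author's stated aim is to stop
            ## Host-header attacks). hdr_reg does an unanchored regex search in
            ## which "." matches any character, so the patterns are anchored and
            ## escaped; otherwise any host that merely contains an allowed name
            ## would pass. An optional :port is accepted because the frontend
            ## listens on several ports.
            acl white_host hdr_reg(host) -i ^weixin\.bjhuarun\.com(:[0-9]+)?$ ^10\.10\.110\.101(:[0-9]+)?$
            block if !white_host

            ## Requests starting with /fs/ go to the fs-server backend
            acl fs-server path_beg -i /fs/
            use_backend fs-server if fs-server
            ## Requests starting with /api/fs/, /cloudfs or /upgrade/api/fs go
            ## to the cloudfs-server backend
            acl cloudfs-server path_beg -i /api/fs/ /cloudfs /upgrade/api/fs
            use_backend cloudfs-server if cloudfs-server
            ## Everything that matched none of the rules above goes here
            default_backend cas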
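    backend cloudfs-server
      mode http
      # forwardfor appends the client address to X-Forwarded-For; a value the
      # client already sent is kept, so the backend should trust only the last
      # entry.
      option forwardfor
      # Rewrite the request line so that /api/fs/... and /upgrade/api/fs/...
      # both reach /cloudfs/api/fs/... on the server. The page's rendering had
      # fused the two rules onto one line and dropped the backslashes
      # (escaped spaces and the \1 / \2 back-references).
      reqrep ^([^\ :]*)\ /api/fs/(.*)     \1\ /cloudfs/api/fs/\2
      reqrep ^([^\ :]*)\ /upgrade/api/fs/(.*)     \1\ /cloudfs/api/fs/\2
      server wget 10.10.110.102:8081 check inter 10s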

    # Backend for requests whose path starts with /fs/ (see the frontend ACL).
    backend fs-server
      mode http
      # forwardfor appends the client address to X-Forwarded-For; a value the
      # client already sent is kept, so the backend should trust only the last
      # entry.
      option forwardfor
      # Single server, health-checked every 10 seconds.
      server wget 10.10.110.102:8081 check inter 10s
    ##当有多个后台服务器处理同一个请求时,则按照如下配置
    # Default backend: two servers handling the same requests.
    backend cas
    mode http
    # forwardfor appends the client address to X-Forwarded-For; a value the
    # client already sent is kept, so the backend should trust only the last
    # entry.
    option forwardfor
    # Pick the server from a hash of the client source address, so one client
    # keeps reaching the same server.
    balance source
    # Layer-7 health check; the author notes it must be used when there are
    # several backend servers.
    option httpchk GET /
    server cas01 10.10.110.101:8080 check inter 10s
    server cas02 10.10.110.102:8080 check inter 10s
    # 代理后端为HTTPS 应用
    # Backend that talks HTTPS to the upstream application.
    # NOTE(review): no use_backend or default_backend rule in the frontend
    # shown on this page selects this backend.
    backend bjhuarun-server
    mode http
    option forwardfor
    # NOTE(review): "verify none" encrypts the connection but does not check
    # the server certificate, so whoever answers on that address is accepted.
    # Prefer "verify required ca-file <path-to-ca-bundle>" (placeholder path)
    # whenever traffic leaves a trusted network.
    server bjhuarun www.bjhuarun.com:443 check ssl verify none inter 10s
     
  • 原文地址:https://www.cnblogs.com/xiaofeng666/p/12452406.html