I. Using TCP proxy mode
Lab scenario:
Remote proxy access to backend MariaDB database servers.
Role           | Address
HAProxy        | 192.168.147.131
MariaDB server | 192.168.147.132
MariaDB server | 192.168.147.133
1. Configure the MariaDB servers
mariadb-server 192.168.147.132
MariaDB [(none)]> create database haproxydb;
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> grant all on haproxydb.* to 'haproxy'@'%' identified by '123456';
Query OK, 0 rows affected (0.03 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mariadb-server 192.168.147.133
MariaDB [(none)]> create database haproxydb;
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> grant all on haproxydb.* to 'haproxy'@'%' identified by '123456';
Query OK, 0 rows affected (0.03 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
2. Configure HAProxy
listen mysql
bind :3307
mode tcp
balance leastconn
#option mysql-check user haproxy
server MySQL1 192.168.147.132:3306
server MySQL2 192.168.147.133:3306
3. Restart the haproxy service
[root@centos7 ~]# systemctl restart haproxy
[root@centos7 ~]# ss -ntl | grep 3307
LISTEN 0 128 *:3307 *:*
4. Client access
[root@centos7 ~]# mysql -uhaproxy -p123456 -P 3307 -h192.168.147.131
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 5.5.60-MariaDB-wsrep MariaDB Server, wsrep_25.23.r9949137
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| haproxydb |
| test |
+--------------------+
3 rows in set (0.04 sec)
MariaDB [(none)]> select user();
+-------------------------+
| user() |
+-------------------------+
| haproxy@192.168.147.131 |
+-------------------------+
1 row in set (0.00 sec)
Lab scenario:
Remote proxy access to backend SSH servers.
Role    | Address
HAProxy | 192.168.239.130
SSH     | 192.168.239.128
SSH     | 192.168.239.132
HAProxy configuration
listen ssh-server
bind :22022
balance leastconn
mode tcp
server sshsrv1 192.168.239.132:22 check
server sshsrv2 192.168.239.128:22 check
Connection test
[root@centos7 ~]# ssh -p 22022 192.168.239.130
root@192.168.239.130's password:
Last login: Tue May 5 19:12:33 2020 from 192.168.239.1
[root@centos7 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.239.132 netmask 255.255.255.0 broadcast 192.168.239.255
inet6 fe80::20c:29ff:febf:a863 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:bf:a8:63 txqueuelen 1000 (Ethernet)
RX packets 43456 bytes 3005415 (2.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 29168 bytes 2289902 (2.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
II. Enabling the statistics status page
1. Edit the HAProxy configuration file
listen status
bind :9527
#mode http
stats enable ## enable the status page
stats realm HAProxy\ Stats\ Page ## login prompt (realm) shown for the status page
stats auth admin:admin ## user and password for logging in to the status page
stats hide-version ## hide the HAProxy version
stats admin if TRUE ## enable the management functions on the stats page
2. Enter the login username and password
3. Manage hosts
For example, put the web1 server into maintenance mode.
III. Setting a cookie for session stickiness
Session stickiness: requests from the same client (address) are always sent to the same server.
frontend eshop *:80
#acl src
default_backend websrvs
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend websrvs
balance roundrobin
cookie WEBSRV insert nocache indirect ## when a request is assigned to the first server the WEBSRV cookie value is srv1; when it is assigned to the second server the value is srv2
server web1 192.168.239.132:80 check cookie srv1
server web2 192.168.239.128:80 check cookie srv2
Client test: this request reached host web1, and the cookie is
Cookie WEBSRV=srv1
Test from another client: this request reached host web2, and the cookie is
Cookie WEBSRV=srv2
IV. Other configuration options
1. option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Adds an "X-Forwarded-For" header to the requests haproxy forwards to the backend hosts, with the front-end client's address as its value; this is how the real client IP is passed to the backend hosts.
[ except <network> ]: do not add this header when the request comes from the specified network;
[ header <name> ]: use a custom header name instead of "X-Forwarded-For";
This option is already set in the defaults section.
The log format on the backend HTTP servers must also be changed.
[root@centos7 ~]# vim /etc/httpd/conf/httpd.conf
<IfModule log_config_module>
#LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
Initiate access from a remote client
[root@centos7 ~]# for i in {1..20};do curl http://192.168.147.131;done
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
<h1>Backend Server 132<h1>
<h1>Backend Server 133<h1>
Monitor the backend logs: the remote client's address is now recorded.
[root@centos7 ~]# tail -f /var/log/httpd/access_log
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
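option forwardfor appends the client address to any X-Forwarded-For header the client already sent, so a client can place arbitrary addresses in front of the list; only the last address, the one HAProxy added, should be trusted. The following added example (not from the original post) parses access_log lines in the format configured above and counts requests per real client, using constructed sample lines, one of which carries a client-supplied X-Forwarded-For value.

```shell
#!/bin/sh
# Constructed sample access_log lines in the "combined" format from the page,
# with %h replaced by %{X-Forwarded-For}i. The third line simulates a client
# that sent its own X-Forwarded-For header: HAProxy appends the real address,
# so the client-supplied value appears first and the real client address last.
SAMPLE_LOG='192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.134 - - [05/May/2020:15:42:28 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
10.0.0.1, 192.168.147.140 - - [05/May/2020:15:42:29 +0800] "GET / HTTP/1.1" 200 27 "-" "curl/7.29.0"
192.168.147.140 - - [05/May/2020:15:42:30 +0800] "GET /admin HTTP/1.1" 403 27 "-" "curl/7.29.0"'

# Read log lines from stdin and print "<count> <client>" per real client.
# The real client is the last address before " - - [": earlier entries in the
# X-Forwarded-For list were supplied by the client and cannot be trusted.
real_client_counts() {
    awk '{
        split($0, parts, / - - \[/)     # parts[1] holds the X-Forwarded-For list
        n = split(parts[1], addrs, /, */) # addrs[n] is the address HAProxy added
        counts[addrs[n]]++
    } END { for (a in counts) print counts[a], a }' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_LOG" | real_client_counts
```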
2. Custom error pages
errorfile <code> <file>
<code>: the HTTP status code. Currently HAProxy can generate codes 200, 400, 403, 408, 500, 502, 503 and 504.
<file>: a file containing a complete HTTP response.
Example:
errorfile 400 /etc/haproxy/errorfiles/400badreq.http
errorfile 408 /dev/null # workaround Chrome pre-connect bug
errorfile 403 /etc/haproxy/errorfiles/403forbid.http
errorfile 503 /etc/haproxy/errorfiles/503sorry.http
errorloc <code> <url>
errorloc302 <code> <url>
Example:
errorloc 403 http://www.magedu.com/error_pages/403.html
Edit the configuration file
frontend eshop
bind :80
mode http
default_backend websrvs
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend websrvs
balance roundrobin
errorfile 503 /etc/haproxy/errorfiles/503sorry.html ## 503 is a server-side error
server web1 192.168.147.132:80 check
server web2 192.168.147.133:80 check
Define the error page
[root@centos7 errorfiles]# vim /etc/haproxy/errorfiles/503sorry.html
<h1>sorry ,backendserver is down</h1>
Simulate a backend server failure, then test access from a client.
[root@centos7 ~]# systemctl stop httpd
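As stated above, the file given to errorfile must hold a complete HTTP response, and 503sorry.html as written contains only an HTML fragment. The following added example (not part of the original post) generates an errorfile with a status line and headers and checks whether a given file meets that requirement; the file names and temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Write a complete HTTP response, as the errorfile directive expects, to <file>:
# status line, a few headers, a blank line, then the HTML body.
# Usage: make_errorfile <code> <reason-phrase> <file> <html-body>
make_errorfile() {
    printf 'HTTP/1.0 %s %s\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n%s\r\n' \
        "$1" "$2" "$4" > "$3"
}

# Return 0 if <file> looks like a complete HTTP response (a status line and the
# blank line that ends the headers), 1 if it is a bare HTML fragment.
check_errorfile() {
    head -n 1 "$1" | tr -d '\r' | grep -Eq '^HTTP/1\.[01] [0-9]{3} ' || return 1
    tr -d '\r' < "$1" | grep -q '^$' || return 1
    return 0
}

# Demonstration with constructed files in a temporary directory
demo() {
    dir=$(mktemp -d)
    make_errorfile 503 'Service Unavailable' "$dir/503sorry.http" '<h1>sorry, backend server is down</h1>'
    check_errorfile "$dir/503sorry.http" && echo "503sorry.http: complete HTTP response"
    printf '<h1>sorry, backend server is down</h1>\n' > "$dir/fragment.html"
    check_errorfile "$dir/fragment.html" || echo "fragment.html: not a complete HTTP response"
    rm -rf "$dir"
}

demo
```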
You can also define an error URL instead: when a 503 error occurs, redirect to http://www.baidu.com/
frontend eshop
bind :80
mode http
default_backend websrvs
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend websrvs
balance roundrobin
# errorfile 503 /etc/haproxy/errorfiles/503sorry.html
errorloc 503 http://www.baidu.com/
server web1 192.168.147.132:80 check
server web2 192.168.147.133:80 check
Simulate a backend server failure, then test access from a client.
[root@centos7 ~]# systemctl stop httpd
3. Adding custom headers to requests and responses.
reqadd <string> [{if | unless} <cond>]
Appends a header to the HTTP request
rspadd <string> [{if | unless} <cond>]
Appends a header to the HTTP response
Example:
rspadd X-Via:\ HAProxy
reqdel <search> [{if | unless} <cond>]
reqidel <search> [{if | unless} <cond>] (ignore case)
Deletes all headers in the HTTP request that match the regular expression
rspdel <search> [{if | unless} <cond>]
rspidel <search> [{if | unless} <cond>] (ignore case)
Deletes all headers in the HTTP response that match the regular expression
Example:
rspidel Server.* ## remove the Server header from the HTTP response
Add a header X-via with the value HAproxy to the response.
frontend eshop *:80
#acl src
#reqadd X-proto:\ http
default_backend websrvs
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend websrvs
balance roundrobin
rspadd X-via:\ HAproxy
cookie WEBSRV insert nocache indirect
server web1 192.168.239.132:80 check cookie srv1
server web2 192.168.239.128:80 check cookie srv2
The response headers now carry the X-via: HAproxy header.
Delete a response header, for example the Server header of the HTTP response:
backend websrvs
balance roundrobin
#acl is_http dst_port 80
#reqadd X-proto:\ http if is_http
rspadd X-via:\ HAproxy
rspidel .*server.* ## add this line
#cookie WEBSRV insert nocache indirect
server web1 192.168.239.132:80 check #cookie srv1
server web2 192.168.239.128:80 check
4. Enabling compression for specified MIME types
compression algo <algorithm> ...: enables HTTP compression and names the algorithms, gzip or deflate;
compression type <mime type> ...: names the MIME types to compress; text types are the usual candidates for compression;
Example:
compression type text/html
compression algo gzip
frontend eshop *:80
#acl src
#reqadd X-proto:\ http
default_backend websrvs
compression type text/html
compression algo gzip
5. HTTP health checks for backend servers
option httpchk
option httpchk <uri>
option httpchk <method> <uri>
option httpchk <method> <uri> <version>
Defines a layer-7 health check based on HTTP;
http-check expect [!] <match> <pattern>
The HTTP health check can be required to match response content given by a pattern or a specific status code.
backend websrvs
balance roundrobin
# errorfile 503 /etc/haproxy/errorfiles/503sorry.html
errorloc 503 http://www.baidu.com/
option httpchk GET /index.html
server web1 192.168.147.132:80 check
server web2 192.168.147.133:80 check
The HTTP health check can also be required to match specific response content or a status code; only when the specified content or status code matches is the check considered successful.
backend websrvs
balance roundrobin
# errorfile 503 /etc/haproxy/errorfiles/503sorry.html
errorloc 503 http://www.baidu.com/
option httpchk GET /index.html
http-check expect rstring .*Backend.* ## the check on the given URL succeeds only if the response contains the string Backend
server web1 192.168.147.132:80 check
server web2 192.168.147.133:80 check
6. Blocking layer-7 requests
block { if | unless } <condition>
Example:
acl invalid_src src 172.16.200.2
block if invalid_src
errorfile 403 /etc/fstab
frontend eshop
bind :80
mode http
acl invalid_src src 192.168.147.1
block if invalid_src
errorfile 403 /etc/haproxy/errorfiles/503sorry.html
default_backend websrvs