
lvs

# Director-side kernel settings for LVS direct routing (DR).
# IPVS in DR mode delivers to the real servers by rewriting the destination
# MAC, so ordinary IP forwarding can stay off.
net.ipv4.ip_forward = 0
# NOTE(review): most LVS-DR guides set send_redirects to 0 on the director so
# it never emits ICMP redirects pointing clients at the real servers; confirm
# that 1 is intended here.
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1

# Director: bring the VIP up as a /32 alias on eth0 and pin a host route to it.
ifconfig eth0:3 17.139.148.246 broadcast 17.139.148.246 netmask 255.255.255.255 up
route add -host 17.139.148.246 dev eth0:3

# Three alternative IPVS rule sets for the same VIP; apply only one of them.
# Each starts with "ipvsadm -C", which flushes the ENTIRE IPVS table, including
# any unrelated virtual services that may already be configured.
#   -A -t VIP:port -s rr     add a TCP virtual service scheduled round-robin
#   -a -t VIP:port -r RS -g  add a real server in gatewaying (direct routing) mode
#   -w 1                     real-server weight
# Variant 1: service port given by name ("http").
ipvsadm -C
ipvsadm -A -t 17.139.148.246:http -s rr
ipvsadm -a -t 17.139.148.246:http -r 17.139.165.210 -g -w 1
ipvsadm -a -t 17.139.148.246:http -r 17.139.144.218 -g -w 1

# Variant 2: same real servers, port given numerically.
ipvsadm -C
ipvsadm -A -t 17.139.148.246:80 -s rr
ipvsadm -a -t 17.139.148.246:80 -r 17.139.165.210 -g -w 1
ipvsadm -a -t 17.139.148.246:80 -r 17.139.144.218 -g -w 1

# Variant 3: real servers on the VIP's own subnet (.244 / .245).
ipvsadm -C
ipvsadm -A -t 17.139.148.246:80 -s rr
ipvsadm -a -t 17.139.148.246:80 -r 17.139.148.244 -g -w 1
ipvsadm -a -t 17.139.148.246:80 -r 17.139.148.245 -g -w 1


# Real-server kernel settings for LVS-DR. The VIP is configured on lo, so the
# real server must neither answer ARP for it nor use it as an ARP sender
# address; otherwise it would compete with the director for the VIP.
net.ipv4.ip_forward = 0
# arp_ignore=1: answer ARP requests only for addresses configured on the
# interface the request arrived on (the VIP on lo is therefore never answered).
net.ipv4.conf.lo.arp_ignore = 1
# arp_announce=2: use the best local address for the target as ARP sender
# address instead of the packet's source, so the VIP is never advertised.
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

# Real server: hold the VIP on a loopback alias (/32) so packets addressed to it
# are accepted locally without the address being announced on the LAN.
ifconfig lo:0 17.139.148.246 broadcast 17.139.148.246 netmask 255.255.255.255 up
route add -host 17.139.148.246 dev lo:0


# Check whether IPVS is compiled into the running kernel: a match for
# ip_vs_init means built-in; no match means it is a loadable module or absent.
grep ip_vs_init /boot/System.map


------------------------------------

iptunnel

LB
# Director for LVS IP tunneling (TUN): the VIP sits on the IPIP device tunl0 and
# real servers are added with -i (ipip encapsulation), which lets them live on
# other networks, as the 6.x / 11.x addresses below do.
# IPIP provides no encryption or authentication; if these tunnels cross
# untrusted networks the traffic needs protecting by other means.
# NOTE(review): the netmask here is /24 whereas the DR setup above uses /32 for
# the VIP alias; confirm which is intended.
ifconfig tunl0 17.139.148.246 broadcast 17.139.148.246 netmask 255.255.255.0 up
route add -host 17.139.148.246 dev tunl0
ipvsadm -C                                           # flushes the whole IPVS table
ipvsadm -A -t 17.139.148.246:80 -s rr                # TCP service on :80, round-robin
ipvsadm -a -t 17.139.148.246:80 -r 17.139.165.210 -i # real servers in tunnel mode, default weight
ipvsadm -a -t 17.139.148.246:80 -r 17.139.144.218 -i
ipvsadm -a -t 17.139.148.246:80 -r 6.198.139.186 -i
ipvsadm -a -t 17.139.148.246:80 -r 6.229.125.146 -i
ipvsadm -a -t 17.139.148.246:80 -r 11.34.173.210 -i
ipvsadm -a -t 17.139.148.246:80 -r 11.34.169.10 -i

RS
# Real server (LVS-TUN): terminate the IPIP tunnel on tunl0 with the VIP so the
# decapsulated packets are accepted locally.
ifconfig tunl0 17.139.148.246 broadcast 17.139.148.246 netmask 255.255.255.0 up
route add -host 17.139.148.246 dev tunl0

# Real server (LVS-TUN): same ARP suppression as in the DR setup, so the VIP
# held locally is never answered for or advertised.
# arp_ignore=1: reply only to ARP requests for addresses on the receiving interface.
net.ipv4.conf.lo.arp_ignore = 1
# arp_announce=2: never use the VIP as ARP sender address.
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

 

http://lansgg.blog.51cto.com/5675165/1229421

haproxy配置文件详解

# Reload command: start a new haproxy on this config; once it has bound its
# ports, -st terminates the old processes listed in the pid file (-sf would
# instead let them finish their in-flight sessions first).
#/usr/local/sbin/haproxy -f /etc/haproxy/haproxy.cfg -st `cat /var/run/haproxy.pid`
       #################### Global configuration ########################
       ####### Process-level parameters, usually tied to the OS #########
global
       maxconn 20480                   # default maximum concurrent connections per process
       log 127.0.0.1 local3            # syslog target and facility; optional level: [err warning info debug]
       chroot /var/haproxy             # directory to chroot() into (must be empty and not writable by other users)
       uid 99                          # run as this user id after start-up
       gid 99                          # run as this group id
       daemon                          # run haproxy in the background
       nbproc 1                        # number of processes (more may raise throughput but complicates debugging)
       pidfile /var/run/haproxy.pid    # pid file; the user starting haproxy must be able to write it
       ulimit-n 65535                  # per-process file-descriptor limit
 
 
       ##################### Default settings ######################
       ## Inherited by every frontend, backend and listen section that follows ##
defaults
       log global                      # inherit the syslog target from the global section
       mode http                       # processing mode: http = layer 7, tcp = layer 4
       maxconn 20480                   # maximum concurrent connections per frontend
       option httplog                  # log in the HTTP log format
       option httpclose                # close the connection after each request/response
       option dontlognull              # do not log connections that carried no data (e.g. health probes)
       option forwardfor               # add X-Forwarded-For so backends can read the client IP; backends should trust only this proxy's copy of the header
       option redispatch               # if the server chosen by the persistence cookie is down, redispatch to another healthy server
       option abortonclose             # under load, drop queued requests whose client has already closed
       stats refresh 30                # stats page refresh interval
       retries 3                       # connection attempts before a server is considered unavailable; may be overridden per section
       balance roundrobin              # default balancing algorithm: round-robin
      #balance source                  # alternative: hash on client IP (comparable to nginx ip_hash)
      #balance leastconn               # alternative: fewest active connections
       contimeout 5000                 # connect timeout in ms; deprecated spelling of "timeout connect"
       clitimeout 50000                # client inactivity timeout in ms; deprecated spelling of "timeout client"
       srvtimeout 50000                # server inactivity timeout in ms; deprecated spelling of "timeout server"
       timeout check 2000              # health-check timeout in ms
 
       #################### Statistics / monitoring page ####################
listen admin_status                    # combined frontend+backend; the name is arbitrary
        bind 0.0.0.0:65532             # listens on every interface. NOTE(review): bind to a management address or firewall this port
        mode http                      # layer-7 HTTP mode
        log 127.0.0.1 local3 err       # log only errors for this section
        stats refresh 5s               # auto-refresh the stats page every 5 s
        stats uri /admin?stats         # URL of the stats page
        stats realm itnihao\ itnihao   # HTTP basic-auth realm shown in the login prompt (escaped space keeps both words)
        stats auth admin:admin         # basic-auth user; plaintext in the config, several users may be listed. NOTE(review): username-as-password credential, replace before deployment
        stats auth admin1:admin1       # second stats user (same weakness as above)
        stats hide-version             # do not reveal the HAProxy version on the page
        stats admin if TRUE            # every authenticated user may enable/disable backend servers from the page (haproxy >= 1.4.9)
 
 
       # Custom error pages returned by haproxy itself for these status codes.
       errorfile 403 /etc/haproxy/errorfiles/403.http
       errorfile 500 /etc/haproxy/errorfiles/500.http
       errorfile 502 /etc/haproxy/errorfiles/502.http
       errorfile 503 /etc/haproxy/errorfiles/503.http
       errorfile 504 /etc/haproxy/errorfiles/504.http
 
       ################# Request/response headers captured into the log #################
       capture request  header Host           len 40
       capture request  header Content-Length len 10
       capture request  header Referer        len 200
       capture response header Server         len 40
       capture response header Content-Length len 10
       capture response header Cache-Control  len 8
    
       ####################### Site health-check listener #######################
       ########### Exposes the state of the backends managed by this haproxy ############
listen site_status
       bind 0.0.0.0:1081                    # listening port (all interfaces)
       mode http                            # layer-7 HTTP mode
       log 127.0.0.1 local3 err             # log level, one of [err warning info debug]
       monitor-uri /site_status             # health URL: 200 while healthy, 503 when a "monitor fail" rule matches
       acl site_dead nbsrv(server_web) lt 2 # "dead" when fewer than 2 servers of the backend are up; same-named ACLs are OR-ed
       acl site_dead nbsrv(server_blog) lt 2
       acl site_dead nbsrv(server_bbs)  lt 2 
       monitor fail if site_dead            # answer 503 when site_dead matches (some docs say 500; 503 was observed)
       monitor-net 192.168.16.2/32          # requests from these hosts are treated as monitor probes: answered directly, not logged, not forwarded
       monitor-net 192.168.16.3/32
 
       ######## frontend configuration ############
       ##### Note: a frontend may define several ACLs and match on them ########
frontend http_80_in
       bind 0.0.0.0:80      # listening port, i.e. the port haproxy serves web traffic on (comparable to an LVS VIP port)
       mode http            # layer-7 HTTP mode
       log global           # use the global log configuration
       option httplog       # enable HTTP-format logging
       option httpclose     # close the connection after each request; this haproxy version does not support keep-alive
       option forwardfor    # add X-Forwarded-For so backends can read the client IP from the HTTP header
       ######## ACL definitions #############
       acl itnihao_web hdr_reg(host) -i ^(www.itnihao.cn|ww1.itnihao.cn)$   
       # true when the Host header matches either domain in the regex; -i ignores case.
       # NOTE(review): the dots are unescaped and match any character; use "\." for a literal dot.
       acl itnihao_blog hdr_dom(host) -i blog.itnihao.cn
       # true when the Host header's domain is blog.itnihao.cn (hdr_dom matches whole labels); -i ignores case
       #acl itnihao    hdr(host) -i itnihao.cn
       # true when the Host header equals itnihao.cn; -i ignores case
       #acl file_req url_sub -i  killall=
       # true when the request URL contains "killall=", otherwise false
       #acl dir_req url_dir -i allow
       # true when "allow" appears as a path component of the request URL, otherwise false
       #acl missing_cl hdr_cnt(Content-length) eq 0
       # true when the request carries no Content-length header
 
       ######## Actions taken on ACL matches #############
       #block if missing_cl
       # reject requests without a Content-length header with a 403
       #block if !file_req || dir_req
       # "block" rejects the request with 403; here: when file_req does not match, or dir_req matches
       use_backend  server_web  if itnihao_web
       # route to backend server_web when itnihao_web matches
       use_backend  server_blog if itnihao_blog
       # route to backend server_blog when itnihao_blog matches
       #redirect prefix http://blog.itniaho.cn code 301 if itnihao
       # 301-redirect requests matching itnihao to the given prefix (the host in this example is spelled "itniaho")
       default_backend server_bbs
       # backend used when none of the rules above match
 
 
 
 
       ########## backend settings ##############
       # Three server groups follow: server_web, server_blog, server_bbs
########################### backend server_web #############################
backend server_web
       mode http            # layer-7 HTTP mode
       balance roundrobin   # round-robin balancing
       cookie SERVERID      # persistence cookie named SERVERID; each server's value is set with "cookie" below
       option httpchk GET /index.html # HTTP health-check request
       server web1 192.168.16.2:80 cookie web1 check inter 1500 rise 3 fall 3 weight 1 
       # cookie web1: SERVERID value for this server; check inter 1500: probe every 1500 ms;
       # rise 3: up after 3 successful probes; fall 3: down after 3 failed probes; weight: relative share
       server web2 192.168.16.3:80 cookie web2 check inter 1500 rise 3 fall 3 weight 2
       # cookie web2: SERVERID value for this server; probe every 1500 ms; up after 3 successes,
       # down after 3 failures; weight 2 gives it twice the share of web1
 
################################### backend server_blog ###############################################
backend server_blog
       mode http            # layer-7 HTTP mode
       balance roundrobin   # round-robin balancing
       cookie SERVERID      # persistence cookie named SERVERID; each server's value is set with "cookie" below
       option httpchk GET /index.html # HTTP health-check request
       server blog1 192.168.16.2:80 cookie blog1 check inter 1500 rise 3 fall 3 weight 1 
       # cookie blog1: SERVERID value; probe every 1500 ms; up after 3 successes, down after 3 failures; weight 1
       server blog2 192.168.16.3:80 cookie blog2 check inter 1500 rise 3 fall 3 weight 2
       # cookie blog2: SERVERID value; probe every 1500 ms; up after 3 successes, down after 3 failures; weight 2
 
################################### backend server_bbs ###############################################
 
backend server_bbs
       mode http            # layer-7 HTTP mode
       balance roundrobin   # round-robin balancing
       cookie SERVERID      # persistence cookie named SERVERID; each server's value is set with "cookie" below
       option httpchk GET /index.html # HTTP health-check request
       server bbs1 192.168.16.2:80 cookie bbs1 check inter 1500 rise 3 fall 3 weight 1 
       # cookie bbs1: SERVERID value; probe every 1500 ms; up after 3 successes, down after 3 failures; weight 1
       server bbs2 192.168.16.3:80 cookie bbs2 check inter 1500 rise 3 fall 3 weight 2
       # cookie bbs2: SERVERID value; probe every 1500 ms; up after 3 successes, down after 3 failures; weight 2

haproxy.cfg

global
        log    127.0.0.1   local0          # process start/stop messages go to local UDP syslog, facility local0
        ulimit-n 131091                    # per-process file-descriptor limit
        maxconn 65536                      # maximum concurrent connections per process
        #chroot /usr/local/haproxy         # NOTE(review): chroot is commented out, so the process runs without a filesystem jail
        uid 99                             # drop to this uid after start-up
        gid 99                             # drop to this gid after start-up
        #stats socket /usr/local/haproxy/HaproxSocket level admin
        #stats           socket /var/run/socket level admin
        # ^ admin-level stats socket is disabled; if enabled, restrict it with uid/gid/mode
        daemon                             # run in the background
        nbproc 8                           # eight worker processes; each keeps its own stats counters
        pidfile /var/run/haproxy.pid       # pid file location
        #debug                             # debug mode (foreground, dumps traffic); never for production
defaults
        log    127.0.0.1    local3         # traffic logs for the proxies go to syslog facility local3
        mode   http                        # layer-7 HTTP mode
        option httplog                     # HTTP log format
        #option httplog clf                # alternative: CLF-style HTTP log
        option httpclose                   # close the connection after each request/response
        option dontlognull                 # do not log connections that carried no data (health probes)
        #option forwardfor                 # disabled: backends will not receive the client IP via X-Forwarded-For
        option redispatch                  # redispatch to another server if the designated one is down
        option abortonclose                # drop queued requests whose client has already closed
        retries 3                          # connection attempts before a server is considered failed
        maxconn 65536                      # maximum concurrent connections per frontend
        #balance source                    # alternative: hash on client IP
        balance roundrobin                 # default balancing algorithm
        #stats   uri     /haproxy-stats    # stats are served by the dedicated stats_auth listener instead
        #stats   refresh 10s
        contimeout      30s                # connect timeout; deprecated spelling of "timeout connect"
        clitimeout      60s                # client inactivity timeout; deprecated spelling of "timeout client"
        srvtimeout      60s                # server inactivity timeout; deprecated spelling of "timeout server"
listen  Cluster 0.0.0.0:80                 # old-style "listen <name> <addr:port>" form; serves on every interface
        mode http
        balance roundrobin
        #option httpchk GET /goodo.html HTTP/1.0Host:9.126.13.13
        #option httpchk GET /goodo.html
        # httpchk is commented out, so "check" below is a plain TCP connect probe:
        # a server that accepts connections but returns errors still counts as up.
        #server 192.168.0.111_node1  192.168.0.111:80 weight 3 check inter 2000 rise 2 fall 1
        #server node1 17.139.148.242:80 weight 3 check inter 2000 rise 2 fall 1
        #server node2 17.139.183.18:80 weight 1 check inter 12000 rise 2 fall 3
        server node3 17.139.165.210:80 weight 1 check inter 12000 rise 2 fall 3   # probe every 12 s; up after 2 successes, down after 3 failures
        server node4 17.139.144.218:80 weight 1 check inter 12000 rise 2 fall 3
        server node5 11.34.169.10:80 weight 1 check inter 12000 rise 2 fall 3
        server node6 11.34.173.210:80 weight 1 check inter 12000 rise 2 fall 3
        server node7 6.198.139.186:80 weight 1 check inter 12000 rise 2 fall 3
        server node8 6.229.125.146:80 weight 1 check inter 12000 rise 2 fall 3

listen  stats_auth 0.0.0.0:91              # stats page on port 91, all interfaces. NOTE(review): bind to a management address or firewall it
        mode  http
        stats enable                       # turn on the statistics page
        stats uri  /admin                  # page location
        stats realm "LOGIN"                # basic-auth realm shown in the login prompt
        stats auth  admin:123456           # plaintext basic-auth credential. NOTE(review): trivially guessable password, rotate before exposure
        stats hide-version                 # do not reveal the HAProxy version
        stats refresh 10s                  # auto-refresh interval
        stats admin if TRUE                # every authenticated user may enable/disable servers from the page
        bind-process    1                  # only process 1 serves this listener, so the page always shows one process's counters

HAProxy服务器配置手册

本文档覆盖了如上版本HAProxy的所有配置命令. 但是不提供任何的提示(hint)、示例(example)或建议.
如果你要获得此类信息,请查看“参考手册”和“架构手册”。

HAProxy的配置过程分为3个主要部分:
 - 命令行参数,这是最优先的
 - global(全局)段,设置进程级参数
 - 代理配置段,通常位于"defaults", "listen", "frontend", "backend"这样的形式内。

配置文件的语法是由以本手册描述的关键字后跟可选的一个或者多个参数(参数之间空格)
组成。如果字符串中包含空格,必须使用'\'进行转义。\本身需要使用\进行转义。

一些参数值为时间,比如说timeout。时间值通常单位为毫秒(ms),但是也可以通过加后缀
来使用其他的单位。这是很重要的,因为我并不会在每个关键字中说明这点。支持的单位为:

  - us : microseconds. 1 microsecond = 1/1000000 second
  - ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
  - s  : seconds. 1s = 1000ms
  - m  : minutes. 1m = 60s = 60000ms
  - h  : hours.   1h = 60m = 3600s = 3600000ms
  - d  : days.    1d = 24h = 1440m = 86400s = 86400000ms


1. Global(全局)参数
--------------------

"global" 段的参数是进程级的,通常和操作系统(OS)相关。这些参数一般只设置一次,如果
配置无误,就不需要再次配置进行修改。(译注:也就是说如果设置多个正确的,还是以第一个
为准,后面的无效)。 这些参数其中一些有对应的命令行参数。

global段支持的关键字如下:

 * 进程管理和安全
   - chroot
   - daemon
   - gid
   - group
   - log
   - nbproc
   - pidfile
   - uid
   - ulimit-n
   - user
   - stats
  
 * 性能调优
   - maxconn
   - noepoll
   - nokqueue
   - nopoll
   - nosepoll
   - spread-checks
   - tune.maxaccept
   - tune.maxpollevents
  
 * 调试
   - debug
   - quiet


1.1) 进程管理和安全
------------------------------------

chroot <jail dir>
  切换运行目录到<jail dir>并且在放弃超级权限前执行chroot()。这会增强HAProxy的安全
  级别。仅在HAProxy以超级用户启动时才能使用。要注意的是<jail dir>必须为空并且其他
  任何用户不可写。
  
  
daemon
  使HAProxy进程进入后台运行。这是推荐的运行模式。等同于命令行-D参数。命令行参数
  -db则为禁止此选项。

gid <number>
  进程运行的组ID。建议将HAProxy的运行gid设置为一个专有的,或者设置为和其他类似进程
  一样的gid。 HAProxy必须以属于此组的用户启动,或者使用root来启动。
  参考group 和 uid.
  
group <group name>
  和gid类似,不过这里使用/etc/group中对应组名的gid。
  参考gid和 uid.
  
log <address> <facility> [max level]
  添加一个全局的syslog服务器。 最多允许定义2个全局服务器。这些服务器将接收HAProxy的
  启动和退出日志,如果代理配置里设置了log global,可以接收所有日志。

  <address> 可以为:

        - 一个IPv4 IP地址后跟一个:和一个UDP端口。如果端口不指定, 默认使用514
          (标准的syslog端口)

        - 一个到UNIX domain socket文件的路径。注意chroot(此文件在chroot内能访问)
          和uid/gid(此文件可写).

  <facility> 必须为如下24种标准syslog设备的一种:

          kern   user   mail   daemon auth   syslog lpr    news
          uucp   cron   auth2  ftp    ntp    audit  alert  cron2
          local0 local1 local2 local3 local4 local5 local6 local7

  还可以设置一个可选的level来过滤发出日志。默认会发出所有日志。如果指定了level,
  等于或高于此级别的日志才会发出。 8个级别为:

      emerg  alert  crit   err    warning notice info  debug

nbproc <number>
  创建<number>个进程进入daemon模式运行。此参数要求将运行模式设置为"daemon"。
  默认只创建一个进程, 这也是推荐的运行模式。 对那些每个进程的文件描述符被限制为
  很小值的系统来说, 可能需要开启多个daemon进程。但是使用多个进程将使调试变
  得非常艰难,这是非常不鼓励使用的。
  参考"daemon"。
  
pidfile <pidfile>
  将所有进程的pid写入文件<pidfile>。 等同于命令行参数"-p"。 启动进程的用户必须
  有权限访问此文件。
  参考"daemon"

stats socket <path> [{uid | user} <uid>] [{gid | group} <gid>] [mode <mode>]
  在<path>下创建流模式的UNIX套接字. 任何已存的套接字会备份后会被替换。连接到
  此套接字并输入show stat后会得到一个CSV格式的输出,输出包括进程信息。输入show
  info将返回更详细的相关信息。

stats timeout <timeout, in milliseconds>
  默认stats套接字的超时时间为10s。可以用此参数修改,单位可以为us,ms,s,m,h,d后缀。

stats maxconn <connections>
  默认,stats套接字(socket)仅限10个并发连接。这个值可由此参数修改。

uid <number>
  设置进程用户ID为<number>.建议将HAProxy的运行uid设置为一个专有的,或者设置为和
  其他类似进程一样的uid。 HAProxy必须以root来启动从而切换到其他用户运行。
  参考gid和user.

ulimit-n <number>
  设置每个进程的最大文件描述符数。默认的, 此值会自动计算,所以不推荐设置此参数。

user <user name>
  和uid类似,不过这里使用/etc/passwd中对应用户名的uid。
  参考uid和group.


1.2) 性能调优
-----------------------

maxconn <number>
  Sets the maximum per-process number of concurrent connections to <number>. It
  is equivalent to the command-line argument "-n". Proxies will stop accepting
  connections when this limit is reached. The "ulimit-n" parameter is
  automatically adjusted according to this value. See also "ulimit-n".
  设置每个进程的最大并发连接数. 等于命令行参数"-n"。 如果达到此值,代理会拒绝接受
  新的连接。ulimit-n会根据这个值自动调整。

noepoll
  Disables the use of the "epoll" event polling system on Linux. It is
  equivalent to the command-line argument "-de". The next polling system
  used will generally be "poll". See also "nosepoll", and "nopoll".
  在Linux上禁止使用epoll。等于命令行"-de"参数。 下一个会用到的polling系统为
  poll。
  查看"nosepoll"和"nopoll".
  

nokqueue
  Disables the use of the "kqueue" event polling system on BSD. It is
  equivalent to the command-line argument "-dk". The next polling system
  used will generally be "poll". See also "nopoll".
  在BSD上禁止kqueue polling系统。等于命令行"-dk"参数. 下一个会使用的是poll.
  查看"nopoll".

nopoll
  Disables the use of the "poll" event polling system. It is equivalent to the
  command-line argument "-dp". The next polling system used will be "select".
  It should never be needed to disable "poll" since it's available on all
  platforms supported by HAProxy. See also "nosepoll", "noepoll" and
  "nokqueue".
  禁止poll,等于命令行"-dp"。下一个使用的是select。poll在任何能运行HAProxy的机器
  上都支持,因此不要禁止poll。
  查看"nosepoll"、"noepoll"以及"nokqueue".

nosepoll
  Disables the use of the "speculative epoll" event polling system on Linux. It
  is equivalent to the command-line argument "-ds". The next polling system
  used will generally be "epoll". See also "noepoll", and "nopoll".
  在Linux上禁止使用speculative epoll系统。等于"-ds". 下一个使用的是epoll.
  查看"noepoll", "nopoll".

spread-checks <0..50, in percent>
  Sometimes it is desirable to avoid sending health checks to servers at exact
  intervals, for instance when many logical servers are located on the same
  physical server. With the help of this parameter, it becomes possible to add
  some randomness in the check interval between 0 and +/- 50%. A value between
  2 and 5 seems to show good results. The default value remains at 0.

tune.maxaccept <number>
  Sets the maximum number of consecutive accepts that a process may perform on
  a single wake up. High values give higher priority to high connection rates,
  while lower values give higher priority to already established connections.
  This value is unlimited by default in single process mode. However, in
  multi-process mode (nbproc > 1), it defaults to 8 so that when one process
  wakes up, it does not take all incoming connections for itself and leaves a
  part of them to other processes. Setting this value to zero or less disables
  the limitation. It should normally not be needed to tweak this value.

tune.maxpollevents <number>
  Sets the maximum amount of events that can be processed at once in a call to
  the polling system. The default value is adapted to the operating system. It
  has been noticed that reducing it below 200 tends to slightly decrease
  latency at the expense of network bandwidth, and increasing it above 200
  tends to trade latency for slightly increased bandwidth.


1.3) 调试
---------------

debug
  启动debug模式,此模式会dump所有的交互信息到stdout,并运行于前台(译注:不进入daemon
  模式)。等效于命令行参数-d. 此参数绝不要用于生产环境,因为它会在系统启动时被挂起.

quiet
  在启动时不显示任何信息。等于命令行参数-q。


2) 代理(Proxies)
----------

Proxy configuration can be located in a set of sections :
代理相关配置位于下列配置段中:
 - defaults <name>
 - frontend <name>
 - backend  <name>
 - listen   <name>

A "defaults" section sets default parameters for all other sections following
its declaration. Those default parameters are reset by the next "defaults"
section. See below for the list of parameters which can be set in a "defaults"
section. The name is optional but its use is encouraged for better readability.
"defaults"段为其后的所有其他配置段设置默认参数。 "defaults"段可以有多个,后设置的总
是会覆盖之前的配置。 查看下面的列表可以知道"defaults"段可以使用哪些配置参数。"defaults"
段的名字是可选的,但是为了更好的可读性,建议加上。

A "frontend" section describes a set of listening sockets accepting client
connections.
"frontend"段描述了一组监听的套接字,它们接受客户端连接。

A "backend" section describes a set of servers to which the proxy will connect
to forward incoming connections.
"backend"段描述了一组服务器,代理(Haproxy)会连接这些服务器并转发客户端请求到这些服
务器上。

A "listen" section defines a complete proxy with its frontend and backend
parts combined in one section. It is generally useful for TCP-only traffic.
"listen"段定义了一个完整的代理,它的前端(frontend)和后端(backend)都在这个配置
段里。这种配置通常用于仅TCP的流量.

All proxy names must be formed from upper and lower case letters, digits,
'-' (dash), '_' (underscore) , '.' (dot) and ':' (colon). ACL names are
case-sensitive, which means that "www" and "WWW" are two different proxies.
代理名必须由大(小)写字母、数字、'-'、'_'、'.'、':'组成。ACL名字是大小写敏感的,
也即www和WWW分别指不同的代理。

Historically, all proxy names could overlap, it just caused troubles in the
logs. Since the introduction of content switching, it is mandatory that two
proxies with overlapping capabilities (frontend/backend) have different names.
However, it is still permitted that a frontend and a backend share the same
name, as this configuration seems to be commonly encountered.
由于历史原因,所有的代理名字是可以重叠的,这种仅仅会导致日志有些问题。 后来内容交换
(Content Switching)的加入使得两个有重复功能的代理(frontend/backend)必须使用不
同的名字。 然而, 仍然允许frontend和backend使用同一个名字,因为这种配置会经常遇到。


Right now, two major proxy modes are supported : "tcp", also known as layer 4,
and "http", also known as layer 7. In layer 4 mode, HAProxy simply forwards
bidirectional traffic between two sides. In layer 7 mode, HAProxy analyzes the
protocol, and can interact with it by allowing, blocking, switching, adding,
modifying, or removing arbitrary contents in requests or responses, based on
arbitrary criteria.
当前,HAProxy支持两种主要的代理模式: "tcp"也即4层,和"http",即7层。在4层模式下,
HAproxy仅在客户端和服务器之间转发双向流量。7层模式下,HAProxy会分析协议,并且能通过
允许、拒绝、交换、增加、修改或者删除请求(request)或者回应(response)里指定内容来控制
协议,这种操作要基于特定规则。



2.1) Quick reminder about HTTP
------------------------------

When a proxy is running in HTTP mode, both the request and the response are
fully analyzed and indexed, thus it becomes possible to build matching criteria
on almost anything found in the contents.

However, it is important to understand how HTTP requests and responses are
formed, and how HAProxy decomposes them. It will then become easier to write
correct rules and to debug existing configurations.


2.1.1) The HTTP transaction model
---------------------------------

The HTTP protocol is transaction-driven. This means that each request will lead
to one and only one response. Traditionally, a TCP connection is established
from the client to the server, a request is sent by the client on the
connection, the server responds and the connection is closed. A new request
will involve a new connection :

  [CON1] [REQ1] ... [RESP1] [CLO1] [CON2] [REQ2] ... [RESP2] [CLO2] ...

In this mode, called the "HTTP close" mode, there are as many connection
establishments as there are HTTP transactions. Since the connection is closed
by the server after the response, the client does not need to know the content
length.

Due to the transactional nature of the protocol, it was possible to improve it
to avoid closing a connection between two subsequent transactions. In this mode
however, it is mandatory that the server indicates the content length for each
response so that the client does not wait indefinitely. For this, a special
header is used: "Content-length". This mode is called the "keep-alive" mode :

  [CON] [REQ1] ... [RESP1] [REQ2] ... [RESP2] [CLO] ...

Its advantages are a reduced latency between transactions, and less processing
power required on the server side. It is generally better than the close mode,
but not always because the clients often limit their concurrent connections to
a smaller value. HAProxy currently does not support the HTTP keep-alive mode,
but knows how to transform it to the close mode.

A last improvement in the communications is the pipelining mode. It still uses
keep-alive, but the client does not wait for the first response to send the
second request. This is useful for fetching a large number of images composing a
page :

  [CON] [REQ1] [REQ2] ... [RESP1] [RESP2] [CLO] ...

This can obviously have a tremendous benefit on performance because the network
latency is eliminated between subsequent requests. Many HTTP agents do not
correctly support pipelining since there is no way to associate a response with
the corresponding request in HTTP. For this reason, it is mandatory for the
server to reply in the exact same order as the requests were received.

Right now, HAProxy only supports the first mode (HTTP close) if it needs to
process the request. This means that for each request, there will be one TCP
connection. If keep-alive or pipelining are required, HAProxy will still
support them, but will only see the first request and the first response of
each transaction. While this is generally problematic with regards to logs,
content switching or filtering, it most often causes no problem for persistence
with cookie insertion.


2.1.2) HTTP request
-------------------

First, let's consider this HTTP request :

  Line     Contents
  number 
     1     GET /serv/login.php?lang=en&profile=2 HTTP/1.1
     2     Host: www.mydomain.com
     3     User-agent: my small browser
     4     Accept: image/jpeg, image/gif
     5     Accept: image/png


2.1.2.1) The Request line
-------------------------

Line 1 is the "request line". It is always composed of 3 fields :

  - a METHOD      : GET
  - a URI         : /serv/login.php?lang=en&profile=2
  - a version tag : HTTP/1.1

All of them are delimited by what the standard calls LWS (linear white spaces),
which are commonly spaces, but can also be tabs or line feeds/carriage returns
followed by spaces/tabs. The method itself cannot contain any colon (':') and
is limited to alphabetic letters. All those various combinations make it
desirable that HAProxy performs the splitting itself rather than leaving it to
the user to write a complex or inaccurate regular expression.

The URI itself can have several forms :

  - A "relative URI" :

      /serv/login.php?lang=en&profile=2

    It is a complete URL without the host part. This is generally what is
    received by servers, reverse proxies and transparent proxies.

  - An "absolute URI", also called a "URL" :

      http://192.168.0.12:8080/serv/login.php?lang=en&profile=2

    It is composed of a "scheme" (the protocol name followed by '://'), a host
    name or address, optionally a colon (':') followed by a port number, then
    a relative URI beginning at the first slash ('/') after the address part.
    This is generally what proxies receive, but a server supporting HTTP/1.1
    must accept this form too.

  - a star ('*') : this form is only accepted in association with the OPTIONS
    method and is not relayable. It is used to inquire about a next hop's
    capabilities.
        
  - an address:port combination : 192.168.0.12:80
    This is used with the CONNECT method, which is used to establish TCP
    tunnels through HTTP proxies, generally for HTTPS, but sometimes for
    other protocols too.

In a relative URI, two sub-parts are identified. The part before the question
mark is called the "path". It is typically the relative path to static objects
on the server. The part after the question mark is called the "query string".
It is mostly used with GET requests sent to dynamic scripts and is very
specific to the language, framework or application in use.


2.1.2.2) The request headers
----------------------------

The headers start at the second line. They are composed of a name at the
beginning of the line, immediately followed by a colon (':'). Traditionally,
an LWS is added after the colon but that's not required. Then come the values.
Multiple identical headers may be folded into one single line, delimiting the
values with commas, provided that their order is respected. This is commonly
encountered in the "Cookie:" field. A header may span over multiple lines if
the subsequent lines begin with an LWS. In the example in 2.1.2, lines 4 and 5
define a total of 3 values for the "Accept:" header.

Contrary to a common misconception, header names are not case-sensitive, and
their values are not either if they refer to other header names (such as the
"Connection:" header).

The end of the headers is indicated by the first empty line. People often say
that it's a double line feed, which is not exact, even if a double line feed
is one valid form of empty line.

Fortunately, HAProxy takes care of all these complex combinations when indexing
headers, checking values and counting them, so there is no reason to worry
about the way they could be written, but it is important not to accuse an
application of being buggy if it does unusual, valid things.

Important note:
   As suggested by RFC2616, HAProxy normalizes headers by replacing line breaks
   in the middle of headers by LWS in order to join multi-line headers. This
   is necessary for proper analysis and helps less capable HTTP parsers to work
   correctly and not to be fooled by such complex constructs.


2.1.3) HTTP response
--------------------

An HTTP response looks very much like an HTTP request. Both are called HTTP
messages. Let's consider this HTTP response :

  Line     Contents
  number 
     1     HTTP/1.1 200 OK
     2     Content-length: 350
     3     Content-Type: text/html


2.1.3.1) The Response line
--------------------------

Line 1 is the "response line". It is always composed of 3 fields :

  - a version tag : HTTP/1.1
  - a status code : 200
  - a reason      : OK

The status code is always 3-digit. The first digit indicates a general status :
 - 2xx = OK, content is following   (eg: 200, 206)
 - 3xx = OK, no content following   (eg: 302, 304)
 - 4xx = error caused by the client (eg: 401, 403, 404)
 - 5xx = error caused by the server (eg: 500, 502, 503)

Please refer to RFC2616 for the detailed meaning of all such codes. The
"reason" field is just a hint, but is not parsed by clients. Anything can be 
found there, but it's a common practice to respect the well-established
messages. It can be composed of one or multiple words, such as "OK", "Found",
or "Authentication Required".


2.1.3.2) The response headers
-----------------------------

Response headers work exactly like request headers, and as such, HAProxy uses
the same parsing function for both. Please refer to paragraph 2.1.2.2 for more
details.


2.2) 代理关键字矩阵
----------------------------

The following list of keywords is supported. Most of them may only be used in a
limited set of section types. Some of them are marked as "deprecated" because
they are inherited from an old syntax which may be confusing or functionally
limited, and there are new recommended keywords to replace them. Keywords
listed with [no] can be optionally inverted using the "no" prefix, ex. "no
option contstats". This makes sense when the option has been enabled by default
and must be disabled for a specific instance.
下面是HAProxy目前支持的关键字列表。 大部分只能用于部分配置段。 有一些标注了"deprecated"
是因为它们是从老的语法继承下来的,它们通常容易让人混淆或者功能受限,而且目前都有新的替代
关键字使用。有[no]标注的关键字表明用no作为前缀可以作为此关键字的相反设置,比如"no option
contstats". 比如说一个配置默认是启用的,但是在后面的某个具体的实例中需要关闭,这就非常有用了。


keyword                 defaults   frontend   listen    backend
----------------------+----------+----------+---------+---------
acl                         -          X         X         X   
appsession                  -          -         X         X   
backlog                     X          X         X         -
balance                     X          -         X         X   
bind                        -          X         X         -   
block                       -          X         X         X
capture cookie              -          X         X         -
capture request header      -          X         X         -
capture response header     -          X         X         -
clitimeout                  X          X         X         -  (deprecated)
contimeout                  X          -         X         X  (deprecated)
cookie                      X          -         X         X
default_backend             -          X         X         -
disabled                    X          X         X         X
dispatch                    -          -         X         X
enabled                     X          X         X         X
errorfile                   X          X         X         X
errorloc                    X          X         X         X
errorloc302                 X          X         X         X
errorloc303                 X          X         X         X
fullconn                    X          -         X         X
grace                       -          X         X         X
http-check disable-on-404   X          -         X         X
log                         X          X         X         X
maxconn                     X          X         X         -
mode                        X          X         X         X
monitor fail                -          X         X         -
monitor-net                 X          X         X         -
monitor-uri                 X          X         X         -
[no] option abortonclose    X          -         X         X
[no] option allbackups      X          -         X         X
[no] option checkcache      X          -         X         X
[no] option clitcpka        X          X         X         -
[no] option contstats       X          X         X         -
[no] option dontlognull     X          X         X         -
[no] option forceclose      X          -         X         X
option forwardfor           X          X         X         X
[no] option http_proxy      X          X         X         X
option httpchk              X          -         X         X
[no] option httpclose       X          X         X         X
option httplog              X          X         X         X
[no] option logasap         X          X         X         -
[no] option nolinger        X          X         X         X
[no] option persist         X          -         X         X
[no] option redispatch      X          -         X         X
option smtpchk              X          -         X         X
[no] option srvtcpka        X          -         X         X
option ssl-hello-chk        X          -         X         X
option tcpka                X          X         X         X
option tcplog               X          X         X         X
[no] option tcpsplice       X          X         X         X
[no] option transparent     X          X         X         -
redisp                      X          -         X         X  (deprecated)
redispatch                  X          -         X         X  (deprecated)
reqadd                      -          X         X         X
reqallow                    -          X         X         X
reqdel                      -          X         X         X
reqdeny                     -          X         X         X
reqiallow                   -          X         X         X
reqidel                     -          X         X         X
reqideny                    -          X         X         X
reqipass                    -          X         X         X
reqirep                     -          X         X         X
reqisetbe                   -          X         X         X
reqitarpit                  -          X         X         X
reqpass                     -          X         X         X
reqrep                      -          X         X         X
reqsetbe                    -          X         X         X
reqtarpit                   -          X         X         X
retries                     X          -         X         X
rspadd                      -          X         X         X
rspdel                      -          X         X         X
rspdeny                     -          X         X         X
rspidel                     -          X         X         X
rspideny                    -          X         X         X
rspirep                     -          X         X         X
rsprep                      -          X         X         X
server                      -          -         X         X
source                      X          -         X         X
srvtimeout                  X          -         X         X  (deprecated)
stats auth                  X          -         X         X
stats enable                X          -         X         X
stats realm                 X          -         X         X
stats refresh               X          -         X         X
stats scope                 X          -         X         X
stats uri                   X          -         X         X
stats hide-version          X          -         X         X
timeout check               X          -         X         X
timeout client              X          X         X         -
timeout clitimeout          X          X         X         -  (deprecated)
timeout connect             X          -         X         X
timeout contimeout          X          -         X         X  (deprecated)
timeout http-request        X          X         X         -
timeout queue               X          -         X         X
timeout server              X          -         X         X
timeout srvtimeout          X          -         X         X  (deprecated)
timeout tarpit              X          X         X         X
transparent                 X          X         X         -  (deprecated)
use_backend                 -          X         X         -
----------------------+----------+----------+---------+---------
keyword                 defaults   frontend   listen    backend


2.2.1) 关键字索引(按字母顺序排序)
-----------------------------------------------

This section provides a description of each keyword and its usage.
本节描述每个关键字及其用法。


acl <aclname> <criterion> [flags] [operator] <value> ...
  Declare or complete an access list.
  声明或补充一个访问控制列表(ACL).
  可用于配置段:                defaults | frontend | listen | backend
                                  no    |    yes   |   yes  |   yes
  示例:
        acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
        acl invalid_src  src_port     0:1023
        acl local_dst    hdr(host) -i localhost
2.5) HTTP头操作
-----------------------------


在HTTP模式下,可以基于正则表达式来重写、增加或者删除请求或者回应包头,如果一个某特定的
头匹配正则,也可以基于此来拒绝此请求或回应,这样就足以解决大部分简单的基于协议的攻击了,
也可以防止信息从内部网泄露出去。但是这样做却有一个限制: 因为HAproxy的HTTP引擎不支持
keep-alive, 在一个TCP会话中仅仅第一个请求中发送的头信息能被HAProxy看到,所有后续头
仅当做是数据而不会进行分析。而且,HAProxy从来不接触数据内容,它在分析完所有的头后会立即
停止分析。

本节包含了下列在2.2.1中详细描述过的关键字的用法:

  - reqadd     <string>
  - reqallow   <search>
  - reqiallow  <search>
  - reqdel     <search>
  - reqidel    <search>
  - reqdeny    <search>
  - reqideny   <search>
  - reqpass    <search>
  - reqipass   <search>
  - reqrep     <search> <replace>
  - reqirep    <search> <replace>
  - reqtarpit  <search>
  - reqitarpit <search>
  - rspadd     <string>
  - rspdel     <search>
  - rspidel    <search>
  - rspdeny    <search>
  - rspideny   <search>
  - rsprep     <search> <replace>
  - rspirep    <search> <replace>


所有这些关键字都使用相同的约定。<search>参数是一个POSIX扩展的正则表达式(regex),支持
使用括号()进行分组(括号不需要使用\转义)。空格和其他域(field)分隔符必须使用\开头以避免
和域分隔符混淆。其他字符也可以结合\使用来改变其本身的含义:

  \t   tab
  \r   回车(CR)
  \n  换行(LF)
  \    空格(而不是域分隔符)
  \#   输出'#'而不当做是注释
  \\   在正则中使用\
  \\\\ 在文本中使用\(*2 for regex, *2 for haproxy)
  \xXX 就像C语言里一样输出XX的十六进制ASCII码。

The <replace> parameter contains the string to be used to replace the largest
portion of text matching the regex. It can make use of the special characters
above, and can reference a substring which is delimited by parenthesis in the
regex, by writing a backslash ('\') immediately followed by one digit from 0 to
9 indicating the group position (0 designating the entire line). This practice
is very common to users of the "sed" program.

The <string> parameter represents the string which will systematically be added
after the last header line. It can also use special character sequences above.

Notes related to these keywords :
---------------------------------
  - these keywords are not always convenient to allow/deny based on header
    contents. It is strongly recommended to use ACLs with the "block" keyword
    instead, resulting in far more flexible and manageable rules.

  - lines are always considered as a whole. It is not possible to reference
    a header name only or a value only. This is important because of the way
    headers are written (notably the number of spaces after the colon).

  - the first line is always considered as a header, which makes it possible to
    rewrite or filter HTTP requests URIs or response codes, but in turn makes
    it harder to distinguish between headers and request line. The regex prefix
    ^[^\ \t]*[\ \t] matches any HTTP method followed by a space, and the prefix
    ^[^ \t:]*: matches any header name followed by a colon.

  - for performance reasons, the number of characters added to a request or to
    a response is limited at build time to values between 1 and 4 kB. This
    should normally be far more than enough for most usages. If it is too short
    on occasional usages, it is possible to gain some space by removing some
    useless headers before adding new ones.

  - keywords beginning with "reqi" and "rspi" are the same as their counterpart
    without the 'i' letter except that they ignore case when matching patterns.

  - when a request passes through a frontend then a backend, all req* rules
    from the frontend will be evaluated, then all req* rules from the backend
    will be evaluated. The reverse path is applied to responses.

  - req* statements are applied after "block" statements, so that "block" is
    always the first one, but before "use_backend" in order to permit rewriting
    before switching. 


2.6) 日志
------------

[待补充]

2.7) CSV格式

  0. pxname: 代理名
  1. svname: service name (FRONTEND 指前端, BACKEND指后端,其他名字指服务器)
  2. qcur: 当前的请求队列
  3. qmax: 最大请求队列
  4. scur: 当前会话(session)
  5. smax: 最大会话(session)
  6. slim: 会话限制
  7. stot: 总会话
  8. bin: bytes in
  9. bout: bytes out
 10. dreq: 拒绝的请求
 11. dresp: 拒绝的回应(responses)
 12. ereq: 请求错误
 13. econ: 连接错误
 14. eresp: 回应错误
 15. wretr: 重试次数(warnings)
 16. wredis: redispatches (warning)
 17. status: 状态 (UP/DOWN/...)
 18. weight: 服务器权重(server), 总权重(backend)
 19. act: 服务器为主(active)(server), 主服务器个数(backend)
 20. bck: 服务器为备(backup) (server),备服务器个数(backend)
 21. chkfail: 失败的检查次数
 22. chkdown: 从UP->DOWN 切换的次数
 23. lastchg: 最后状态改变时间(seconds)
 24. downtime: 总的宕机时间(秒)
 25. qlimit: 队列限制
 26. pid: 进程id (0 第一个实例, 1 为第二个, ...)
 27. iid: 唯一代理id
 28. sid: service id (unique inside a proxy)
 29. throttle: warm up status
 30. lbtot: 服务器被选择的总次数
 31. tracked: id of proxy/server if tracking is enabled
 32. type (0=frontend, 1=backend, 2=server)

2.8) Unix套接字命令(Unix Socket commands)

 - "show stat [<iid> <type> <sid>]": 以csv格式导出状态信息。通过传入id,type和sid可以
    导出指定项:
     - iid为proxy id, -1导出所有
     - type 选择可导出对象类型: 1 为 frontend, 2 指 backend, 4 指
       server, -1 为所有. 这些值可以按位OR(bit运算)组合,如:
          1+2=3   -> frontend+backend.
          1+2+4=7 -> frontend+backend+server.
     - sid 为service id, -1 从选定的proxy导出所有service.

 - "show info": 导出当前haproxy的状态信息。

quick_abort_min

近来在研究大文件 Cache 方面,squid 对大文件处理方面的优化.其中发现二个最重要的参数 range_offset_limit 和 quick_abort*.其实从名字中就能看得出来,二个最主要的分别就是一个是对大文件的 range (断点续传)和 abort (中断)的处理.注意这些都是由客户端请求过来的 request 来驱动产生的。


1. squid 中的 range_offset_limit

其实在前面几次提到过这个参数,也会有很多问题,一定要注意这个值要设置得比你的 maximum_object_size 小,不然文件下载完又会被放弃.

另外这个参数也会有个问题,就是当十个线程过来时,它会对同一个文件请求10次.不过总的来讲,这个参数还是少设置为好.

2. squid 中的 quick_abort

quick_abort_min (KB)
quick_abort_max (KB)
quick_abort_pct (percent)


控制squid是否继续传输被用户中断的请求.当用户中断请求时,squid会检测 quick_abort 的值.如果剩余部分小于“quick_abort_min”指定的值,squid 会继续完成剩余部分的传输;如果剩余部分大于“quick_abort_max”指定的值,squid 会终止剩余部分的传输;如果已完成“quick_abort_pct”指定的百分比,squid会继续完成剩余部分的传输.

比如我们对大量大文件的 cache 系统可以这样处理,如果想让请求过来后就一直请求完的话,就使用 quick_abort_min -1 来让请求断开后仍然不断地回源,这样的副作用是有可能引起服务器回源的流量比真实用户的请求还多。
quick_abort_min 16 MB
quick_abort_max 16 MB
quick_abort_pct 80

 

3. squid 中的 collapsed_forwarding

多个回源流量变成一个回源,这个在大文件时,也比较有用,但是如果第一个用户很慢的话,会严重影响速度.如果有开发能力最好修复。

4. read_ahead_gap
这个是让 Squid 来预读多少的意思。

haproxy配置文件解析

修改操作系统的日志配置
HAProxy可以收集本机及其他后端服务器日志,但是需要在HAProxy和操作系统上作一些配置。
使用root账户首先修改/etc/sysconfig/syslog文件,将SYSLOGD_OPTIONS="-m 0" 修改为SYSLOGD_OPTIONS="-m 0 -r -x",以支持收集远程服务器日志。
然后修改/etc/syslog.conf,增加如下语句:
local0.* /home/admin/haproxy/logs/haproxy.log // haproxy.log路径代表了需要存储日志的地址,其中local0这个设备(facility)要和haproxy.cfg中log配置的设备一致
执行service syslog restart,重新启动系统日志器

 

2. HAProxy的配置
HAProxy配置中分成五部分内容,当然这些组件不是必选的,可以根据需要选择部分作为配置。
global:参数是进程级的,通常和操作系统(OS)相关。这些参数一般只设置一次,如果配置无误,就不需要再次配置进行修改
defaults:配置默认参数的,这些参数可以被利用配置到frontend,backend,listen组件
frontend:接收请求的前端虚拟节点,Frontend可以根据规则直接指定具体使用后端的 backend(可动态选择)。
backend:后端服务集群的配置,是真实的服务器,一个Backend对应一个或者多个实体服务器。
listen:Frontend和Backend的组合体。
下面是HAProxy的一些常用配置,用来说明HAProxy的一些常用功能,具体详细配置请查看安装目录下doc目录中的文档文件,或者到 http://cn.haproxy.org/
下载中文配置说明文档
配置文件例子:
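global
# Global log target: syslog over UDP to 127.0.0.1, facility local0, level info.
# Levels are [err warning info debug]. local0 must be one of the 24 standard
# syslog facilities:
#   kern user mail daemon auth syslog lpr news
#   uucp cron auth2 ftp ntp audit alert cron2
#   local0 local1 local2 local3 local4 local5 local6 local7
# local0 is used here because /etc/syslog.conf routes local0.* to the
# haproxy log file.
log 127.0.0.1 local0 info #[err warning info debug]
# Process-wide maximum number of concurrent connections
maxconn 4096
# Unprivileged user the process switches to after start-up
user admin
# Unprivileged group the process switches to after start-up
group admin
# Run in the background; the recommended mode
daemon
# Fork 4 worker processes; requires "daemon"
nbproc 4
# Write the pid of every process to this file
pidfile /home/admin/haproxy/logs/haproxy.pid
defaults
# Default mode { tcp|http|health }: tcp = layer 4, http = layer 7,
# health only answers "OK"
mode http
# Use the HTTP log format
option httplog
# Three failed connection attempts mark the server unavailable;
# can be overridden per backend
retries 3
# If the cookie carries a serverId that the client does not refresh and
# that server goes down, force the session to another healthy server
# (this line was an uncommented stray sentence in the original and would
# have broken config parsing)
option redispatch
# Under heavy load, drop queued requests whose client has already closed
option abortonclose
# Default maximum connections per proxy
maxconn 4096
# Connect timeout (deprecated spelling, see "timeout connect")
contimeout 5000
# Client inactivity timeout (deprecated spelling, see "timeout client")
clitimeout 30000
# Server inactivity timeout (deprecated spelling, see "timeout server")
srvtimeout 30000
# Health-check timeout
timeout check 2000
# Note: time values such as timeouts default to milliseconds (ms), but a unit
# suffix may be appended to use another unit:
#- us : microseconds. 1 microsecond = 1/1000000 second
#- ms : milliseconds. 1 millisecond = 1/1000 second. This is the default.
#- s : seconds. 1s = 1000ms
#- m : minutes. 1m = 60s = 60000ms
#- h : hours. 1h = 60m = 3600s = 3600000ms
#- d : days. 1d = 24h = 1440m = 86400s = 86400000ms
######## stats page ############
listen admin_stats
# Listening port. 0.0.0.0 binds every interface, so any host that can reach
# TCP/1080 gets the stats login prompt; prefer a management address or an
# ACL restricting the source.
bind 0.0.0.0:1080
# layer-7 HTTP mode
mode http
# logging
log 127.0.0.1 local0 err #[err warning info debug]
# auto-refresh interval of the stats page
stats refresh 30s
# stats page URL
stats uri /admin?stats
# realm text shown in the browser's password prompt
stats realm Gemini\ Haproxy
# stats page credentials. These default-looking values are stored in
# cleartext and, since this listener has no TLS, sent as plain HTTP basic
# auth; replace them before deployment.
stats auth admin:admin
stats auth admin1:admin1
# Hide the HAProxy version on the stats page
stats hide-version
####### site-status listen ############
listen site_status
bind 0.0.0.0:1081
mode http
log 127.0.0.1 local0 err #[err warning info debug]
# Health URL for the sites behind HAProxy: 200 when healthy, 500 otherwise
monitor-uri /site_status
# Policy for "site down":
# true when the named backend has fewer than 1 usable server; several acl
# lines with the same name are OR-ed together
acl site_dead nbsrv(denali_server) lt 1
acl site_dead nbsrv(tm_server) lt 1
acl site_dead nbsrv(mms_server) lt 1
# Answer 500 on the monitor URI when the policy matches
monitor fail if site_dead
# Source network treated as a monitoring network: connections coming from
# 192.168.0.252/31 (i.e. .252 and .253) are answered immediately and not
# forwarded to a backend. (The original comment described this as "return 500
# when these two hosts are down", which is not what monitor-net does.)
monitor-net 192.168.0.252/31
######## frontend ############
frontend http_80_in
# listening port
bind 0.0.0.0:80
# layer-7 HTTP mode
mode http
# use the global log settings
log global
# HTTP log format
option httplog
# Close the HTTP connection after each request; this HAProxy version does not
# support keep-alive
option httpclose
# Add X-Forwarded-For so backends can read the client IP from the headers.
# Backends should trust this header only on requests arriving from this
# proxy, since clients can send their own X-Forwarded-For.
option forwardfor
########### headers captured into the log ##########
capture request header Host len 40
capture request header Content-Length len 10
capture request header Referer len 200
capture response header Server len 40
capture response header Content-Length len 10
capture response header Cache-Control len 8
#################### ACL definitions #########################
# true when the Host header matches the regex (-i: ignore case). The dots are
# unescaped and therefore match any character; use \. for an exact match.
acl denali_policy hdr_reg(host) -i ^(www.gemini.taobao.net|my.gemini.taobao.net|auction1.gemini.taobao.net)$
# true when Host is the domain trade.gemini.taobao.net (-i: ignore case)
acl tm_policy hdr_dom(host) -i trade.gemini.taobao.net
# true when the URL contains "sip_apiname=". Despite its name this ACL
# selects the requests that are allowed through (see the block rule below).
acl invalid_req url_sub -i sip_apiname=
# true when "timetask" appears as a path component of the URL
acl timetask_req url_dir -i timetask
# true when the request carries no Content-length header: hdr_cnt counts the
# header's occurrences, so "eq 0" means absent, not "value equals 0"
acl missing_cl hdr_cnt(Content-length) eq 0
###################### ACL actions ###################
# Reject (403) requests without a Content-length header. Note that plain GET
# requests usually carry no Content-length and would be rejected too.
block if missing_cl
# Reject (403) unless the URL contains sip_apiname=, and always reject
# timetask URLs
block if !invalid_req || timetask_req
# use backend denali_server when denali_policy matches
use_backend denali_server if denali_policy
# use backend tm_server when tm_policy matches
use_backend tm_server if tm_policy
# reqisetbe: pick a backend by case-insensitive regex on the request lines
reqisetbe ^Host:\ img dynamic
reqisetbe ^[^\ ]*\ /(img|css)/ dynamic
reqisetbe ^[^\ ]*\ /admin/stats stats
# fallback backend when nothing above matched
default_backend mms_server
# custom error pages
errorfile 400 /home/admin/haproxy/errorfiles/400.http
errorfile 403 /home/admin/haproxy/errorfiles/403.http
errorfile 408 /home/admin/haproxy/errorfiles/408.http
errorfile 500 /home/admin/haproxy/errorfiles/500.http
errorfile 502 /home/admin/haproxy/errorfiles/502.http
errorfile 503 /home/admin/haproxy/errorfiles/503.http
errorfile 504 /home/admin/haproxy/errorfiles/504.http
########## backends ##############
backend mms_server
# layer-7 HTTP mode
mode http
# load-balancing algorithm: round-robin
balance roundrobin
# insert a SERVERID cookie carrying the per-server cookie value defined below
cookie SERVERID
# health-check request. "HTTP/1.1\r\nHost:XXX" sets the HTTP version and the
# Host header sent with the check; needed when the check URL depends on the
# virtual host
option httpchk GET /member/login.jhtml HTTP/1.1\r\nHost:member1.gemini.taobao.net
# server definitions: "cookie 1" = serverid 1, "check inter 1500" = check
# every 1500 ms, "rise 3" = 3 successes to mark up, "fall 3" = 3 failures to
# mark down, "weight" = relative weight
server mms1 10.1.5.134:80 cookie 1 check inter 1500 rise 3 fall 3 weight 1
server mms2 10.1.6.118:80 cookie 2 check inter 1500 rise 3 fall 3 weight 2
backend denali_server
mode http
# load-balancing algorithm: hash of the client source IP
balance source
# With backup servers, by default only the first backup is used; with
# "option allbackups" every backup server takes traffic by its weight
option allbackups
# health-check URL
option httpchk GET /mytaobao/home/my_taobao.jhtml HTTP/1.1\r\nHost:my.gemini.taobao.net
# Per-server connection limits override the defaults when machines differ
# in capacity (e.g. minconn 10 maxconn 20)
server denlai1 10.1.5.114:80 minconn 4 maxconn 12 check inter 1500 rise 3 fall 3
server denlai2 10.1.6.104:80 minconn 10 maxconn 20 check inter 1500 rise 3 fall 3
# Backup servers: unused while any primary is up, enabled when all primaries
# are down. NOTE(review): both backup entries point at the same address
# 10.1.7.114, which looks like a copy-paste slip — confirm the second one.
server dnali-back1 10.1.7.114:80 check backup inter 1500 rise 3 fall 3
server dnali-back2 10.1.7.114:80 check backup inter 1500 rise 3 fall 3
backend tm_server
mode http
# load-balancing algorithm: least connections
balance leastconn
# Host header completed to trade.gemini.taobao.net; the original was cut
# to ".ne", which is unlikely to match the vhost tm_policy routes to
option httpchk GET /trade/itemlist/prepayCard.htm HTTP/1.1\r\nHost:trade.gemini.taobao.net
server tm1 10.1.5.115:80 check inter 1500 rise 3 fall 3
server tm2 10.1.6.105:80 check inter 1500 rise 3 fall 3
###### backends selected by the reqisetbe rules #######################
backend dynamic
mode http
balance source
option httpchk GET /welcome.html HTTP/1.1\r\nHost:www.taobao.net
server denlai1 10.3.5.114:80 check inter 1500 rise 3 fall 3
server denlai2 10.4.6.104:80 check inter 1500 rise 3 fall 3
backend stats
mode http
balance source
option httpchk GET /welcome.html HTTP/1.1\r\nHost:www.taobao.net
server denlai1 10.5.5.114:80 check inter 1500 rise 3 fall 3
server denlai2 10.6.6.104:80 check inter 1500 rise 3 fall 3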

 

 

global:参数是进程级的,通常和操作系统(OS)相关

defaults:配置默认参数,这些参数可以被利用配置到frontend,backend,listen组件

frontend:接收请求的前端虚拟节点,Frontend可以根据规则直接指定具体使用后端的 backend(可动态选择)

backend:后端服务集群的配置,是真实的服务器,一个Backend对应一个或者多个实体服务器

listen:Frontend和Backend的组合体

 

log 127.0.0.1 local0             使用系统的syslog记录日志

maxconn 4096                     限制单个进程的最大连接数

option redispatch                 在连接失败或断开的情况下,允许当前会话被重新分发

retries 2                             设置在一个服务器上链接失败后的重连次数

balance roundrobin            设置服务器分配算法为轮询(即交替访问)
 

option dontlognull              不记录空连接

contimeout 5000               设置等待连接到服务器成功的最大时间

clitimeout 50000              设置客户端的最大超时时间

srvtimeout 50000              设置服务器端的最大超时时间

nbproc 1                          指定作为守护进程运行的时候,要创建多少个进程,默认只创建一个,需要开启daemon模式

daemon                            让进程在后台运行,即作为守护进程运行,正式运行的时候开启,此处先禁止,等同于在命令行添加参数 -D


 

debug                             设置debug模式运行,与daemon模式互斥,等同于在命令行添加参数 -d


 

1080                                监听端口(随意)

mode http                         http的7层模式


 

stats refresh 30s                 统计页面自动刷新时间

stats uri /haproxy-stats          统计页面URL


 

stats realm Haproxy\ Statistics             统计页面密码框上提示文本

stats auth ming:123456               统计页面用户名和密码设置

stats hide-version                      隐藏统计页面上HAProxy的版本信息

monitor-uri /site_status         网站健康检测URL,用来检测HAProxy管理的网站是否可以用,正常返回200,不正常返回500

 

weight  -- 调节服务器的权重

check -- 允许对该服务器进行健康检查

inter  -- 设置连续的两次健康检查之间的时间,单位为毫秒(ms),默认值 2000

rise  -- 指定多少次连续成功的健康检查后,即可认定该服务器处于可操作状态,默认值 2

fall  -- 指定多少次不成功的健康检查后,认为服务器为宕机状态,默认值 3

 

balance roundrobin     简单的轮询

balance source           根据请求的源IP

balance uri                根据请求的url
 
balance url_param     根据请求URL中的参数